- From: Samuel Weiler <weiler@w3.org>
- Date: Thu, 8 Oct 2020 15:19:12 -0400
- To: "public-web-security@w3.org" <public-web-security@w3.org>
You have likely seen a relative flurry of review requests coming through this list of late. That is the product of W3C fixing some processes and documentation around requesting security reviews - and horizontal reviews in general. We've also gotten reviews for most - though not all - of the specs that have asked for them in the last few months!

This is an update on how security reviews are being managed following the closure of the Web Security IG. As discussed below, we need more reviewers in the rotation, and I'm sending a call for reviewers in a separate note. If you're interested, please respond to that request.

In the interest of getting more eyes onto specs and helping WGs evaluate their own analysis of specifications' security issues, I'm asking one person to take point on each requested security review. Those reviewers are drawn from a pool, mostly round-robin, with deference given to reviewers' expertise and preferences. I don't expect that a reviewer can catch every issue with a spec - instead, I want reviewers to see if the WG's own analysis of security issues appears to be complete and well-documented.

Before asking for security review, I expect specifications to have a narrative discussion of Security Considerations (and a separate discussion of privacy issues before asking for privacy review). This is not the same as responding to the Self-Review Questionnaire published jointly by the TAG and PING (the W3C Privacy Interest Group, which does privacy reviews) - while considering the questionnaire may guide the analysis that goes into a good Security Considerations write-up, most spec readers need a more nuanced analysis of the issues, not verbatim answers to the questionnaire. (The TAG asks for verbatim answers to those questions before it does design reviews, which typically happen earlier in specs' lifecycle than these security reviews.)

Speaking of the Self-Review Questionnaire, it is now being edited by Pete Snyder and Tess O'Connor. It has improved markedly, though it still needs work. They welcome your suggestions. https://w3ctag.github.io/security-questionnaire/

We have new GitHub tooling for tracking issues raised during review. Any issue in a W3C repository with a "security-needs-resolution" label is considered blocking (at least to some degree). "security-tracker" issues are "FYI". The latter label can be applied by reviewers or by a WG, the latter to seek our attention and input.

Here is the tracker dashboard for security issues: https://w3c.github.io/horizontal-issue-tracker/?repo=w3c/security-review

And documentation: https://w3c.github.io/horizontal-issue-tracker/HOWTO

There are parallel labels and a parallel dashboard for privacy issues. We're working on tooling for tracking review requests themselves in GitHub, so stay tuned for further changes.

Meanwhile, the Privacy Interest Group (PING) is doing privacy reviews. Again, they're assigning an individual to take point, and they often also discuss the review on a group call. Security reviewers are welcome to follow along with the PING review and participate in those calls if they wish.

Lastly, the requests:

1) If you find yourself interested in a document, please file comments even if you are not the designated reviewer. If you can't apply tracking labels, email me or this list with the issue links, and I'll label them.

2) We need more reviewers in the rotation. Between the increased volume of requests and individuals' own capacity for work during these odd times, I'm cycling through the rotation every 2-3 months. I want to be cycling through it every 3-6 months, to keep the workload on each reviewer modest. If you're interested, please respond to my next email.

-- Sam Weiler
Received on Thursday, 8 October 2020 19:19:15 UTC