[security-request] Issue: Trace Context 2022-09-22 (#40) marked as REVIEW REQUESTED

kalyanaj has just labeled an issue for https://github.com/w3c/security-request as "REVIEW REQUESTED":

== Trace Context 2022-09-22 ==
We prefer groups to run a self-review around the time of FPWD. See https://w3ctag.github.io/security-questionnaire/.

If you still want us to review your spec, please provide the information below.

In the issue title above add the document name followed by the date of this request.

name of spec to be reviewed: Trace Context Level 2
URL of spec: https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2FTR%2Ftrace-context-1%2F&doc2=https%3A%2F%2Fwww.w3.org%2FTR%2F2022%2FWD-trace-context-2-20220929%2F
Does your document have an in-line Security Considerations section, ideally one separate from Privacy Considerations? Yes
Do you need a reply by a particular date? We are looking to get into recommendation stage before end of year.
Please point to the results of your own self-review (see https://w3ctag.github.io/security-questionnaire/ , https://w3c.github.io/fingerprinting-guidance/, https://tools.ietf.org/html/rfc6973): https://github.com/w3c/trace-context/issues/496
Where and how to file issues arising? https://github.com/w3c/trace-context/issues/
Pointer to any explainer for the spec?
Explainer: https://github.com/w3c/distributed-tracing-wg/blob/main/EXPLAINER.md.

Other comments:
**What**: The main difference from Trace Context Level 1 (which is already in recommendation status) is the ability to express whether at least a part of the traceID has been randomly (or pseudo-randomly) generated.
**Why**: This enables downstream systems to use the trace ID for sampling purposes or for sharding purposes.
**How**: This is achieved by the introduction of a new flag called "Random Trace ID flag". If the newly introduced random-trace-id flag is set, at least the right-most 7 bytes of the trace-id MUST be randomly (or pseudo-randomly) generated.

See https://github.com/w3c/security-request/issues/40

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 29 September 2022 23:52:16 UTC
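
The "Why" and "How" in the message above, seen from a downstream service, as an added example that is not part of the original message or of the specification: sample on the right-most 7 bytes of the trace-id only when the sender sets the random-trace-id flag, and fall back to local randomness otherwise. The `traceparent` layout and the flag's bit value (0x02) are assumptions taken from the Trace Context specification rather than from this message; the function names and sample headers are constructed for illustration.

```python
import re
import secrets

# Assumed from the W3C Trace Context spec (not stated in the message above):
# traceparent = version "-" trace-id "-" parent-id "-" trace-flags, lowercase hex.
TRACEPARENT_RE = re.compile(r"^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")
FLAG_RANDOM_TRACE_ID = 0x02  # assumed bit position of the Level 2 random-trace-id flag
RANDOM_BITS = 56             # right-most 7 bytes of the trace-id


def random_part(traceparent):
    """Return the right-most 7 bytes of the trace-id as an int, or None when
    the header is malformed or does not assert that those bytes are random."""
    m = TRACEPARENT_RE.match(traceparent.strip())
    if not m:
        return None
    version, trace_id, parent_id, flags = m.groups()
    if version == "ff" or set(trace_id) == {"0"} or set(parent_id) == {"0"}:
        return None  # invalid version or all-zero ids
    if not int(flags, 16) & FLAG_RANDOM_TRACE_ID:
        return None  # sender makes no randomness claim; do not sample on the id
    return int(trace_id[-14:], 16)


def should_sample(traceparent, rate):
    """Return (keep, source). The decision is consistent across services only
    when it is derived from the trace-id; otherwise fall back to local randomness."""
    threshold = int(rate * (1 << RANDOM_BITS))
    value = random_part(traceparent)
    if value is not None:
        return value < threshold, "trace-id"
    return secrets.randbelow(1 << RANDOM_BITS) < threshold, "local"


# Constructed sample headers (not taken from the page).
LOW = "00-" + "ab" * 9 + "7fffffffffffff" + "-00f067aa0ba902b7-03"
HIGH = "00-" + "ab" * 9 + "80000000000000" + "-00f067aa0ba902b7-02"
UNFLAGGED = "00-" + "00" * 9 + "00000000000001" + "-00f067aa0ba902b7-01"

if __name__ == "__main__":
    for h in (LOW, HIGH, UNFLAGGED, "garbage"):
        print(h, should_sample(h, 0.5))
```

The flag is a claim made by the upstream sender, so a service that shards or samples on it is trusting that sender's ID generation.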