Re: Call for Consensus: Stop work and transition 3 Working Drafts to Working Group Notes from Daniel Veditz on 2016-07-18 (public-webappsec@w3.org from July 2016)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 18 Jul 2016 13:04:43 -0700
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADYDTCAyHrbKg7H=f2po6sYKuwrAggRMwtxL0Bvkdj_4YaoZng@mail.gmail.com>

[removing chair hat]

I've spoken with the Mozilla WASWG members and we agree with transitioning
these three documents.

-Dan Veditz

On Tue, Jul 12, 2016 at 2:33 PM, Brad Hill <hillbrad@gmail.com> wrote:

> This is a call for consensus to transition three Working Drafts of the Web
> Application Security WG to "Working Group Note" status and indicate that
> they are no longer under active development towards the Recommendation
> Track, as discussed at the May F2F and briefly on the list.
>
> The following specifications are proposed for transition:
> ---------------------------------------------------
> Entry Point Regulation
> https://www.w3.org/TR/epr/
>
> Last updated ~1 year ago.
> Reason to transition to Note: Same-site cookies (
> https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00)
> provide much of the intended attack surface reduction more simply
> ---------------------------------------------------
>
>
> ---------------------------------------------------
> CSP Cookie Controls
> https://www.w3.org/TR/csp-cookies/
>
> Last updated ~6 months ago.
> Reason to transition to Note: The Feature Policy proposal (
> https://wicg.github.io/feature-policy/) could be a better home for the
> intended functionality as part of a broader and more coherent approach,
> rather than putting this into CSP.
> ---------------------------------------------------
>
> ---------------------------------------------------
> CSP Pinning
> https://www.w3.org/TR/csp-pinning/
>
> Last updated ~6 months ago.
> Reason to transition to Note: While this kind of feature is still
> considered useful, like Cookie Controls and Feature Policy, the editor
> feels it would be better managed as part of a more generalized strategy for
> header pinning, and as part of that, with a strategy perhaps along the
> lines of a manifest, well-known resource or service worker that doesn't
> incur the cost of sending the pinning header with every request.
> ---------------------------------------------------
>
> This CfC will be discussed on tomorrow's regularly scheduled working group
> teleconference (agenda to follow shortly on this list) and will close on
> Friday, 22-July-2016.
>
> Positive responses encouraged, silence is consent.
>
> Thank you,
>
> Brad Hill
>
>

Received on Monday, 18 July 2016 20:05:15 UTC