- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Fri, 22 Jul 2016 19:27:39 +0900
- To: Anne van Kesteren <annevk@annevk.nl>, GALINDO Virginie <Virginie.Galindo@gemalto.com>
- CC: "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>
On 2016/07/22 18:47, Martin J. Dürst wrote:
> On 2016/07/21 23:49, Anne van Kesteren wrote:
>> On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie
>> <Virginie.Galindo@gemalto.com> wrote:
>>> Thanks for jumping in that thread if you believe you can help with
>>> improving security reviews in W3C!
>>
>> I think increasing the overall security competence and understanding
>> of the same-origin policy, through self-review and learning, is much
>> more important than delegating the task to a pool of "experts". The
>> idea of having "accessibility", "internationalization", and now
>> "security" pillars has proven not to scale and has done more harm than
>> good. It's good to have communities where you can go for help, but
>> making them responsible doesn't really work.
>
> Based on my experience with internationalization, I think both trying to
> take responsibility for all aspects of your spec AND being able to ask
> expert groups for help is important.
>
> The reasons for the latter are at least two-fold:
One more reason:
3) From time to time, there are similar issues turning up in different
specs. Having a common solution, or common pieces, where possible is
of great benefit in many ways. But it's difficult for individual spec
writers and WGs to detect such commonalities.
Regards, Martin.
> 1) Most people are good at quite a lot of things, but not at everything.
> Even if they force themselves to think and work hard in some areas,
> it may be very difficult. As an example, at least some areas of
> security require a very distrusting mindset. To some extent, that can
> be learned, but it may require a lot of time. To others, it may come
> more naturally.
>
> 2) Most if not all of the areas we are talking about have some easy
> things that by now we hope every average spec writer and developer
> should get. For internationalization, that might be something like
> "use Unicode". But each of these areas also comes with a long tail,
> where it may be difficult to keep reasonably current even for the
> experts.
>
> Regards, Martin.
Received on Friday, 22 July 2016 10:28:23 UTC