- From: Chaals McCathie Nevile <chaals@yandex-team.ru>
- Date: Fri, 22 Jul 2016 21:32:42 +0200
- To: "Anne van Kesteren" <annevk@annevk.nl>, "GALINDO Virginie" <Virginie.Galindo@gemalto.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Cc: "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "Wendy Seltzer" <wseltzer@w3.org>, "Samuel Weiler" <weiler@w3.org>

On Fri, 22 Jul 2016 12:27:39 +0200, Martin J. Dürst <duerst@it.aoyama.ac.jp> wrote:

> On 2016/07/22 18:47, Martin J. Dürst wrote:
>> On 2016/07/21 23:49, Anne van Kesteren wrote:
>>> I think increasing the overall security competence and understanding
>>> of the same-origin policy, through self-review and learning, is much
>>> more important than delegating the task to a pool of "experts".

Agreed. Especially in a world where we don't have agreed ways to even measure the expertise of others. One of the things experts *can* help with is precisely that learning.

>>> The idea of having "accessibility", "internationalization", and now
>>> "security" pillars has proven not to scale

Hmm. Expecting them to handle the work has generally not scaled at all well. On the other hand, having them describe best practices has in the long run turned out to be a good way to scale what expertise we have - providing a platform for people to learn from that is also a concrete base for those who are or have learned to challenge, build on, and improve.

Leading edge efforts such as WAI and i18n have taken many years to produce their work, with a lot of revision as we learn how to explain things in the first place and then how to do so in a way that takes account of the continuous changes in our environment.

This leads me to the conclusion that we're not very good teachers of each other, but that it is something we do learn to do better over time.

>>> It's good to have communities where you can go for help, but
>>> making them responsible doesn't really work.
>>
>> Based on my experience with internationalization, I think both trying to
>> take responsibility for all aspects of your spec AND being able to ask
>> expert groups for help is important.

It seems to me you are both saying the same thing, and I agree.

There is value in a community of experts, but one of the key values is for the experts to help the rest of us get to a reasonable level of competence, so instead of the experts having to continuously explain our beginners' mistakes to us, we can do that amongst ourselves, and ask them to focus on the hard questions.

I suspect that also makes the whole thing more fun. While having fun isn't our end goal, if it happens that way we will likely be more productive for longer, and be happier about it, so it's not a bad thing to encourage.

(Alternately, we could try to gamify security reviews by making up magical characters you can collect if you find a bug… but that sort of thing would never work so it's clearly a silly idea…)

cheers

Chaals

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Friday, 22 July 2016 19:33:19 UTC