
Re: Securing the security reviews in W3C - how to proceed ?

From: Chaals McCathie Nevile <chaals@yandex-team.ru>
Date: Fri, 22 Jul 2016 21:32:42 +0200
To: "Anne van Kesteren" <annevk@annevk.nl>, "GALINDO Virginie" <Virginie.Galindo@gemalto.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>
Cc: "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "Wendy Seltzer" <wseltzer@w3.org>, "Samuel Weiler" <weiler@w3.org>
Message-ID: <op.yk0oksias7agh9@77.88.19.227-red.dhcp.yndx.net>
On Fri, 22 Jul 2016 12:27:39 +0200, Martin J. Dürst  
<duerst@it.aoyama.ac.jp> wrote:

> On 2016/07/22 18:47, Martin J. Dürst wrote:
>> On 2016/07/21 23:49, Anne van Kesteren wrote:

>>> I think increasing the overall security competence and understanding
>>> of the same-origin policy, through self-review and learning, is much
>>> more important than delegating the task to a pool of "experts".

Agreed. Especially in a world where we don't have agreed ways to even  
measure the expertise of others.

One of the things experts *can* help with is precisely that learning.

>>> The idea of having "accessibility", "internationalization", and now
>>> "security" pillars has proven not to scale

Hmm. Expecting them to handle the work has generally not scaled at all  
well.

On the other hand, having them describe best practices has in the long run  
turned out to be a good way to scale what expertise we have - providing a  
platform for people to learn from that is also a concrete base for those  
who are or have learned to challenge, build on, and improve.

Leading edge efforts such as WAI and i18n have taken many years to produce  
their work, with a lot of revision as we learn how to explain things in  
the first place and then how to do so in a way that takes account of the  
continuous changes in our environment. This leads me to the conclusion  
that we're not very good teachers of each other, but that it is something  
we do learn to do better over time.

>>> It's good to have communities where you can go for help, but
>>> making them responsible doesn't really work.
>>
>> Based on my experience with internationalization, I think both trying to
>> take responsibility for all aspects of your spec AND being able to ask
>> expert groups for help is important.

It seems to me you are both saying the same thing, and I agree. There is  
value in a community of experts, but one of the key values is for the  
experts to help the rest of us get to a reasonable level of competence, so  
instead of the experts having to continuously explain our beginners'  
mistakes to us, we can do that amongst ourselves, and ask them to focus on  
the hard questions.

I suspect that also makes the whole thing more fun. While having fun isn't  
our end goal, if it happens that way we will likely be more productive for  
longer, and be happier about it, so it's not a bad thing to encourage.

(Alternately, we could try to gamify security reviews by making up magical  
characters you can collect if you find a bug… but that sort of thing would  
never work so it's clearly a silly idea…)

cheers

Chaals

-- 
Charles McCathie Nevile - web standards - CTO Office, Yandex
  chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Friday, 22 July 2016 19:33:19 UTC
