Re: Review for the WebAppSec WG Recharter -- update milestones

From: Wendy Seltzer <wseltzer@w3.org>
Date: Wed, 8 Feb 2017 14:43:28 -0500
To: Philippe Le Hégaret <plh@w3.org>, Mike West <mkwst@google.com>, Jochen Eisinger <eisinger@google.com>, Emily Stark <estark@google.com>, Tanvi Vyas <tanvi@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <d5ca4908-7fbb-7d60-e39f-a4e09bad4893@w3.org>

Thanks Mike,

I updated the draft charter with these milestones (choosing Q1 2018
where you offered Q4/Q1).
https://github.com/w3c/webappsec/commit/b5a2f59533edb405cf9d328c3d77363a3d59d439

--Wendy

On 02/08/2017 10:31 AM, Philippe Le Hégaret wrote:
> 
> 
> On 2/8/2017 3:53 AM, Mike West wrote:
>> With the caveat that we have never, ever hit a target milestone date
>> (and I think that's both normal and fine (and honestly don't think
>> there's much value in putting dates on things in the first place :) )),
> 
> We've been under pressure to make sure Working Groups are able to
> deliver in a reasonable amount of time and in more predictable ways based
> on priorities. I do realize that putting milestones on items when we
> don't know the implementation schedules is difficult however. Keep in
> mind that this doesn't mean that every single spec must have a set of
> milestones (more below).
> 
>> here are some suggestions for the specs I'm most familiar with:
> 
> That's very useful input. Thank you.
> 
>> CSP:EE => Q4/Q1; Spec should be solid in Q2, Chrome plans to ship an
>> implementation around the same time. No one else has expressed interest,
>> so I kinda expect this to stall at CR until we're more successful at
>> gaining interest. (It's cool, really. Y'all should try it out!)
>>
>> Clear Site Data => Q4/Q1; Same as CSP:EE. Chrome's implementation is
>> solidifying, spec is solidifying (GitHub is using it already), but I
>> haven't heard anything from other folks recently. I expect it to stall
>> at CR for a while. (This is also cool. Y'all should also try it out!)
>>
>> Suborigins => Q1. Chrome is planning on shipping an experimental trial
>> in the very near future, and the spec seems pretty solid. That said,
>> Joel (again, unfortunately) left Google, and it's not clear whether
>> he'll be as active on the spec as he'd like to be. It's also unclear
>> if any other browser is as interested in it as we are, so I expect
>> this to stall for a bit while we look for interop.
>>
>> Site-Wide Policy => Q2 2018. I suspect that this is going to take some
>> time to get right, but folks on the Chrome team are pretty
>> interested.
> 
> My take for those is that, unless we think those items are high
> priorities, I'd rather not assign milestones to them. I would expect to
> get more information from other implementations before committing the
> Group.
> 
> Btw, on the Site-Wide Policy, I advise to not list it as a joint
> deliverable. We do get pushback on those nowadays and, unless we feel
> strongly, I'd rather keep things simple. In addition, if WebPerf or IETF
> are interested in the subject, they can always provide input to the spec.
> 
>> Mixed Content => Q2. We're basically done with this. Boris had some
>> suggestions for clarifications on a separate thread
>> (https://github.com/w3c/resource-hints/issues/70#issuecomment-275686626,
>> which I'm woefully behind on responding to), but I don't think the
>> behavior will change. We have pretty solid interop, REC should be within
>> reach, assuming the director doesn't renew his principled objections
>> raised in the CR period.
> 
> A few of us on the team have been working on the Director's aspect, in
> order to facilitate the transitions of the Working Groups. Still work in
> progress however but I understand that the ball is in our court to solve
> it.
> 
>> Upgrade Insecure Requests => Q2. We're done with this. I think calling
>> for PR ~now is a good idea.
>>
>> Secure Contexts => Q2. Ditto.
>>
>> Referrer Policy => Q2?. This hit CR, and we can/should ask to move to PR
>> on the 26th. (Can we do a CfC now, ending on that date? CCing Jochen and
>> Emily to get it on their calendars.)
>>
>> Credential Management => Q4/Q1. Chrome is shipping this, and folks are
>> iterating a bit on the details. WebKit has started an implementation,
>> and I look forward to iterating a bit more on the details with their
>> feedback. Depending on how that goes, CR in Q3 seems reasonable once
>> we're sure the details are baked.
>>
>> SRI2: Joel has, unfortunately, left Google, and I don't think his new
>> role is going to allow him much time to work on this document. It's not
>> clear to me if the other editors of SRI are planning to push forward on
>> this, but my intuition is that it's not on anyone's roadmap for 2017.
> 
> ok.
> 
>> We could also add "Something Something Isolation" that Emily, Tanvi, et
>> al are working through. It seems more like a 2018 thing to me than a
>> 2017 thing, but I'll let them weigh in on that. (CCing Emily and Tanvi
>> to weigh in)
> 
> This sounds like incubation to me to be honest.
> 
> Philippe


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Strategy Lead, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Wednesday, 8 February 2017 19:43:35 UTC