Re: RfC: wide review of Sensor APIs Pre-CR WDs from Jochen Eisinger on 2017-10-23 (public-webappsec@w3.org from October 2017)

From: Jochen Eisinger <eisinger@google.com>
Date: Mon, 23 Oct 2017 14:52:22 +0000
To: "Kostiainen, Anssi" <anssi.kostiainen@intel.com>
Cc: Dominique Hazael-Massieux <dom@w3.org>, Wendy Seltzer <wseltzer@w3.org>, W3C Devices and Sensors WG <public-device-apis@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CALjhuieh0896g9aV1Dqu8Dz5ojVbJ+4F2jX-2gkAAGDsMQq3Nw@mail.gmail.com>
On Mon, Oct 23, 2017 at 1:50 PM Kostiainen, Anssi <
anssi.kostiainen@intel.com> wrote:

> [+W3C Team contacts Dom & Wendy to clarify wide review expectations.]
>
> Hi Jochen,
>
> > On 21 Oct 2017, at 10.11, Jochen Eisinger <eisinger@google.com> wrote:
> >
> > Hi!
> >
> > The WebAppSec WG doesn't review other WGs specs.
>
> Is that the WebAppSec WG's official position?
>
> I'm asking, since that's in conflict with the Document Review best
> practices (and advise I got from W3C Staff):
>
> [[
>
> Which group(s) should be asked to review a document?
>
> All group charters should include information about the groups and
> external liaisons that are interested in particular documents. At a
> minimum, those groups should be included in all review request for their
> related document(s).
>
> https://www.w3.org/wiki/DocumentReview#Who_to_ask_for_review.3F
>
> ]]
>
> The Device and Sensors WG has WebAppSec WG as a dependency in its charter,
> since practically all of its specs depend on WebAppSec specs:
>
> https://www.w3.org/2016/03/device-sensors-wg-charter.html#coordination
>
> Device and Sensors WG's expectation was WebAppSec WG would be interested
> in reviewing the use of these dependencies as noted in the wide review
> request to WebAppSec WG:
>
> [[
>
> In particular the group requests review of the use of Permissions, Feature
> Policy, and Secure Contexts specifications.
>
> ]]
>
> (Granted, the Feature Policy spec is still in WICG, but should still be of
> interest to this group. We reach out to WICG separately on that one.)
>
> > Please reach out to the
> > https://www.w3.org/Security/wiki/IG
>
> We reached out to the Security IG too as part of the wide review:
>
> https://lists.w3.org/Archives/Public/public-web-security/2017Oct/0001.html
>
> ... and asked them to focus their review on security considerations in
> general.
>
> (That said, we have observed the IG has not been very responsive recently
> and wide review requests have fallen through the cracks -- but that's an
> issue of its own.)
>
> > and work with the browser vendors involved in your WG to have their
> respective security teams support you.
>
> The Chrome Security team has been closely involved throughout the
> implementation of these specs, and the APIs in scope for this wide review
> have passed their scrutiny and are now shipping as an Origin Trial starting
> in Chrome 63 Beta.
>
> Hopefully this clears up some confusion around expectations for wide
> review.
>
> All that said, the Device and Sensors WG is welcoming any feedback from
> WebAppSec WG.
>
> We're not asking you to do a full-blown review unless you really want to,
> all we want is get feedback on the use of Permissions and Secure Contexts
> (and as a bonus Feature Policy). My apologies, if the expected scope of the
> review was not clear enough in the wide review request.
>


Thanks for the clarification!

I read your initial email as a general review requests as part of ticking
off checkboxes to move to CR.

>From the charter, it reads more like the intended interaction would have
been way earlier? Giving substantial input on the specs at a point where
they're already in origin trial in Chrome, and about to move to CR sounds
difficult :/

Maybe that's a question for Wendy et al. Is a sign-off as a last step
before CR the kind of interaction you intended?

best
-jochen


> Thanks,
>
> -Anssi (Device and Sensors WG Chair)
>
>
> > Best
> > Jochen
> >
> > Kostiainen, Anssi <anssi.kostiainen@intel.com> schrieb am Fr., 20. Okt.
> 2017, 10:28:
> > Hi WebAppSec WG,
> >
> > The Device and Sensors Working Group requests review of the following
> > specification before 2017-12-31:
> >
> >    Generic Sensor API
> >    https://www.w3.org/TR/generic-sensor/
> >
> > Including the following concrete sensor specifications that extend
> > the Generic Sensor API:
> >
> >    Ambient Light Sensor
> >    https://www.w3.org/TR/ambient-light/
> >
> >    Accelerometer
> >    https://www.w3.org/TR/accelerometer/
> >
> >    Gyroscope
> >    https://www.w3.org/TR/gyroscope/
> >
> >    Magnetometer
> >    https://www.w3.org/TR/magnetometer/
> >
> >    Orientation Sensor
> >    https://www.w3.org/TR/orientation-sensor/
> >
> > Informative background material (not in scope of the wide review):
> >
> >    Motion Sensors Explainer
> >    https://w3c.github.io/motion-sensors/
> >
> >    Sensor Use Cases
> >    https://w3c.github.io/sensors/usecases
> >
> > In particular the group requests review of the use of Permissions,
> > Feature Policy, and Secure Contexts specifications.
> >
> > The group requests feedback via the respective specifications' GitHub
> > repositories, or via email to public-device-apis@w3.org.
> >
> > These publications are Pre-Candidate Recommendation Drafts under the
> > 2017 Process [1]. Therefore, the group is looking for confirmation
> > that it has satisfied its relevant technical requirements and
> > dependencies with other groups.
> >
> > Thanks,
> >
> > -Anssi (Device and Sensors WG Chair)
> >
> > [1] https://www.w3.org/wiki/DocumentReview
> >
>
>
Received on Monday, 23 October 2017 14:53:00 UTC