Fwd: Re: QA WG Response to SpecGL comments

Alex

Thank you for your quick response.  The QAWG has discussed your comments 
during today's teleconference and has asked me to respond to you.

The QAWG agrees with you, in that security is important and, when 
applicable to their technology, needs to be considered by WGs.  However, we 
reaffirm that security is not within the scope of the SpecGL.  The scope of 
the SpecGL is focused on conformance and conformance topics.   Addressing 
security is much wider than the QA Activity and SpecGL, and may exceed QA's 
scope and authority for writing requirements.   It is similar to other 
areas/concerns, such as accessibility, I18N or device independence.  All of 
these are important and need to be taken into account.  And, as you know, 
these other cross cutting areas are addressed by specific Activities or 
WGs.  Maybe security should be addressed at a higher W3C level.  The 
question becomes, where does security get addressed and what kind of policy 
(if any) should there be?  There is no W3C policy (that I know of) that 
requires recommendations to address security - perhaps there should 
be.  Perhaps there should be a separate document (white paper? W3C Note?) 
addressing security issues and practices.  This could be done by the QA in 
concert with the TAG.

>>[...]
>>         I think that most would agree that having a good security
>>section in a specification improves security and reliability of
>>implementations. Security (and reliability in general) is clearly a
>>quality issue. Better [quality] specifications are those with good
>>security sections (all other factors being equal) -- they often breed
>>better [more reliable] implementations.

Agreed.

>>         I will now quote specific QAWG documents that define
>>(AFAIK) QAWG scope.
>>
>>         http://www.w3.org/QA/Activity
>>         "The Quality Assurance (QA) Activity at W3C has a dual focus:
>>         to solidify and extend current quality practices ..."
>>
>>Being careful about and thinking ahead of the security of
>>implementations is a current quality practice (at least at IETF and
>>other forums I have access to).

Yes.  However, we are addressing the scope of the SpecGL (not the 
Activity), which is narrowly focused on conformance. This was done on 
purpose - to keep the document as concise as possible and targeted on a 
specific aspect of quality.  There are many quality practices that we don't 
address in SpecGL.  Our work is not finished - we will be exploring the 
development of Notes, other specs, tools, etc. targeting other areas.

>>         http://www.w3.org/QA/Activity
>>         Works on the quality of the specs themselves (...
>>         in particular, that they are coordinated with the TAG).
>>
>>TAG already deals with a growing number of security aspects/concerns
>>related to web architecture.

Again, one of the reasons this is beyond the scope of QA.  It would make 
sense to work with TAG to develop a W3C policy or guidance in this 
area.  This is something that we will pursue.

>>         http://www.w3.org/TR/qaframe-intro/
>>         Foremost amongst the purposes of defining a common QA
>>         Framework is the principal goal of the QA Activity itself:
>>         to improve the quality of W3C standards' implementations
>>         in the field.
>>
>>Again, having a good security section would improve the quality of W3C
>>standards' implementations in the field.

Don't disagree.

>>Please note that I do not expect QAWG to tell spec authors _how_ to
>>write a good security section. Such explanations may come from other,
>>more security-experienced W3C bodies or can be adopted from, say,
>>relevant IETF recommendations (as informative references). I expect
>>QAWG to tell spec authors to think about security and write a security
>>section. Period.

Again, we believe this to be out of the SpecGL scope, which addresses 
conformance topics.

>>To summarize, I see no basis to "consider security requirements to be
>>outside of the scope of QA Framework" and hence cannot agree with the
>>resolution. For me to accept a negative resolution, either the QAWG
>>scope should be narrowed/clarified or a different reason should be
>>given.

It is not necessarily out of scope of QA, but as we defined the QA 
Framework documents - SpecGL, specifically - it is out of scope.

>>Sorry for creating more work for you, but I think this issue is
>>important enough.

We agree that it is an important issue.  IMO, it is something that the QA 
with your help should pursue - at the very least, it would be great if you 
could put together a discussion paper.  We will also discuss security and 
your valid concerns in the context of a possible TAG/QA/other W3C 
collaboration and as a separate QA topic to be pursued in its own right.

regards
Lynne

Received on Monday, 15 September 2003 14:54:56 UTC