(unknown charset) Re: Notes on Last Call Issues for SpecGL from (unknown charset) Alex Rousskov on 2003-03-28 (www-qa@w3.org from March 2003)

From: (unknown charset) Alex Rousskov <rousskov@measurement-factory.com>
Date: Fri, 28 Mar 2003 09:41:55 -0700 (MST)
To: (unknown charset) www-qa@w3.org
Message-ID: <Pine.BSF.4.53.0303280910280.12867@measurement-factory.com>

On Fri, 28 Mar 2003, Dominique [ISO-8859-1] Hazaël-Massieux wrote:

> Issues regarding the scope of specGL:
>
> - LC-1: should there be considerations about security?
>
> Analysis:
>
> This is clearly out of the scope of the document ["enhance the
> clarity, implementability, and testability of TRs"] and of our
> charter ["* improving the quality of W3C specifications (with
> respect to conformance statement, test assertions,
> tutorial/examples, formal representation of languages, etc.)"].

Dominique,

	I disagree with your interpretation of the WG charter.  IMO,
requiring "Security Considerations" sections in TRs is a "quality of
W3C specifications" issue. Both spec writers and implementors need to
be forced to think about security issues because those issues are
overlooked otherwise. The "(with respect to ...)" items you quote have
"etc." for a good reason.

IMO, the same is true for recommending or requiring _any_ specific
section in TRs -- QA WG should be in a position to recommend basic
structure of a typical TR (i.e., a list of required sections). If QA
WG cannot do that, who can? And SpecGL is _the_ place to make such a
recommendation.

I also disagree with your interpretation of the SpecGL scope.  A
"Security Considerations" section does enhance the clarity of TRs
(because all concerns are listed in a single place) and does help
implementors (because they are likely to miss important implementation
caveats without it). If you think it does not, why do we have
"Security Considerations" sections at all? To guide crackers to
possible vulnerabilities?!

Presence of a "Security Considerations" section should be a checkpoint
in SpecGL, IMO.

Thanks,

Alex.

P.S. I suspect the very same reasoning applies to a "Accessibility
     Considerations" section.

-- 
                            | HTTP performance - Web Polygraph benchmark
www.measurement-factory.com | HTTP compliance+ - Co-Advisor test suite
                            | all of the above - PolyBox appliance

Received on Friday, 28 March 2003 11:42:08 UTC