Re: W3C Web Security IG - your view and implication

I believe the TAG reviewed promises, perhaps they also reviewed the security issues if any - cc'd the tag on this message to see if any issues/concerns/suggestions re promises security, or usefulness of review.

thanks

regards, Frederick

Frederick Hirsch
Nokia



On Jan 17, 2014, at 11:16 AM, ext GALINDO Virginie wrote:

> Thanks Art for your feedback.
> 
> About Promise, it is part of the DOM4 FPWD http://www.w3.org/TR/2013/WD-dom-20131107/#promises. While being still under construction, it allows us to have a look at it.
> 
> About Service Worker, you are right, it is still on github, and we cannot bet on its acceptance in WebApps.
> 
> About systematic security review : I hope to progress on this idea of establishing a spec review framework (see http://www.w3.org/Security/wiki/IG/W3C_spec_review#Process_Proposal_for_Reviewing_Specification) and a team to perform such reviews. Once we will be able to demonstrate that it works and useful, then we wil be able to convince W3C to include that step as a mandatory step in the specification elaboration process. And your recommendations on this matter are highly valuable.
> 
> Thanks,
> Virginie
> 
> 
> 
> -----Original Message-----
> From: Arthur Barstow [mailto:art.barstow@nokia.com]
> Sent: vendredi 17 janvier 2014 13:55
> To: GALINDO Virginie
> Cc: Frederick.Hirsch@nokia.com; wseltzer@w3.org
> Subject: Re: W3C Web Security IG - your view and implication
> 
> On 1/16/14 7:47 AM, ext GALINDO Virginie wrote:
>> 
>> Hello Frederick, Art,
>> 
>> Thanks again for your involvement in the Web Security IG. As you may
>> have noticed, the next IG call will fall in the time where Frederick
>> indicated he would not be available, and I apologize for that. I have
>> chosen the timing having in mind to have new people coming on board.
>> Nevertheless I am really interested in having your view on the IG
>> priorities and direction.
>> 
> 
> I think your outreach to the Chairs is great so thanks for that!
> 
> Although I can understand WebSecIG having various tasks and
> responsibilities, speaking primarily as a Chair, I think the spec review
> task is the most important. I do realize (as others have noted) that a
> credible and useful spec review requires `the right people` and that can
> be quite challenging. Nevertheless, anything members of the IG can do to
> help should be useful and appreciated. For instance when you, Adam,
> Wendy or someone else notice a spec that could benefit from a security
> review, issue some type of Call for Security Review. Even though there
> may not be much discussion, at least there will be an explicit call.
> Perhaps it would be helpful if the IG created some general guidelines
> and considerations and best practices (kinda' like what Frank Dawson has
> done with PING and Privacy review).
> 
> (BTW, when I was a member of OMA many years ago, explicit reviews by
> several `horizontal` groups (Security, Architecture, Requirements) were
> mandatory parts of the OMA's process. Perhaps something like that is
> needed in W3C (+Accessibility and +I18N) although I don't think anyone
> wants the reviews to become overly burdensome).
> 
>> During the last call, you have mentioned several topics like Promises
>> or Service Worker in which you would see some interest for the IG to
>> jump in. Would you be ready to allocate some time to review those
>> technologies ?
>> 
> 
> Well Promises is part of ES(6) so I'm not sure how to conduct a useful
> review.
> 
> An issue with Service Workers is that it is still a `spec in GH`. The
> PoA is for it to become a deliverable for WebApps. If/when that happens,
> we should indeed consider it as a candidate for a security review.
> 
> -Art
> 
> 
> 
>> I also wanted to mention you that the mobile web IG is expecting from
>> us a work, allowing them to understand the state of the art of the
>> mobile web security versus the mobile native security. If this is
>> something you would be interested to lead, just let me know.
>> 
>> Finally, in general, if there is any other topic in which one of you
>> would like to be involved, feel free to mention it here, or calling me
>> directly.
>> 
>> Have a nice week !
>> 
>> Virginie
>> 
>> Co-chair of the Web Security IG
>> 
>> 
>> 
>> 
>> 
>> 
>> *I**I**II **Virginie GALINDO*
>> Technical Marketing & Innovation
>> Mob: +33 6 13 23 20 03
>> 
>> La Vigie - Avenue du Jujubier - ZI Athelia IV
>> 13 705 La Ciotat Cedex - France
>> www.gemalto.com <http://www.gemalto.com>
>> 
>> 
>> ------------------------------------------------------------------------
>> This message and any attachments are intended solely for the
>> addressees and may contain confidential information. Any unauthorized
>> use or disclosure, either whole or partial, is prohibited.
>> E-mails are susceptible to alteration. Our company shall not be liable
>> for the message if altered, changed or falsified. If you are not the
>> intended recipient of this message, please delete it and notify the
>> sender.
>> Although all reasonable efforts have been made to keep this
>> transmission free from viruses, the sender will not be liable for
>> damages caused by a transmitted virus
> 
> 
> This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus

Received on Friday, 17 January 2014 23:05:28 UTC