Re: Security, Privacy, and Accessibility self-review Questionnaires.

On Tue, Nov 4, 2014 at 10:46 AM, <chaals@yandex-team.ru> wrote:

> It's a really good idea to have some documents that guide reviews.
>
> It's not nearly such a good idea to encourage "check-a-box" review of
> architectural issues. (I presume this is obvious to the people writing, but
> it isn't obvious from what is being written).
>

Agreed. With accessibility in particular, I think most folks who care would
certainly point to the various checklist approaches as examples of how not
to do reviews. With this in mind, I see the questionnaire as a pre-review
step: it's there to give someone who wants to review a specification a feel
for the things the group has already thought about, and to give the group
itself a little kick in a good direction.

As I noted earlier, this has been a pretty successful approach inside the
Chrome team; feature implementers fill out a questionnaire as a prelude to
a more detailed security or privacy review, and often find issues they need
to fix before the review even happens. Just like rubber duck debugging[1],
the mere act of explaining the specification in terms of the questionnaire
can create insight and action.


> I think it is fair to describe the TAG's level of accessibility knowledge
> as "not especially high" (although it is probably a bit better than almost
> any other group of people selected to deal with architecture of a complex
> system). The same may be true of usability, privacy, and social impact, to
> pick some.
>

I agree, so allow me to rephrase: the TAG is chartered with stewardship of
the web's architecture. Given that "buck stops here" sort of remit, if it
isn't currently capable of providing feedback on topics like accessibility,
it ought to be able to delegate to folks who can. Otherwise, its
stewardship is less stewardy than it should be. :)


> The TAG has a specific role, and it has been doing that well. I'd be
> concerned about spreading it too thinly, and assuming that they are going
> to manage things they're really not the best at.
>

The TAG has been providing useful feedback to me while writing WebAppSec
specs, and I see a number of other active reviews in progress. Given that
folks are already coming to the TAG for advice, I'd like to ensure that the
TAG is equipped to make good use of those feedback opportunities. I think
it's asking a lot of the various WGs out there to go ask the TAG for
advice, and at the same time remember to hit all the other review groups
that might exist.

Perhaps that's the point you're making with regard to synergies?

-mike

[1]: http://en.wikipedia.org/wiki/Rubber_duck_debugging

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 4 November 2014 10:00:46 UTC