Re: Follow-up to TAG meeting on Powerful Features

https://github.com/w3c/webappsec/pull/180
https://w3c.github.io/webappsec/admin/webappsec-charter-2015.html

On Wed Feb 18 2015 at 6:05:18 AM Mike West <mkwst@google.com> wrote:

> I'd be happy to have Yan help out with the document! I've added her to the
> document in
> https://github.com/w3c/webappsec/commit/90a27a3b54b985b3469b6e63a0869115beae9e9b
> .
>
> What changes do we need to WebAppSec's charter to enable this kind of
> cooperation? If there's copy/pastable boilerplate, I'm happy to do the
> copy/pasting.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Wed, Feb 18, 2015 at 2:39 PM, Wendy Seltzer <wseltzer@w3.org> wrote:
>
>> Thanks Yan and Brad,
>> +mkwst as current editor
>>
>> Who wants to take the next action to propose a charter amendment and
>> description of work-mode?
>>
>> --Wendy
>>
>>
>> On 02/17/2015 02:52 PM, Yan Zhu wrote:
>> > I am happy with Brad's proposal that the TAG review new CRs against the
>> criteria in the Powerful Features document [1] and raise objections with
>> the working groups accordingly. I have no opinion on whether the language
>> is normative or not.
>> >
>> > As Daniel Appelquist mentioned, I volunteered on behalf of TAG to
>> become a co-editor of the Powerful Features document if that is what
>> webappsec would prefer. I am also fine with just shepherding recommendation
>> reviews through the TAG.
>> > [1] http://www.w3.org/TR/powerful-features/#is-feature-powerful
>> >
>> > On Tuesday, February 17, 2015 10:07 AM, Brad Hill <hillbrad@gmail.com>
>> wrote:
>> >
>> >
>> >
>> > That's not exactly how I remembered it, and I'm not sure if that will
>> address Mozilla's concerns.
>> >
>> > I think that Mozilla is correct that controversies will almost
>> certainly arise around this kind of decision, and there is a very real
>> tension to resolve.  It's not unreasonable to be concerned about normative
>> language coming from a group from a self-selected group with a very
>> particular point of view being applied to override hard-fought consensus
>> from other groups.
>> >
>> > I think this is exactly the kind of issue that the TAG is designed to
>> address, and which, as a group elected by the membership at large, has the
>> legitimacy to do so.
>> >
>> > I believe it makes sense for this to be delivered as a joint
>> deliverable with the TAG, to help ensure it receives the widest possible
>> review and "puts on notice" the W3C community that new Recommendations will
>> be assessed against these criteria so that they can have these discussions
>> in their own groups, early in their process.
>> >
>> > I think the expectation should be that, while non-normative, the TAG
>> will review new Candidate Recommendations against these criteria and may
>> object or ask a group to revisit a decision to make a feature available in
>> insecure contexts, if it believes that the group has not diligently applied
>> the rubric.  And that the WebAppSec WG (and Security and Privacy IGs!) may
>> be called on to assist the TAG as subject matter experts, but will not be
>> responsible for the final decision.
>> >
>> > The language of the document will not be normative, but the consensus
>> of the community in behalf of the Web, as represented by the TAG, will.
>> >
>> > -Brad
>> >
>> >
>> > On Tue Feb 17 2015 at 7:30:54 AM Daniel Appelquist <dan@torgo.com>
>> wrote:
>> >
>> > Hi Wendy -
>> >>
>> >>
>> >> As captured in our raw minutes (
>> http://www.w3.org/2015/02/12-tagmem-minutes.html) I believe Yan stepped
>> forward to play that role. I think it’s up to the WebAppSec group chairs to
>> determine whether that should be a co-editorship. My suggestion was to use
>> the packaging spec (http://www.w3.org/TR/web-packaging/) as a template
>> for what a joint deliverable could look like (check out the Status section
>> of that document).
>> >>
>> >>
>> >> Dan
>> >>
>> >>
>> >> On 16 Feb 2015, at 10:07, Wendy Seltzer <wseltzer@w3.org> wrote:
>> >>>
>> >>> Hi Dan and TAG, cc WebAppSec,
>> >>>
>> >>> Thanks for inviting discussion on "Requirements for Powerful Features"
>> >>> at the recent TAG meeting.
>> >>>
>> >>> As a proposed way forward, I heard TAG express interest in working
>> with
>> >>> WebAppSec on the specification, to edit a joint product in which the
>> >>> requirements for "Is [insert feature here] powerful?" could be
>> >>> normative. That way, we'd combine the TAG's insight on architectural
>> >>> considerations with WebAppSec's security expertise.
>> >>>
>> >>> If that's a correct recollection, who from the TAG would be interested
>> >>> in working with WebAppSec, and how can I help to bring you on-board?
>> >>>
>> >>> Best,
>> >>> --Wendy
>> >>>
>> >>> --
>> >>> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
>> >>> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>> >>> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>> >>>
>> >>>
>> >>
>> >
>>
>>
>> --
>> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
>> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>>
>>
>

Received on Wednesday, 18 February 2015 17:45:16 UTC