- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Fri, 22 Jul 2016 18:47:33 +0900
- To: Anne van Kesteren <annevk@annevk.nl>, GALINDO Virginie <Virginie.Galindo@gemalto.com>
- CC: "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>
On 2016/07/21 23:49, Anne van Kesteren wrote: > On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie > <Virginie.Galindo@gemalto.com> wrote: >> Thanks for jumping in that thread if you believe you can help with improving security reviews in W3C ! > > I think increasing the overall security competence and understanding > of the same-origin policy, through self-review and learning, is much > more important than delegating the task to a pool of "experts". The > idea of having "accessibility", "internationalization", and now > "security" pillars has proven not to scale and has done more harm than > good. It's good to have communities where you can go for help, but > making them responsible doesn't really work. Based on my experience with internationalization, I think both trying to take responsibility for all aspects of your spec AND being able to ask expert groups for help is important. The reasons for the later are at least two-fold: 1) Most people are good at quite a lot of things, but not at everything. Even if they force themselves to think and work hard in some areas, it may be very difficult. As an example, at least some areas of security require a very distrusting mindset. To some extent, that can be learned, but it may require a lot of time. To others, it may come more natural. 2) Most if not all of the areas we are talking about have some easy things that by now we hope every average spec writer and developer should get. For internationalization, that might be something like "use Unicode". But each of these areas also comes with a long tail, where it may be difficult to keep reasonably current even for the experts. Regards, Martin.
Received on Friday, 22 July 2016 09:48:12 UTC