W3C home > Mailing lists > Public > www-tag@w3.org > July 2016

Re: Securing the security reviews in W3C - how to proceed ?

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Fri, 22 Jul 2016 18:47:33 +0900
To: Anne van Kesteren <annevk@annevk.nl>, GALINDO Virginie <Virginie.Galindo@gemalto.com>
CC: "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>
Message-ID: <9ae09697-db36-14d5-803f-cbbe12cb4afb@it.aoyama.ac.jp>
On 2016/07/21 23:49, Anne van Kesteren wrote:
> On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie
> <Virginie.Galindo@gemalto.com> wrote:
>> Thanks for jumping in that thread if you believe you can help with improving security reviews in W3C !
>
> I think increasing the overall security competence and understanding
> of the same-origin policy, through self-review and learning, is much
> more important than delegating the task to a pool of "experts". The
> idea of having "accessibility", "internationalization", and now
> "security" pillars has proven not to scale and has done more harm than
> good. It's good to have communities where you can go for help, but
> making them responsible doesn't really work.

Based on my experience with internationalization, I think both trying to 
take responsibility for all aspects of your spec AND being able to ask 
expert groups for help is important.

The reasons for the later are at least two-fold:

1) Most people are good at quite a lot of things, but not at everything.
    Even if they force themselves to think and work hard in some areas,
    it may be very difficult. As an example, at least some areas of
    security require a very distrusting mindset. To some extent, that can
    be learned, but it may require a lot of time. To others, it may come
    more natural.

2) Most if not all of the areas we are talking about have some easy
    things that by now we hope every average spec writer and developer
    should get. For internationalization, that might be something like
    "use Unicode". But each of these areas also comes with a long tail,
    where it may be difficult to keep reasonably current even for the
    experts.

Regards,   Martin.
Received on Friday, 22 July 2016 09:48:12 UTC

This archive was generated by hypermail 2.3.1 : Friday, 22 July 2016 09:48:15 UTC