- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Fri, 22 Jul 2016 19:27:39 +0900
- To: Anne van Kesteren <annevk@annevk.nl>, GALINDO Virginie <Virginie.Galindo@gemalto.com>
- CC: "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>
On 2016/07/22 18:47, Martin J. Dürst wrote: > On 2016/07/21 23:49, Anne van Kesteren wrote: >> On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie >> <Virginie.Galindo@gemalto.com> wrote: >>> Thanks for jumping in that thread if you believe you can help with >>> improving security reviews in W3C ! >> >> I think increasing the overall security competence and understanding >> of the same-origin policy, through self-review and learning, is much >> more important than delegating the task to a pool of "experts". The >> idea of having "accessibility", "internationalization", and now >> "security" pillars has proven not to scale and has done more harm than >> good. It's good to have communities where you can go for help, but >> making them responsible doesn't really work. > > Based on my experience with internationalization, I think both trying to > take responsibility for all aspects of your spec AND being able to ask > expert groups for help is important. > > The reasons for the later are at least two-fold: One more reason: 3) From time to time, there are similar issues turning up in different specs. Having a common solution, or common pieces, where possible is of great benefit in many ways. But it's difficult for individual spec writers and WGs to detect such commonalities. Regards, Martin. > 1) Most people are good at quite a lot of things, but not at everything. > Even if they force themselves to think and work hard in some areas, > it may be very difficult. As an example, at least some areas of > security require a very distrusting mindset. To some extent, that can > be learned, but it may require a lot of time. To others, it may come > more natural. > > 2) Most if not all of the areas we are talking about have some easy > things that by now we hope every average spec writer and developer > should get. For internationalization, that might be something like > "use Unicode". But each of these areas also comes with a long tail, > where it may be difficult to keep reasonably current even for the > experts. > > Regards, Martin. > > . >
Received on Friday, 22 July 2016 10:28:20 UTC