
Securing the security reviews in W3C - how to proceed ?


Securing the security reviews in W3C - how to proceed ?

GALINDO Virginie
Dear all,

As you know, W3C members recently expressed that security was a major topic for the open web platform [1]. Performing security reviews on future recommendations is one possible way to make sure the open web platform stays a secure platform. This email is to get feedback from you, and the security community:
- whether you believe that creating a pool of security experts, collectively in charge of performing security reviews, is a reasonable way to achieve that (this is the way IETF is proceeding today),
- to give you a chance to declare your interest in participating in this pool of experts, if it were to be created,
- to get from you any idea that would help improve the efficiency of security reviews.

Thanks for jumping into this thread if you believe you can help with improving security reviews in W3C!

Regards,
Virginie Galindo
Web Security IG chair and W3C AB member
Twitter : @poulpita


[1] W3C Highlights and Advisory Committee meeting https://www.w3.org/blog/2016/03/w3c-highlights-and-advisory-committee-meeting/



Re: Securing the security reviews in W3C - how to proceed ?

Anne van Kesteren-4
On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie
<[hidden email]> wrote:
> Thanks for jumping into this thread if you believe you can help with improving security reviews in W3C!

I think increasing the overall security competence and understanding
of the same-origin policy, through self-review and learning, is much
more important than delegating the task to a pool of "experts". The
idea of having "accessibility", "internationalization", and now
"security" pillars has proven not to scale and has done more harm than
good. It's good to have communities where you can go for help, but
making them responsible doesn't really work.


--
https://annevankesteren.nl/


Re: Securing the security reviews in W3C - how to proceed ?

yan
IIRC, the TAG has/had an informal policy of asking groups to self-review using https://www.w3.org/TR/security-privacy-questionnaire/ before a spec reached TAG review. I would be in favor of making this self-review process mandatory. 

On Thu, Jul 21, 2016 at 10:49 AM, Anne van Kesteren <[hidden email]> wrote:
On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie
<[hidden email]> wrote:
> Thanks for jumping into this thread if you believe you can help with improving security reviews in W3C!

I think increasing the overall security competence and understanding
of the same-origin policy, through self-review and learning, is much
more important than delegating the task to a pool of "experts". The
idea of having "accessibility", "internationalization", and now
"security" pillars has proven not to scale and has done more harm than
good. It's good to have communities where you can go for help, but
making them responsible doesn't really work.


--
https://annevankesteren.nl/



Re: Securing the security reviews in W3C - how to proceed ?

Anne van Kesteren-4
On Thu, Jul 21, 2016 at 5:00 PM, Yan Zhu <[hidden email]> wrote:
> IIRC, the TAG has/had an informal policy of asking groups to self-review
> using https://www.w3.org/TR/security-privacy-questionnaire/ before a spec
> reached TAG review. I would be in favor of making this self-review process
> mandatory.

Thank you for digging up the link! And yes, that would make sense.


--
https://annevankesteren.nl/


Re: Securing the security reviews in W3C - how to proceed ?

Léonie Watson-5
In reply to this post by Anne van Kesteren-4
On 21/07/2016 15:49, Anne van Kesteren wrote:

> On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie
> <[hidden email]> wrote:
>> Thanks for jumping into this thread if you believe you can help with improving security reviews in W3C!
>
> I think increasing the overall security competence and understanding
> of the same-origin policy, through self-review and learning, is much
> more important than delegating the task to a pool of "experts". The
> idea of having "accessibility", "internationalization", and now
> "security" pillars has proven not to scale and has done more harm than
> good. It's good to have communities where you can go for help, but
> making them responsible doesn't really work.

+1 (and then some).

We have this problem with accessibility. We spent too long doing
accessibility for other people, instead of helping them to do it for
themselves.

We now recognise this isn't sustainable, and we're trying to educate
people, and to create tools that make it easier to incorporate
accessibility into a project lifecycle. We're also trying to support
people as they gain the skills they need.
Léonie.


--
@LeonieWatson tink.uk Carpe diem


Re: Securing the security reviews in W3C - how to proceed ?

Martin J. Dürst
In reply to this post by Anne van Kesteren-4
On 2016/07/21 23:49, Anne van Kesteren wrote:

> On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie
> <[hidden email]> wrote:
>> Thanks for jumping into this thread if you believe you can help with improving security reviews in W3C!
>
> I think increasing the overall security competence and understanding
> of the same-origin policy, through self-review and learning, is much
> more important than delegating the task to a pool of "experts". The
> idea of having "accessibility", "internationalization", and now
> "security" pillars has proven not to scale and has done more harm than
> good. It's good to have communities where you can go for help, but
> making them responsible doesn't really work.

Based on my experience with internationalization, I think both trying to
take responsibility for all aspects of your spec AND being able to ask
expert groups for help is important.

The reasons for the latter are at least two-fold:

1) Most people are good at quite a lot of things, but not at everything.
    Even if they force themselves to think and work hard in some areas,
    it may be very difficult. As an example, at least some areas of
    security require a very distrusting mindset. To some extent, that can
    be learned, but it may require a lot of time. To others, it may come
    more naturally.

2) Most if not all of the areas we are talking about have some easy
    things that by now we hope every average spec writer and developer
    should get. For internationalization, that might be something like
    "use Unicode". But each of these areas also comes with a long tail,
    where it may be difficult to keep reasonably current even for the
    experts.

Regards,   Martin.


Re: Securing the security reviews in W3C - how to proceed ?

Martin J. Dürst
On 2016/07/22 18:47, Martin J. Dürst wrote:

> On 2016/07/21 23:49, Anne van Kesteren wrote:
>> On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie
>> <[hidden email]> wrote:
>>> Thanks for jumping into this thread if you believe you can help with
>>> improving security reviews in W3C!
>>
>> I think increasing the overall security competence and understanding
>> of the same-origin policy, through self-review and learning, is much
>> more important than delegating the task to a pool of "experts". The
>> idea of having "accessibility", "internationalization", and now
>> "security" pillars has proven not to scale and has done more harm than
>> good. It's good to have communities where you can go for help, but
>> making them responsible doesn't really work.
>
> Based on my experience with internationalization, I think both trying to
> take responsibility for all aspects of your spec AND being able to ask
> expert groups for help is important.
>
> The reasons for the latter are at least two-fold:

One more reason:

3) From time to time, there are similar issues turning up in different
    specs. Having a common solution, or common pieces, where possible is
    of great benefit in many ways. But it's difficult for individual spec
    writers and WGs to detect such commonalities.

Regards,   Martin.


> 1) Most people are good at quite a lot of things, but not at everything.
>    Even if they force themselves to think and work hard in some areas,
>    it may be very difficult. As an example, at least some areas of
>    security require a very distrusting mindset. To some extent, that can
>    be learned, but it may require a lot of time. To others, it may come
>    more naturally.
>
> 2) Most if not all of the areas we are talking about have some easy
>    things that by now we hope every average spec writer and developer
>    should get. For internationalization, that might be something like
>    "use Unicode". But each of these areas also comes with a long tail,
>    where it may be difficult to keep reasonably current even for the
>    experts.
>
> Regards,   Martin.


Re: Securing the security reviews in W3C - how to proceed ?

Anders Rundgren-2
In reply to this post by GALINDO Virginie
On 2016-07-21 16:34, GALINDO Virginie wrote:
> Dear all,
>
> As you know, W3C members recently expressed that security was a major topic for the open web platform [1]. Performing security reviews on future recommendations is one possible way to make sure the open web platform stays a secure platform. This email is to get feedback from you, and the security community:
> - whether you believe that creating a pool of security experts, collectively in charge of performing security reviews, is a reasonable way to achieve that (this is the way IETF is proceeding today),
> - to give you a chance to declare your interest in participating in this pool of experts, if it were to be created,
> - to get from you any idea that would help improve the efficiency of security reviews.
>
> Thanks for jumping into this thread if you believe you can help with improving security reviews in W3C!

It appears to be a fairly big job there already:
https://lists.w3.org/Archives/Public/public-payments-wg/2016Jul/0194.html

I can't help though since I wasn't invited to the party :-)

Anders



Re: Securing the security reviews in W3C - how to proceed ?

Chaals McCathie Nevile
In reply to this post by Martin J. Dürst
On Fri, 22 Jul 2016 12:27:39 +0200, Martin J. Dürst  
<[hidden email]> wrote:

> On 2016/07/22 18:47, Martin J. Dürst wrote:
>> On 2016/07/21 23:49, Anne van Kesteren wrote:

>>> I think increasing the overall security competence and understanding
>>> of the same-origin policy, through self-review and learning, is much
>>> more important than delegating the task to a pool of "experts".

Agreed. Especially in a world where we don't have agreed ways to even
measure the expertise of others.

One of the things experts *can* help with is precisely that learning.

>>> The idea of having "accessibility", "internationalization", and now
>>> "security" pillars has proven not to scale

Hmm. Expecting them to handle the work has generally not scaled at all  
well.

On the other hand having them describe best practices has in the long run  
turned out to be a good way to scale what expertise we have - providing a  
platform for people to learn from that is also a concrete base for those  
who are or have learned to challenge, build on, and improve.

Leading edge efforts such as WAI and i18n have taken many years to produce  
their work, with a lot of revision as we learn how to explain things in  
the first place and then how to do so in a way that takes account of the  
continuous changes in our environment. This leads me to the conclusion  
that we're not very good teachers of each other, but that it is something  
we do learn to do better over time.

>>> It's good to have communities where you can go for help, but
>>> making them responsible doesn't really work.
>>
>> Based on my experience with internationalization, I think both trying to
>> take responsibility for all aspects of your spec AND being able to ask
>> expert groups for help is important.

It seems to me you are both saying the same thing, and I agree. There is
value in a community of experts, but one of the key values is for the
experts to help the rest of us get to a reasonable level of competence, so
instead of the experts having to continuously explain our beginners'
mistakes to us, we can do that amongst ourselves, and ask them to focus on
the hard questions.

I suspect that also makes the whole thing more fun. While having fun isn't  
our end goal, if it happens that way we will likely be more productive for  
longer, and be happier about it, so it's not a bad thing to encourage.

(Alternately, we could try to gamify security reviews by making up magical  
characters you can collect if you find a bug… but that sort of thing would  
never work so it's clearly a silly idea…)

cheers

Chaals

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
  [hidden email] - - - Find more at http://yandex.com
