IG/W3C spec review

From Web Security
< IG
Jump to: navigation, search

Frequently Asked Questions

  • When should a spec be reviewed? The spec's scope should be reasonably complete but in general, the earlier the review the better.
  • Can members of the IG request review? Yes (there is no need to wait for a group to ask for a document to be reviewed).
  • Does the Web Security IG review W3C specifications only, or external specifications ? The Web Security IG task is to review technology produced by W3C WG, nevertheless it can address specifications for others SDOs or organizations, such as IETF, when requested.
  • Does the Web Security IG maintain some recommendation guidelines for security considerations ? The Web Security IG is drafting some recommendations, but are not complete at the moment, but one could have a look at the IETF Security considerations guidelines

Requesting a Review

To get the Web Security IG to review a spec:


Process Proposal for Reviewing Specification

The following process to review specifications is offered for comments to the Web Security IG members, it is based on suggestions received by Dom Hazael-Massieux. It is currently under review by the IG. All requests for improvement are tracked under this wiki page

- A W3C specification review can happen at any step of the W3C process, ideally before it goes to Last Call (see W3C process).

- When a W3C specification review is conducted at the Working Draft step, the review intends to raise security concerns that may appear when developing the technology.

- When a W3C specification review is conducted at the Last Call step, the review intends to be extensive, raising weaknesses and potential expected countermeasures.

- When a specification review deals with a deliverable from another standardization body, the aim of the review will depend on the process of this standardization body. But the principle of a high level review for draft and deep review on stable documents should be applied, when possible.

- A review is conducted by a leader, who is in charge of indicating the required time, gathering appropriate expertise, editing the review report and sharing the report with the Web Security IG. It is expected that the review should not last more then a month. The reviewing team chooses its tool (github, wiki, calls, ..) to conduct the review. The review report will include the details about the way the review was conducted and by whom, with references to public archives (github, minutes call, wiki pages...). The report will contain warnings and recommendations for improving the specification (when possible).

- Once the specification review report is made available to the The Web Security IG, members of the IG have 2 weeks to raise comments against the review. After this period, the review is considered as the Web Security IG deliverable.

Note : an example of reviewing process by the Internationalization Core WG can be found under http://www.w3.org/International/wiki/Review_radar

Formal Review requests

  • W3C Manifest Public Working Draft - The security review was requested by Marco Carceres on the public mailing list [1] on the 26th of May.

Potential candidates for Review

  • Encrypted Media Extensions - The API supports use cases ranging from simple clear key decryption to high value video (given an appropriate user agent implementation). License/key exchange is controlled by the application, facilitating the development of robust playback applications supporting a range of content decryption and protection technologies.
  • Web Crypto API - This specification describes a JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications.
  • Service Worker - This concept is enabling offline webapp improvement. This technology is under definition by Alex Russel (from Google and W3C TAG) et al. and may land in W3C soon.
  • Promises also discussed in whatwg - This technology will introduce management of asynchronicity. Read more in this tutorial by Jake Archibald.
  • JOSE - Many Internet applications have a need for object-based security mechanisms in addition to security mechanisms at the network layer or transport layer. In the past, the Cryptographic Message Syntax (CMS) has provided a binary secure object format based on ASN.1. Over time, the use of binary object encodings such as ASN.1 has been overtaken by text-based encodings, for example JavaScript Object Notation. The JOSE stack enables JSON objects to be signed, encrypted, and verified.
  • Persona - Persona allows you to sign in to sites using any of your existing email addresses.
  • Secure Messaging - The Secure Messaging specification describes a simple, decentralized security infrastructure for the Web based on public key cryptography. This system enables Web applications to establish identities for agents on the Web, associate security credentials with those identities, and then use those security credentials to send and receive messages that are both encrypted and verifiable via digital signatures.
  • HTTP Signatures - When communicating over the Internet using the HTTP protocol, it is often desirable to be able to securely verify the sender of a message as well as ensure that the message was not tampered with during transit. This document describes a way to add origin authentication and message integrity to HTTP messages.
  • Web Identity -An identity is a Linked Data description of a particular entity such as a person or organization. This specification describes a mechanism of reading and writing to an online Linked Data identity. Linked Data identities are useful for storing arbitrary information, such as a person's shipping address, verified citizenship information, or age. The data is only accessible by authorized applications.

Reviews in Progress

  • @TBD

Reviews Completed

  • @TBD

Drafting a security guideline

  • The W3C Web Security IG is collecting some material to build a security guideline for chairs and editors, to make sure they treat the security appropriately and get basic support to fill the Security Considerations section. The raw list can be found under here