IG/W3C spec review

From Web Security
Revision as of 09:25, 16 January 2014

Frequently Asked Questions

  • When should a spec be reviewed? The spec's scope should be reasonably complete, but in general the earlier the review, the better.
  • Can members of the IG request a review? Yes; there is no need to wait for a group to ask for a document to be reviewed.
  • Does the Web Security IG review W3C specifications only, or external specifications as well? The Web Security IG's task is to review technology produced by W3C Working Groups; nevertheless, it can address specifications from other SDOs or organizations, such as the IETF, when requested.
  • Does the Web Security IG maintain recommendation guidelines for security considerations? The Web Security IG does not, but one can look at the IETF security considerations guidelines (RFC 3552, "Guidelines for Writing RFC Text on Security Considerations").

Requesting a Review

To get the Web Security IG to review a spec:


Process Proposal for Reviewing Specification

The following process for reviewing W3C specifications is offered for comments to the Web Security IG members, based on suggestions received from Dom Hazael-Massieux.

- A W3C specification review can happen at any step of the W3C process before it goes to Last Call (see the W3C process, http://www.w3.org/2005/10/Process-20051014/tr.html#last-call).

- When a review is conducted at the Working Draft step, it is intended to raise security concerns that may arise while the technology is being developed.

- When a review is conducted at the Last Call step, it is intended to be extensive, raising weaknesses and the countermeasures expected against them.

- A review is conducted by a leader, who is in charge of gathering the appropriate expertise, editing the review report, and sharing the report with the Web Security IG. Once the report has been made available to the Web Security IG, members of the IG have 2 weeks to raise comments against the review. After this period, the review is considered the Web Security IG's deliverable.

Candidates for Review

  • Encrypted Media Extensions - The API supports use cases ranging from simple clear key decryption to high value video (given an appropriate user agent implementation). License/key exchange is controlled by the application, facilitating the development of robust playback applications supporting a range of content decryption and protection technologies.
  • JOSE - Many Internet applications have a need for object-based security mechanisms in addition to security mechanisms at the network layer or transport layer. In the past, the Cryptographic Message Syntax (CMS) has provided a binary secure object format based on ASN.1. Over time, the use of binary object encodings such as ASN.1 has been overtaken by text-based encodings, for example JavaScript Object Notation. The JOSE stack enables JSON objects to be signed, encrypted, and verified.
  • Persona - Persona allows you to sign in to sites using any of your existing email addresses.
  • Secure Messaging - The Secure Messaging specification describes a simple, decentralized security infrastructure for the Web based on public key cryptography. This system enables Web applications to establish identities for agents on the Web, associate security credentials with those identities, and then use those security credentials to send and receive messages that are both encrypted and verifiable via digital signatures.
  • HTTP Signatures - When communicating over the Internet using the HTTP protocol, it is often desirable to be able to securely verify the sender of a message as well as ensure that the message was not tampered with during transit. This document describes a way to add origin authentication and message integrity to HTTP messages.
  • Web Identity - An identity is a Linked Data description of a particular entity such as a person or organization. This specification describes a mechanism for reading from and writing to an online Linked Data identity. Linked Data identities are useful for storing arbitrary information, such as a person's shipping address, verified citizenship information, or age. The data is only accessible by authorized applications.

Reviews in Progress

  • @TBD

Reviews Completed

  • @TBD

Resources

  • @TBD