Difference between revisions of "IG/W3C spec review"

From Web Security
Changes in this revision (section "Candidates for Review", line 40):

Unchanged:
* [https://github.com/slightlyoff/ServiceWorker Service Worker] - This concept is enabling offline webapp improvement. This technology is under definition by Alex Russel (from Google and W3C TAG) et al. and may land in W3C soon.

Removed:
* "Promises"? http://www.w3.org/TR/2013/WD-dom-20131107/#promises and http://dom.spec.whatwg.org/#promises

Added:
* [http://www.w3.org/TR/2013/WD-dom-20131107/#promises Promises], also discussed in [http://dom.spec.whatwg.org/#promises whatwg]

Unchanged:
* [https://ietf.org/wg/jose/ JOSE] - Many Internet applications have a need for object-based security mechanisms in addition to security mechanisms at the network layer or transport layer. In the past, the Cryptographic Message Syntax (CMS) has provided a binary secure object format based on ASN.1. Over time, the use of binary object encodings such as ASN.1 has been overtaken by text-based encodings, for example JavaScript Object Notation. The JOSE stack enables JSON objects to be signed, encrypted, and verified.
Revision as of 11:01, 17 January 2014

Frequently Asked Questions

  • When should a spec be reviewed? The spec's scope should be reasonably complete, but in general the earlier the review, the better.
  • Can members of the IG request a review? Yes; there is no need to wait for a group to ask for a document to be reviewed.
  • Does the Web Security IG review W3C specifications only, or external specifications too? The Web Security IG's task is to review technology produced by W3C Working Groups; nevertheless it can address specifications from other SDOs or organizations, such as the IETF, when requested.
  • Does the Web Security IG maintain recommendation guidelines for security considerations? The Web Security IG does not, but one can consult the IETF Security Considerations guidelines.

Requesting a Review

To get the Web Security IG to review a spec:


Process Proposal for Reviewing Specifications

The following process for reviewing specifications is offered to Web Security IG members for comment; it is based on suggestions received from Dom Hazaël-Massieux.

- A W3C specification review can happen at any step of the W3C process, before the specification goes to Last Call (see the W3C process document).

- When a W3C specification review is conducted at the Working Draft step, the review aims to raise security concerns that may appear while the technology is being developed.

- When a W3C specification review is conducted at the Last Call step, the review is intended to be extensive, identifying weaknesses and the countermeasures expected to address them.

- When a specification review deals with a deliverable from another standardization body, the aim of the review depends on that body's process. The principle of a high-level review for drafts and a deep review for stable documents should nevertheless be applied where possible.

- A review is conducted by a leader, who is in charge of indicating the required time, gathering appropriate expertise, editing the review report and sharing the report with the Web Security IG. A review is expected to last no more than a month.

- Once the specification review report has been made available to the Web Security IG, members of the IG have 2 weeks to raise comments against the review. After this period, the review is considered the Web Security IG deliverable.

Note: an example of a review process, used by the Internationalization Core WG, can be found at http://www.w3.org/International/wiki/Review_radar

Candidates for Review

  • Encrypted Media Extensions - The API supports use cases ranging from simple clear key decryption to high value video (given an appropriate user agent implementation). License/key exchange is controlled by the application, facilitating the development of robust playback applications supporting a range of content decryption and protection technologies.
  • Service Worker - This concept enables improved offline web applications. The technology is being defined by Alex Russell (from Google and the W3C TAG) et al. and may land in W3C soon.
  • JOSE - Many Internet applications have a need for object-based security mechanisms in addition to security mechanisms at the network layer or transport layer. In the past, the Cryptographic Message Syntax (CMS) has provided a binary secure object format based on ASN.1. Over time, the use of binary object encodings such as ASN.1 has been overtaken by text-based encodings, for example JavaScript Object Notation. The JOSE stack enables JSON objects to be signed, encrypted, and verified.
  • Persona - Persona allows you to sign in to sites using any of your existing email addresses.
  • Secure Messaging - The Secure Messaging specification describes a simple, decentralized security infrastructure for the Web based on public key cryptography. This system enables Web applications to establish identities for agents on the Web, associate security credentials with those identities, and then use those security credentials to send and receive messages that are both encrypted and verifiable via digital signatures.
  • HTTP Signatures - When communicating over the Internet using the HTTP protocol, it is often desirable to be able to securely verify the sender of a message as well as ensure that the message was not tampered with during transit. This document describes a way to add origin authentication and message integrity to HTTP messages.
  • Web Identity - An identity is a Linked Data description of a particular entity such as a person or organization. This specification describes a mechanism of reading and writing to an online Linked Data identity. Linked Data identities are useful for storing arbitrary information, such as a person's shipping address, verified citizenship information, or age. The data is only accessible by authorized applications.

Reviews in Progress

  • @TBD

Reviews Completed

  • @TBD

Resources

  • @TBD