- From: Philippe Le Hegaret <plh@w3.org>
- Date: Fri, 31 Oct 2014 11:28:23 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: public-w3process <public-w3process@w3.org>
On Thu, 2014-10-30 at 18:17 +0100, Anne van Kesteren wrote:
> Without due security review implementers end up implementing drafts
> and then we cannot fix the broken security and privacy
> characteristics.
>
> See e.g. https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#128 and
> the rest of that thread for how hard it is to do this
> post-publication.
>
> Requiring TLS for an API is something that should be considered very early on.

I'm all for improving security on the Web and encouraging early reviews but I'm concerned about raising the bar before a FPWD can be published. Take that as a list of things to consider rather than objections.

If the effect is increased delays in publication, it means that:

1. the Working Group will work under a longer time without any firm IP commitment (since the PP won't start its clock until the FPWD is published [1]).

2. unless you're in the group/list, you're also delaying the opportunity from the wider community to pay attention to it.

We should make sure we can clear willingness/commitments from the appropriate groups/forums/experts to do those early reviews, otherwise we're about to add additional steps without having the ability to fulfill them.

Finally, why stop at security (and privacy)? What about accessibility, i18n, device independence, performance, etc? We would effectively send a message that security/privacy is more important for early reviews than those other areas. This will be acceptable for some but not all. And if we add additional reviews, we're delaying the clock even further.

Philippe

[1] http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-exclusion-resign

Received on Friday, 31 October 2014 18:28:30 UTC