Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ig/security] Security Interest Group Charter #449

Open
1 of 2 tasks
simoneonofri opened this issue Mar 26, 2024 · 16 comments
Open
1 of 2 tasks

[ig/security] Security Interest Group Charter #449

simoneonofri opened this issue Mar 26, 2024 · 16 comments
Assignees
@simoneonofri
Labels
AC review Accessibility review completed Advance Notice Sent Advance Notice of (re)chartering has been sent to the AC charter group charter Horizontal review requested Internationalization review completed Privacy review completed Security review completed

Comments

@simoneonofri
Copy link

simoneonofri commented Mar 26, 2024
edited
Loading

New charter proposal, reviewers please take note.

Charter Review

PROPOSED Security Interest Group Charter:

diff from charter template

What kind of charter is this? Check the relevant box / remove irrelevant branches.

  • New
  • New WG
  • New IG
  • If this is a new WG or IG charter request, link to Advance Notice, and any issue discussion:

Horizontal Reviews: apply the Github label "Horizontal review requested" to request reviews for accessibility (a11y), internationalization (i18n), privacy, security, and TAG. Also add a "card" for this issue to the Strategy Funnel.

Communities suggested for outreach: security groups, privacy groups, security researchers, cryptographers

Known or potential areas of concern:

Where would charter proponents like to see issues raised? this issue seems fine

Anything else we should think about as we review?
@simoneonofri simoneonofri added Agenda+ charter group charter labels Mar 26, 2024
@simoneonofri simoneonofri changed the title [ig/security] Securty Interest Group Charter ( Mar 26, 2024
@svgeesus svgeesus changed the title [ig/security] Securty Interest Group Charter Mar 26, 2024
@simoneonofri simoneonofri self-assigned this Apr 2, 2024
@simoneonofri simoneonofri added the Advance Notice Sent Advance Notice of (re)chartering has been sent to the AC label Apr 3, 2024
@simoneonofri
Copy link
Author

Advance Notice: https://lists.w3.org/Archives/Public/public-new-work/2024Apr/0001.html
@simoneonofri simoneonofri mentioned this issue May 4, 2024
Open
@plehegar plehegar removed the Agenda+ label May 17, 2024
@simoneonofri
Copy link
Author

Work on the charter is proceeding. A number of PRs have been prepared.

https://github.com/w3c/charter-drafts/pulls?q=is%3Apr+is%3Aopen+%5Big%2Fsecurity%5D
@simoneonofri
Copy link
Author

Updated Charter with some cosmetics and the candidate co-chairs!

https://w3c.github.io/charter-drafts/2024/ig-security.html

cc'ing @innotommy, Patrick (https://syssec.ethz.ch/people/schaller.html) @jaromil @andrea-dintino
@simoneonofri
Copy link
Author

In generaral after several discssuions and reivew in the last period, the idea behind SING for security reiveiw is as follows.

Granted that Groups often already do Threat Modeling (and it's something inherent in the human survival instinct anyway), the problem is that it's not done in a structured way and so:

  • Some threats are not considered
  • It is not fully documented (e.g., part of the output of the Threat Model are the Security Considerations)

Therefore, the Wide Review moment during the Rec Track is definitely a time to review that the work has been done correctly and documented, but it is not there to do Threat Modeling. Already the review of a Charter, where perhaps a willingness to adopt Community Group deliverables is indicated, is already better.

Since Threat Modeling, by its nature, is a brainsorming/facilitated activity in conjunction between those who know well what is being done (the Specs developers) and what can go wrong (Security, Privacy people, etc.), then figuring out together what can be done to avoid the worst.

The issue is to provide what is needed first of all to be able to do Threat Modeling properly--according to the Confucian adage "teach a man to fish"--of the technology that the various working groups want to develop and do this as early as possible (e.g., even at the Explainer level), then in the incipient stages if we take the TC39 process.

It is important to note that Threat Models are living documents, meaning that even if the standard does not change, external threats change.

The idea is to do this interactively and incrementally, as we are already doing with the FedID CG/CG group and WICG Digital Credentials side Threat Modeling for Decentralized Identities and BBS for cryptographic reviews (which always arise from some defined security/privacy requirements) but then follow a different process and need different skills (cryptography and cryptanalysis).

Threat Modeling practices are then very flexible and can safely be used to model both Security, Privacy and Human Rights threats (the latter are usually better identifiable in the Threat Models of ecosisystems).
@ruoxiran
Copy link

no comment or request from APA.
@himorin
Copy link

himorin commented Jun 27, 2024

  • filed a PR for minor points, link targets and list of HR
  • participation mentions about agreement on W3C patent policy, which seems restricted condition than patent disclosure section, and seems to be better to refer conditions in disclosure section I suppose... (not sure around legal requirement, although)
@xfq
Copy link
Member

xfq commented Jun 28, 2024

There seems to be a typo: "Shaller" should be "Schaller"?
@simoneonofri
Copy link
Author

@xfq thank you noted
@himorin
Copy link

himorin commented Jul 5, 2024

no comment or request from i18n
@plehegar
Copy link
Member

PING will talk about this charter on July 18.
@simoneonofri
Copy link
Author

Hi @plehegar, thank you.

Unfortunately, I won't be able to attend on the 18th for logistical reasons, but I have followed up on the various comments and am discussing them with the candidate co-chairs. I link them here for completeness:
@plehegar
Copy link
Member

One comment from PING:
[[
Maybe worth going into a bit more detail about how this group will coordinate with PING? It does say that one of the group's deliverables is maintained in coordination with TAG and PING, but more information might be useful. Also, under Coordination it says the group's deliverables are "accessibility, internationalization, and privacy" which doesn't seem quite right.
]]
@simoneonofri
Copy link
Author

simoneonofri commented Jul 20, 2024
edited
Loading

Hello everyone,

Thank you for all the comments. Related PR follows:

Typos

Issue/Comment: #449 (comment)
Description: I made the corrections indicated and did a general check again.
PR: w3c/charter-drafts#556
Thanks to: @xfq

Coordination

Issue/Comment: w3c/charter-drafts#547 and w3c/charter-drafts#551 and #449 (comment)
PR: w3c/charter-drafts#560
Description: Added W3C groups
Thanks to: @frivoal, @jyasskin and @plehegar

Participation

Issue/Comment: w3c/charter-drafts#550
PR: w3c/charter-drafts#558
Description: Clarified that anyone can discuss, to participate need to join. open to IEs with specified expertise
Thanks to: @jyasskin, @chrisn

Scope and Deliverables (Threat Modeling)

Issue/Comment: w3c/charter-drafts#552
PR: w3c/charter-drafts#557
Description: added emphasis in scope and deliverables
Thanks to: @jyasskin, @jaromil

[cc'ing: @innotommy, @andrea-dintino]

I'll leave them open a week for comments and revisions, then if there are no blockers I'll proceed.

Thank you,

Simone
This was referenced Jul 20, 2024
Closed
Closed
Closed
Closed
@svgeesus
Copy link
Contributor

Overall looks great. A few very minor points:

  • The Note above Motivation section can be deleted. Actually it should be deleted from the template, it serves no purpose.
  • Same for the note about charter history
  • [pick a duration within:] one week to 10 working days, Pick one, and remove the todo
  • a few leftover todo around the word "Interest"
  • you can delete or comment out the charter table rows about extension and rechartering
simoneonofri added a commit to w3c/charter-drafts that referenced this issue Jul 31, 2024
@simoneonofri
[ig/security] svgeesus's comment
ac2b7f1 
Ref w3c/strategy#449 (comment)
@simoneonofri simoneonofri mentioned this issue Jul 31, 2024
Merged
@simoneonofri
Copy link
Author

AC review started https://lists.w3.org/Archives/Public/public-new-work/2024Aug/0002.html
@simoneonofri
Copy link
Author

thx @koalie
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
AC review Accessibility review completed Advance Notice Sent Advance Notice of (re)chartering has been sent to the AC charter group charter Horizontal review requested Internationalization review completed Privacy review completed Security review completed
7 participants
@plehegar @svgeesus @xfq @koalie @himorin @simoneonofri @ruoxiran