[ig/security] Security Interest Group Charter #449
Comments
Work on the charter is proceeding. A number of PRs have been prepared: https://github.com/w3c/charter-drafts/pulls?q=is%3Apr+is%3Aopen+%5Big%2Fsecurity%5D
Updated Charter with some cosmetics and the candidate co-chairs! https://w3c.github.io/charter-drafts/2024/ig-security.html cc'ing @innotommy, Patrick (https://syssec.ethz.ch/people/schaller.html) @jaromil @andrea-dintino
In general, after several discussions and reviews in the last period, the idea behind SING for security review is as follows. Granted that Groups often already do Threat Modeling (and it's something inherent in the human survival instinct anyway), the problem is that it's not done in a structured way and so:
Therefore, the Wide Review moment during the Rec Track is definitely a time to review that the work has been done correctly and documented, but it is not there to do Threat Modeling. Already the review of a Charter, where perhaps a willingness to adopt Community Group deliverables is indicated, is already better. Since Threat Modeling, by its nature, is a brainstorming/facilitated activity in conjunction between those who know well what is being done (the Specs developers) and what can go wrong (Security, Privacy people, etc.), then figuring out together what can be done to avoid the worst. The issue is to provide what is needed first of all to be able to do Threat Modeling properly--according to the Confucian adage "teach a man to fish"--of the technology that the various working groups want to develop and do this as early as possible (e.g., even at the Explainer level), then in the incipient stages if we take the TC39 process. It is important to note that Threat Models are living documents, meaning that even if the standard does not change, external threats change. The idea is to do this interactively and incrementally, as we are already doing with the FedID CG/CG group and WICG Digital Credentials side Threat Modeling for Decentralized Identities and BBS for cryptographic reviews (which always arise from some defined security/privacy requirements) but then follow a different process and need different skills (cryptography and cryptanalysis). Threat Modeling practices are then very flexible and can safely be used to model both Security, Privacy and Human Rights threats (the latter are usually better identifiable in the Threat Models of ecosystems).
no comment or request from APA.
There seems to be a typo: "Shaller" should be "Schaller"?
@xfq thank you, noted
no comment or request from i18n
PING will talk about this charter on July 18.
Hi @plehegar, thank you. Unfortunately, I won't be able to attend on the 18th for logistical reasons, but I have followed up on the various comments and am discussing them with the candidate co-chairs. I link them here for completeness:
One comment from PING:
Hello everyone, Thank you for all the comments. Related PR follows:
Typos. Issue/Comment: #449 (comment)
Coordination. Issue/Comment: w3c/charter-drafts#547 and w3c/charter-drafts#551 and #449 (comment)
Participation. Issue/Comment: w3c/charter-drafts#550
Scope and Deliverables (Threat Modeling). Issue/Comment: w3c/charter-drafts#552
[cc'ing: @innotommy, @andrea-dintino] I'll leave them open a week for comments and revisions, then if there are no blockers I'll proceed. Thank you, Simone
Overall looks great. A few very minor points:
AC review started: https://lists.w3.org/Archives/Public/public-new-work/2024Aug/0002.html
thx @koalie
New charter proposal, reviewers please take note.
Charter Review
PROPOSED Security Interest Group Charter:
diff from charter template
What kind of charter is this? Check the relevant box / remove irrelevant branches.
Horizontal Reviews: apply the Github label "Horizontal review requested" to request reviews for accessibility (a11y), internationalization (i18n), privacy, security, and TAG. Also add a "card" for this issue to the Strategy Funnel.
Communities suggested for outreach: security groups, privacy groups, security researchers, cryptographers
Known or potential areas of concern:
Where would charter proponents like to see issues raised? this issue seems fine
Anything else we should think about as we review?