From 60f5de7be3df4024dfe8bfcb23a7be7a53fc5e96 Mon Sep 17 00:00:00 2001
From: Tantek Çelik
Date: Fri, 18 Oct 2024 20:14:19 -0700
Subject: [PATCH 1/2] scope: replace out-of-scope "incubates" with explores, initiating work to tests

As the existing Out of Scope section says, the IG must hand over standards work or incubation to other groups, thus for consistency the scope section should drop incubation (suggested text replacement with the more abstract "exploration") and focus on security issues on standards work rather than standards work itself. Replaced "initiating the work" with a more limited suggested phrase of "developing tests"
---
 2024/ig-security.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/2024/ig-security.html b/2024/ig-security.html
index 8d17795..c0cf60f 100644
--- a/2024/ig-security.html
+++ b/2024/ig-security.html
@@ -160,7 +160,7 @@

Scope

The Security Interest Group (SING) develops and documents guidelines, patterns, processes, and best practices for addressing security issues in Web standards.

SING supports, promotes, and structures the threat modeling for web standards and technologies. This approach can be used, along with other groups, for threats of different types such as security, privacy, and other kinds of harm. Threat modeling is a joint activity with threat experts and groups developing technology or other documentation. It can be used to get an understanding of the impact of the technology and guide its development, as well as to write Security Considerations sections.

SING provides "horizontal review", offering groups on-request guidance on security issues and mitigations specific to their technologies. SING aims to offer this review as early in the technology development lifecycle as requested, observing that early feedback is often more helpful. SING may also seek out technologies that benefit from earlier security reviews and conduct such reviews on its initiative.

-

SING incubates standards work on security issues by collecting requirements, prototyping, and/or initiating the work within the IG and recommending that the W3C move the work into other groups when appropriate.

+

SING explores security issues on standards work by collecting requirements, prototyping, and/or developing tests within the IG and recommending that the W3C move the work into other groups when appropriate.

SING may recommend mitigations for security issues in existing features of the Web platform, up to and including their deprecation.

SING may provide input to the Advisory Board on process changes that will improve security in Web standards, e.g., by establishing particular requirements or threat models for identifying and mitigating security issues in W3C Recommendations.

SING may recommend to the W3C Advisory Committee and the W3C TAG regarding the security impact of proposed standards.
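Review bot: in the replacement paragraph ("SING explores security issues on standards work ... recommending that the W3C move the work into other groups"), "the work" has lost its referent: the removed text introduced "standards work on security issues" that SING itself initiates, so "the work" could be handed off; the new text only mentions other groups' existing standards work, which cannot be "moved into other groups". "security issues on standards work" also reads awkwardly ("in" fits better), and "developing tests" does not say what is tested. Suggest naming the object of the hand-off explicitly, e.g. `SING explores security issues in standards work by collecting requirements, prototyping, and/or developing tests within the IG, and recommends that the W3C move any resulting standardization work into other groups when appropriate.`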

From 6ddd1a0a790ae6847640926cc79ef147ac8ed927 Mon Sep 17 00:00:00 2001
From: Tantek Çelik
Date: Wed, 23 Oct 2024 16:33:35 -0700
Subject: [PATCH 2/2] Update 2024/ig-security.html

@jyasskin's mitigation is also acceptable. Merging. @simoneonofri, if you want to further iterate, please feel free to offer suggestions.

Co-authored-by: Jeffrey Yasskin
---
 2024/ig-security.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/2024/ig-security.html b/2024/ig-security.html
index c0cf60f..7f14361 100644
--- a/2024/ig-security.html
+++ b/2024/ig-security.html
@@ -160,7 +160,7 @@

Scope

The Security Interest Group (SING) develops and documents guidelines, patterns, processes, and best practices for addressing security issues in Web standards.

SING supports, promotes, and structures the threat modeling for web standards and technologies. This approach can be used, along with other groups, for threats of different types such as security, privacy, and other kinds of harm. Threat modeling is a joint activity with threat experts and groups developing technology or other documentation. It can be used to get an understanding of the impact of the technology and guide its development, as well as to write Security Considerations sections.

SING provides "horizontal review", offering groups on-request guidance on security issues and mitigations specific to their technologies. SING aims to offer this review as early in the technology development lifecycle as requested, observing that early feedback is often more helpful. SING may also seek out technologies that benefit from earlier security reviews and conduct such reviews on its initiative.

-

SING explores security issues on standards work by collecting requirements, prototyping, and/or developing tests within the IG and recommending that the W3C move the work into other groups when appropriate.

+

SING identifies standardization work on security issues by collecting requirements, prototyping, and/or developing tests within the IG and recommending that the W3C move the work into other groups when appropriate.

SING may recommend mitigations for security issues in existing features of the Web platform, up to and including their deprecation.

SING may provide input to the Advisory Board on process changes that will improve security in Web standards, e.g., by establishing particular requirements or threat models for identifying and mitigating security issues in W3C Recommendations.

SING may recommend to the W3C Advisory Committee and the W3C TAG regarding the security impact of proposed standards.
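Review bot: the verb and its means do not match in the replacement paragraph: "identifies standardization work on security issues by collecting requirements, prototyping, and/or developing tests" presents prototyping and test development as ways of identifying work, when they are activities carried out once the work has been identified. Prototyping "within the IG" also sits uneasily with the first commit's message, which says the Out of Scope section requires incubation of standards work to be handed to other groups. Suggest separating identification, in-IG activity and hand-off, e.g. `SING identifies standardization work needed on security issues, may collect requirements, prototype, and/or develop tests within the IG to inform that work, and recommends that the W3C move the work into other groups when appropriate.` The switch to "standardization work" does restore a clear referent for "the work" in the final clause, which the removed "explores security issues on standards work" wording lacked.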