w3c / charter-drafts

Draft W3C WG and CG charters for public review
https://w3c.github.io/charter-drafts/charter-template.html

[ig/security] public participants #550

Closed jyasskin closed 1 month ago

jyasskin commented 1 month ago

The Process says

An Interest Group charter may include provisions regarding participation, including specifying that the only requirement for participation (by anyone) in the Interest Group is subscription to the Interest Group mailing list. This type of Interest Group may have public participants.

The draft charter includes

Participation in SING is open to the public. Participants who do not represent a W3C Member should join as Invited Experts.

I see that this text is copied from the PING's charter, but this new charter should pick one: either the IG has public participants, in which case they don't need to join as Invited Experts; or it doesn't have public participants, in which case it shouldn't claim participation is open to the public and should instead give the chairs and prospective experts some guidance on how much "particular expertise" someone needs to have in order to be invited. I personally lean toward allowing public participants, but if there are reasons not to, we could say something like

The chairs expect to allow almost anyone who is interested to participate as an Invited Expert, subject to the requirements in the Process.

simoneonofri commented 1 month ago

Hello @jyasskin,

As always, thank you for your comment.

Yes, for the SING, the PING was very inspiring. How was your experience with this approach since you'd like to use a different one? What do you see as negative?

The question is that - at least in my experience in security auditing and reporting potential vulnerabilities - it is useful to get feedback from as many participants as possible (hence public participation) - e.g., in recent years, many Bug Bounty Programs have developed - then distinguish the people who make a valid contribution, also in terms of reward (particularly if it is voluntary work).

On the particular expertise (considering the tasks I observed in the past months), certainly we can specify different skills:

Thank you,

Simone

chrisn commented 1 month ago

I don't have a strong view on whether SING should be member-only or allow public participants, but public participation should be distinct from IE status, which grants member access.

simoneonofri commented 1 month ago

Hi @chrisn

Thank you for your comment. The idea was:

Happy to receive your opinions

jaromil commented 1 month ago

Dears, it took me some time to better understand the context and method in place.

I am sure there are specific Threat Model (TM) competences in security as well as methodology that are best overlooked by the SING, which is ultimately about security.

However, what we propose as TM also includes issues on privacy, harm, fair governance, civil rights, and even more contexts; I believe that a highly interdisciplinary group is needed for TM, and I can imagine most of its work would be in facilitating a cross-disciplinary discourse to fit methodologies from well-established groups such as PING and SING and distill clear problem definitions.

jyasskin commented 1 month ago

How was your experience with this approach since you'd like to use a different one? What do you see as negative?

Sorry for being unclear: I'm not proposing a change in practice from the way the PING operates. I think the PING's charter is also worded wrong to describe what they're doing.

The PING requires people to be Invited Experts in order to participate. That is, it's not "open to the public." The PING has been quite liberal in extending those invitations (which is good), but that fact isn't obvious to people who might want to participate (which is bad). As I said in my first post, I'd lean toward just allowing public participation without requiring the Invited Expert step. If that's not the way things go, I like the PING's approach to Inviting Experts, with the caveat that it should be clearer.

Re @chrisn's point about Member-only access, the PING's charter says that IE status does not grant such access, and that's allowed in https://www.w3.org/invited-experts/#memaccess, but I can't find Process wording allowing it. I've raised https://github.com/w3c/process/issues/900 for this, and I think we can decide the rest of this issue without resolving that question.

simoneonofri commented 1 month ago

The PING requires people to be Invited Experts in order to participate. That is, it's not "open to the public." The PING has been quite liberal in extending those invitations (which is good), but that fact isn't obvious to people who might want to participate (which is bad). As I said in my first post, I'd lean toward just allowing public participation without requiring the Invited Expert step. If that's not the way things go, I like the PING's approach to Inviting Experts, with the caveat that it should be clearer.

Thank you for the clarification. We're on the same page. When talking with potential participants, it should be good to have them as IEs without Members' access.

I'll prepare a PR, as you suggested, to explain the approach in a clear way.

chrisn commented 1 month ago

When talking with potential participants, it should be good to have them as IEs without Members' access.

I agree, and also on the need for clarification in the Process, thank you @jyasskin for raising the issue there.

simoneonofri commented 1 month ago

Addressed here; we can follow up the discussion in the PR: https://github.com/w3c/strategy/issues/449#issuecomment-2241282461