Add Security Considerations and Privacy Considerations sections

[adamroach]

This is a recommendation from the Security and Privacy Checklist review. See https://docs.google.com/document/d/1w7ginyzNg-xZUmITK4vzcGUKB4gbMOAvlkWWaRtX14k/edit?usp=sharing for additional detail

The Payment Method Identifier specification should at least point to a URI spec (e.g., RFC 3986) and its security considerations section.

[sideshowbarker]

The Payment Method Identifier specification should at least point to a URI spec (e.g., RFC 3986) and its security considerations section.

I agree that it should point to something but I don’t agree it should be the (legacy) URI spec. It should instead be https://url.spec.whatwg.org/#security-considerations and if what is currently there isn’t sufficient, then bugs should be raised against that (the current URL standard) to get that section made more complete in any ways it which it is currently deficient.

[adamroach]

I have a problem in principle (independent of the URL issue) with normatively referencing specifications produced by a private organization with no clear governance model and no formal IPR policy.

I have a problem in particular with the WHATWG URL specification because uncoordinated competing specifications that claim to cover the same technology are actively harmful to interoperation. The IETF remains the authority for specification of URLs.

[sideshowbarker]

I have a problem in principle (independent of the URL issue) with normatively referencing specifications produced by a private organization with no clear governance model and no formal IPR policy.

The W3C organizationally does not have any problem in principle with referencing WHATWG standards. (And incidentally the WHATWG is not a private organization.)

[annevk]

@adamroach how can it be the authority if implementations follow something else?

[adrianhopebailie]

The W3C organizationally does not have any problem in principle with referencing WHATWG standards. (And incidentally the WHATWG is not a private organization.)

I'm not sure that's entirely true for all WHATWG specs. There was certainly a lot of back-and-forth recently about this exact issue in WebAppSec. We need to tread carefully here or we will simply create delays for ourselves in resolving this later.