w3c / strategy

team-strat, on GitHub, working in public. Current state: DRAFT

[wg/webtransport] WebTransport Working Group rechartering #445

Closed plehegar closed 2 months ago

plehegar commented 9 months ago

New charter proposal, reviewers please take note.

Charter Review

Charter

diff from previous charter

diff from charter template

chair dashboard

What kind of charter is this? Check the relevant box / remove irrelevant branches.

Horizontal Reviews: apply the GitHub label "Horizontal review requested" to request reviews for accessibility (a11y), internationalization (i18n), privacy, and security. Also add a "card" for this issue to the Strategy Funnel.

Communities suggested for outreach: none?

Known or potential areas of concern: none?

Where would charter proponents like to see issues raised? (this strategy funnel issue, a different github repo, email, ...)

w3c/charter-drafts

Anything else we should think about as we review?

Nope?

plehegar commented 9 months ago

Advance notice: https://lists.w3.org/Archives/Public/public-new-work/2024Jan/0005.html

ylafon commented 5 months ago

Finalised charter and exit criteria, updated to latest template.

ruoxiran commented 5 months ago

no comments or requests from APA.

himorin commented 5 months ago

no comment or request from i18n

plehegar commented 5 months ago

no comment or request from PING

simoneonofri commented 5 months ago

Hi, at the Security level I review, there is a Security Section in both the W3C and IETF drafts.

Since it's a communication protocol, it might be appropriate to create a Threat Model by applying RFC 3552 on the two layers, as well as making a structured reasoning about "Abuse Cases" (as it was indicated that it could be used to do Internal Discovery), structuring even better the work already done and adding further analysis.

ylafon commented 4 months ago

> Hi, at the Security level I review, there is a Security Section in both the W3C and IETF drafts.
>
> Since it's a communication protocol, it might be appropriate to create a Threat Model by applying RFC 3552 on the two layers, as well as making a structured reasoning about "Abuse Cases" (as it was indicated that it could be used to do Internal Discovery), structuring even better the work already done and adding further analysis.

The communication protocol is worked on at IETF, not here. Do you want to have the Threat Model in the charter as a deliverable, or just part of the horizontal review for the specification when it targets CR? The latter makes more sense, and having a template and/or an explainer would be great, to guide WGs.

simoneonofri commented 4 months ago

> The communication protocol is worked on at IETF, not here. Do you want to have the Threat Model in the charter as a deliverable, or just part of the horizontal review for the specification when it targets CR?

I still don't have a strong opinion about including the full Threat Model in the specs or only part of its output (the Security Considerations), but in general, I think that we need to have the whole Threat Model somewhere (the model itself, the scope, the assumptions, threats, and mitigation) and in general Threat Models are live documents (e.g. if the spec is stable, threats can change).

In general, Threat Modeling should be done as soon as possible (e.g., starting with the explainer, which already contains the security and consideration sections) and not only during the review (of course, for specs already in CR state, it is probably already late). This is also a suggestion by Browsers/Specs Developers (at the horizontal review, it is generally too late).

> The latter makes more sense, and having a template and/or an explainer would be great, to guide WGs.

I am doing some experiments on how to do threat modeling on the specs, starting with Decentralised Identities (although then the specs are only for the Digital Credentials API), so in that case, it will be a separate deliverable. To prepare a guide and do some Threat Modeling together with the WGs:

plehegar commented 4 months ago

At this point, I would drop the coordination with the W3C HTML Working Group. We have the WHATWG listed in the external coordination.

ylafon commented 4 months ago

AC Review started. Public announcement

lu-zero commented 4 months ago

The Web of Things IG/WG is also interested in coordinating with WebTransport.

plehegar commented 2 months ago

(Team is processing comments)

plehegar commented 2 months ago

Announced