[ig/security] Security Interest Group Charter

[simoneonofri]

New charter proposal, reviewers please take note.

Charter Review

PROPOSED Security Interest Group Charter:

diff from charter template

What kind of charter is this? Check the relevant box / remove irrelevant branches.

• New
  • [ ] New WG
  • [x] New IG
  • If this is a new WG or IG charter request, link to Advance Notice, and any issue discussion:

Horizontal Reviews: apply the Github label "Horizontal review requested" to request reviews for accessibility (a11y), internationalization (i18n), privacy, security, and TAG. Also add a "card" for this issue to the Strategy Funnel.

Communities suggested for outreach: security groups, privacy groups, security researchers, cryptographers

Known or potential areas of concern:

Where would charter proponents like to see issues raised? this issue seems fine

Anything else we should think about as we review?

[simoneonofri]

Advance Notice: https://lists.w3.org/Archives/Public/public-new-work/2024Apr/0001.html

[simoneonofri]

Work on the charter is proceeding. A number of PRs have been prepared.

https://github.com/w3c/charter-drafts/pulls?q=is%3Apr+is%3Aopen+%5Big%2Fsecurity%5D

[simoneonofri]

Updated Charter with some cosmetics and the candidate co-chairs!

https://w3c.github.io/charter-drafts/2024/ig-security.html

cc'ing @innotommy, Patrick (https://syssec.ethz.ch/people/schaller.html) @jaromil @andrea-dintino

[simoneonofri]

In generaral after several discssuions and reivew in the last period, the idea behind SING for security reiveiw is as follows.

Granted that Groups often already do Threat Modeling (and it's something inherent in the human survival instinct anyway), the problem is that it's not done in a structured way and so:

• Some threats are not considered
• It is not fully documented (e.g., part of the output of the Threat Model are the Security Considerations)

Therefore, the Wide Review moment during the Rec Track is definitely a time to review that the work has been done correctly and documented, but it is not there to do Threat Modeling. Already the review of a Charter, where perhaps a willingness to adopt Community Group deliverables is indicated, is already better.

Since Threat Modeling, by its nature, is a brainsorming/facilitated activity in conjunction between those who know well what is being done (the Specs developers) and what can go wrong (Security, Privacy people, etc.), then figuring out together what can be done to avoid the worst.

The issue is to provide what is needed first of all to be able to do Threat Modeling properly--according to the Confucian adage "teach a man to fish"--of the technology that the various working groups want to develop and do this as early as possible (e.g., even at the Explainer level), then in the incipient stages if we take the TC39 process.

It is important to note that Threat Models are living documents, meaning that even if the standard does not change, external threats change.

The idea is to do this interactively and incrementally, as we are already doing with the FedID CG/CG group and WICG Digital Credentials side Threat Modeling for Decentralized Identities and BBS for cryptographic reviews (which always arise from some defined security/privacy requirements) but then follow a different process and need different skills (cryptography and cryptanalysis).

Threat Modeling practices are then very flexible and can safely be used to model both Security, Privacy and Human Rights threats (the latter are usually better identifiable in the Threat Models of ecosisystems).

[ruoxiran]

no comment or request from APA.

[himorin]

• filed a PR for minor points, link targets and list of HR
• participation mentions about agreement on W3C patent policy, which seems restricted condition than patent disclosure section, and seems to be better to refer conditions in disclosure section I suppose... (not sure around legal requirement, although)

[xfq]

There seems to be a typo: "Shaller" should be "Schaller"?

[simoneonofri]

@xfq thank you noted

[himorin]

no comment or request from i18n

[plehegar]

PING will talk about this charter on July 18.

[simoneonofri]

Hi @plehegar, thank you.

Unfortunately, I won't be able to attend on the 18th for logistical reasons, but I have followed up on the various comments and am discussing them with the candidate co-chairs. I link them here for completeness:

• Adding reference to the AB https://github.com/w3c/charter-drafts/issues/547
• Public/IE participation https://github.com/w3c/charter-drafts/issues/550
• Coordinate with more W3C groups https://github.com/w3c/charter-drafts/issues/551
• Put threat modeling in scope https://github.com/w3c/charter-drafts/issues/552

[plehegar]

One comment from PING: [[ Maybe worth going into a bit more detail about how this group will coordinate with PING? It does say that one of the group's deliverables is maintained in coordination with TAG and PING, but more information might be useful. Also, under Coordination it says the group's deliverables are "accessibility, internationalization, and privacy" which doesn't seem quite right. ]]

[simoneonofri]

Hello everyone,

Thank you for all the comments. Related PR follows:

Typos

Issue/Comment: https://github.com/w3c/strategy/issues/449#issuecomment-2196012859 Description: I made the corrections indicated and did a general check again. PR: https://github.com/w3c/charter-drafts/pull/556 Thanks to: @xfq

Coordination

Issue/Comment: https://github.com/w3c/charter-drafts/issues/547 and https://github.com/w3c/charter-drafts/issues/551 and https://github.com/w3c/strategy/issues/449#issuecomment-2237355230 PR: https://github.com/w3c/charter-drafts/pull/560 Description: Added W3C groups Thanks to: @frivoal, @jyasskin and @plehegar

Participation

Issue/Comment: https://github.com/w3c/charter-drafts/issues/550 PR: https://github.com/w3c/charter-drafts/pull/558 Description: Clarified that anyone can discuss, to participate need to join. open to IEs with specified expertise Thanks to: @jyasskin, @chrisn

Scope and Deliverables (Threat Modeling)

Issue/Comment: https://github.com/w3c/charter-drafts/issues/552 PR: https://github.com/w3c/charter-drafts/pull/557 Description: added emphasis in scope and deliverables Thanks to: @jyasskin, @jaromil

[cc'ing: @innotommy, @andrea-dintino]

I'll leave them open a week for comments and revisions, then if there are no blockers I'll proceed.

Thank you,

Simone

[svgeesus]

Overall looks great. A few very minor points:

• The Note above Motivation section can be deleted. Actually it should be deleted from the template, it serves no purpose.
• Same for the note about charter history
• [pick a duration within:] one week to 10 working days, Pick one, and remove the todo
• a few leftover todo around the word "Interest"
• you can delete or comment out the charter table rows about extension and rechartering

[simoneonofri]

AC review started https://lists.w3.org/Archives/Public/public-new-work/2024Aug/0002.html

[simoneonofri]

thx @koalie

[simoneonofri]

We included the new deliverable and asked the AC Reps who replied for a review in 2 weeks

REVIEW by 2024-10-19/20: Proposed changes to the Security Interest Group charter

[plehegar]

We received additional feedback during the review of proposed changes.:

• https://github.com/w3c/charter-drafts/pull/613
• https://github.com/w3c/charter-drafts/pull/614

[plehegar]

Announced