Move OTR to Privacy Working Group

[plehegar]

From AC Review: [[ The new "Off-The-Record Response Header Field" (OTR) deliverable focuses on addressing Privacy use-cases and as such it should instead be added as an OPTIONAL deliverable for the Privacy Working Group charter to take up if/when it has shown sufficient incubation. We believe it is an error (in scope, choice of most appropriate Working Group to to do the work) to add OTR to the list of deliverables for the Web Application Security Working Group charter. We could live with OTR being taken up for consideration by the Privacy CG.

We recommend the following actions, which do not require synchronization:

• The Team should amend the proposed Web Application Security Working Group Charter to drop OTR
• The Team should add OTR as an optional deliverable to the in-progress Privacy Working Charter, and then re-poll the AC with that updated Charter, which also resolves 2 of the 3 Formal Objections on the prior polled Privacy WG Charter. This also provides an opportunity to see if the remaining 3rd (anonymous) Formal Objection on the prior polled Privacy WG Charter is restated or not for the updated proposed Privacy WG Charter. We believe this path has a better chance of creating a Privacy Working Group charter more quickly than further delays in processing an anonymous Formal Objection on an outdated WG charter proposal.

We are objecting (suggesting changes) but are not making this a Formal Objection because we believe this to be a W3C Team clerical error (putting a new deliverable in the wrong Working Group) that the Team is empowered to fix without having to exercise the full Formal Objection process and mechanisms. ]]

cc https://github.com/w3c/strategy/issues/426

[plehegar]

cc @ShivanKaul

[mikewest]

The PrivacyWG didn't exist at the time we proposed the charter, and (so far as I know?) continues not to exist. :)

If the PrivacyWG is going to exist in the somewhat-near future, I agree that it's reasonable to shift OTR to that scope.

[plehegar]

That question was asked back in Sep and I asked PING about it. The conclusion was that it was fine to leave in the WebAppSec charter. That's why it did not come up during the PING review of the webappsec charter. So, not a clerical error...

[plehegar]

( @ShivanKaul is fine with having it in the Privacy WG charter. )

[plehegar]

and Privacy WG is also fine with taking it on.

[ShivanKaul]

Sorry was on PTO. Privacy WG sounds fine as a venue, though I'm a little confused by the objection given that Request OTR's goals are similar to Clear Site Data, which is an adopted item.

[mikewest]

(My feeling is that if a privacy WG had existed in 2015, we would have done clear-site-data there. :) )

[plehegar]

WebAppSec agreed to have this moved to the Privacy WG

[plehegar]

Btw, the charter change doesn't address which CG should incubate the specification. This is left to the CGs to figure it out. (and a WG charter cannot require a CG to do something anyway)