[wg/webappsec] Web Application Security WG 2023

[plehegar]

New charter proposal, reviewers please take note.

Charter Review

Charter:

What kind of charter is this? Check the relevant box / remove irrelevant branches.

• Existing

• Existing WG recharter
• If this is a charter extension or revision, link a diff from previous charter, and any issue discussion: (none yet, see webappsec repo)

Horizontal Reviews: apply the Github label "Horizontal review requested" to request reviews for accessibility (a11y), internationalization (i18n), privacy, and security. Also add a "card" for this issue to the Strategy Funnel.

Communities suggested for outreach:
None

Known or potential areas of concern:
None

Where would charter proponents like to see issues raised? (this strategy funnel issue, a different github repo, email, ...)
webappsec repo

Anything else we should think about as we review?
Nope

cc @mikewest @dveditz

[plehegar]

Advance notice: https://lists.w3.org/Archives/Member/w3c-ac-members/2023JulSep/0026.html

[mikewest]

We discussed the rechartering at TPAC, noting a few additions and removals from our deliverables: https://github.com/w3c/webappsec/blob/main/meetings/2023/2023-09-15-TPAC-minutes.md#rechartering.

[plehegar]

Pull requests for the comments from TPAC 2023: w3c/webappsec#635

[himorin]

• the latest entries of history table does not match with current running one at https://www.w3.org/2022/06/webappsec-charter-2022.html
• expected completion statement at 3. Deliverables seems to be needs-updated...? (should match with text in success criteria)
• (typo-ish) dt for Securer Contexts shall have class spec

[himorin]

no comment or request from i18n

[plehegar]

(from PING) Security and privacy model for cookies , Permissions best practices and APIs, and End-to-End Encryption email should be coordinated with the Privacy IG/WG.

[plehegar]

(from PING) some timelines are in 2022....

[ruoxiran]

no comments from APA.

[plehegar]

All comments have been addressed. Requesting approval from TilT.

[himorin]

1st sentence of Success Criteria in charter template seems missing from this draft? (on criteria to advance to PR; no mention about no intended to advance to REC)

[svgeesus]

1st sentence of Success Criteria in charter template seems missing from this draft?

I had assumed this was because the template makes it conditional:

Remove this clause if the Group does not intend to move to REC:

But then, in Deliverables, both options are removed!

Choose one:
Expected completion indicates when the deliverable is projected to become a Recommendation, or otherwise reach a stable state
The Working Group intends to publish the latest state of their work as Candidate Recommendation (with Snapshots) and does not intend to advance their documents to Recommendation .

[siusin]

The charter history is not yet completed. At least new deliverables like Passkey Endpoints Well-Known URL should be mentioned as changes of this version.

[svgeesus]

But then, in Deliverables, both options are removed!

Choose one:
Expected completion indicates when the deliverable is projected to become a Recommendation, or otherwise reach a stable state
The Working Group intends to publish the latest state of their work as Candidate Recommendation (with Snapshots) and does not intend to advance their documents to Recommendation .

I notice, in the changes for the previous charter:

Moved most specs to snapshot (evergreen) publication.

so please add back

The Working Group intends to publish the latest state of their work as Candidate Recommendation (with Snapshots) and does not intend to advance their documents to Recommendation .

[plehegar]

I fixed the charter. see https://github.com/w3c/webappsec/pull/641/files

[plehegar]

and https://github.com/w3c/webappsec/pull/642/files

[plehegar]

Charter review started:
https://lists.w3.org/Archives/Public/public-new-work/2024Feb/0000.html

Deadline is 2024-03-02.

[plehegar]

We received 2 requests for changes, including one substantive, w3c/webappsec#645 and w3c/webappsec#646

[plehegar]

@marcoscaceres , is there an actual proposal for email encryption that we can link from the WebAppSec charter ?

[plehegar]

status: there is an unforeseen delay on this, the proposed changes won't come out until April 3rd.

[plehegar]

Following the AC Review, we are proposing the following changes

1. Remove "Off-The-Record Response Header Field" from the charter. It will be proposed as an addition to the Privacy Working Group separately.

2. Remove "End-to-end encryption email" from the charter. This was lacking an actual proposal and might be added in a future revision of the charter.

• Proposed charter
• diff with previous proposed charter

Deadline to comment on those proposed changes is April 17.

https://lists.w3.org/Archives/Member/member-charters-review/2024Apr/0000.html

[plehegar]

no additional comments were received. Next step is for W3C to announce the new charter.

[simoneonofri]

Although the charter has already been revised, security is embedded in the fact that this is a group that develops security standards. Therefore, security is part of its mission statement.

Of course, from a methodological point of view, even a security feature can lead to additional security problems (such as the bad lock example in OSSTMM).

[plehegar]

Announced
https://lists.w3.org/Archives/Member/w3c-ac-members/2024AprJun/0018.html