
Check for Separate Security and Privacy sections #1346

Open
svgeesus opened this issue Aug 5, 2021 · 10 comments

Comments

@svgeesus
Contributor

svgeesus commented Aug 5, 2021

It has been common to have a single section for this, for example:

<h2 id="priv-sec">
Security and Privacy Considerations
</h2>

No new security or privacy considerations have been raised on this specification.

This is no longer allowed. The horizontal review guidelines mentions separate Security Considerations and Privacy Considerations sections.

Before requesting privacy and security reviews from the Privacy Interest Group (PING) and security reviewers, respectively, authors must write both "Security Considerations" and "Privacy Considerations" sections for their documents,
https://w3ctag.github.io/security-questionnaire/#reviews

Furthermore, the issue template for Privacy review states:

  • Does your document have an in-line Privacy Considerations section, separate from Security Considerations? If not, correct that before proceeding further.

which is an annoying thing to discover, the day you publish a CRD to start on wide review, given that pubrules give no complaint for this.
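A minimal version of the check this issue asks the publication tooling to perform, as an added example that is not part of the issue thread or of any W3C tool; it assumes the specification is HTML and that the sections are identified by their heading text, and it accepts headings that carry section-number spans:

```python
from html.parser import HTMLParser

HEADING_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6"}

class _HeadingCollector(HTMLParser):
    """Collect the visible text of each heading (nested spans included)."""
    def __init__(self):
        super().__init__()
        self.headings, self._open, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag in HEADING_TAGS and self._open is None:
            self._open, self._buf = tag, []
    def handle_endtag(self, tag):
        if tag == self._open:
            self.headings.append(" ".join("".join(self._buf).split()))
            self._open = None
    def handle_data(self, data):
        if self._open is not None:
            self._buf.append(data)

def check_considerations(html):
    """Return findings for an HTML spec; an empty list means it passes."""
    parser = _HeadingCollector()
    parser.feed(html)
    parser.close()
    combined, has_security, has_privacy = [], False, False
    for text in parser.headings:
        t = text.lower()
        if "considerations" not in t:
            continue
        if "security" in t and "privacy" in t:
            combined.append(text)   # one heading covering both topics
        elif "security" in t:
            has_security = True
        elif "privacy" in t:
            has_privacy = True
    if combined:
        return [f"combined section '{h}': split into separate Security "
                "Considerations and Privacy Considerations sections" for h in combined]
    findings = []
    if not has_security:
        findings.append("missing Security Considerations section")
    if not has_privacy:
        findings.append("missing Privacy Considerations section")
    return findings

# Constructed samples: the combined heading quoted above, and a compliant spec.
COMBINED_SPEC = '<h2 id="priv-sec">\nSecurity and Privacy Considerations\n</h2>'
SEPARATE_SPEC = ('<h2><span class="secno">7.</span> Security Considerations</h2>'
                 '<h2><span class="secno">8.</span> Privacy Considerations</h2>')
```

A combined heading is reported on its own, since splitting it already resolves both "missing" conditions.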

@jyasskin
Member

The documentation for pubrules at https://www.w3.org/pubrules/doc/rules/?profile=WD#securityAndPrivacy still says they can be a single section. The mockups that @plehegar circulated in 2021-08 still have both as a single section.

@equalsJeffH ran into the Bikeshed change at w3c/webappsec-credential-management#186, but we can't find an authoritative statement that the rule has actually changed. Where's that supposed to live?

@deniak
Member

deniak commented Jan 19, 2022

Indeed, I'm not seeing a clear statement that the paragraphs must be separated. @plehegar what's your take on this? Depending on your answer, I can take care of updating pubrules.

@samuelweiler
Member

The TAG and the PING have made that request here:
https://www.w3.org/TR/security-privacy-questionnaire/#reviews
https://www.w3.org/TR/security-privacy-questionnaire/#considerations

I have been filing issues but not blocking specs for having the sections combined, but having the tools do the check would be grand.

@plehegar
Member

There has not been a rule change. I'm fine with a warning but making it a requirement would be a different discussion.

@svgeesus
Contributor Author

If people are happy to publish documents for review on /TR and then immediately get tripped up by

then okay to close this, I guess.

@jyasskin
Member

I think the actual requirements and the documents from the horizontal review groups should be consistent. If the PING doesn't want to push its request through to the requirements, it shouldn't ask for it in the intake form.

@wseltzer
Member

wseltzer commented Jan 24, 2022

PING chairs and team don't feel that pubrules should enforce a requirement that the sections be separated.

The documentation recommends separating the sections to make it less likely that spec authors will neglect privacy-specific consideration. We encourage those starting new spec development to write separate sections, but don't insist that editors change existing specs.

@samuelweiler
Member

I think the actual requirements and the documents from the horizontal review groups should be consistent. If the PING doesn't want to push its request through to the requirements, it shouldn't ask for it in the intake form.

I appreciate the desire for consistency. As wseltzer says, we also want to minimize friction, so while we're asking existing specs to split the sections, we aren't strictly requiring it for now.

We have, however, been adding this requirement to WG charters as the groups come up for rechartering. So there is a requirement for many groups in their charters. Soon it will be all[footnote] groups.

[footnote] Except, possibly, for one WG, which is trying to be special.

@equalsJeffH

equalsJeffH commented Jan 31, 2022 via email

@jyasskin
Member

Both Respec and Bikeshed have required separate sections since about Dec 22 and Jan 7, respectively. There's not exactly a process for making those tool changes. :)
