PROPOSED Security Interest Group Charter
The mission of the Security Interest Group is to improve security on the Web by advising groups developing standards on how to avoid and mitigate security issues with their technologies. The Security Interest Group also suggests changes to existing standards and technologies to improve the security of existing systems.
This proposed charter is available on GitHub. Feel free to raise issues.
Charter Status | See the group status page and detailed change history. |
---|---|
Start date | [dd monthname yyyy] (date of the "Call for Participation", when the charter is approved) |
End date | [dd monthname yyyy] (Start date + 2 years) |
Chairs | Patrick Schaller (ETH Zurich), Denis Roio (Dyne.org), Tommaso Innocenti (Invited Expert) |
Team Contacts | Simone Onofri (0.25 FTE) |
Meeting Schedule | Teleconferences: typically 1-2 per month, or as needed. Face-to-face: we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than 3 per year. |
Motivation and Background
W3C’s mission is to make the Web work based on the principles of accessibility, internationalization, privacy, and security.
The last two principles, privacy and security, are integral to human rights and civil liberties and have always been a concern of the Consortium.
The Ethical Web Principles also contain several principles related to security, both in terms of societal impact ("The web does not cause harm to society") and in terms of people's security ("The web is secure, and respects peoples' privacy"), where the goal is to create technology that creates as few threats as possible, or mitigates those threats.
Several working groups deal with security issues, such as developing mechanisms and best practices which improve the security of Web applications, developing strong authentication functionality for Web applications, developing APIs to allow a website to request an identity credential securely, and enhancing the security and interoperability of various Web payments technologies.
Security is also a horizontal topic that often touches other groups and standards: any protocol or API can have security implications. The W3C Process mandates Wide Reviews, and these reviews are one of the Interest Group's main areas of scope.
Scope
The Security Interest Group (SING) develops and documents guidelines, patterns, processes, and best practices for addressing security issues in Web standards.
SING supports, promotes, and structures the threat modeling for web standards and technologies. This approach can be used, along with other groups, for threats of different types such as security, privacy, and harm. Threat modeling is a joint activity with groups developing technology or other documentation and threat experts. It can be used to get an understanding of the impact of the technology and guide its development, as well as to write considerations.
SING provides "horizontal review", offering groups on-request guidance on security issues and mitigations specific to their technologies. SING aims to offer this review as early in the technology development lifecycle as requested, observing that early feedback is often more helpful. SING may also seek out technologies that benefit from earlier security reviews and conduct such reviews on its initiative.
SING incubates standards work on security issues by collecting requirements, prototyping, and/or initiating the work within the IG and recommending that the W3C move the work into other groups when appropriate.
SING may recommend mitigations for security issues in existing features of the Web platform, up to and including their deprecation.
SING may provide input to the W3C Process Community Group on process changes that will improve security in Web standards, e.g., by establishing particular requirements or threat models for identifying and mitigating security issues in W3C Recommendations.
SING may recommend to the W3C Advisory Committee and the W3C TAG regarding the security impact of proposed standards.
Out of Scope
The following features are out of scope and will not be addressed by this Interest Group.
The technical development of standards is not in the scope of the Interest Group. Identified Recommendation Track opportunities will be handed over to an appropriate W3C group if such a group exists, or to a dedicated Community Group or Business Group when incubation is needed.
Deliverables
Updated document status is available on the group publication status page.
- Self-Review Questionnaire for Security and Privacy: jointly with W3C's Technical Architecture Group (TAG) and PING, with a specific focus on the security aspects.
- Threat Modeling guide: jointly with relevant groups such as TAG, PING, and the Threat Modeling Community Group, a guide that contains generic threat modeling elements to facilitate activities alongside groups creating technology, and also to understand threats of different types.
- Security Request Issue template: to facilitate the request of security reviews.
SING may publish other documents consistent with the above scope, such as analyses of security issues, prototype specifications, security principles, threat models, and guidelines for standards.
Other Deliverables
Other non-normative documents may be created such as:
- Use case and requirement documents;
- Test suite and implementation report for the specification;
- Primer or Best Practice documents to support web security when designing standards and applications.
Success Criteria
- Feedback to other W3C groups, upon request, regarding security issues in their specifications.
- Systematizing the security review of Web standards.
Coordination
For its deliverables, this Interest Group will seek a horizontal review for accessibility, internationalization, and privacy with the relevant Working and Interest Groups and with the TAG.
This Interest Group should collaborate with all the groups developing specifications to coordinate threat modeling and security review in the early phase of their development lifecycle.
W3C Groups
- Advisory Board (AB)
- This Interest Group will coordinate with the AB to improve the process for security reviews.
- Technical Architecture Group (TAG)
- This Interest Group will coordinate with the TAG for the Self-Review Questionnaire: Security and Privacy, for a Threat Model related to the Web Platform, and to harmonize and improve horizontal reviews.
- Privacy Interest Group (PING)
- This Interest Group will coordinate with PING for the Self-Review Questionnaire: Security and Privacy, for Threat Models related to Privacy and Harm, and to harmonize and improve horizontal reviews.
- Web Application Security Working Group (WebAppSec)
- This Interest Group will coordinate with WebAppSec for developing security features and mitigations, and for Threat Models related to the Web Platform.
- Threat Modeling Community Group (TMCG)
- This Interest Group will coordinate with TMCG to work on Threat Models of different types, and to create a feedback loop on the Threat Modeling guide.
- Accessible Platform Architectures (APA) Working Group
- This Interest Group will coordinate with APA to harmonize and improve horizontal reviews.
- Internationalization (i18n) Working Group
- This Interest Group will coordinate with i18n to harmonize and improve horizontal reviews.
External Organizations
W3C needs to coordinate with other security groups, alliances, and standards development organizations to improve the Web's security. The following list provides examples of organizations:
- IETF
- Coordinate with the IETF research groups and working groups, such as SecDir and CFRG, for security review activities.
- ISECOM
- Coordinate with ISECOM for security research methodologies.
- OpenJS Foundation
- Coordinate with OpenJS Foundation for JavaScript security aspects.
- OpenSSF
- Coordinate with OpenSSF for Open Source Security aspects.
- OWASP
- Coordinate with OWASP for application security requirements and testing methodologies.
Participation
To be successful, this Interest Group is expected to include security researchers, threat modeling experts, cryptographers, cryptanalysts, and active Editors for each deliverable. The Chairs and Editors are expected to contribute half of a working day per week. There is no minimum requirement for other Participants.
Participation in discussions via mailing lists and GitHub is free, as described in Communication.
Participation in reviews, deliverable development, and meetings requires joining the group. The group welcomes and encourages all participants with proven specific expertise, even if they do not represent a W3C Member. In that case, they should join as Invited Experts. Invited Experts in this group are not granted access to Member-only information.
The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.
Participants in the group are required (by the W3C Process) to follow the W3C Code of Conduct.
Communication
Technical discussions for this Interest Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. However, the meetings themselves are not open to public participation.
Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the Security Interest Group home page.
Most Security Interest Group teleconferences will focus on discussion of particular specifications and will be conducted on an as-needed basis.
This group primarily conducts its technical work on the public mailing list public-security@w3.org (archive) and on GitHub issues. The public is invited to review, discuss, and contribute to this work.
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
Decision Policy
This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 5.2.1, Consensus). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.
However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email, GitHub issue or web-based survey), with a response period of at least one week, depending on the Chairs' evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Interest Group.
All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs.
This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.
Patent Disclosures
The Interest Group provides an opportunity to share perspectives on the topic addressed by this charter. W3C reminds Interest Group participants of their obligation to comply with patent disclosure obligations as set out in Section 6 of the W3C Patent Policy. While the Interest Group does not produce Recommendation-track documents, when Interest Group participants review Recommendation-track specifications from Working Groups, the patent disclosure obligations do apply. For more information about disclosure obligations for this group, please see the licensing information.
Licensing
This Interest Group will use the W3C Software and Document license for all its deliverables.
About this Charter
This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Charter History
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):
Charter Period | Start Date | End Date | Changes |
---|---|---|---|
Initial Charter | [dd monthname yyyy] | [dd monthname yyyy] | none |
Change log
Changes to this document are documented in this section.