PROPOSED Security Interest Group Charter
The mission of the Security Interest Group is to improve Security on the Web by advising groups developing standards on how to avoid and mitigate security issues with their technologies. Security Interest Group also suggests changes to existing standards and technologies to improve the security of existing systems.
This proposed charter is available on GitHub. Feel free to raise issues.
| Charter Status | See the group status page and detailed change history. |
|---|---|
| Start date | [dd monthname yyyy] (date of the "Call for Participation", when the charter is approved) |
| End date | [dd monthname yyyy] (Start date + 2 years) |
| Chairs |
Patrick Schaller (ETH Zurich) Denis Roio (Dyne.org) Tommaso Innocenti (Invited Expert) |
| Team Contacts | Simone Onofri (0.25 FTE) |
| Meeting Schedule |
Teleconferences: typically 1-2 per month or as needed.
Face-to-face: we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than 3 per year. |
Motivation and Background
W3C’s mission includes privacy and security for the web. Both of these are integral to human rights and civil liberties and have always been of the Consortium's concern.
Also, in the Ethical Web Principles, there are several principles related to security both as a societal impact The web does not cause harm to society and in terms of people's security The web is secure, and respects peoples' privacy, where the goal is to create technology that creates as few threats as possible, or mitigates those threats
Several W3C Groups deal with Security issues, developing security technologies, and applying security in different application scenarios, as specified on the W3C Security Mission page.
Security is also a horizontal topic that often touches other groups and standards. Security can impact any protocol or API, which can have security implications. W3C Process mandates Wide Reviews, which is one of the Interest Group’s main scope.
Scope
The Security Interest Group (SING) develops and documents guidelines, patterns, processes, and best practices for addressing security issues in Web standards.
SING supports, promotes, and structures the threat modeling for web standards and technologies. This approach can be used, along with other groups, for threats of different types, such as security, privacy, and other kinds of harm. Threat modeling is a joint activity between threat experts and groups that are developing technology or other documentation. It can be used to get an understanding of the impact of the technology and guide its development, as well as to write Security Considerations sections.
SING provides "horizontal review", offering groups on-request guidance on security issues and mitigations specific to their technologies. SING aims to offer this review as early in the technology development lifecycle as requested, observing that early feedback is often more helpful. SING may also seek out technologies that benefit from earlier security reviews and conduct such reviews on its initiative.
SING identifies standardization work on security issues by collecting requirements, prototyping, and/or developing tests within the IG and recommending that the W3C move the work into other groups when appropriate.
SING may recommend mitigations for security issues in existing features of the Web platform, up to and including their deprecation.
SING may provide input on W3C Process changes that will improve security in Web standards, e.g., by establishing particular requirements or threat models for identifying and mitigating security issues in W3C Recommendations.
SING may recommend to the W3C Advisory Committee and the W3C TAG regarding the security impact of proposed standards.
Out of Scope
The following features are out of scope and will not be addressed by this Interest group.
The technical development of standards is not in the scope of the Interest Group. Identified Recommendation Track opportunities will be handed over to an appropriate W3C Working Group if such a group exists or to a Community Group or Business Group when incubation is needed.
Deliverables
Updated document status is available on the group publication status page.
- Self-Review Questionnaire for Security and Privacy
-
Jointly maintained with W3C's Technical Architecture Group (TAG) and PING, with a specific focus on Security aspect.
- A Threat Model for the Web
-
The Threat Model for the Web may include goals that have not yet been achieved across the whole web platform, but which will still be applied in reviews of new and changed specifications. This will be developed with input from other relevant groups such as the TAG, PING, WebAppSec, and the Threat Modeling Community Group.
Potential input documents:
- Threat Modeling Guide
-
Section 3 "Threat Models" of the Security and Privacy Questionnaire encourages standards developers to identify and assess various threats, mitigate them, and document them in Security and Privacy Considerations sections.
One recommended process, in addition to answering the questionnaire, is to start from a Threat Model specific to the standard, considering a range of attacks and threats. This can also be useful in identifying the need for additional activities such as formal verification or cryptoanalysis.
Since Threat Modeling is a process that originated in the security field but can be used for different threat categories, SING, in collaboration with relevant groups such as TAG, PING, and the Threat Modeling Community Group, will create a how-to guide to support standards developers in creating Threat Models. This guide will also include lists of specific threats for various areas including security and privacy.
- Security Request Issue template
-
To facilitate the request of Security Reviews.
SING may publish other documents consistent with the above scope, such as analyses of security issues, prototype specifications, security principles, threat models, and guidelines for standards.
Other Deliverables
Other non-normative documents may be created, such as:
- Use case and requirement documents.
- Primer or Best Practice documents to support web security when designing standards and applications.
Success Criteria
- Feedback to other W3C groups, upon request, regarding security issues in their specifications.
- Systematizing the security review of Web standards.
Coordination
For its deliverables, this Interest Group will seek a horizontal review for accessibility, internationalization, and privacy with the relevant Working and Interest Groups and with the TAG.
This Interest Group should collaborate with all the groups developing specifications to coordinate threat modeling and security review in the early phase of their development lifecycle.
W3C Groups
- Technical Architecture Group (TAG)
- This Interest Group will collaborate with the TAG for the Self-Review Questionnaire: Security and Privacy, for a Threat Model related the Web Platform, and to harmonize and improve horizontal reviews.
- Privacy Interest Group (PING)
- This Interest Group will collaborate with PING for the Self-Review Questionnaire: Security and Privacy, for Threat Models related to Privacy and Harm, and to harmonize and improve horizontal reviews.
- Web Application Security Working Group (WebAppSec)
- This Interest Group will coordinate with WebAppSec for developing security features and mitigations, and for Threat Models related to the Web Platform.
- Threat Modeling Community Group (TMCG)
- This Interest Group will coordinate with TMCG to work on Threat Models of different types, and creating a feedback loop on the Threat Modeling guide,
- Security Web Application Guidelines Community Group (SWAG)
- This Interest Group will coordinate with SWAG to understand web developers' needs.
- Accessible Platform Architectures (APA) Working Group
- This Interest Group will coordinate with APA to harmonize and improve horizontal reviews.
- Internationalization (i18n) Working Group
- This Interest Group will coordinate with i18n to harmonize and improve horizontal reviews.
External Organizations
W3C needs to coordinate with other security groups, alliances, and standards development organizations to improve the Web's security. The following list provides examples of organizations:
- IETF
- Coordinate with the IETF research groups and working groups, such as SecDir and CFRG, for security review activities.
- ISECOM
- Coordinate with ISECOM for security research methodologies.
- TC39-TG3
- Coordinate with TC39-TG3 on ECMAScript® (JavaScript™) security model aspects.
- OpenJS Foundation
- Coordinate with OpenJS Foundation for JavaScript security aspects.
- OpenSSF
- Coordinate with OpenSSF for Open Source Security aspects.
- OWASP
- Coordinate with OWASP for application security requirements and testing methodologies.
Participation
To be successful, this Interest Group is expected to include Security Researchers, Threat Modeling experts, Cryptographers, Cryptoanalysts, and active Editors for each deliverable. The Chairs and Editors are expected to contribute half of a working day per week. There is no minimum requirement for other Participants.
Participation in discussions via mailing lists and GitHub is free, as described in Communication.
Participation in reviews, deliverable development, and meetings requires joining the group. The group welcomes and encourages all participants with proven specific expertise, even if they do not represent a W3C Member. In that case, they should join as Invited Experts. Invited Experts in this group are not granted access to Member-only information.
When a participant of this Interest Group contributes to a technical submission reviewing or marking comments on deliverables by other groups, they must agree to the terms of the W3C Patent Policy and License Grants from Non-Participants.
Participants in the group are required (by the W3C Process) to follow the W3C Code of Conduct.
Communication
Technical discussions for this Interest Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. However, the meetings themselves are not open to public participation.
Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the Security Interest Group home page.
Most Security Interest Group teleconferences will focus on discussion of particular specifications and will be conducted on an as-needed basis.
This group primarily conducts its technical work: on the public mailing list public-security@w3.org (archive) on GitHub issues. The public is invited to review, discuss, and contribute to this work.
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
Decision Policy
This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 5.2.1, Consensus). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.
However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email, GitHub issue or web-based survey), with a response period from one week, depending on the chair's evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Interest Group.
All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs.
This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.
Patent Disclosures
The Interest Group provides an opportunity to share perspectives on the topic addressed by this charter. W3C reminds Interest Group participants of their obligation to comply with patent disclosure obligations as set out in Section 6 of the W3C Patent Policy. While the Interest Group does not produce Recommendation-track documents, when Interest Group participants review Recommendation-track specifications from Working Groups, the patent disclosure obligations do apply. For more information about disclosure obligations for this group, please see the licensing information.
Licensing
This Interest Group will use the W3C Software and Document license for all its deliverables.
About this Charter
This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Charter History
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):
| Charter Period | Start Date | End Date | Changes |
|---|---|---|---|
| Initial Charter | [dd monthname yyyy] | [dd monthname yyyy] | none |
Change log
Changes to this document are documented in this section.