PROPOSED Security Interest Group Charter

The mission of the Security Interest Group is to improve security on the Web by advising groups developing standards on how to avoid and mitigate security issues in their technologies. The Security Interest Group also suggests changes to existing standards and technologies to improve the security of existing systems.


This proposed charter is available on GitHub. Feel free to raise issues.

Charter Status: See the group status page and detailed change history.
Start date: [dd monthname yyyy] (date of the "Call for Participation", when the charter is approved)
End date: [dd monthname yyyy] (Start date + 2 years)
Chairs: [chair name] (affiliation)
Team Contacts: Simone Onofri (0.25 FTE)
Meeting Schedule: Teleconferences: typically 1-2 per month, or as needed.
Face-to-face: we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than 3 per year.

Note: The W3C Process Document requires “The level of confidentiality of the group's proceedings and deliverables”; however, it does not mandate where this appears. Since all W3C Working Groups should be chartered as public, this notice has been moved from the essentials table to the communication section.

Motivation and Background

The W3C’s mission is to make the Web work based on the principles of accessibility, internationalization, privacy, and security.

The last two principles, Privacy and Security, are integral to human rights and civil liberties and have always been a concern of the Consortium.

The Ethical Web Principles also contain several principles related to security, both in terms of societal impact ("The web does not cause harm to society") and in terms of people's security ("The web is secure, and respects people's privacy"), where the goal is to create technology that creates as few threats as possible, or mitigates those threats.

Several working groups deal with security issues, for example by developing mechanisms and best practices that improve the security of Web Applications, developing strong authentication functionality for Web Applications, and enhancing the security and interoperability of various Web payments technologies.

Security is also a horizontal topic that often touches other groups and standards: any protocol or API can have security implications. The W3C Process mandates wide review, and providing such review is one of the Interest Group's main areas of scope.

Scope

The Security Interest Group (SING) develops and documents guidelines, patterns, processes, and best practices for addressing security considerations in Web standards.

SING provides "horizontal review" - offering groups developing web standards on-request guidance on security issues and mitigations specific to their technologies. SING aims to offer this review as early in the technology development lifecycle as requested, observing that early feedback is often more helpful. SING may also seek out technologies that benefit from earlier security reviews and conduct such reviews on its initiative.

SING incubates standards work on security issues by collecting requirements, prototyping, and/or initiating the work within the IG and recommending that the W3C move the work into other groups when appropriate.

SING may recommend mitigations for security issues in existing features of the Web platform, up to and including their deprecation.

SING may provide input to the W3C Process Community Group on process changes that will improve security in Web standards, e.g., by establishing particular requirements for identifying and mitigating security issues in W3C Recommendations.

SING may make recommendations to the W3C Advisory Committee and the W3C TAG regarding the security impact of proposed standards.

Out of Scope

The following features are out of scope, and will not be addressed by this Interest Group.

The technical development of standards is not in the scope of the Interest Group. Identified Recommendation Track opportunities will be handed over to the appropriate W3C group if such a group exists, or to a dedicated Community Group or Business Group when incubation is needed.

Deliverables

Updated document status is available on the group publication status page.

In conjunction with W3C's Technical Architecture Group (TAG) and PING, SING maintains a Self-Review Questionnaire for Security and Privacy.

SING may publish other documents consistent with the above scope, such as analyses of security issues, prototype specifications, and guidelines for user interface design and future standards.

Other Deliverables

Other non-normative documents may be created such as:

Success Criteria

Coordination

SING will seek a horizontal review of its deliverables for accessibility, internationalization, performance, and privacy with the relevant Working and Interest Groups and with the TAG.

SING should collaborate with the WICG and TAG to coordinate security review of specifications early in their development lifecycle.

External Organizations

W3C needs to coordinate with other security groups, alliances, and standards development organizations to improve the Web's security. The following list provides examples of organizations:

IETF
OpenSSF
OWASP
OpenJS Foundation
ISECOM
...

Participation

Participation in SING is open to the public. Participants who do not represent a W3C Member should join as Invited Experts. Invited Experts in this group are not granted access to Member-only information.

The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.

The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.

Participants in the group are required (by the W3C Process) to follow the W3C Code of Conduct.

Communication

Technical discussions for this Interest Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, however.

Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the Security Interest Group home page.

Most Security Interest Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis.

This group primarily conducts its technical work pick one, or both, as appropriate: on the public mailing list public-[email-list]@w3.org (archive) or on GitHub issues. The public is invited to review, discuss and contribute to this work.

The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.

Decision Policy

This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 5.2.1, Consensus). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.

However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.

To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email, GitHub issue or web-based survey), with a response period from [pick a duration within:] one week to 10 working days, depending on the chair's evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Interest Group.

All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs.

This charter is written in accordance with the W3C Process Document (Section 5.2.3, Deciding by Vote) and includes no voting procedures beyond what the Process Document requires.

Patent Disclosures

The Interest Group provides an opportunity to share perspectives on the topic addressed by this charter. W3C reminds Interest Group participants of their obligation to comply with patent disclosure obligations as set out in Section 6 of the W3C Patent Policy. While the Interest Group does not produce Recommendation-track documents, when Interest Group participants review Recommendation-track specifications from Working Groups, the patent disclosure obligations do apply. For more information about disclosure obligations for this group, please see the licensing information.

Licensing

This Interest Group will use the W3C Software and Document license for all its deliverables.

About this Charter

This charter has been created according to section 3.4 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.

Charter History

Note: Display this table and update it when appropriate. Requirements for charter extension history are documented in the Charter Guidebook (section 4).

The following table lists details of all changes from the initial charter, per the W3C Process Document (section 4.3, Advisory Committee Review of a Charter):

Charter Period     | Start Date          | End Date            | Changes
Initial Charter    | [dd monthname yyyy] | [dd monthname yyyy] | none
Charter Extension  | [dd monthname yyyy] | [dd monthname yyyy] | none
Rechartered        | [dd monthname yyyy] | [dd monthname yyyy] | [description of change to charter, with link to new deliverable item in charter]

Note: use the class new for all new deliverables, for ease of recognition.

Change log

Changes to this document are documented in this section.