New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expand security privacy considerations, emphasize minimum viable features #4

Merged
merged 2 commits into from Mar 19, 2015

Conversation

Projects
None yet
3 participants
@tantek
Contributor

tantek commented Mar 10, 2015

I've tried to expand security and privacy considerations according to the question I initially posed about doing what we can to reduce overall security surface, of WebAPIs, and the web platform in general. Have posted a blog post on this as well at http://tantek.com/2015/068/b1/security-towards-minimum-viable-web-platform

tantek added some commits Mar 10, 2015

Expand security and privacy considerations
I've tried to expand security and privacy considerations according to the question I initially posed about doing what we can to reduce overall security surface, of WebAPIs, and the web platform in general. Have scheduled a blog post for later tonight on this as well (previewable at http://tantek.com/2015/068/b1/security-towards-minimum-viable-web-platform )
then say so inline in the spec section for that feature:
<blockquote>
There are no known security or privacy impacts of this feature.

This comment has been minimized.

@marcoscaceres

marcoscaceres Mar 10, 2015

Contributor

Scary. I've never encountered such a feature.

Ideally this is one of many motivations to reduce each of those to the minimum viable:
<ol>
<li>
Minimum viable feature:

This comment has been minimized.

@marcoscaceres

marcoscaceres Mar 10, 2015

Contributor

Maybe convert this to a definition list (dl) with corresponding dts and dds?

@marcoscaceres

This comment has been minimized.

Contributor

marcoscaceres commented Mar 10, 2015

I'm sympathetic to specifying minimal viable features (not only for privacy and security reasons, but also because it aligns firmly with the principles of the extensible web manifesto). However, the above should provide more guidance on how to continue to evolve features of the platform.

It's pretty well understood, IMO, by the community that adding anything to the platform adds exponential complexity to maintenance, security, privacy, interoperability, etc. as those features interact with the rest of the platform.

@tantek

This comment has been minimized.

Contributor

tantek commented Mar 14, 2015

@marcoscaceres IMO "how to continue to evolve features of the platform" is out of scope for a document on security. I mention minimizing because that directly impacts reducing the security attack surface.

And I have to completely disagree with your second paragraph "It's pretty well understood, IMO, by the community... " - IMO the opposite is true. The community as a whole developing Web APIs (perhaps even the open web platform as a whole) is more often than not overdoing it with needless complexity and featuritis, apparently sacrificing maintenance, security, privacy, interoperability. This is why I am ringing the alarm bell on this one.

@mikewest

This comment has been minimized.

Owner

mikewest commented Mar 19, 2015

(Sorry! I remember we emailed about this, and then I got distracted, and never came back to this PR. My apologies; I appreciate the work you've done, and will try to be more responsive going forward.)

I think I agree with the core sentiment you're expressing in this PR: guilty until proven innocent is a reasonable approach to use when considering new platform features. I'm not sure I agree that this document is the right place to espouse the viewpoint that the platform should err towards minimum viable, but until there's a better document for that sentiment, expressing it here in some form is pretty reasonable.

mikewest added a commit that referenced this pull request Mar 19, 2015

Merge pull request #4 from tantek/patch-1
Expand security privacy considerations, emphasize minimum viable features

@mikewest mikewest merged commit 0b982d1 into mikewest:master Mar 19, 2015

@tantek

This comment has been minimized.

Contributor

tantek commented Mar 23, 2015

Thanks @mikewest! I appreciate the "until there's a better document" methodology and at least capturing the thinking in some form. I didn't bother with updating the (presumably Bikeshed?) generated index.html, assuming you might be merging other patches and it would be better to leave updating of that to you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment