[wg/webtransport] WebTransport Working Group rechartering

[plehegar]

New charter proposal, reviewers please take note.

Charter Review

Charter:

What kind of charter is this? Check the relevant box / remove irrelevant branches.

• Existing

• Existing WG recharter

• diff from previous charter,
• issue discussion

Horizontal Reviews: apply the Github label "Horizontal review requested" to request reviews for accessibility (a11y), internationalization (i18n), privacy, and security. Also add a "card" for this issue to the Strategy Funnel.

Communities suggested for outreach:
none?

Known or potential areas of concern:
none?

Where would charter proponents like to see issues raised? (this strategy funnel issue, a different github repo, email, ...)

w3c/charter-drafts

Anything else we should think about as we review?

Nope?

[plehegar]

Advance notice:
https://lists.w3.org/Archives/Public/public-new-work/2024Jan/0005.html

[ylafon]

Finalised charter and exit criteria, updated to latest template.

[ruoxiran]

no comments or requests from APA.

[himorin]

no comment or request from i18n

[plehegar]

no comment or request from PING

[simoneonofri]

Hi, at the Security level I review, there is Security Section in both the W3C and IETF drafts.

Since it's a communication protocol, it might be appropriate to create a Threat Model by applying RFC 3552 on the two layers, as well as making a structured reasoning about "Abuse Cases" (as it was indicated that it could be used to do Internal Discovery), structuring even better the work already done and adding further analysis.

[ylafon]

Hi, at the Security level I review, there is Security Section in both the W3C and IETF drafts.

Since it's a communication protocol, it might be appropriate to create a Threat Model by applying RFC 3552 on the two layers, as well as making a structured reasoning about "Abuse Cases" (as it was indicated that it could be used to do Internal Discovery), structuring even better the work already done and adding further analysis.

The communication protocol is worked on at IETF, not here. Do you want to have the Threat Model in the charter as a deliverable, or just part of the horizontal review for the specification when it targets CR? The latter makes more sense, and having a template and/or an explainer would be great, to guide WGs.

[simoneonofri]

The communication protocol is worked on at IETF, not here. Do you want to have the Threat Model in the charter as a deliverable, or just part of the horizontal review for the specification when it targets CR?

I still don't have a strong opinion about including the full Threat Model in the specs or only part of its output (the Security Considerations), but in general, I think that we need to have the whole Threat Model somewhere (the model itself, the scope, the assumptions, threats, and mitigation) and in general Threat Models are live documents (e.g. if the spec is stable, threats can change).

In general, Threat Modeling should be done as soon as possible (e.g., starting with the explainer, which already contains the security and consideration sections) and not only during the review (of course, for specs already in CR state, it is probably already late). This is also a suggestion by Browsers/Specs Developers (at the horizontal review, it is generally too late).

The latter makes more sense, and having a template and/or an explainer would be great, to guide WGs.

I am doing some experiments on how to do threat modeling on the specs, starting with Decentralised Identities (although then the specs are only for the Digital Credentials API), so in that case, it will be a separate deliverable.
To prepare a guide and do some Threat Modeling together with the WGs:

• I proposed a Breakout session at TPAC and maybe from there we can start writing down some points.
• Created a Threat Modeling CG (is a CG so as to have a wider participation) at the moment we have security experts here.
• Decentalized Identity Threat Model contains a methodology section on how to to and can be an example (of course it is a work in progress).

[plehegar]

At this point, I would drop the coordination with the W3C HTML Working Group. We have the WHATWG listed in the external coordination.

[ylafon]

AC Review started. Public announcement

[lu-zero]

The Web of Things IG/WG is also interested in coordinating with WebTransport.