Merge pull request #612 from w3c/simoneonofri-patch-12
[ig/security] QA and reference to Groups dealing with Security
simoneonofri authored Oct 29, 2024
2 parents f974b83 + ca16901 commit 0d4fbcf
Showing 1 changed file with 14 additions and 15 deletions.
29 changes: 14 additions & 15 deletions 2024/ig-security.html
Expand Up @@ -138,7 +138,7 @@ <h1 id="title">PROPOSED Security Interest Group Charter</h1>
Meeting Schedule
</th>
<td>
<strong>Teleconferences:</strong> typically 1-2 per month, or as needed.
<strong>Teleconferences:</strong> typically 1-2 per month or as needed.
<br>
<strong>Face-to-face:</strong> we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than 3 per year.
</td>
Expand All @@ -151,14 +151,14 @@ <h2>Motivation and Background</h2>
<p>W3C’s <a href="https://www.w3.org/mission/">mission</a> includes privacy and security for the web.
Both of these are integral to <a href="https://www.un.org/en/about-us/universal-declaration-of-human-rights" title="Article 3: Everyone has the right to life, liberty and security of person.">human rights</a> and <a href="https://www.ohchr.org/en/instruments-mechanisms/instruments/international-covenant-civil-and-political-rights" title="Article 9: Everyone has the right to liberty and security of person">civil liberties</a> and have always been of the Consortium's concern.</p>
<p>Also, in the <a href="https://www.w3.org/TR/ethical-web-principles/">Ethical Web Principles</a>, there are several principles related to security both as a societal impact <a href="https://www.w3.org/TR/ethical-web-principles/#noharm">The web does not cause harm to society</a> and in terms of people's security <a href="https://www.w3.org/TR/ethical-web-principles/#privacy">The web is secure, and respects peoples' privacy</a>, where the goal is to create technology that creates as few threats as possible, or mitigates those threats</p>
<p>Several working groups deal with security issues, such as <a href="https://www.w3.org/groups/wg/webappsec/">developing mechanisms and best practices which improve the security of Web Applications</a>, <a href="https://www.w3.org/groups/wg/webauthn/">developing strong authentication functionality for Web Applications</a>, <a href="https://www.w3.org/groups/wg/fedid/">developing APIs to allow a website to request an identity credential securely</a>, and <a href="https://www.w3.org/groups/ig/securepay/">enhancing the security and interoperability of various Web payments technologies</a>.</p>
<p>Several W3C Groups deal with Security issues, developing security technologies, and applying security in different application scenarios, as specified on the <a href="https://www.w3.org/mission/security/">W3C Security Mission page</a>.</p>
<p>Security is also a horizontal topic that often touches other groups and standards. Security can impact any protocol or API, which can have security implications. W3C Process mandates <a href="https://www.w3.org/policies/process/#wide-review">Wide Reviews</a>, which is one of the Interest Group’s main scope.</p>
</div>

<section id="scope" class="scope">
<h2>Scope</h2>
<p>The Security Interest Group (SING) develops and documents guidelines, patterns, processes, and best practices for addressing security issues in Web standards.</p>
<p>SING supports, promotes, and structures the threat modeling for web standards and technologies. This approach can be used, along with other groups, for threats of different types such as security, privacy, and other kinds of harm. Threat modeling is a joint activity with threat experts and groups developing technology or other documentation. It can be used to get an understanding of the impact of the technology and guide its development, as well as to write Security Considerations sections.</p>
<p>SING supports, promotes, and structures the threat modeling for web standards and technologies. This approach can be used, along with other groups, for threats of different types, such as security, privacy, and other kinds of harm. Threat modeling is a joint activity between threat experts and groups that is developing technology or other documentation. It can be used to get an understanding of the impact of the technology and guide its development, as well as to write Security Considerations sections.</p>
<p>SING provides "<a href="https://www.w3.org/Guide/documentreview/">horizontal review</a>", offering groups on-request guidance on security issues and mitigations specific to their technologies. SING aims to offer this review as early in the technology development lifecycle as requested, observing that early feedback is often more helpful. SING may also seek out technologies that benefit from earlier security reviews and conduct such reviews on its initiative.</p>
<p>SING identifies standardization work on security issues by collecting requirements, prototyping, and/or developing tests within the IG and recommending that the W3C move the work into other groups when appropriate.</p>
<p>SING may recommend mitigations for security issues in existing features of the Web platform, up to and including their deprecation.</p>
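Review bot: the rewritten threat-modeling sentence introduces a subject-verb agreement error: "groups that is developing technology or other documentation" should read "groups that are developing technology or other documentation" (or simply "groups developing technology"). Separately, replacing the paragraph that linked WebAppSec, WebAuthn, FedID and Secure Payments with a single pointer to the Security Mission page removes the only concrete examples from this section; since that page is maintained independently of the charter, consider keeping one or two named examples so the paragraph still reads sensibly if the mission page is reorganised. The unchanged line that follows still says "one of the Interest Group's main scope", which should be "main scopes" or "a core part of the Interest Group's scope".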
Expand Down Expand Up @@ -216,8 +216,7 @@ <h2>
</p>
</dd>
</dl>
<p>SING may publish other documents consistent with the above scope, such as analyses of security issues, prototype specifications, security principles, threat models, and guidelines for standards.</p>

<p>SING may publish other documents consistent with the above scope, such as analyses of security issues, prototype specifications, security principles, threat models, and guidelines for standards.</p>
</section>

<section id="ig-other-deliverables">
Expand All @@ -240,19 +239,19 @@ <h2>Success Criteria</h2>
<li>Systematizing the security review of Web standards.</li>
</ul>
</section>
<section id="coordination">
<h2>Coordination</h2>
<p>For its deliverables, this Interest Group will seek a horizontal review for accessibility, internationalization, and privacy with the relevant Working and Interest Groups and with the TAG.</p>
<p>This Interest Group should collaborate with all the groups developing specifications to coordinate threat modeling and security review in the early phase of their development lifecycle.</p>
<section>
<section id="coordination">
<h2>Coordination</h2>
<p>For its deliverables, this Interest Group will seek a horizontal review for accessibility, internationalization, and privacy with the relevant Working and Interest Groups and with the TAG.</p>
<p>This Interest Group should collaborate with all the groups developing specifications to coordinate threat modeling and security review in the early phase of their development lifecycle.</p>
<section>
<h3 id="w3c-coordination">W3C Groups</h3>
<dl>
<dt><a href="https://www.w3.org/groups/other/tag/">Technical Architecture Group (TAG)</a></dt><dd>This Interest Group will collaborate with the TAG for the Self-Review Questionnaire: Security and Privacy, for a Threat Model related the Web Platform, and to harmonize and improve horizontal reviews.</dd>
<dt><a href="https://www.w3.org/groups/ig/privacy/">Privacy Interest Group (PING)</a></dt><dd>This Interest Group will collaborate with PING for the Self-Review Questionnaire: Security and Privacy, for Threat Models related to Privacy and Harm, and to harmonize and improve horizontal reviews.</dd>
<dt><a href="https://www.w3.org/groups/wg/webappsec/">Web Application Security Working Group (WebAppSec)</a></dt><dd>This Interest Group will coordinate with WebAppSec for developing security features and mitigations, and for Threat Models related to the Web Platform.</dd>
<dt><a href="https://www.w3.org/community/tmcg/">Threat Modeling Community Group (TMCG)</a></dt><dd>This Interest Group will coordinate with TMCG to work on Threat Models of different types, and creating a feedback loop on the Threat Modeling guide,</dd>
<dt><a href="https://www.w3.org/community/swag/">Security Web Application Guidelines Community Group (SWAG)</a></dt><dd>This Interest Group will coordinate with SWAG to understand web developers' needs.</dd>
<dt><a href="https://www.w3.org/groups/wg/apa/">Accessible Platform Architectures (APA) Working Group</a></dt><dd>This Interest Group will coordinate with APA to harmonize and improve horizontal reviews.</dd>
<dt><a href="https://www.w3.org/groups/wg/apa/">Accessible Platform Architectures (APA) Working Group</a></dt><dd>This Interest Group will coordinate with APA to harmonize and improve horizontal reviews.</dd>
<dt><a href="https://www.w3.org/groups/wg/i18n-core/">Internationalization (i18n) Working Group</a></dt><dd>This Interest Group will coordinate with i18n to harmonize and improve horizontal reviews.</dd>
</dl>
</section>
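Review bot: the Coordination block and the APA entry are identical before and after, so this hunk appears to be an indentation-only change; while the section is being touched, the TMCG entry ends with a trailing comma ("feedback loop on the Threat Modeling guide,") and should end with a period, and "to work on Threat Models of different types, and creating a feedback loop" should be made parallel ("and to create a feedback loop"). The TAG entry is also missing a preposition: "a Threat Model related the Web Platform" should be "related to the Web Platform".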
Expand All @@ -262,7 +261,7 @@ <h3 id="external-coordination">External Organizations</h3>
<dl>
<dt><a href="https://www.ietf.org">IETF</a></dt><dd>Coordinate with the IETF research groups and working groups, such as SecDir and CFRG, for security review activities. </dd>
<dt><a href="https://isecom.org">ISECOM</a></dt><dd>Coordinate with ISECOM for security research methodologies.</dd>
<dt><a href="https://ecma-international.org/task-groups/tc39-tg3/">TC39-TG3</a></dt><dd>Coordinate with TC39-TG3 on ECMAScript® (JavaScript™) security model aspects.</dd>
<dt><a href="https://ecma-international.org/task-groups/tc39-tg3/">TC39-TG3</a></dt><dd>Coordinate with TC39-TG3 on ECMAScript® (JavaScript™) security model aspects.</dd>
<dt><a href="https://openjsf.org">OpenJS Foundation</a></dt><dd>Coordinate with OpenJS Foundation for JavaScript security aspects.</dd>
<dt><a href="https://openssf.org">OpenSSF</a></dt><dd>Coordinate with OpenSSF for Open Source Security aspects.</dd>
<dt><a href="https://owasp.org">OWASP</a></dt><dd>Coordinate with OWASP for application security requirements and testing methodologies.</dd>
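Review bot: the TC39-TG3 entry is identical before and after, so this is a whitespace-only change. In the unchanged IETF entry, SecDir is the IETF Security Area Directorate rather than a research or working group; "research groups and working groups, such as SecDir and CFRG" would be more accurate as "the Security Area Directorate (SecDir) and research groups such as the IRTF's CFRG", and the stray space before the closing </dd> can be dropped.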
Expand All @@ -276,9 +275,9 @@ <h2 id="participation">
</h2>

<p>To be successful, this Interest Group is expected to include Security Researchers, Threat Modeling experts, Cryptographers, Cryptoanalysts, and active Editors for each deliverable. The Chairs and Editors are expected to contribute half of a working day per week. There is no minimum requirement for other Participants.</p>
<p>Participation in discussions via mailing lists and GitHub is free, as described in <a href="#communication">Communication</a>.</p>
<p>Participation in reviews, deliverable development, and meetings requires joining the group. The group welcomes and encourages all participants with proven specific expertise, even if they do not represent a W3C Member. In that case, they should join as <a href="https://www.w3.org/invited-experts/">Invited Experts</a>. Invited Experts in this group are not granted access to Member-only information.</p>
<p>When a participant of this Interest Group contributes to a technical submission reviewing or marking comments on deliverables by other groups, they must agree to the terms of the <a href="https://www.w3.org/policies/patent-policy/">W3C Patent Policy</a> and <a href="https://www.w3.org/policies/process/#contributor-license">License Grants from Non-Participants</a>.</p>
<p>Participation in discussions via mailing lists and GitHub is free, as described in <a href="#communication">Communication</a>.</p>
<p>Participation in reviews, deliverable development, and meetings requires joining the group. The group welcomes and encourages all participants with proven specific expertise, even if they do not represent a W3C Member. In that case, they should join as <a href="https://www.w3.org/invited-experts/">Invited Experts</a>. Invited Experts in this group are not granted access to Member-only information.</p>
<p>When a participant of this Interest Group contributes to a technical submission reviewing or marking comments on deliverables by other groups, they must agree to the terms of the <a href="https://www.w3.org/policies/patent-policy/">W3C Patent Policy</a> and <a href="https://www.w3.org/policies/process/#contributor-license">License Grants from Non-Participants</a>.</p>
<p>Participants in the group are required (by the <a href="https://www.w3.org/policies/process/#ParticipationCriteria">W3C Process</a>) to follow the W3C <a href="https://www.w3.org/policies/code-of-conduct/">Code of Conduct</a>.</p>
</section>
<section id="communication">
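Review bot: the three Participation paragraphs are identical before and after, so this is a whitespace-only change. In the context line above, "Cryptoanalysts" is a non-standard spelling; the usual form is "Cryptanalysts". The sentence "contributes to a technical submission reviewing or marking comments on deliverables by other groups" is hard to parse; consider "contributes a technical submission, review, or comment on another group's deliverable".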