Here are the comments I have so far on this charter, based on the
thread. I'd note that this is a relatively large set of demands to make
in the charter review stage at the AC, especially for a recharter of a
WG that we're involved in. So it may come across to W3C staff as
somewhat demanding.
I'm particularly interested in review of point (3) in what I've written;
I feel that the argument I've written so far is weak, I think because I
don't particularly understand the concerns about the powerfulfeatures
draft.
I also haven't included anything about Brian's objection to the
suborigin namespaces work because I don't understand the objection, and
I don't see how to extract any actionable charter feedback directly from
Brian's message. (Or is it that the deliverable should be removed from
the charter? If so, I could use an explanation as to why.)
In any case, here's the feedback I have so far. Comments are
welcome through roughly 5pm California time on Friday --
particularly actionable ones that suggest how to revise this
feedback or at least say how the charter should be different!
(Sorry for not getting this gathered together sooner.)
-David
There are a number of problematic aspects to this charter to which
we object:
(1) The "Confinement with Origin Web Labels" deliverable is described
in a way that makes it unclear what the deliverable would do. It
should be clearer. Furthermore, the lack of clarity means we
couldn't evaluate whether we are comfortable with it being in the
charter.
(2) The "Entry Point Regulation for Web Applications" deliverable seems
to have serious risks of breaking the ability to link. It's not
clear that the security benefits of this specification outweigh the
risks to the abilities of Web users.
(3) In the scope section, the item "Application awareness of powerful
features which may require explicit user permission to enable."
It's not clear whether this part of the scope is intended to
allow
https://w3c.github.io/permissions/ to be a document in the
working group (which may be comfortable with, although some of us
have serious concerns about whether it is actually workable), or
whether it's intended to put
https://w3c.github.io/webappsec/specs/powerfulfeatures/ in the scope
of the working group, which we believe should not be, because we
don't believe the WebAppSec WG should be in the role of policing the
specifications of other groups (which is not the role it has
historically held), and we believe that in general specifications
about how to write other specifications have not been successful,
particularly if they attempt to have any mandatory status.
At a minimum, it would be good to rephrase this item so that it
doesn't use the term "powerful features". It would probably be
preferable to explicitly state that work like the powerfulfeatures
draft is not in the scope of the working group.
(4) We believe the charter should have provision for asynchronous
decision making, perhaps as in
http://www.w3.org/2012/webapps/charter/#decisions .