
clarify IETF liaison #52

Closed
samuelweiler opened this issue Jan 27, 2022 · 9 comments · Fixed by #80

@samuelweiler
Member

Internet Engineering Task Force Security Area Directorate - To coordinate broad horizontal reviews on the output of the Working Group among the security working groups at IETF.

That's not what IETF's SecDir does. If you can clarify a bit more about what you're wanting from the IETF, I might be able to steer you.

Who, specifically, does the WG envision doing IETF outreach? (This does not need to be in the charter, but it could again help clarify what outreach you're intending.)

[I wonder if we should be asking more about who's going to do each of the liaison things listed in a charter, if only as a way to validate that we really intend to do them. But that's not an issue for today.]

@iherman
Member

iherman commented Jan 28, 2022

Cc @msporny as far as I remember, this reference came from you...

@selfissued

It's not clear to me that we need an IETF liaison relationship in this working group. I agree with Sam's comment "That's not what IETF's SecDir does." (The SecDir performs security reviews for IETF and IRTF specs during IETF Last Call.)

Unless there's something specific we want from the IETF, we should close this issue with no action.

@kdenhartog
Member

I believe the reasoning was for the same reason that @mnot believed it would be useful in the DID Working Group, and so I think @msporny believes the same line of reasoning would apply to the VC Data Model and the normative cryptosuites.

w3c/did-core#768

@mnot
Member

mnot commented Feb 15, 2022

I suggested that the SecDir might be willing to perform an external review of DID. Writing it into the charter presumes that those resources will be available -- so if this does go in I'd check with them first. Happy to help facilitate that (although I agree that leaving it out is probably the best path forward; you can always request an external review without it being in the charter).

@msporny
Member

msporny commented Feb 15, 2022

@iherman wrote:

@msporny as far as I remember, this reference came from you...

Yes, I was channeling what a few W3C AC Members had (generally) communicated to me privately, @mnot being one of those people. In general, the feedback was "If you're going to work on data models that express the inputs to or outputs from IETF cryptography standards, you need to make sure the SecDir and CFRG are apprised of your progress and have the chance to mention this to other IETF WGs that might be interested as well as review the specifications as they go from FPWD->REC... DO NOT wait until the end to do this, do this from the start of the WG's re-charter."

Similarly, over the years, the work has been persistently criticized for not having "real cryptographers" involved, and when I've gone and asked "real cryptographers", they've been puzzled as to why they need to be involved in data models that express cryptographic inputs/outputs (since we're not working on any cryptographic primitives or algorithms in the VCWG).

In any case, I am willing to be the liaison between SecDir, CFRG, and the VCWG (if no one else steps forward). I'm happy to work with @mnot to ensure that there is communication at least every 3-6 months on the type of information sharing and feedback we're looking for from SecDir and CFRG.

I do agree with @mnot that we should probably give them a heads-up on what we're planning to do (involve them in whatever capacity SecDir and CFRG are able to be involved).

Specifically, here's what I think we're looking for:

  • SecDir
    • Emails every 3-6 months noting what specs in VCWG would benefit from a review by "relevant security experts" in SecDir. Individuals in SecDir then decide if they should forward those status update/review emails on to specific WGs (or if it's worth their time to engage).
  • CFRG
    • Notifications on items of interest to the VCWG, namely pairing-based cryptography related to the BBS+ cryptosuite expected to happen at IETF and JWP.
    • General requests for review wrt. design of other cryptosuites listed in the VCWG charter (e.g., are we packaging IETF standards in a way that is acceptable to the CFRG?)

@msporny
Member

msporny commented Feb 15, 2022

As an example, here's a security review that SRI International did on the cryptography used in Verifiable Credentials and Decentralized Identifier ecosystem:

https://w3c-ccg.github.io/meetings/2022-02-15/#topic-3

Raw video of the whole presentation starts at 22 minutes in:

https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2022-02-15.mp4

Report available under an open license, here:

https://lists.w3.org/Archives/Public/public-credentials/2022Jan/att-0209/SRI-Cryptography_Review_and_Recommendation_for_W3C_VCDM_and_W3C_DID_Implementation.pdf

It's engagement on that sort of stuff that we're looking for from SecDir and CFRG.

@brentzundel
Member

@msporny in your opinion are there changes to the charter text that should be made to address this issue?

@samuelweiler if the conversation thus far has addressed your concerns, please let us know so that we can close the issue.
If there are changes to the charter that you feel are necessary, please give us some additional feedback so that those changes can be proposed.

@samuelweiler
Member Author

Thank you for the lovely discussion of what you're looking for. @msporny , thank you for offering to do the work.

I propose that SAAG is a better fit than SecDir (though it could go either way) and the text should change to:

  • The Internet Engineering Task Force's Security Area Advisory Group (SAAG)
  • The Internet Research Task Force's Crypto Forum Research Group (CFRG)

with no specifics re: "horizontal review".

@brentzundel
Member

@samuelweiler I have opened PR #80 with your changes. Please let me know if it addresses this issue to your satisfaction.
