[charter] Threat Modeling CG Charter First Draft
It is good to have a Charter to get things done, and as suggested by @jyasskin, it can be useful for enabling participation.

Feel free to review and PR. It's just the first draft.

[cc'ing @jaromil @andrea-dintino]
simoneonofri authored Aug 27, 2024
1 parent 4c8dd0b commit bc264ab
Showing 1 changed file with 276 additions and 0 deletions.
276 changes: 276 additions & 0 deletions charters/threat-modeling-cg.html
@@ -0,0 +1,276 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>
Threat Modeling Community Group Charter
</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<link rel="stylesheet" href="//www.w3.org/StyleSheets/TR/base">
<style>
body {
max-width: 60em;
margin: auto;
}
*:target {
background-color: yellow;
}
li {
margin-bottom: 9pt;
}
.note {
background-color: yellow;
padding: 10px;
}
.remove {
background-color: yellow;
}
</style>
</head>
<body>
<h1>
[DRAFT] Threat Modeling Community Group Charter
</h1>
<p>
<span class="remove">{TBD: remove next sentence before submitting for
approval}</span> This Charter is work in progress. To submit feedback,
please use <a href="https://github.com/w3c-cg/threat-modeling/issues?q=is%3Aissue+is%3Aopen+%5Bcharter%5D">GitHub repository Issues</a>
where Charter is being developed.
</p>
<ul>
<li>This Charter: <a href="https://w3c-cg.github.io/threat-modeling/charter/threat-modeling-cg.html">https://w3c-cg.github.io/threat-modeling/charter/threat-modeling-cg.html</a>
</li>
<li>Previous Charter: <a href="https://w3c-cg.github.io/threat-modeling/charter/threat-modeling-cg.html">https://w3c-cg.github.io/threat-modeling/charter/threat-modeling-cg.html</a>
</li>
<li>Start Date: <span class="remove">{TBD: date the charter takes effect,
estimate if not known. Update this if the charter is revised and include
a link to the previous version of the charter.}</span>
</li>
<li>Last Modified: <span class="remove">{TBD: If the system does not
automatically provide information about the date of the last
modification, it can be useful to include that in the charter.}</span>
</li>
</ul>
<h2 id="goals">
Goals
</h2>
<p>
The group aims to provide a meeting point for Security, Privacy, Human Rights experts, and technology domain experts to create Threat Models together, following the <a href="https://www.threatmodelingmanifesto.org">Threat Modeling Manifesto</a>.
<br/>
This group will not publish Specifications.
</p>
<h2 id="scope-of-work">
Scope of Work
</h2>
<p>
Create Threat Models and other groups that develop specifications or otherwise produce other deliverables, providing specific expertise related to
Threat Modeling and threat categories such as Security, Privacy, and Human Rights.
</p>
<h3 id="out-of-scope">
Out of Scope
</h3>
<p>
This group will not publish Specifications.
</p>
<h2 id="deliverables">
Deliverables
</h2>
<h3 id="non-normative-reports">
Non-Normative Reports
</h3>
<p>
The group may produce other Community Group Reports within the scope of
this charter but that are not Specifications, for instance, threat models,
threat lists, use cases, requirements, or white papers.
<br>
Deliverables can be published as deliverables of the group itself or adopted by other groups.
</p>
<h2 id="liaisons">
Dependencies or Liaisons
</h2>
<p>
<ul class="remove">W3C Security Interest Group (SING)<li>
<ul>W3C Privacy Interest Group (PING)<li>
<ul>W3C Technical Architecture Group (TAG)<li>
<ul>IETF</ul>
<ul>OIDF</ul>
<ul>OWASP</ul>
<ul>ISECOM</ul>
</p>
<h2 id="process">
Community and Business Group Process
</h2>
<p>
The group operates under the <a href=
"https://www.w3.org/community/about/process/">Community and Business
Group Process</a>. Terms in this Charter that conflict with those of the
Community and Business Group Process are void.
</p>
<p>
As with other Community Groups, W3C seeks organizational licensing
commitments under the <a href=
'https://www.w3.org/community/about/process/cla/'>W3C Community
Contributor License Agreement (CLA)</a>. When people request to
participate without representing their organization's legal interests,
W3C will in general approve those requests for this group with the
following understanding: W3C will seek and expect an organizational
commitment under the CLA starting with the individual's first request to
make a contribution to a group <a href="#deliverables">Deliverable</a>.
The section on <a href="#contrib">Contribution Mechanics</a> describes
how W3C expects to monitor these contribution requests.
</p>

<p>
The <a href="https://www.w3.org/Consortium/cepc/">W3C Code of
Ethics and Professional Conduct</a> applies to participation in
this group.
</p>

<h2 id="worklimit">
Work Limited to Charter Scope
</h2>
<p>
The group will not publish Specifications.
See below for <a href="#charter-change">how to modify the charter</a>.
</p>
<h2 id="contrib">
Contribution Mechanics
</h2>
<p>
Substantive Contributions to Specifications can only be made by Community
Group Participants who have agreed to the <a href=
"https://www.w3.org/community/about/process/cla/">W3C Community
Contributor License Agreement (CLA)</a>.
</p>
<p>
Specifications created in the Community Group must use the <a href=
"http://www.w3.org/Consortium/Legal/2015/copyright-software-and-document">
W3C Software and Document License</a>. All other documents produced by
the group should use that License where possible.
</p>
<p class="remove">
{TBD: if CG doesn't use GitHub replace the remaining paragraphs in this
section with: "All Contributions are made on the groups public mail list
or public contrib list"}
</p>
<p>
Community Group participants agree to make all contributions in the
GitHub repo the group is using for the particular document. This may be
in the form of a pull request (preferred), by raising an issue, or by
adding a comment to an existing issue.
</p>
<p id="githublicense">
All Github repositories attached to the Community Group must contain a
copy of the <a href=
"https://github.com/w3c/licenses/blob/master/CG-CONTRIBUTING.md">CONTRIBUTING</a>
and <a href=
"https://github.com/w3c/licenses/blob/master/CG-LICENSE.md">LICENSE</a>
files.
</p>
<h2 id="transparency">
Transparency
</h2>
<p>
The group will conduct all of its technical work in public. If the group
uses GitHub, all technical work will occur in its GitHub repositories
(and not in mailing list discussions). This is to ensure contributions
can be tracked through a software tool.
</p>
<p>
Meetings may be restricted to Community Group participants, but a public
summary or minutes must be posted to the group's public mailing list, or
to a GitHub issue if the group uses GitHub.
</p>
<h2 id="decision">
Decision Process
</h2>
<p class="remove">
If the decision policy is documented somewhere, update this section accordingly to link to it.
</p>
<p>
This group will seek to make decisions where there is consensus. Groups
are free to decide how to make decisions (e.g. Participants who have
earned Committer status for a history of useful contributions assess
consensus, or the Chair assesses consensus, or where consensus isn't
clear there is a Call for Consensus [CfC] to allow multi-day online
feedback for a proposed course of action). It is expected that
participants can earn Committer status through a history of valuable
contributions as is common in open source projects. After discussion and
due consideration of different opinions, a decision should be publicly
recorded (where GitHub is used as the resolution of an Issue).
</p>
<p>
If substantial disagreement remains (e.g. the group is divided) and the
group needs to decide an Issue in order to continue to make progress, the
Committers will choose an alternative that had substantial support (with
a vote of Committers if necessary). Individuals who disagree with the
choice are strongly encouraged to take ownership of their objection by
taking ownership of an alternative fork. This is explicitly allowed (and
preferred to blocking progress) with a goal of letting implementation
experience inform which spec is ultimately chosen by the group to move
ahead with.
</p>
<p>
Any decisions reached at any meeting are tentative and should be recorded
in a GitHub Issue for groups that use GitHub and otherwise on the group's
public mail list. Any group participant may object to a decision reached
at an online or in-person meeting within 7 days of publication of the
decision provided that they include clear technical reasons for their
objection. The Chairs will facilitate discussion to try to resolve the
objection according to this decision process.
</p>
<p>
It is the Chairs' responsibility to ensure that the decision process is
fair, respects the consensus of the CG, and does not unreasonably favour
or discriminate against any group participant or their employer.
</p>
<h2 id="chairs">
Chair Selection
</h2>
<p>
Participants in this group choose their Chair(s) and can replace their
Chair(s) at any time using whatever means they prefer. However, if 5
participants, no two from the same organisation, call for an election,
the group must use the following process to replace any current Chair(s)
with a new Chair, consulting the Community Development Lead on election
operations (e.g., voting infrastructure and using <a href=
"https://tools.ietf.org/html/rfc2777">RFC 2777</a>).
</p>
<ol>
<li>Participants announce their candidacies. Participants have 14 days to
announce their candidacies, but this period ends as soon as all
participants have announced their intentions. If there is only one
candidate, that person becomes the Chair. If there are two or more
candidates, there is a vote. Otherwise, nothing changes.
</li>
<li>Participants vote. Participants have 21 days to vote for a single
candidate, but this period ends as soon as all participants have voted.
The individual who receives the most votes, no two from the same
organisation, is elected chair. In case of a tie, RFC2777 is used to
break the tie. An elected Chair may appoint co-Chairs.
</li>
</ol>
<p>
Participants dissatisfied with the outcome of an election may ask the
Community Development Lead to intervene. The Community Development Lead,
after evaluating the election, may take any action including no action.
</p>
<h2 id="charter-change">
Amendments to this Charter
</h2>
<p>
The group can decide to work on a proposed amended charter, editing the
text using the <a href="#decision">Decision Process</a> described above.
The decision on whether to adopt the amended charter is made by
conducting a 30-day vote on the proposed new charter. The new charter, if
approved, takes effect on either the proposed date in the charter itself,
or 7 days after the result of the election is announced, whichever is
later. A new charter must receive 2/3 of the votes cast in the approval
vote to pass. The group may make simple corrections to the charter such
as deliverable dates by the simpler group decision process rather than
this charter amendment process. The group will use the amendment process
for any substantive changes to the goals, scope, deliverables, decision
process or rules for amending the charter.
</p>
</body>
</html>
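Review bot: the "Dependencies or Liaisons" markup at `<ul class="remove">W3C Security Interest Group (SING)<li>` and the lines that follow is malformed: each liaison sits in its own `<ul>` with the text outside any `<li>`, the first three carry a stray unclosed `<li>`, and the whole block is nested inside a `<p>`, which HTML parsers auto-close; the first entry also carries `class="remove"`, the class this template uses to mark TBD text to be stripped (and which the stylesheet highlights yellow), so SING would be flagged for removal. Suggest one `<ul>` with one `<li>...</li>` per liaison and the `<p>` dropped. The Scope of Work sentence "Create Threat Models and other groups that develop specifications" reads as if the group creates other groups; presumably "and support other groups that develop specifications" is intended. The charter states three times that the group will not publish Specifications (Goals, Out of Scope, Work Limited to Charter Scope), yet Contribution Mechanics still says "Substantive Contributions to Specifications can only be made by Community Group Participants who have agreed to the ... CLA" and "Specifications created in the Community Group must use the ... W3C Software and Document License"; since the deliverables are threat models and other Reports, and the Process section already ties the CLA to "a group Deliverable", those two paragraphs should refer to Reports/Deliverables so the licensing commitment covers what the group actually produces. The "Previous Charter" entry links to the same URL as "This Charter"; for a first charter either drop it or mark it as not applicable. Minor: the license link uses plain `http://www.w3.org/Consortium/Legal/2015/copyright-software-and-document` while everything else is https, and the `.note` style is defined but unused.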
