-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[charter] Threat Modeling CG Charter First Draft
It is good to have a Charter to get things done, and as suggested by @jyasskin, it can be useful for enabling participation. feel free to review and PR. It's just the first draft. [cc'ing @jaromil @andrea-dintino]
- Loading branch information
1 parent
4c8dd0b
commit bc264ab
Showing
1 changed file
with
276 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,276 @@ | ||
<!DOCTYPE html> | ||
<html lang="en"> | ||
<head> | ||
<title> | ||
Threat Modeling Community Group Charter | ||
</title> | ||
<meta charset="utf-8"> | ||
<meta name="viewport" content="width=device-width"> | ||
<link rel="stylesheet" href="//www.w3.org/StyleSheets/TR/base"> | ||
<style> | ||
body { | ||
max-width: 60em; | ||
margin: auto; | ||
} | ||
*:target { | ||
background-color: yellow; | ||
} | ||
li { | ||
margin-bottom: 9pt; | ||
} | ||
.note { | ||
background-color: yellow; | ||
padding: 10px; | ||
} | ||
.remove { | ||
background-color: yellow; | ||
} | ||
</style> | ||
</head> | ||
<body> | ||
<h1> | ||
[DRAFT] Threat Modeling Community Group Charter | ||
</h1> | ||
<p> | ||
<span class="remove">{TBD: remove next sentence before submitting for | ||
approval}</span> This Charter is work in progress. To submit feedback, | ||
please use <a href="https://github.com/w3c-cg/threat-modeling/issues?q=is%3Aissue+is%3Aopen+%5Bcharter%5D">GitHub repository Issues</a> | ||
where Charter is being developed. | ||
</p> | ||
<ul> | ||
<li>This Charter: <a href="https://w3c-cg.github.io/threat-modeling/charter/threat-modeling-cg.html">https://w3c-cg.github.io/threat-modeling/charter/threat-modeling-cg.html</a> | ||
</li> | ||
<li>Previous Charter: <a href="https://w3c-cg.github.io/threat-modeling/charter/threat-modeling-cg.html">https://w3c-cg.github.io/threat-modeling/charter/threat-modeling-cg.html</a> | ||
</li> | ||
<li>Start Date: <span class="remove">{TBD: date the charter takes effect, | ||
estimate if not known. Update this if the charter is revised and include | ||
a link to the previous version of the charter.}</span> | ||
</li> | ||
<li>Last Modified: <span class="remove">{TBD: If the system does not | ||
automatically provide information about the date of the last | ||
modification, it can be useful to include that in the charter.}</span> | ||
</li> | ||
</ul> | ||
<h2 id="goals"> | ||
Goals | ||
</h2> | ||
<p> | ||
The group aims to provide a meeting point for Security, Privacy, Human Rights experts, and technology domain experts to create Threat Models together, following the <a href="https://www.threatmodelingmanifesto.org">Threat Modeling Manifesto</a>. | ||
<br/> | ||
This group will not publish Specifications. | ||
</p> | ||
<h2 id="scope-of-work"> | ||
Scope of Work | ||
</h2> | ||
<p> | ||
Create Threat Models and other groups that develop specifications or otherwise produce other deliverables, providing specific expertise related to | ||
Threat Modeling and threat categories such as Security, Privacy, and Human Rights. | ||
</p> | ||
<h3 id="out-of-scope"> | ||
Out of Scope | ||
</h3> | ||
<p> | ||
This group will not publish Specifications. | ||
</p> | ||
<h2 id="deliverables"> | ||
Deliverables | ||
</h2> | ||
<h3 id="non-normative-reports"> | ||
Non-Normative Reports | ||
</h3> | ||
<p> | ||
The group may produce other Community Group Reports within the scope of | ||
this charter but that are not Specifications, for instance, threat models, | ||
threat lists, use cases, requirements, or white papers. | ||
<br> | ||
Deliverables can be published as deliverables of the group itself or adopted by other groups. | ||
</p> | ||
<h2 id="liaisons"> | ||
Dependencies or Liaisons | ||
</h2> | ||
<p> | ||
<ul class="remove">W3C Security Interest Group (SING)<li> | ||
<ul>W3C Privacy Interest Group (PING)<li> | ||
<ul>W3C Technical Architecture Group (TAG)<li> | ||
<ul>IETF</ul> | ||
<ul>OIDF</ul> | ||
<ul>OWASP</ul> | ||
<ul>ISECOM</ul> | ||
</p> | ||
<h2 id="process"> | ||
Community and Business Group Process | ||
</h2> | ||
<p> | ||
The group operates under the <a href= | ||
"https://www.w3.org/community/about/process/">Community and Business | ||
Group Process</a>. Terms in this Charter that conflict with those of the | ||
Community and Business Group Process are void. | ||
</p> | ||
<p> | ||
As with other Community Groups, W3C seeks organizational licensing | ||
commitments under the <a href= | ||
'https://www.w3.org/community/about/process/cla/'>W3C Community | ||
Contributor License Agreement (CLA)</a>. When people request to | ||
participate without representing their organization's legal interests, | ||
W3C will in general approve those requests for this group with the | ||
following understanding: W3C will seek and expect an organizational | ||
commitment under the CLA starting with the individual's first request to | ||
make a contribution to a group <a href="#deliverables">Deliverable</a>. | ||
The section on <a href="#contrib">Contribution Mechanics</a> describes | ||
how W3C expects to monitor these contribution requests. | ||
</p> | ||
|
||
<p> | ||
The <a href="https://www.w3.org/Consortium/cepc/">W3C Code of | ||
Ethics and Professional Conduct</a> applies to participation in | ||
this group. | ||
</p> | ||
|
||
<h2 id="worklimit"> | ||
Work Limited to Charter Scope | ||
</h2> | ||
<p> | ||
The group will not publish Specifications. | ||
See below for <a href="#charter-change">how to modify the charter</a>. | ||
</p> | ||
<h2 id="contrib"> | ||
Contribution Mechanics | ||
</h2> | ||
<p> | ||
Substantive Contributions to Specifications can only be made by Community | ||
Group Participants who have agreed to the <a href= | ||
"https://www.w3.org/community/about/process/cla/">W3C Community | ||
Contributor License Agreement (CLA)</a>. | ||
</p> | ||
<p> | ||
Specifications created in the Community Group must use the <a href= | ||
"http://www.w3.org/Consortium/Legal/2015/copyright-software-and-document"> | ||
W3C Software and Document License</a>. All other documents produced by | ||
the group should use that License where possible. | ||
</p> | ||
<p class="remove"> | ||
{TBD: if CG doesn't use GitHub replace the remaining paragraphs in this | ||
section with: "All Contributions are made on the groups public mail list | ||
or public contrib list"} | ||
</p> | ||
<p> | ||
Community Group participants agree to make all contributions in the | ||
GitHub repo the group is using for the particular document. This may be | ||
in the form of a pull request (preferred), by raising an issue, or by | ||
adding a comment to an existing issue. | ||
</p> | ||
<p id="githublicense"> | ||
All Github repositories attached to the Community Group must contain a | ||
copy of the <a href= | ||
"https://github.com/w3c/licenses/blob/master/CG-CONTRIBUTING.md">CONTRIBUTING</a> | ||
and <a href= | ||
"https://github.com/w3c/licenses/blob/master/CG-LICENSE.md">LICENSE</a> | ||
files. | ||
</p> | ||
<h2 id="transparency"> | ||
Transparency | ||
</h2> | ||
<p> | ||
The group will conduct all of its technical work in public. If the group | ||
uses GitHub, all technical work will occur in its GitHub repositories | ||
(and not in mailing list discussions). This is to ensure contributions | ||
can be tracked through a software tool. | ||
</p> | ||
<p> | ||
Meetings may be restricted to Community Group participants, but a public | ||
summary or minutes must be posted to the group's public mailing list, or | ||
to a GitHub issue if the group uses GitHub. | ||
</p> | ||
<h2 id="decision"> | ||
Decision Process | ||
</h2> | ||
<p class="remove"> | ||
If the decision policy is documented somewhere, update this section accordingly to link to it. | ||
</p> | ||
<p> | ||
This group will seek to make decisions where there is consensus. Groups | ||
are free to decide how to make decisions (e.g. Participants who have | ||
earned Committer status for a history of useful contributions assess | ||
consensus, or the Chair assesses consensus, or where consensus isn't | ||
clear there is a Call for Consensus [CfC] to allow multi-day online | ||
feedback for a proposed course of action). It is expected that | ||
participants can earn Committer status through a history of valuable | ||
contributions as is common in open source projects. After discussion and | ||
due consideration of different opinions, a decision should be publicly | ||
recorded (where GitHub is used as the resolution of an Issue). | ||
</p> | ||
<p> | ||
If substantial disagreement remains (e.g. the group is divided) and the | ||
group needs to decide an Issue in order to continue to make progress, the | ||
Committers will choose an alternative that had substantial support (with | ||
a vote of Committers if necessary). Individuals who disagree with the | ||
choice are strongly encouraged to take ownership of their objection by | ||
taking ownership of an alternative fork. This is explicitly allowed (and | ||
preferred to blocking progress) with a goal of letting implementation | ||
experience inform which spec is ultimately chosen by the group to move | ||
ahead with. | ||
</p> | ||
<p> | ||
Any decisions reached at any meeting are tentative and should be recorded | ||
in a GitHub Issue for groups that use GitHub and otherwise on the group's | ||
public mail list. Any group participant may object to a decision reached | ||
at an online or in-person meeting within 7 days of publication of the | ||
decision provided that they include clear technical reasons for their | ||
objection. The Chairs will facilitate discussion to try to resolve the | ||
objection according to this decision process. | ||
</p> | ||
<p> | ||
It is the Chairs' responsibility to ensure that the decision process is | ||
fair, respects the consensus of the CG, and does not unreasonably favour | ||
or discriminate against any group participant or their employer. | ||
</p> | ||
<h2 id="chairs"> | ||
Chair Selection | ||
</h2> | ||
<p> | ||
Participants in this group choose their Chair(s) and can replace their | ||
Chair(s) at any time using whatever means they prefer. However, if 5 | ||
participants, no two from the same organisation, call for an election, | ||
the group must use the following process to replace any current Chair(s) | ||
with a new Chair, consulting the Community Development Lead on election | ||
operations (e.g., voting infrastructure and using <a href= | ||
"https://tools.ietf.org/html/rfc2777">RFC 2777</a>). | ||
</p> | ||
<ol> | ||
<li>Participants announce their candidacies. Participants have 14 days to | ||
announce their candidacies, but this period ends as soon as all | ||
participants have announced their intentions. If there is only one | ||
candidate, that person becomes the Chair. If there are two or more | ||
candidates, there is a vote. Otherwise, nothing changes. | ||
</li> | ||
<li>Participants vote. Participants have 21 days to vote for a single | ||
candidate, but this period ends as soon as all participants have voted. | ||
The individual who receives the most votes, no two from the same | ||
organisation, is elected chair. In case of a tie, RFC2777 is used to | ||
break the tie. An elected Chair may appoint co-Chairs. | ||
</li> | ||
</ol> | ||
<p> | ||
Participants dissatisfied with the outcome of an election may ask the | ||
Community Development Lead to intervene. The Community Development Lead, | ||
after evaluating the election, may take any action including no action. | ||
</p> | ||
<h2 id="charter-change"> | ||
Amendments to this Charter | ||
</h2> | ||
<p> | ||
The group can decide to work on a proposed amended charter, editing the | ||
text using the <a href="#decision">Decision Process</a> described above. | ||
The decision on whether to adopt the amended charter is made by | ||
conducting a 30-day vote on the proposed new charter. The new charter, if | ||
approved, takes effect on either the proposed date in the charter itself, | ||
or 7 days after the result of the election is announced, whichever is | ||
later. A new charter must receive 2/3 of the votes cast in the approval | ||
vote to pass. The group may make simple corrections to the charter such | ||
as deliverable dates by the simpler group decision process rather than | ||
this charter amendment process. The group will use the amendment process | ||
for any substantive changes to the goals, scope, deliverables, decision | ||
process or rules for amending the charter. | ||
</p> | ||
</body> | ||
</html> |