W3C home > Mailing lists > Public > public-dxwg-wg@w3.org > December 2018

Re: [dxwg] Profiles Guide doc Security and Privacy (#478)

From: Annette Greiner <amgreiner@lbl.gov>
Date: Mon, 17 Dec 2018 09:58:45 -0800
To: public-dxwg-wg@w3.org
Message-ID: <6a28dc83-5e5d-2a18-0589-883322459467@lbl.gov>
oops, sorry, my comments were for the prof conneg doc, not the guidance!

-Annette


On 12/15/18 12:08 PM, Nicholas Car via GitHub wrote:
> Questions from https://w3ctag.github.io/security-questionnaire/ with 
> answers:
> **4.1 What information might this feature expose to Web sites or other 
> parties, and for what purposes is that exposure necessary?**  Guidance 
> document - no code/system exposing anything directly.
> **4.2 Is this specification exposing the minimum amount of information 
> necessary to power the feature?**  N/A
> **4.3 How does this specification deal with personal information or 
> personally-identifiable information or information derived thereof?**  
> It does not.
> **4.4 How does this specification deal with sensitive information?**  
> It does not.
> **4.5 Does this specification introduce new state for an origin that 
> persists across browsing sessions?**  No.
> **4.6 What information from the underlying platform, e.g. 
> configuration data, is exposed by this specification to an origin?**  N/A
> **4.7 Does this specification allow an origin access to sensors on a 
> user’s device?**  No.
> **4.8 What data does this specification expose to an origin? Please 
> also document what data is identical to data exposed by other 
> features, in the same or different contexts.**  N/A
> **4.9 Does this specification enable new script execution/loading 
> mechanisms?**  No.
> **4.10 Does this specification allow an origin to access other 
> devices?**  No.
> **4.11 Does this specification allow an origin some measure of control 
> over a user agent’s native UI?**  No.
> **4.12 What temporary identifiers might this this specification create 
> or expose to the web?**  No temporary identifiers. Use of it will 
> ultimately generate persistent identifiers (URIs) for documents 
> (profiles).
> **4.13 How does this specification distinguish between behavior in 
> first-party and third-party contexts?**  It does not.
> **4.14 How does this specification work in the context of a user 
> agent’s Private \ Browsing or "incognito" mode?**  N/A
> **4.15 Does this specification have a "Security Considerations" and 
> "Privacy Considerations" section?**  Yes but a trivial one for now. To 
> be updated.
> **4.16 Does this specification allow downgrading default security 
> characteristics?**  No or N/A.
> **4.17 What should this questionaire have asked?**  I can't think of 
> what it could ask to better probe potential privacy issues for this 
> kind of Guidance document.
>
>

-- 
Annette Greiner
NERSC Data and Analytics Services
Lawrence Berkeley National Laboratory
Received on Monday, 17 December 2018 17:59:00 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 April 2019 13:45:05 UTC