W3C home > Mailing lists > Public > public-grddl-wg@w3.org > February 2007

GRDDL WD comments

From: Murray Maloney <murray@muzmo.com>
Date: Wed, 21 Feb 2007 16:12:09 -0500
Message-Id: <5.1.1.6.2.20070221142350.0b8e5728@mail.muzmo.com>
To: public-grddl-wg@w3.org

Here are my collected comments on the GRDDL WD

	Gleaning Resource Descriptions from Dialects of Languages (GRDDL)
	editor's draft $Date: 2007/02/21 16:25:45 $
	$Revision: 1.228 $

I think that only one of my comments is substantial and it is identified in 
HTTP Headers.

I have taken the liberty to edit Jeremy's Security section. Feel free to 
ignore my edits.
In particular, I tried to reduce the use of "should" phrases and substitute 
"are advised" phrases.
I did this on the basis that one man's security risk is another man's 
design feature.

Caveat transformor.


In the Abstract, paragraph 2.
	Please add a sentence about HTTP Headers
	"Finally, an HTTP header allows transformation links to be associated with 
documents
	that do not have the necessary extension mechanisms in either their 
schemas or instances."

In the Introduction, rewrite:

	"Although the examples describe the exact same thing, as it stands there's 
no clear mechanism
	 through which computer software might be able to make this connection."

to

	"Although the examples above are obviously encodings of the same information,
	there remains no clear mechanism through which computer software might be 
able
	to determine this connection."

in Preface and Companion Documents
	Need mention and forward reference to HTTP Headers

in 2. Adding GRDDL to well-formed XML
	in the paragraph that follows the image labelled "extracting title and 
author information"

	"As you will see in later sections, there are other ways to add GRDDL to 
HTML documents,
	especially designed to leverage HTML's existing capabilities and thereby 
overcome constraints
	imposed by the XML DTDs for some dialects of HTML. See Using GRDDL with 
valid XHTML
	and GRDDL for HTML Profiles."

	Add a mention and forward reference to HTTP Headers

in 6. Using GRDDL With HTTP Headers (substantial comment)

	It occurs to me that it might be wise to differentiate the rel value in an 
HTTP header
	from the rel value in an HTML link element. Currently they both use 
"transformation"
	as a value from the GRDDL namespace. Just as we differentiate among the
	transformation/namespaceTransformation/profileTransformation, I think that
	we should have an httpTransformation to differentiate from transformations
	that are encoded within the document. I believe that this is a factor that 
would
	be very valuable in assessing which transformations to apply. I.E., I 
think that
	I would trust a transformation more than an httpTransformation if there were
	any dispute between their result graphs. But maybe that's just me.

in 8. GRDDL-aware Agents, edit the 2nd para as follows:

	"The appropriate policy for which results to compute and when is likely to 
involve waiting
	for a signal from user more in the Web browser case than in the query 
service case."

changes to:

	"The appropriate policy, for which results to compute and when, is more 
likely to involve waiting
	for a signal from a user in the Web browser case than in the query service 
case."

in 8. GRDDL-aware Agents, edit the 4th & 5th para as follows:

	Use alpha sub-list instead of ordinal numbers to avoid confusion
	Refer to steps 1.d and 1.e instead of 4 and 5 to avoid confusion.

in Example: A GRDDL-aware Agent protocol trace

	"While this declarative specification of GRDDL allows a variety of 
implementation strategies,
	in this appendix we trace the behavior common to a number of typical 
implementations."

becomes

	"While this declarative specification of GRDDL allows a variety of 
implementation strategies,
	in this example we trace the behavior common to a number of typical 
implementations."

in 9. Security considerations

	s/GRDDL transforms/GRDDL transformations/
	s/the transform/the transformation/

	"The execution of general-purpose programming languages as interpreters 
for transformations
	entails serious security risks, and GRDDL-aware agents should not simply 
send GRDDL
	transforms to "off-the-shelf" interpreters. "

[in my opinion] becomes

	"The execution of general-purpose programming languages as interpreters 
for transformations
	exposes serious security risks. Designers of GRDDL-aware agents are 
advised to guard against
	simply sending GRDDL transforms to untrusted interpreters. "

Using material found in 9.1-9.6, I extracted a paragraph which becomes para #2

	"GRDDL, like many Web technologies, fundamentally relies on the 
dereferencing of URIs.
	Writers of GRDDL transformations are advised against employing URL operations
	which are potentially dangerous, because these operations are more likely 
to be
	unavailable in secure GRDDL implementations. Software executing GRDDL 
transformations
	are advised to either completely disable all potentially dangerous URL 
operations or
	take special care not to delegate any special authority to their 
operation. In particular,
	operations to read or write URLs are more safely executed with the 
privileges associated
	with an untrusted party, rather than the current user. Such disabling 
and/or checking
	should be done completely outside of the reach of the transformation 
language itself;
	care should be taken to insure that no method exists for re-enabling 
full-function versions
	of these operators.

In 9.1
	"GRDDL, like many Web technologies, fundamentally relies on the 
dereferencing of URIs.
	With unconstrained use of GRDDL, untrusted transform may access URLs which
	the end-user has read or write permission, while the author of the 
transform does not."

becomes

	"With unconstrained use of GRDDL, untrusted transformations may access 
URLs for which
	the end-user has read or write permission, while the author of the 
transformation does not."

In 9.2

	Delete 2nd paragraph. It has been moved up

In 9.3

	"Some implementations of the transform language may provide nonstandard 
facilities
	for the direct loading and execution of other programming language code. 
For example,
	an XSLT implementation may provide a method of calling Java code. Such 
facilities are
	quite obviously open to substantial abuse. GRDDL transforms should not 
make use of
	such features. Besides being totally implementation-specific, they are 
also likely to be
	unavailable in secure implementations of the transformation langauge. 
Software executing
	GRDDL transforms should not allow such operators to be used if they exist."

becomes

	"Some transformation language implementations may provide facilities
	for loading and executing other programming language code. For example,
	an XSLT implementation may provide a method for executing Java code. Such 
facilities are
	obviously open to abuse. Designers of GRDDL transformations are advised 
against making use of
	such features. Besides being implementation-specific, they are more likely 
to be
	unavailable in secure implementations of the transformation language. The 
use of
	such operators in software executing GRDDL transformations should protect 
against
	such operators in case they are encountered."

In 9.4

	"XSLT is an extensible language, and many, if not most, implementations of it
	provide a number of their own extensions. This document does not deal with
	such extensions explicitly since they constitute an unknown factor.
	GRDDL transforms should not make use of nonstandard extensions;
	they are likely to be missing from some implementations.
	Software executing GRDDL transforms should make sure that any nonstandard 
operations
	are secure and don't present any kind of threat."

becomes

	"XSLT implementations often provide their own extensions.
	Designers of GRDDL transformations are advised not make use of extensions
	because they are not guaranteed to be present in all implementations.
	Software executing GRDDL transformations should make sure that extensions
	are secure and do not present any kind of threat."
	
In 9.5

	"It is possible to write transforms that consumes huge amounts of various 
system resources.
	It is also possible to write transforms that loop indefinitely. Both types 
of transforms have
	the potential to cause damage if sent to unsuspecting recipients. Authors 
of GRDDL source
	documents should avoid the construction and dissemination of such transforms.
	Software executing GRDDL transforms should provide appropriate mechanisms
	to abort processing after a reasonable amount of time has elapsed. In 
addition,
	GRDDL software should be limited to the consumption of only a reasonable 
amount
	of any given system resource."

becomes

	"Since it is possible to write transformations that inordinately consume 
system resources
	or that loop indefinitely. Both types of transforms have the potential to 
cause damage
	if sent to unsuspecting recipients. Designers of GRDDL transformations are 
advised
	to avoid the construction and dissemination of such transformations.
	Software executing GRDDL transformations should provide appropriate 
mechanisms
	to abort processing after a reasonable amount of time has elapsed. In 
addition,
	GRDDL software should be limited to the consumption of only a reasonable 
amount
	of any given system resource."

in 9.6

	"Finally, bugs may exist in some interpreters of the transform language which
	could possibly be exploited to gain unauthorized access to a recipient's 
system.
	Apart from noting this possibility, there is no specific action to take to 
prevent this,
	apart from the timely correction of such bugs if any are found."

becomes

	"Finally, bugs may exist in some interpreters of a transformation language 
which
	might be exploited to gain unauthorized access to a recipient's system.
	Apart from noting this possibility, no specific action is advised to take 
to prevent this
	aside from timely correction of such bugs as they are discovered."

in Appendix: Implementation Experience: Test Cases, Software, and Services

	s/identifyable/identifiable/


There may be other spelling/grammatical errors which I have not detected.

These are my comments. After these comments are considered by the editor,
I will be prepared to vote in favor of sending this WD to the next stage.

Just in case I am unavailable over the next few weeks, my proxy is in Dan's 
hands.

Regards,

Murray
Received on Wednesday, 21 February 2007 21:29:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:11:47 GMT