- From: Harry Halpin <hhalpin@ibiblio.org>
- Date: Fri, 23 Mar 2007 15:14:44 -0400
- To: Jeremy Carroll <jjc@hpl.hp.com>
- Cc: GRDDL Working Group <public-grddl-wg@w3.org>

I second this, so if you have time Jeremy, I'd just go do it. The sooner we get a complete WD of the test-suite the better, and the security component is rather crucial.

> Here are my thoughts about security tests.
>
> a) have section of test document with them in
> b) have a test class test:SecurityTest
> c) do not provide instructions for running security tests
>
> d) have the following para in the section of the test document.
>
> [[
> The following security tests are provided for implementers to
> adapt and use for their implementation.
> Security issues are usually system specific, and as is shown
> in test TODO, it may be possible for a malicious party to access
> XSLT version and vendor information concerning a specific GRDDL
> agent instance.
> These tests were developed during the development of the Jena
> GRDDL Reader which uses the Saxon8.8 XSLT processor. They hence
> illustrate how a malicious party may try to abuse features
> of such an implementation.
> We do not provide instructions as to how to test your system
> against these tests, since they are likely to be not directly
> applicable.
> Developers of GRDDL aware agents are encouraged to understand
> these tests, and consider how their own systems may have
> potential security weaknesses.
> ]]
>
> e) include the six Jena tests (which I can donate to W3C)
>
> Jeremy

--
-harry

Harry Halpin, University of Edinburgh
http://www.ibiblio.org/hhalpin 6B522426

Received on Friday, 23 March 2007 19:15:10 UTC