
Re: EARL security/privacy concerns

From: Charles McCathieNevile <chaals@opera.com>
Date: Thu, 26 Oct 2006 11:02:33 +1000
To: "Carlos Iglesias" <carlos.iglesias@fundacionctic.org>, "Shadi Abou-Zahra" <shadi@w3.org>
Cc: public-wai-ert@w3.org
Message-ID: <op.thz7ujqdwxe0ny@widsith.local>

On Thu, 26 Oct 2006 02:46:38 +1000, Carlos Iglesias  
<carlos.iglesias@fundacionctic.org> wrote:

> Right now I think that there is no especially sensitive information in  
> the EARL core language, I'm not sure if we can consider pathnames  
> (adoption currently under discussion) as "sensitive enough" to be  
> encrypted.
>
> However there is some information in the "HTTP Vocabulary in RDF" that  
> is clearly sensitive. My first thoughts are for the "authorization"  
> property which contains the userid and password, especially in "Basic  
> Authentication" that relies just on a base64 encoded string.
>
> I think that exactly the same applies to "proxy-authorization" and I'm  
> not sure if there are other sensitive properties in the language.

I think that in general we should note that some information is sensitive,  
and people may not provide it (this is particularly the case for the body  
of documents held in an intranet. I might well provide an overall survey  
of XHTML validity for our intranet, but I am not going to provide you with  
the developers' notes on particular implementation issues...)

We can point to the approach used by FOAF for mbox_sha1 to enable  
interoperability on sensitive data, as a possibility, but I don't think we  
need to work on standardising it at this stage.

cheers

Chaals

-- 
   Charles McCathieNevile, Opera Software: Standards Group
   hablo español  -  je parle français  -  jeg lærer norsk
chaals@opera.com          Try Opera 9 now! http://opera.com
Received on Thursday, 26 October 2006 01:03:09 GMT
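
An added example (not part of the original message or of any EARL specification) for the point raised in the thread: a Basic "authorization" value is only base64-encoded, so a published report should not carry it verbatim. The code keeps the scheme, replaces a Basic userid with a SHA-1 digest in the style of the FOAF approach mentioned above, and drops the password; the function names, the placeholder format and the sample headers are constructed assumptions.

```python
import base64
import hashlib

# Header names the thread identifies as sensitive (HTTP Vocabulary in RDF).
SENSITIVE = {"authorization", "proxy-authorization"}


def decode_basic(value):
    """Return (userid, password) from a Basic credential, or None."""
    # base64 is an encoding, not protection: any reader can do this.
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    userid, sep, password = decoded.partition(":")
    return (userid, password) if sep else None


def sanitize_headers(headers):
    """Copy headers for publication, never emitting raw credentials."""
    out = {}
    for name, value in headers.items():
        if name.lower() not in SENSITIVE:
            out[name] = value
            continue
        scheme = value.partition(" ")[0]
        creds = decode_basic(value)
        if creds is None:
            # Unknown or malformed scheme: keep nothing but the scheme name.
            out[name] = f"{scheme} [redacted]"
        else:
            # Hypothetical placeholder format; the password is discarded.
            digest = hashlib.sha1(creds[0].encode("utf-8")).hexdigest()
            out[name] = f"{scheme} [userid-sha1:{digest}]"
    return out


# Constructed sample request headers (not taken from any real system).
SAMPLE = {
    "Host": "intranet.example",
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii"),
    "Proxy-Authorization": "Bearer constructed-token",
}

if __name__ == "__main__":
    print(sanitize_headers(SAMPLE))
```

An unsalted digest of a short userid can be confirmed by guessing, so it only allows matching across reports without printing the value; the password is never hashed or kept.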

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:27 GMT