Requesting security review of POE WG Deliverables

Hi Security IG, the Permissions and Obligations Expression (POE) Working Group would welcome review of the:
 - ODRL Information Model <https://www.w3.org/TR/odrl-model/>
 - ODRL Vocabulary & Expression <https://www.w3.org/TR/vocab-odrl/>
as we begin preparing for transition to CR.

We've completed the security questionnaire at <https://w3ctag.github.io/security-questionnaire/> and the answers are below.

We have found that there are no Security issues, as the ODRL documents are aimed at the *expression* of policy information and do not include any machine-machine interactions (such as an API) or exchange/exposure of credentials.

If there are any issues from the Security IG, then we would like comments by 30 April 2017 (see Wide Review details attached below for feedback options).

Many thanks in advance...


Renato Iannella, Monegraph
Co-Chair, W3C Permissions & Obligations Expression (POE) Working Group


===== Self-Review Questionnaire: Security and Privacy ==================
• 3.1 Does this specification deal with personally-identifiable information?
◦ no

• 3.2 Does this specification deal with high-value data?
◦ no

• 3.3 Does this specification introduce new state for an origin that persists across browsing sessions?
◦ no

• 3.4 Does this specification expose persistent, cross-origin state to the web?
◦ no

• 3.5 Does this specification expose any other data to an origin that it doesn’t currently have access to?
◦ no

• 3.6 Does this specification enable new script execution/loading mechanisms?
◦ no

• 3.7 Does this specification allow an origin access to a user’s location?
◦ no

• 3.8 Does this specification allow an origin access to sensors on a user’s device?
◦ no

• 3.9 Does this specification allow an origin access to aspects of a user’s local computing environment?
◦ no

• 3.10 Does this specification allow an origin access to other devices?
◦ no

• 3.11 Does this specification allow an origin some measure of control over a user agent’s native UI?
◦ no

• 3.12 Does this specification expose temporary identifiers to the web?
◦ no

• 3.13 Does this specification distinguish between behavior in first-party and third-party contexts?
◦ no

• 3.14 How should this specification work in the context of a user agent’s "incognito" mode?
◦ n/a

• 3.15 Does this specification persist data to a user’s local device?
◦ no

• 3.16 Does this specification have a "Security Considerations" and "Privacy Considerations" section?
◦ No Security Considerations section
◦ It will have a Privacy Considerations section and follow these guidelines: http://gregnorc.github.io/ping-privacy-questions/

• 3.17 Does this specification allow downgrading default security characteristics?
◦ no

===== Self-Review Questionnaire: Security and Privacy ==================
===== WIDE REVIEW CALL ==================

The W3C Permissions and Obligations Expression (POE) Working Group [1] are delighted to announce the publication of updated Working Drafts of the ODRL Information Model [2] and ODRL Vocabulary & Expression [3].

The ODRL Information Model [2] offers a framework for the underlying concepts, entities, and relationships that form the foundational basis for the semantics of ODRL expressions. The aim of the ODRL Information Model is to support flexible Policy expressions by allowing the author to include as much, or as little, expressive detail about the terms and conditions for Asset usage, the Parties involved, and obligations.

The ODRL Vocabulary & Expression [3] describes the potential terms used in ODRL Policy expressions and how to serialise them. The terms form part of the ODRL Ontology and formalise the semantics. The wide set of terms in the vocabulary provides the support for communities to use ODRL as the primary language to express common use cases.

These deliverables are the outcome of collaborative effort from the Working Group to meet the identified requirements in the POE Use Cases and Requirements NOTE [4]. We believe the ODRL Information Model document and ODRL Vocabulary & Expression are now technically near completion, and would appreciate your final comments before the WG embarks on the W3C Candidate Recommendation process. We are also eager to hear how you are implementing, or plan to implement, the ODRL Vocabulary & Expression to enable us to better understand the serialisation choices and normative terms.

Please send any comments or examples of how you are using ODRL via the following methods:
1 - Email to <public-poe-comments@w3.org> which is archived [5]
2 - Create an Issue on the POE GitHub Repository [6]

Please send feedback by the 30th April 2017.

We look forward to hearing from you and will respond to all comments.

The W3C Permissions and Obligations Expression Working Group

[1] https://www.w3.org/2016/poe/wiki/Main_Page
[2] https://www.w3.org/TR/odrl-model/
[3] https://www.w3.org/TR/vocab-odrl/
[4] https://www.w3.org/TR/poe-ucr/
[5] https://lists.w3.org/Archives/Public/public-poe-comments/
[6] https://github.com/w3c/poe/issues

===== WIDE REVIEW CALL ==================

Received on Wednesday, 8 March 2017 05:49:05 UTC