
Re: [selectors-api] Security Considerations and stability

From: Charles McCathieNevile <chaals@opera.com>
Date: Thu, 12 Oct 2006 12:10:49 +0900
To: "Karl Dubost" <karl@w3.org>, "Ian Hickson" <ian@hixie.ch>
Cc: public-webapi@w3.org
Message-ID: <op.thaggb0cwxe0ny@widsith.local>

On Thu, 27 Jul 2006 11:45:53 +0900, Karl Dubost <karl@w3.org> wrote:

> On 27 Jul 06 at 10:17, Ian Hickson wrote:
>> Personally I think that having a separate security section is a bad way  
>> of designing a spec, since it doesn't encourage you to think of  
>> security the whole time -- it's better, IMHO, to have security right at  
>> the core of the specification text. But again, I'll leave that up to  
>> the editor.
>
> Maybe, yes.
> What do you suggest, recommend practically?
> 	for this specification.
> 	and for future specifications.
> Do you have tips or hints to help editors?

Ian and I may have slightly different perspectives on how specs should  
handle security, but I think we agree that wherever, in the spec, a  
security consideration can arise, it should be mentioned.

My approach is to have very few security requirements in an API  
specification, but to note that implementations may/should disable foo(),  
for some security problem bar, and authors should be aware of this  
possibility.

I believe it is useful to *also* have a security section, which describes  
in broad terms the security issues and how they can be handled, plus any  
requirements that are in the spec as must.

cheers

Chaals

-- 
   Charles McCathieNevile, Opera Software: Standards Group
   hablo español  -  je parle français  -  jeg lærer norsk
chaals@opera.com          Try Opera 9 now! http://opera.com
Received on Thursday, 12 October 2006 03:11:08 GMT
