RE: Content based detection out of scope (Was: What problems are we trying to solve?)

I was thinking of a different way to clarify out of scope - 

out-of-scope

Data sessions that are specifically not included in scope and data
sessions that are not protected by a security context (e.g. userID,
passwords, X.509 certificates, public key technology). User sessions
that are not protected by a security context do not have the mechanisms
to evaluate risk.

Bill D.
wdoyle@mitre.org



-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Close, Tyler J.
Sent: Tuesday, December 12, 2006 12:54 PM
To: public-wsc-wg@w3.org
Subject: Content based detection out of scope (Was: What problems are
we trying to solve?)


I've updated the "Out of scope" section at:

http://www.w3.org/2006/WSC/wiki/NoteOutOfScope

to summarize the two bullet points:

 * Code based techniques to detect spoofing attacks such as cross site
comparisons of URL or graphical similarity.
 * Calculations, algorithms, and functions that attempt to determine
whether or not an attack is underway, including intrusion or virus
detection techniques, such as sense of self and "signature" of known
attacks.

And turned them into the "Out of scope" section:

"""
Content based detection

Techniques commonly used by intrusion detection systems, virus checkers
and spam filters to detect illegitimate requests based on their content
are out of scope for this Working Group. These techniques include
comparing the served URLs, graphics or markup to known legitimate sites,
or to known attacks. The heuristics used in these tools are a moving
target and so not a suitable subject for standardization. The working
group will not recommend any checks on the content served by web sites.
"""

I think this text reflects the conversation we just had on the
tele-conference. There's still the issue of whether or not the display
of the results of these out-of-scope techniques is in-scope. I have
doubts that it's a good idea to sanction these techniques, since they
have the effect of making content that is valid according to a content
specification, illegal in practice. It might be an anti-pattern to break
content specifications in this way. It might be worth pinging the TAG on
this issue.

Tyler

Received on Tuesday, 12 December 2006 18:02:14 UTC