W3C home > Mailing lists > Public > public-wsc-wg@w3.org > July 2007

RE: Robustness - Review of note - do we need an assumption section?

From: Doyle, Bill <wdoyle@mitre.org>
Date: Fri, 6 Jul 2007 13:23:31 -0400
Message-ID: <518C60F36D5DBC489E91563736BA4B58018A2924@IMCSRV5.MITRE.ORG>
To: "Thomas Roessler" <tlr@w3.org>
Cc: <public-wsc-wg@w3.org>

Thx, that works for me. I can then reference it.

Do we have an owner for section 5.7? Should I make a first pass at


Bill D.

-----Original Message-----
From: Thomas Roessler [mailto:tlr@w3.org] 
Sent: Friday, July 06, 2007 1:14 PM
To: Doyle, Bill
Cc: public-wsc-wg@w3.org
Subject: Re: Robustness - Review of note - do we need an assumption

On 2007-06-19 07:52:48 -0400, Doyle, Bill wrote:

> The WG knows that the user agent operates in a risk prone
> environment. We note items that are out of scope, but I don't see
> anything that states an expectation that the user agent requires
> a reliable platform.

> It is assumed that is that the user agent is operating on a
> platform that is functioning correctly. Since the web is a risk
> prone environment the user must take precautions implementing
> defense in depth techniques that include network, application and
> OS controls to ensure that the operating environment is reliable
> and will correctly interpret user and user agent requests.

That's, in fact, an excellent point.  It's somewhat inherent to 5.7,
where we declare "User agent exploits" out of scope.

It might be useful to rephrase that section roughly in the way that
you hint at, to be more explicit that this is actually a generic
assumption that we make, as opposed to a somewhat informal remark
about certain attacks.

Thomas Roessler, W3C  <tlr@w3.org>
Received on Friday, 6 July 2007 17:23:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:17 UTC