RE: Robustness - Review of note - do we need an assumption section?

Everything's group owned (though some things have specific proponents). 
Please do make a pass at a rewrite of:
http://www.w3.org/TR/wsc-usecases/#bugs

          Mez





"Doyle, Bill" <wdoyle@mitre.org> 
Sent by: public-wsc-wg-request@w3.org
07/06/2007 01:23 PM

To
"Thomas Roessler" <tlr@w3.org>
cc
<public-wsc-wg@w3.org>
Subject
RE: Robustness - Review of note - do we need an assumption section?







Thx, that works for me. I can then reference it.

Do we have an owner for section 5.7? Should I make a first pass at
rewrite?

Cheers,

Bill D.
wdoyle@mitre.org



-----Original Message-----
From: Thomas Roessler [mailto:tlr@w3.org] 
Sent: Friday, July 06, 2007 1:14 PM
To: Doyle, Bill
Cc: public-wsc-wg@w3.org
Subject: Re: Robustness - Review of note - do we need an assumption
section?

On 2007-06-19 07:52:48 -0400, Doyle, Bill wrote:

> The WG knows that the user agent operates in a risk prone
> environment. We note items that are out of scope, but I don't see
> anything that states an expectation that the user agent requires
> a reliable platform.

> It is assumed that is that the user agent is operating on a
> platform that is functioning correctly. Since the web is a risk
> prone environment the user must take precautions implementing
> defense in depth techniques that include network, application and
> OS controls to ensure that the operating environment is reliable
> and will correctly interpret user and user agent requests.

That's, in fact, an excellent point.  It's somewhat inherent to 5.7,
where we declare "User agent exploits" out of scope.

It might be useful to rephrase that section roughly in the way that
you hint at, to be more explicit that this is actually a generic
assumption that we make, as opposed to a somewhat informal remark
about certain attacks.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>