- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Mon, 26 Mar 2007 12:37:48 -0400
- To: "Johnathan Nightingale" <johnath@mozilla.com>, "Web Security Context WG" <public-wsc-wg@w3.org>
Yes, I agree that it is security context within WSC charter and scope -
maybe needs a heading change.

I agree that section 7 is not an exhaustive list even within the
context of the WG Charter and Scope, but it provides a good starting
point. I helped write a portion of the wiki "Documenting Status Quo" in
order to craft an outline with some text as to why specific security
services, capabilities and issues are of interest and actively being
pursued by the WG. Not sure if that wiki doc helps or not to set the
security context stage.

Bill D

-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan
Nightingale
Sent: Monday, March 26, 2007 9:45 AM
To: Web Security Context WG
Subject: Re: ISSUE-20: Potential additions to Available Security
Information

No objection to the additions, though they start to get a little out
of the "web" context when you talk about traceroute data. Maybe some
catch-all is appropriate here, "Network diagnostic information (e.g.
ping, traceroute, etc)" or equivalent? Catch-alls are intrinsically
non-exhaustive, but I would think it obvious that we mean
"exhaustive" within some context. Maybe not?

As for rephrasing the term in the first place, my only note would be
that whatever we rephrase it to should continue to imply that this
list is an important and comprehensive piece of work. Honestly,
section 7 is a reference I've already used multiple times in my own
conversations - I think it's important that we persist in our efforts
to keep it comprehensive.

Basically, my feeling is that the list could be a valuable
deliverable on its own, and the kind of thing that is very much up
the w3's alley.

Cheers,
Johnathan
---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
On 26-Mar-07, at 9:28 AM, Web Security Context Issue Tracker wrote:
>
>
> ISSUE-20: Potential additions to Available Security Information
>
> http://www.w3.org/2006/WSC/Group/track/issues/20
>
> Raised by: Mary Ellen Zurko
> On product: Note: use cases etc.
>
> http://lists.w3.org/Archives/Public/public-usable-authentication/2007Mar/0032.html -
> In section 7, are you that confident that you can claim it's truly an
> exhaustive list? :) For cookies, do you want to explicitly call out "both
> those sent and server requests to store"? DNS can also provide
> reverse-mapping addresses; if example.com has IP address 1.2.3.4, does
> 4.3.2.1.in-addr.arpa map to example.com? Also IP ping/traceroute can show
> packet flows ("since when is Citibank HQ in Uzbekistan"?) Also, IP/geo
> mapping facilities. These aren't commonly done, but since you mention
> reputation service...
>
> We should probably rephrase the "exhaustive". Any pushback on the suggested
> additions?
>
Received on Monday, 26 March 2007 16:37:57 UTC