W3C home > Mailing lists > Public > public-xml-processing-model-comments@w3.org > September 2007

Re: Comment: untrusted environments and security

From: Norman Walsh <ndw@nwalsh.com>
Date: Wed, 26 Sep 2007 22:22:16 -0400
To: Deborah_Pickett@moldflow.com
Cc: public-xml-processing-model-comments@w3.org
Message-ID: <m2odfodezr.fsf@nwalsh.com>
/ Deborah_Pickett@moldflow.com was heard to say:
| The 20 September 2007 draft speaks only indirectly of security, so I am 
| left to conclude that implementations which fail on certain steps for 
| security reasons are not conformant.

The p:directory-list step explicitly allows an implementor to limit it
(possibly to an empty set):

   It is a dynamic error (err:XC0012) if the contents of the directory
   path are not available to the step due to access restrictions in
   the environment in which the pipeline is run.

I thought we had a similar provision in p:http-request, but I can't
find it at the moment. That's a bug, I think.

| My suggestion is that XProc explicitly allows implementations to run with 
| (implementation-specific) heightened security.  Certain steps can throw a 
| dynamic error if they would otherwise violate the security policy for the 
| environment that the pipeline is running in.  XProc need not define the 
| security requirements, nor even what the 

I think that's what we intended, though perhaps have not yet achieved.
Specific suggestions for steps that you think implementors might want
to limit would be welcome.

                                        Be seeing you,
                                          norm

-- 
Norman Walsh <ndw@nwalsh.com> | Patriotism is often an arbitrary
http://nwalsh.com/            | veneration of real estate above
                              | principles.--George Jean Nathan

Received on Thursday, 27 September 2007 02:22:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:21:42 GMT