
Re: Comment: untrusted environments and security

From: Norman Walsh <ndw@nwalsh.com>
Date: Wed, 26 Sep 2007 22:22:16 -0400
To: Deborah_Pickett@moldflow.com
Cc: public-xml-processing-model-comments@w3.org
Message-ID: <m2odfodezr.fsf@nwalsh.com>
/ Deborah_Pickett@moldflow.com was heard to say:
| The 20 September 2007 draft speaks only indirectly of security, so I am 
| left to conclude that implementations which fail on certain steps for 
| security reasons are not conformant.

The p:directory-list step explicitly allows an implementor to limit it
(possibly to an empty set):

   It is a dynamic error (err:XC0012) if the contents of the directory
   path are not available to the step due to access restrictions in
   the environment in which the pipeline is run.

I thought we had a similar provision in p:http-request, but I can't
find it at the moment. That's a bug, I think.

| My suggestion is that XProc explicitly allows implementations to run with 
| (implementation-specific) heightened security.  Certain steps can throw a 
| dynamic error if they would otherwise violate the security policy for the 
| environment that the pipeline is running in.  XProc need not define the 
| security requirements, nor even what the 

I think that's what we intended, though perhaps have not yet achieved.
Specific suggestions for steps that you think implementors might want
to limit would be welcome.

                                        Be seeing you,

Norman Walsh <ndw@nwalsh.com> | Patriotism is often an arbitrary
http://nwalsh.com/            | veneration of real estate above
                              | principles.--George Jean Nathan

Received on Thursday, 27 September 2007 02:22:29 UTC
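As an added implementor-side illustration (not code from the draft, the thread, or any XProc implementation): a sketch of a p:directory-list step running under the kind of heightened security discussed above, where a path that resolves outside a configured sandbox, or a directory the process cannot read, is reported as the err:XC0012 dynamic error quoted from the draft rather than listed. The sandbox root, the c: namespace URI and the XProcDynamicError class are assumptions of this example.

```python
import os
import tempfile
from xml.etree import ElementTree as ET

C_NS = "http://www.w3.org/ns/xproc-step"  # XProc 1.0 step vocabulary namespace (assumed)


class XProcDynamicError(Exception):
    """A dynamic error in the XProc sense, carrying its err: code."""
    def __init__(self, code, message):
        super().__init__(f"err:{code}: {message}")
        self.code = code


def directory_list(path, sandbox_root):
    """Return a c:directory element for `path`, or raise err:XC0012.

    `sandbox_root` stands in for the environment's access restrictions: a path
    that resolves outside it (via '..' or a symlink) is refused before any
    filesystem call touches it; unreadable or missing directories get the
    same error so the message reveals nothing about what exists there.
    """
    root = os.path.realpath(sandbox_root)
    target = os.path.realpath(path)
    if os.path.commonpath([root, target]) != root:
        raise XProcDynamicError("XC0012", "directory contents not available: access restricted")
    try:
        entries = sorted(os.listdir(target))
    except OSError:  # permission denied, missing, not a directory, ...
        raise XProcDynamicError("XC0012", "directory contents not available: access restricted")
    result = ET.Element(f"{{{C_NS}}}directory", name=os.path.basename(target))
    for name in entries:
        kind = "directory" if os.path.isdir(os.path.join(target, name)) else "file"
        ET.SubElement(result, f"{{{C_NS}}}{kind}", name=name)
    return result


def run_demo():
    """Constructed layout: <tmp>/sandbox/data/{a.txt, sub/}; the sandbox is <tmp>/sandbox."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "sandbox")
        os.makedirs(os.path.join(sandbox, "data", "sub"))
        open(os.path.join(sandbox, "data", "a.txt"), "w").close()
        listing = directory_list(os.path.join(sandbox, "data"), sandbox)
        names = [(el.tag.split("}")[1], el.get("name")) for el in listing]
        try:  # '..' climbs out of the sandbox to <tmp>: must be refused, not listed
            directory_list(os.path.join(sandbox, "data", "..", ".."), sandbox)
            refused = None
        except XProcDynamicError as err:
            refused = err.code
        return names, refused
```

The same check would apply to any other step that reaches into the environment, which is the gap the reply notes for p:http-request.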
