
[closed] Re: Comment: untrusted environments and security

From: Norman Walsh <ndw@nwalsh.com>
Date: Wed, 09 Jan 2008 11:44:43 -0500
To: public-xml-processing-model-comments@w3.org
Message-ID: <m2y7azosn8.fsf@nwalsh.com>
Deborah,

We have attempted to address the concerns raised here. The XProc
specification will, alas, be going through a second Last Call so
you'll get another chance to raise any issues you feel we didn't
adequately resolve. Thank you for taking the time to review our
specification.

/ Deborah_Pickett@moldflow.com was heard to say:
| I imagine that one of the uses of XProc is to perform server-side 
| pipelines on documents to prepare them for delivery to a user agent.  If I 
| were to be running such a server, I would be worried about allowing a 
| p:directory-list step to run on the server.*
|
| The existence of an XProc MIME type hints strongly that XProc might also 
| find a home in client-side processors (e.g., user agents) doing similar 
| munging on pure input documents.  I would want to lock down any XProc 
| processor running on my desktop machine, particularly one that can both 
| query my file system with p:directory-list and can connect to arbitrary 
| servers with p:http-request.
|
| The 20 September 2007 draft speaks only indirectly of security, so I am 
| left to conclude that implementations which fail on certain steps for 
| security reasons are not conformant.
|
| My suggestion is that XProc explicitly allows implementations to run with 
| (implementation-specific) heightened security.  Certain steps can throw a 
| dynamic error if they would otherwise violate the security policy for the 
| environment that the pipeline is running in.  XProc need not define the 
| security requirements, nor even what the 
|
| * Yes, if I can't trust the pipeline itself then perhaps there are bigger 
| problems.  Server-side security may be paranoia, or it may be company 
| policy.  The client-side issue is still valid.
|
| -- 
| Deborah Pickett
| Information Architect, Moldflow Corporation, Melbourne
| Deborah_Pickett@moldflow.com

                                        Be seeing you,
                                          norm

-- 
Norman Walsh <ndw@nwalsh.com> | No man is exempt from saying silly
http://nwalsh.com/            | things; the mischief is to say them
                              | deliberately.--Michel de Montaigne
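As an added illustration, not code from this thread or from any XProc implementation, the Python below shows the kind of check Deborah proposes: a processor vets the pipeline document before running it, requiring every p:directory-list path to fall under configured roots and every p:http-request target to be on a configured host, and reporting (rather than trusting) anything that can only be known at run time. The step names and namespaces are XProc's; the policy shape, the constructed sample pipeline and the handling of only the `path` attribute shortcut and inline `c:request` documents are assumptions of this example.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

P = "{http://www.w3.org/ns/xproc}"       # XProc step namespace
C = "{http://www.w3.org/ns/xproc-step}"  # namespace of the c:request document

# Constructed sample: one listing inside the sandbox, one outside, one
# request to an allowed host, and one request whose target is only known
# at run time (source bound implicitly to the previous step's output).
SAMPLE = """<p:pipeline xmlns:p="http://www.w3.org/ns/xproc"
            xmlns:c="http://www.w3.org/ns/xproc-step" version="1.0">
  <p:directory-list path="file:///srv/xproc/data/incoming"/>
  <p:directory-list path="file:///etc"/>
  <p:http-request>
    <p:input port="source">
      <p:inline><c:request method="get" href="https://api.example.org/v1/items"/></p:inline>
    </p:input>
  </p:http-request>
  <p:http-request/>
</p:pipeline>"""


def _under_root(path, roots):
    """True if the normalised path lies under one of the allowed roots."""
    path = os.path.normpath(path)
    return any(os.path.commonpath([r, path]) == r for r in roots)


def check_pipeline(xml_text, allowed_roots, allowed_hosts):
    """Return policy violations; an empty list means the pipeline may run.
    A processor would raise its dynamic error on a non-empty result."""
    roots = [os.path.normpath(r) for r in allowed_roots]
    violations = []
    root = ET.fromstring(xml_text)
    for step in root.iter(P + "directory-list"):
        path = step.get("path")
        if path is None:  # computed option: cannot be vetted statically
            violations.append("directory-list: path not statically known")
            continue
        local = urlparse(path).path if path.startswith("file:") else path
        if not _under_root(local, roots):
            violations.append(f"directory-list: {path} outside allowed roots")
    for step in root.iter(P + "http-request"):
        requests = list(step.iter(C + "request"))
        if not requests:  # request arrives on a port: fail closed
            violations.append("http-request: request document not statically known")
        for req in requests:
            host = urlparse(req.get("href", "")).hostname
            if host not in allowed_hosts:
                violations.append(f"http-request: host {host!r} not allowed")
    return violations
```

Run-time option values (p:with-option expressions, piped request documents) are deliberately reported as unknown, since a static check that guessed at them would be the weaker policy.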

Received on Wednesday, 9 January 2008 16:41:22 GMT
