W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2006

Re: [Bug 184] Clarifications requested for section 19.8 on hosting malicious content

From: Lisa Dusseault <lisa@osafoundation.org>
Date: Fri, 27 Jan 2006 11:42:06 -0800
Message-Id: <9C964258-E214-41F3-B522-DDB974D9A5E8@osafoundation.org>
To: webdav WG <w3c-dist-auth@w3.org>

Servers "need to" consider additional precautions?  If this text is  
meant to be normative, it isn't -- no MUST and "consider" is  
naturally vague.  So I assume this text is only meant to be advisory,  
do we need to make that clear?

I suggest using the same kind of wording as  used elsewhere in the  
paragraph:  "Servers that allow clients to publish arbitrary content  
can usefully implement precautions to check that content is not  
harmful to other clients."

lisa

On Jan 27, 2006, at 11:33 AM, bugzilla@soe.ucsc.edu wrote:

> http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=184
>
> fluffy@cisco.com changed:
>
>            What    |Removed                     |Added
> ---------------------------------------------------------------------- 
> ------
>          AssignedTo|fluffy@cisco.com            | 
> lisa@osafoundation.org
>              Status|ASSIGNED                    |NEW
>
>
>
> ------- Additional Comments From fluffy@cisco.com  2006-01-27 11:33  
> -------
>
> I'm proposing replacing the whole section 19.8. I'm not married to  
> any of this text and feel free to
> reorganize, fix grammar, etc but I was thinking of something along  
> lines of:
>
>
> 19.8 Hosting malicious scripts executed on client machines
>
> HTTP has the ability to host programs which are executed on client  
> machines. These programs can take
> many forms including web scripts, executables, plug in modules, and  
> macros in documents. WebDAV
> does not change any of the security concerns around these programs  
> yet often WebDAV is used in
> contexts where a wide range of users can publish documents on a  
> server. The server might not have a
> close trust relationship with the author that is publishing the  
> document.  Servers that allow clients to
> publish arbitrary content need to consider additional precautions  
> to check that content published to the
> server is not harmful to other clients. Servers could do this by  
> techniques such as restricting the types
> of content that is allowed to be published and running virus and  
> malware detection software on
> published content. Servers can also mitigate the risk by having  
> appropriate access restriction and
> authentication of users that are allowed to publish content to the  
> server.
>
>
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
Received on Friday, 27 January 2006 19:42:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:13 GMT