W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2006

Re: [Bug 184] Clarifications requested for section 19.8 on hosting malicious content

From: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
Date: Fri, 27 Jan 2006 14:51:31 -0500
To: Lisa Dusseault <lisa@osafoundation.org>
Cc: webdav WG <w3c-dist-auth@w3.org>, w3c-dist-auth-request@w3.org
Message-ID: <OFFFF2FC27.1B8EE388-ON85257103.006CE27B-85257103.006D1977@us.ibm.com>
I personally prefer Cullen's original text.  I believe it is clearer
and more direct, and I do not think there is any issue wrt confusing
the phrase "need to" with the normative "MUST".

Cheers,
Geoff

Lisa wrote on 01/27/2006 02:42:06 PM:
> Servers "need to" consider additional precautions?  If this text is 
> meant to be normative, it isn't -- no MUST and "consider" is 
> naturally vague.  So I assume this text is only meant to be advisory, 
> do we need to make that clear?
> 
> I suggest using the same kind of wording as  used elsewhere in the 
> paragraph:  "Servers that allow clients to publish arbitrary content 
> can usefully implement precautions to check that content is not 
> harmful to other clients."
> 
> lisa

> > ------- Additional Comments From fluffy@cisco.com  2006-01-27 11:33 
> > I'm proposing replacing the whole section 19.8. I'm not married to 
> > any of this text and feel free to
> > reorganize, fix grammar, etc but I was thinking of something along 
> > lines of:
> >
> >
> > 19.8 Hosting malicious scripts executed on client machines
> >
> > HTTP has the ability to host programs which are executed on client 
> > machines. These programs can take
> > many forms including web scripts, executables, plug in modules, and 
> > macros in documents. WebDAV
> > does not change any of the security concerns around these programs 
> > yet often WebDAV is used in
> > contexts where a wide range of users can publish documents on a 
> > server. The server might not have a
> > close trust relationship with the author that is publishing the 
> > document.  Servers that allow clients to
> > publish arbitrary content need to consider additional precautions 
> > to check that content published to the
> > server is not harmful to other clients. Servers could do this by 
> > techniques such as restricting the types
> > of content that is allowed to be published and running virus and 
> > malware detection software on
> > published content. Servers can also mitigate the risk by having 
> > appropriate access restriction and
> > authentication of users that are allowed to publish content to the 
> > server.
> >
> >
> >
> >
> >
> > ------- You are receiving this mail because: -------
> > You are the assignee for the bug, or are watching the assignee.
> >
> 
> 
Received on Friday, 27 January 2006 19:51:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:13 GMT