
Security note at the top of the access-control document

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 01 Feb 2007 14:28:59 +0100
To: member-accesscontrol-tf@w3.org
Cc: www-archive@w3.org
Message-ID: <op.tm2nqlom64w2qv@id-c0020>

# Note: The W3C has not analyzed the security problems which
# motivated the publication of this document. This document
# only addresses a subset of the security issues involved in
# exposing XML data over HTTP. This document documents an
# existing practice used under certain circumstances, but in
# no way implies that the technique would be appropriate or
# secure to protect document access under all circumstances.
# Implementors should perform their own security analysis.

This note should be made much more clear or just be dropped. Problems I  
have with the note:

* W3C almost never analyzes security problems with specifications
   (I've never seen some official rubber-stamp on a spec that says
   "W3C-security-approved"...)
* From the document I think it's pretty clear that it has a limited
   scope already.
* The document is not just about XML.
* Implementors should always perform security analysis. For any
   specification.

At the moment it's just confusing and might lead people to think, for
instance, that all other specifications developed by the W3C are reviewed  
by security experts and that implementors don't really have to think about  
security themselves for most other specifications the W3C develops.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 1 February 2007 13:29:22 GMT
