W3C home > Mailing lists > Public > www-tag@w3.org > October 2006

RE: [metadataInURI-31] New draft of metadata in URI finding includes section on malicious metadata

From: Booth, David (HP Software - Boston) <dbooth@hp.com>
Date: Mon, 2 Oct 2006 10:22:00 -0400
Message-ID: <EBBD956B8A9002479B0C9CE9FE14A6C201416CA1@tayexc19.americas.cpqcorp.net>
To: <noah_mendelsohn@us.ibm.com>, <www-tag@w3.org>

Noah,

Excellent addition (malicious metadata).  I don't want to delay
publication, but there is one little phrasing that worries me.  Section
2.8 says: 

	"Thus, the primary fault in this scenario rests with the web 
	site administrators who served an executable that was intended 
	to damage Bob's machine".

But section 3 says: 

	"In other cases, users are responsible for the consequences 
	of any incorrect inferences."

I would not want someone to use that last sentence as justification for
something misleading.  As it stands, it's a bit of a mixed message.  How
about rephrasing that sentence, perhaps like:

	"In other cases, users should be aware that their inferences 
	may be incorrect and the effect could be malicious."

David Booth, Ph.D.
HP Software
dbooth@hp.com
Phone: +1 617 629 8881
  

> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] 
> On Behalf Of Rice, Ed (ProCurve)
> Sent: Sunday, October 01, 2006 11:26 PM
> To: noah_mendelsohn@us.ibm.com; www-tag@w3.org
> Cc: Williams, Stuart (HP Labs, Bristol)
> Subject: RE: [metadataInURI-31] New draft of metadata in URI 
> finding includes section on malicious metadata
> 
> 
> Hi Noah,
> 
> I reviewed the document and am happy with the explanation.  Thanks for
> adding that section.
> 
> I'd say its good to publish :)
> _Ed
>  
> 
> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> Of noah_mendelsohn@us.ibm.com
> Sent: Sunday, October 01, 2006 8:49 AM
> To: www-tag@w3.org
> Cc: Williams, Stuart (HP Labs, Bristol)
> Subject: [metadataInURI-31] New draft of metadata in URI finding
> includes section on malicious metadata
> 
> 
> I am pleased to announce the availability of a new draft of 
> the finding:
> 
> "The use of Metadata in URIs" [1,2,3,].  The principle change is the
> addition of a section [4] on malicious metadata, using an example of a
> site serving a URI ending in ".jpeg" with a representation that is a
> malicious executable.  There are a few other changes, primarily as
> promised in response to comments made by Stuart Williams and David
> Booth. 
> [5].  While it would probably be prudent for at least one other TAG
> member to do an end-to-end check before we publish, I think most
> reviewers will do fine if they focus on the new section at [4], and
> perhaps quickly review my response to Stuart at [5].
> 
> Although comments on TAG findings are always welcome, I 
> should point out
> that the TAG has as early as June signaled its intention to 
> publish this
> one, albeit now with the new section if it meets with 
> approval.  Clearly
> review of of the recent changes is in order before we publish,  but
> there is a good chance that comments on other aspects of the finding
> will be queued for consideration should we later wish to 
> republish.  In
> short, I think it's about time to ship this.
> 
> Thank you!
> 
> Noah
> 
> [1] http://www.w3.org/2001/tag/doc/metaDataInURI-31
> [2] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html
> [3] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.xml
> [4]
> http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html#
> malicious
> [5] http://lists.w3.org/Archives/Public/www-tag/2006Sep/0110.html
> 
> --------------------------------------
> Noah Mendelsohn
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
> 
> 
> 
> 
> 
> 
> 
Received on Monday, 2 October 2006 14:31:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:47:42 GMT