
Re: [metadataInURI-31] New draft of metadata in URI finding includes section on malicious metadata

From: Mark Baker <distobj@acm.org>
Date: Mon, 2 Oct 2006 12:24:28 -0400
Message-ID: <c70bc85d0610020924t2ce2a28er961f7d2dc4d86a14@mail.gmail.com>
To: "Booth, David (HP Software - Boston)" <dbooth@hp.com>
Cc: noah_mendelsohn@us.ibm.com, www-tag@w3.org

Moreover, it seems to me that as described, it's the user agent's
fault for executing an (unsandboxed) executable without user
prompting.  All browsers, AFAIK, warn the user in this case and
provide a "Cancel/Run"-style dialog.

P.S. s/because has heard/because he has heard/

Mark.

On 10/2/06, Booth, David (HP Software - Boston) <dbooth@hp.com> wrote:
>
> Noah,
>
> Excellent addition (malicious metadata).  I don't want to delay
> publication, but there is one little phrasing that worries me.  Section
> 2.8 says:
>
>         "Thus, the primary fault in this scenario rests with the web
>         site administrators who served an executable that was intended
>         to damage Bob's machine".
>
> But section 3 says:
>
>         "In other cases, users are responsible for the consequences
>         of any incorrect inferences."
>
> I would not want someone to use that last sentence as justification for
> something misleading.  As it stands, it's a bit of a mixed message.  How
> about rephrasing that sentence, perhaps like:
>
>         "In other cases, users should be aware that their inferences
>         may be incorrect and the effect could be malicious."
>
> David Booth, Ph.D.
> HP Software
> dbooth@hp.com
> Phone: +1 617 629 8881
>
>
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org]
> > On Behalf Of Rice, Ed (ProCurve)
> > Sent: Sunday, October 01, 2006 11:26 PM
> > To: noah_mendelsohn@us.ibm.com; www-tag@w3.org
> > Cc: Williams, Stuart (HP Labs, Bristol)
> > Subject: RE: [metadataInURI-31] New draft of metadata in URI
> > finding includes section on malicious metadata
> >
> >
> > Hi Noah,
> >
> > I reviewed the document and am happy with the explanation.  Thanks for
> > adding that section.
> >
> > I'd say it's good to publish :)
> > _Ed
> >
> >
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> > Of noah_mendelsohn@us.ibm.com
> > Sent: Sunday, October 01, 2006 8:49 AM
> > To: www-tag@w3.org
> > Cc: Williams, Stuart (HP Labs, Bristol)
> > Subject: [metadataInURI-31] New draft of metadata in URI finding
> > includes section on malicious metadata
> >
> >
> > I am pleased to announce the availability of a new draft of
> > the finding:
> >
> > "The use of Metadata in URIs" [1,2,3].  The principal change is the
> > addition of a section [4] on malicious metadata, using an example of a
> > site serving a URI ending in ".jpeg" with a representation that is a
> > malicious executable.  There are a few other changes, primarily as
> > promised in response to comments made by Stuart Williams and David
> > Booth [5].  While it would probably be prudent for at least one other TAG
> > member to do an end-to-end check before we publish, I think most
> > reviewers will do fine if they focus on the new section at [4], and
> > perhaps quickly review my response to Stuart at [5].
> >
> > Although comments on TAG findings are always welcome, I should point
> > out that the TAG has as early as June signaled its intention to
> > publish this one, albeit now with the new section if it meets with
> > approval.  Clearly review of the recent changes is in order before we
> > publish, but there is a good chance that comments on other aspects of
> > the finding will be queued for consideration should we later wish to
> > republish.  In short, I think it's about time to ship this.
> >
> > Thank you!
> >
> > Noah
> >
> > [1] http://www.w3.org/2001/tag/doc/metaDataInURI-31
> > [2] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html
> > [3] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.xml
> > [4] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html#malicious
> > [5] http://lists.w3.org/Archives/Public/www-tag/2006Sep/0110.html
> >
> > --------------------------------------
> > Noah Mendelsohn
> > IBM Corporation
> > One Rogers Street
> > Cambridge, MA 02142
> > 1-617-693-4036
> > --------------------------------------
> >
Received on Monday, 2 October 2006 16:24:43 GMT
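
The scenario discussed in this thread (a URI ending in ".jpeg" whose representation is an executable), as an added example that is not part of the original messages or of the TAG finding: a sketch of a user-agent handling decision that treats the URI suffix only as an untrusted hint and never runs executable content without a prompt. The function names, the policy, the MIME labels chosen for executables and the sample inputs are all assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlparse

# Leading bytes of a few formats (real signatures; the table is deliberately small).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-msdownload"),       # Windows PE
    (b"\x7fELF", "application/x-executable"),  # ELF
]
# Types this hypothetical policy never opens without asking the user.
PROMPT_TYPES = {"application/x-msdownload", "application/x-executable",
                "application/octet-stream"}
# What a reader might infer from the URI suffix; a hint only, never trusted.
SUFFIX_HINT = {".jpeg": "image/jpeg", ".jpg": "image/jpeg",
               ".png": "image/png", ".exe": "application/x-msdownload"}

def sniff(body):
    """Return the type implied by the body's leading bytes, or None."""
    for sig, mime in MAGIC:
        if body.startswith(sig):
            return mime
    return None

def decide(uri, content_type, body):
    """Return (action, notes); action is 'render' or 'prompt' (Cancel/Run)."""
    declared = content_type.split(";")[0].strip().lower()
    suffix = posixpath.splitext(urlparse(uri).path)[1].lower()
    hinted, actual, notes = SUFFIX_HINT.get(suffix), sniff(body), []
    if hinted and hinted != declared:
        notes.append("uri-suffix-disagrees-with-content-type")
    if actual and actual != declared:
        notes.append("body-disagrees-with-content-type")
    # Executable content is never run silently, whatever the URI looks like.
    if declared in PROMPT_TYPES or actual in PROMPT_TYPES:
        return "prompt", notes
    # Render inline only when the header and the body agree on an image type.
    if declared.startswith("image/") and actual == declared:
        return "render", notes
    return "prompt", notes

# Constructed sample inputs (example.org URIs, truncated bodies).
URI = "http://example.org/photos/cat.jpeg"
PE_BODY = b"MZ\x90\x00\x03\x00"
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF"

if __name__ == "__main__":
    print(decide(URI, "application/x-msdownload", PE_BODY))
    print(decide(URI, "image/jpeg", PE_BODY))
    print(decide(URI, "image/jpeg", JPEG_BODY))
```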
