Moreover, it seems to me that as described, it's the user agent's fault
for executing an (unsandboxed) executable without user prompting. All
browsers, AFAIK, warn the user in this case and provide a
"Cancel/Run"-style dialog.

P.S. s/because has heard/because he has heard/

Mark.

On 10/2/06, Booth, David (HP Software - Boston) <dbooth@hp.com> wrote:
>
> Noah,
>
> Excellent addition (malicious metadata). I don't want to delay
> publication, but there is one little phrasing that worries me. Section
> 2.8 says:
>
> "Thus, the primary fault in this scenario rests with the web
> site administrators who served an executable that was intended
> to damage Bob's machine".
>
> But section 3 says:
>
> "In other cases, users are responsible for the consequences
> of any incorrect inferences."
>
> I would not want someone to use that last sentence as justification for
> something misleading. As it stands, it's a bit of a mixed message. How
> about rephrasing that sentence, perhaps like:
>
> "In other cases, users should be aware that their inferences
> may be incorrect and the effect could be malicious."
>
> David Booth, Ph.D.
> HP Software
> dbooth@hp.com
> Phone: +1 617 629 8881
>
>
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org]
> > On Behalf Of Rice, Ed (ProCurve)
> > Sent: Sunday, October 01, 2006 11:26 PM
> > To: noah_mendelsohn@us.ibm.com; www-tag@w3.org
> > Cc: Williams, Stuart (HP Labs, Bristol)
> > Subject: RE: [metadataInURI-31] New draft of metadata in URI
> > finding includes section on malicious metadata
> >
> >
> > Hi Noah,
> >
> > I reviewed the document and am happy with the explanation. Thanks for
> > adding that section.
> >
> > I'd say it's good to publish :)
> > _Ed
> >
> >
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> > Of noah_mendelsohn@us.ibm.com
> > Sent: Sunday, October 01, 2006 8:49 AM
> > To: www-tag@w3.org
> > Cc: Williams, Stuart (HP Labs, Bristol)
> > Subject: [metadataInURI-31] New draft of metadata in URI finding
> > includes section on malicious metadata
> >
> >
> > I am pleased to announce the availability of a new draft of the finding:
> >
> > "The use of Metadata in URIs" [1,2,3]. The principal change is the
> > addition of a section [4] on malicious metadata, using an example of a
> > site serving a URI ending in ".jpeg" with a representation that is a
> > malicious executable. There are a few other changes, primarily as
> > promised in response to comments made by Stuart Williams and David
> > Booth. [5]. While it would probably be prudent for at least one other
> > TAG member to do an end-to-end check before we publish, I think most
> > reviewers will do fine if they focus on the new section at [4], and
> > perhaps quickly review my response to Stuart at [5].
> >
> > Although comments on TAG findings are always welcome, I should point
> > out that the TAG has as early as June signaled its intention to publish
> > this one, albeit now with the new section if it meets with approval.
> > Clearly review of the recent changes is in order before we publish, but
> > there is a good chance that comments on other aspects of the finding
> > will be queued for consideration should we later wish to republish. In
> > short, I think it's about time to ship this.
> >
> > Thank you!
> >
> > Noah
> >
> > [1] http://www.w3.org/2001/tag/doc/metaDataInURI-31
> > [2] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html
> > [3] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.xml
> > [4] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html#malicious
> > [5] http://lists.w3.org/Archives/Public/www-tag/2006Sep/0110.html
> >
> > --------------------------------------
> > Noah Mendelsohn
> > IBM Corporation
> > One Rogers Street
> > Cambridge, MA 02142
> > 1-617-693-4036
> > --------------------------------------

Received on Monday, 2 October 2006 16:24:43 GMT