RE: [metadataInURI-31] New draft of metadata in URI finding includes section on malicious metadata

From: <noah_mendelsohn@us.ibm.com>
Date: Mon, 2 Oct 2006 14:40:58 -0400
To: "Booth, David (HP Software - Boston)" <dbooth@hp.com>
Cc: www-tag@w3.org
Message-ID: <OF016ABDA8.0CA79A24-ON852571FB.006677F9-852571FB.0066A271@lotus.com>

David:

I think you've raised a good issue, but I want to chew a bit on exactly 
how I'd proposed to resolve it.  I agree that some tweak to section 3 
would be helpful, at the very least to point to the new "malicious" 
section, and maybe to do something along the lines of what you've 
suggested.  It's in my queue of small things to wrap up before publishing.
Thanks.  Your input now and in earlier comments has been particularly
helpful!

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

"Booth, David (HP Software - Boston)" <dbooth@hp.com>
10/02/2006 10:22 AM
 
        To:     <noah_mendelsohn@us.ibm.com>, <www-tag@w3.org>
        cc: 
        Subject:        RE: [metadataInURI-31] New draft of metadata in URI finding includes section on malicious metadata


Noah,

Excellent addition (malicious metadata).  I don't want to delay
publication, but there is one little phrasing that worries me.  Section
2.8 says: 

                 "Thus, the primary fault in this scenario rests with the
                 web site administrators who served an executable that was
                 intended to damage Bob's machine".

But section 3 says: 

                 "In other cases, users are responsible for the
                 consequences of any incorrect inferences."

I would not want someone to use that last sentence as justification for
something misleading.  As it stands, it's a bit of a mixed message.  How
about rephrasing that sentence, perhaps like:

                 "In other cases, users should be aware that their
                 inferences may be incorrect and the effect could be
                 malicious."

David Booth, Ph.D.
HP Software
dbooth@hp.com
Phone: +1 617 629 8881
 

> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] 
> On Behalf Of Rice, Ed (ProCurve)
> Sent: Sunday, October 01, 2006 11:26 PM
> To: noah_mendelsohn@us.ibm.com; www-tag@w3.org
> Cc: Williams, Stuart (HP Labs, Bristol)
> Subject: RE: [metadataInURI-31] New draft of metadata in URI 
> finding includes section on malicious metadata
> 
> 
> Hi Noah,
> 
> I reviewed the document and am happy with the explanation.  Thanks for
> adding that section.
> 
> I'd say it's good to publish :)
> _Ed
> 
> 
> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> Of noah_mendelsohn@us.ibm.com
> Sent: Sunday, October 01, 2006 8:49 AM
> To: www-tag@w3.org
> Cc: Williams, Stuart (HP Labs, Bristol)
> Subject: [metadataInURI-31] New draft of metadata in URI finding
> includes section on malicious metadata
> 
> 
> I am pleased to announce the availability of a new draft of the finding:
> 
> "The use of Metadata in URIs" [1,2,3].  The principal change is the
> addition of a section [4] on malicious metadata, using an example of a
> site serving a URI ending in ".jpeg" with a representation that is a
> malicious executable.  There are a few other changes, primarily as
> promised in response to comments made by Stuart Williams and David
> Booth [5].  While it would probably be prudent for at least one other TAG
> member to do an end-to-end check before we publish, I think most
> reviewers will do fine if they focus on the new section at [4], and
> perhaps quickly review my response to Stuart at [5].
> 
> Although comments on TAG findings are always welcome, I should point out
> that the TAG has as early as June signaled its intention to publish this
> one, albeit now with the new section if it meets with approval.  Clearly
> review of the recent changes is in order before we publish, but
> there is a good chance that comments on other aspects of the finding
> will be queued for consideration should we later wish to republish.  In
> short, I think it's about time to ship this.
> 
> Thank you!
> 
> Noah
> 
> [1] http://www.w3.org/2001/tag/doc/metaDataInURI-31
> [2] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html
> [3] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.xml
> [4] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html#malicious
> [5] http://lists.w3.org/Archives/Public/www-tag/2006Sep/0110.html
> 
> --------------------------------------
> Noah Mendelsohn
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
Received on Monday, 2 October 2006 18:41:11 GMT
