W3C home > Mailing lists > Public > www-tag@w3.org > February 2010

Re: ACTION-278 Hiding metadata for security reasons

From: Tyler Close <tyler.close@gmail.com>
Date: Thu, 11 Feb 2010 16:51:42 -0800
Message-ID: <5691356f1002111651v413b6e22xf9a5ef91e853ca77@mail.gmail.com>
To: Dan Connolly <connolly@w3.org>
Cc: Larry Masinter <masinter@adobe.com>, Tim Berners-Lee <timbl@w3.org>, John Kemp <john@jkemp.net>, "ashok.malhotra@oracle.com" <ashok.malhotra@oracle.com>, Jonathan Rees <jar@creativecommons.org>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
I agree with Dan's response below and am just going to clarify what I
meant by "legitimately directed", inline below...

On Thu, Feb 11, 2010 at 11:52 AM, Dan Connolly <connolly@w3.org> wrote:
> On Wed, 2010-02-10 at 15:05 -0800, Larry Masinter wrote:
>> >   A user-agent
>> > MUST NOT disclose representations or URIs, unless either explicitly
>> > instructed to do so by the user or as legitimately directed to by
>> > presented content. Since the user may wish to keep this information
>> > confidential, the user-agent must not assume it can be revealed to
>> > third-parties.
>>
>> While I'm sympathetic to the intent, this leaves undefined
>>  the scope of "user agent" here, referent of "the user",
>> and the meanings of "disclose", "legitimately", "confidential",
>> "assume" and "third-parties".
>
> Those are all sufficiently well-defined for me.

There are various standards, such as HTML, that cover what a
user-agent is expected to do when presenting content. For example,
presented content can reveal information to a third-party by using a
<form> element to send information to another host. These documented
APIs define what a user-agent may be "legitimately directed" to do by
presented content. An example of an illegitimate disclosure by
presented content would require an attack on the security model
commonly implemented in user-agents. For example, user-agents prevent
presented content from reading the user's bookmarks without the user's
consent. A bug that enabled presented content to gain such access
would be a violation of the MUST NOT requirement quoted above.

There should be nothing controversial about the quoted draft text. It
really only defines the difference between malware/spyware and the
user-agent. Malware takes information without permission from the
user.

>>   Does "user agent" apply to,
>> say, archive.org (which might pick up a mailing list archive
>> of an email and scan what is supposed to be a 'private'
>> URL)?

The archive.org crawler is a user-agent acting under the direction of
its user, the operators of archive.org. That user-agent is obeying its
user's instructions to fetch content and share it with third parties.
That crawler should only find one of my web-keys if my user-agent put
it in a mailing list email under my instructions. A web-key may
legitimately be passed from user to user, so long as each user-agent
in the chain is acting under *it's* user's instructions. There is no
expectation that your user-agent obeys my instructions, instead of
yours. I'm surprised that this is not clear and seen as the normal
state of the world.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Friday, 12 February 2010 00:52:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:19 GMT