If there is no security workshop scheduled, would someone volunteer to ask public-web-security@w3.org for comments, moderate the discussion, and come back with a recommendation agreeable to that group? Does not have to be a TAG member. Tyler?

Larry
--
http://larry.masinter.net

-----Original Message-----
From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of Jonathan Rees
Sent: Tuesday, February 16, 2010 7:29 PM
To: www-tag@w3.org
Cc: Tyler Close
Subject: Re: ACTION-278 Hiding metadata for security reasons - notes

FWIW I scanned the correspondence on ACTION-278 in preparation for Thursday's call. I can't say I've found enlightenment. But I did compile some of the bits I thought were interesting and/or important; see:

http://www.w3.org/2001/tag/2010/02/action-278-notes.txt

(if someone wants to htmlify so that the links can be followed that would be great)

I say *some* of the bits because certainly it leaves out many bits that are important! It's in CVS so that others can add to it. (Sometimes I wish we had a wiki.)

It appears there's consensus to change the finding, but not consensus on how. I think more analysis is needed (remember Larry saying we should continue in email?), especially regarding what CSRF defenses need to look like, whether they do / can / should satisfy Larry's risk mitigation and semi-confidentiality criteria.

Jonathan

Received on Wednesday, 17 February 2010 18:25:41 GMT