- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 12 Dec 2007 17:38:55 +0100
- To: "Williams, Stuart (HP Labs, Bristol)" <skw@hp.com>, "public-appformats@w3.org" <public-appformats@w3.org>
On Wed, 12 Dec 2007 17:25:02 +0100, Williams, Stuart (HP Labs, Bristol) <skw@hp.com> wrote:

>> Security trumps purity. Not sure what else to say here.
>
> I think that's just a little too pithy! Corner cases are just tricky to
> get right and A trumps B doesn't really cut it IMO - plus I think it's
> pretty hard to make a hard security based argument - that information
> left the origin server, it passed through numerous wires, probably in
> clear, along with the access control headers (visible), through who
> knows how many proxies that could 'fiddle' with them - do you
> authenticate the access control headers (they can certainly be tampered
> with)? should you?

The information could be behind an authenticated page protected using TLS or something in that direction.

>> I think there are some problems with introducing the same
>> algorithm non-normatively in a constraint-based style:
>>
>> 1. There might be differences
>> 2. It might confuse implementors
>
> What I offered doesn't present an algorithm, it was an attempt to say,
> explicitly, what the algorithm is intended to accomplish ('what' rather
> than 'how').
>
> The algorithm "does what it does" is hardly a good basis on which to
> review the spec.

I think we disagree on that.

>>> Provided the algorithm is correct (ie. does what it's supposed to do)
>>> then the imperative statement of the algorithm is indeed one way of
>>> stating (implicitly) what it does. But how are we to tell if it's
>>> correct if we don't say what it's supposed to do?
>>
>> I think that's the wrong way of looking at it. You want to
>> look if for a certain (evil) input A the results of the
>> algorithm are not desirable.
>
> Well, if you don't say what the algorithm is supposed to accomplish...
> no-one can review the spec for the correctness of the algorithm!

The algorithm is supposed to introduce no new security problems while allowing cross-site access and manipulation of representations of resources.

> Best they can say is... "well it does what it does". Maybe there's a
> requirements document or a design document that captures what the
> algorithm is required to do which reviewers should be reviewing the
> document against?

There is no such document.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 12 December 2007 16:37:54 UTC