- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 01 Feb 2007 14:39:27 +0100
- To: "WAF WG (public)" <public-appformats@w3.org>

Below are some comments on the security note the status section of the access-control document currently has.

------- Forwarded message -------
From: "Anne van Kesteren" <annevk@opera.com>
To: member-accesscontrol-tf@w3.org
Cc: www-archive@w3.org
Subject: Security note at the top of the access-control document
Date: Thu, 01 Feb 2007 14:28:59 +0100

# Note: The W3C has not analyzed the security problems which
# motivated the publication of this document. This document
# only addresses a subset of the security issues involved in
# exposing XML data over HTTP. This document documents an
# existing practice used under certain circumstances, but in
# no way implies that the technique would be appropriate or
# secure to protect document access under all circumstances.
# Implementors should perform their own security analysis.

This note should be made much more clear or just be dropped. Problems I have with the note:

* W3C almost never analyzes security problems with specifications (I've never seen some official rubber-stamp on a spec that says "W3C-security-approved"...)
* From the document I think it's pretty clear that it has a limited scope already.
* The document is not just about XML.
* Implementors should always perform security analysis. For any specification.

At the moment it's just confusing and might lead people to think, for instance, that all other specifications developed by the W3C are reviewed by security experts and that implementors don't really have to think about security themselves for most other specifications the W3C develops.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 1 February 2007 13:39:41 UTC