[ac] Fwd: Security note at the top of the access-control document

Below are some comments on the security note that the status section of the
access-control document currently has.


------- Forwarded message -------
From: "Anne van Kesteren" <annevk@opera.com>
To: member-accesscontrol-tf@w3.org
Cc: www-archive@w3.org
Subject: Security note at the top of the access-control document
Date: Thu, 01 Feb 2007 14:28:59 +0100

# Note: The W3C has not analyzed the security problems which
# motivated the publication of this document. This document
# only addresses a subset of the security issues involved in
# exposing XML data over HTTP. This document documents an
# existing practice used under certain circumstances, but in
# no way implies that the technique would be appropriate or
# secure to protect document access under all circumstances.
# Implementors should perform their own security analysis.

This note should be made much more clear or just be dropped. Problems I
have with the note:

* W3C almost never analyzes security problems with specifications
    (I've never seen some official rubber-stamp on a spec that says
    "W3C-security-approved"...)
* From the document I think it's pretty clear that it has a limited
    scope already.
* The document is not just about XML.
* Implementors should always perform security analysis. For any
    specification.

At the moment it's just confusing and might lead people to think, for
instance, that all other specifications developed by the W3C are reviewed
by security experts and that implementors don't really have to think about
security themselves for most other specifications the W3C develops.



-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 1 February 2007 13:39:41 UTC