Re: [ac] Fwd: Security note at the top of the access-control document

Anne,

On Feb 1, 2007, at 8:39 AM, ext Anne van Kesteren wrote:
> # Note: The W3C has not analyzed the security problems which
> # motivated the publication of this document. This document
> # only addresses a subset of the security issues involved in
> # exposing XML data over HTTP. This document documents an
> # existing practice used under certain circumstances, but in
> # no way implies that the technique would be appropriate or
> # secure to protect document access under all circumstances.
> # Implementors should perform their own security analysis.
>
> This note should be made much more clear or just be dropped.
> Problems I have with the note:

This Note was probably appropriate when it was included in the Voice  
Browser WG's original Working Group Note. However, given the  
document's expanded scope, new algorithms, etc., I recommend it be  
removed.

> * Implementors should always perform security analysis. For any
>    specification.
>
> At the moment it's just confusing and might lead people to think, for
> instance, that all other specifications developed by the W3C are
> reviewed by security experts and that implementors don't really have to
> think about security themselves for most other specifications the W3C
> develops.

I don't view the last statement quoted above as harmful but I am  
mostly indifferent here. Perhaps the basic notion could be factored  
into Brad's new introduction.

Received on Thursday, 1 February 2007 20:05:28 UTC