- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Thu, 1 Feb 2007 15:04:31 -0500
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Anne,

On Feb 1, 2007, at 8:39 AM, ext Anne van Kesteren wrote:

> # Note: The W3C has not analyzed the security problems which
> # motivated the publication of this document. This document
> # only addresses a subset of the security issues involved in
> # exposing XML data over HTTP. This document documents an
> # existing practice used under certain circumstances, but in
> # no way implies that the technique would be appropriate or
> # secure to protect document access under all circumstances.
> # Implementors should perform their own security analysis.
>
> This note should be made much more clear or just be dropped.
> Problems I have with the note:

This Note was probably appropriate when it was included in the Voice Browser WG's original Working Group Note. However, given the document's expanded scope, new algorithms, etc., I recommend it be removed.

> * Implementors should always perform security analysis. For any
> specification.
>
> At the moment it's just confusing and might lead people to think, for
> instance, that all other specifications developed by the W3C are
> reviewed by security experts and that implementors don't really have to
> think about security themselves for most other specifications the W3C
> develops.

I don't view the last statement quoted above as harmful but I am mostly indifferent here. Perhaps the basic notion could be factored into Brad's new introduction.

Received on Thursday, 1 February 2007 20:05:28 UTC