Re: Feedback from OWASP on Mobile Web Application Best Practices, W3C Working Draft 13 July 2010 (LC-2412)

Hi David,

Just a short reminder that we'd welcome your feedback on this by tomorrow (we realize it's a rather tight schedule and that we took more time to address your comments in the first place!). Let us know if you need more time to address these responses within OWASP.

Thanks,
Francois.

On 09/07/2010 04:21 PM, fd@w3.org wrote:
>   Dear David Campbell,
>
> The Mobile Web Best Practices Working Group has reviewed the comments you
> sent [1] on the Last Call Working Draft [2] of the Mobile Web Application
> Best Practices published on 13 Jul 2010. Thank you for having taken the
> time to review the document and to send us comments!
>
> The Working Group's response to your comment is included below, and has
> been implemented in the new version of the document available at:
> http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/latest.
>
> Please review it carefully and let us know by email at
> public-bpwg-comments@w3.org if you agree with it or not before 14 September
> 2010 (if possible, simply tell us if you need more time). In case of
> disagreement, you are requested to provide a specific solution for or a
> path to a consensus with the Working Group. If such a consensus cannot be
> achieved, you will be given the opportunity to raise a formal objection
> which will then be reviewed by the Director during the transition of this
> document to the next stage in the W3C Recommendation Track.
>
> Thanks,
>
> For the Mobile Web Best Practices Working Group,
> Dominique Hazaël-Massieux
> François Daoust
> W3C Staff Contacts
>
>   1. http://www.w3.org/mid/4C5B37FA.6000206@owasp.org
>   2. http://www.w3.org/TR/2010/WD-mwabp-20100713/
>
>
> =====
>
> Your comment on the document as a whole:
>> Dear Sir or Madam:
>>
>> I represent the Global Industry Committee of the Open Web Application
>> Security Project (OWASP) and we are keenly interested in your
>> forthcoming Mobile Web Application Best Practices recommendation.
>>
>> Attached please find a PDF document containing our comments on your
>> draft recommendation.
>>
>> Please feel free to contact me directly with any questions, comments
>> or concerns.
>>
>> Cheers,
>>
>> David Campbell
>> Open Web Application Security Project
>> dcampbell@owasp.org
>> www.owasp.org
>
>
> Working Group Resolution (LC-2412):
> The group partially agrees with the comment.
>
> The Mobile Web Application Best Practices is explicitly scoped to best
> practices that have some specific impact on the mobile context:
>   http://www.w3.org/TR/mwabp/#mobile-context
>
> The Working Group acknowledges that most "desktop" security-related best
> practices also apply to mobile devices and updated the introduction text of
> the "Security and Privacy" section to reflect that the one best practice
> listed in that section is definitely not the end of it. The Working Group
> has also decided to reference the OWASP TOP 10 work as an example of usual
> security measures in this text. See updated text in latest editor's draft:
>
> http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/latest#bp-security
>
>
> The group does not feel it has the expertise to review and select other
> best practices related to security and decided against adding more best
> practices to the section. A future version of the best practices should
> probably include a more comprehensive set of best practices related to
> security.
>
> The best practice listed in this category was chosen on the grounds that
> it was the most obvious client-side security hole to bridge in a mobile Web
> application that might have access to personal information. In particular,
> a mobile Widget could perhaps be allowed to send SMS or make phone calls
> while the device is connected to an "untrusted" public Wifi connection,
> thus enabling potential man-in-the-middle attacks.
>
>
> ----

Received on Monday, 13 September 2010 14:02:21 UTC