
Re: Security Use Cases - Very rough first draft

From: Bill McCoy <bmccoy@idpf.org>
Date: Sat, 20 Aug 2016 11:03:51 -0700
Message-ID: <CADMjS0bb1Qci88PahWhUFnob18pMy7D=1=ujOodFL1OY1Gn+kA@mail.gmail.com>
To: Ivan Herman <ivan@w3.org>
Cc: Bill McCoy <whmccoy@gmail.com>, Baldur Bjarnason <baldur@rebus.foundation>, W3C Digital Publishing IG <public-digipub-ig@w3.org>
Even though it was not specifically a reply to my comment I want to +1
Ivan's take on this.

And I also want to +1 something Leonard said about ad hoc (P2P) use cases
for sharing documents also being important, and to tease out an implication
of that.

PDF is of course the prevalent portable document format today, especially
for P2P. And PDFs can contain active content - JavaScript - just like EPUBs
and Web pages - and arguably that active content represents a far more
dangerous security risk:

- 99% of PDF rendering (gross estimate) is done via closed source solutions
that aren't subject to objective security analysis or security
vulnerability correction by third parties (unlike 3 out of the 4 top
browsers, including the browser engines built into both top mobile OS's)

- the most widely used PDF implementation, Adobe Reader, has 3 different
instantiations of JavaScript, each with their own set of unique APIs (at
one point in the past 4 instantiations and at that time all different
versions of the JS interpreter!)... these are for general JS code in the
main context, for JS used with XML Forms Architecture (XFA) content, and JS
used with 3D content.

- the PDF specifications do not formally define the document execution life
cycle or security model of executing script code in a rigorous way. For
example while in Adobe Reader some (but not all) cases of remote network
access from scripting in PDF produce user-visible warnings the behavior
depends on preference settings which are application implementation
details, not part of the PDF specification itself.

- in particular in PDF there is no model of encapsulation of less trusted
content inside a container of more trusted content, everything operates at
the same (implicit) trust level. Whereas for OWP, IFRAME et al. provide
an encapsulation model (further elaborated in EPUB with Embedded Scriptable

(enough said)

I believe that today's EPUB 3 solutions built on OWP with its more
well-defined security model and predominantly open source implementations,
are very arguably more secure than PDF, or at least there's no clear
evidence that it's less secure. Yet we very rarely hear publishers or end
users distributing documents being seriously worried about scripting in
PDFs (even if, objectively, they should be).

Therefore I believe part of this is a marketing issue not a technical
issue. As more and more of the online Web seems ridden with sketchy ads and
malware, commercial publishers fear similar things happening with their
premium paid content. That is not necessarily an irrational fear and I
support that we should be taking security very seriously, but since at a
technical level PDF sets a very low bar for PWP, which EPUB 3 may already
have exceeded, we shouldn't presume that we have a technical disaster
already on our hands,


On Sat, Aug 20, 2016 at 12:22 AM, Ivan Herman <ivan@w3.org> wrote:

> (This is not a reply on this mail specifically but rather on the resulting
> thread… the result of being in a different timezone:-)
> I think that, at this point and mainly for the purpose of the UCR
> document, what we have to concentrate on is what extra security
> requirements PWP-s have over the general Web security aspect. I realize
> that Baldur's use cases are in this direction (thanks Baldur:-), but I also
> agree that, at this point, we should not, in this document, go into
> specific technical solutions; this is not the goal of the UCR (but will be
> the topic of a future Working Group if and when we get there).
> To put it another way: when I talk to my Web Application friends, I do
> tell them that publishers are more nervous about security than many other
> content providers on the Web, they are nervous of using JavaScript for
> these reasons, etc. I think these high(er) level fears and concerns, and
> their reasons, should be clearly spelled out in this document (and, for
> example, these *are* related to issues in this document, like the problem
> of origin; I guess it also goes for the integrity of the publication as a
> whole that gets copied around but is also, at the same time, possibly
> copyrighted, etc). Web Application people should understand that there is a
> community out there that may be more stringent in this sense. At the same
> time, Publishing people should understand that the PWP community does take
> these concerns seriously and it is not the intention to ignore them in a
> big and happy kumbaya with Web technologies. *This* is what the UCR
> document should reflect, without getting into the technical weeds…
> My 2 cents…
> Ivan
> On 19 Aug 2016, at 18:13, Bill McCoy <whmccoy@gmail.com> wrote:
> Most if not all of these requirements do not seem to be specific to "Web
> Publications" as the term is defined by DPUB IG.
> It is of course true that publications must not compromise the basic
> security model of the Web.
> Unfortunately, the definition of that general security model and the
> associated runtime life cycle isn't entirely clear, especially when it
> comes to content and applications stored on / executing from local
> systems.  And I'm not sure it's the job of DPUB IG to attempt to define
> with precision that general model. Or, if we do take on the job of fully
> defining that security model, we should realize we aren't doing it just for
> "Publications" but really for Web content in general.
> https://www.w3.org/TR/runtime/ is for example recent work in this area
> started by the now defunct System Applications WG. Some of this seems very
> applicable to Web Publications. That it's unfinished orphaned work is
> perhaps a warning sign that it may not be an easy job to take on but
> perhaps someone could adopt it (which may be preferable to starting over).
> Whether that's DPUB IG or a successor vs. say the Web Platform WG is
> another question... and I guess to me this is all logically part of the Web
> Platform itself.
> EPUB specifications to date have clearly punted on this but one reason was
> that we were hoping that work on Web Applications at W3C would be paving
> the way in terms of more rigorously defining the Web security model
> especially for offline/local content.
> --Bill
> On Fri, Aug 19, 2016 at 5:34 AM, Baldur Bjarnason <baldur@rebus.foundation> wrote:
>> Security Use Cases - Very rough first draft
>> Here it is on Google Docs:
>> https://docs.google.com/document/d/1i8vm8cg5iqxWgpPFRR3Qae5loj-DWcrsbBUIf2IeGaU/edit?usp=sharing
>> Let me know if you can’t access it and I’ll find another way to share it
>> with the list or fiddle with the sharing settings on the document itself.
>> It’s a very rough draft, half-baked, doesn’t conform to spec style or
>> structure etc. etc.
>> All of the links included are there more as informative references for
>> context and will have to be turned into proper spec references or removed
>> in a later draft.
>> If the scenarios seem paranoid downers then bear in mind that my biggest
>> worry while writing it is that I might not be paranoid enough.
>> - best
>> - Baldur Bjarnason
>>   baldur@rebus.foundation
> ----
> Ivan Herman, W3C
> Digital Publishing Lead
> Home: http://www.w3.org/People/Ivan/
> mobile: +31-641044153
> ORCID ID: http://orcid.org/0000-0003-0782-2704


Bill McCoy
Executive Director
International Digital Publishing Forum (IDPF)
email: bmccoy@idpf.org
mobile: +1 206 353 0233
Received on Saturday, 20 August 2016 18:04:21 UTC
