- From: Svensson, Lars <L.Svensson@dnb.de>
- Date: Mon, 7 Jan 2019 15:23:55 +0000
- To: Annette Greiner <amgreiner@lbl.gov>
- CC: "public-dxwg-wg@w3.org" <public-dxwg-wg@w3.org>
Dear Annette, On Monday, December 17, 2018 6:59 PM, Annette Greiner [mailto:amgreiner@lbl.gov] wrote: > oops, sorry, my comments were for the prof conneg doc, not the guidance! So are your comments relevant for the prof-conneg security and privacy section [1]? To me they don't directly address anything in that section or in the answers to the questionnaire [2]. [1] https://www.w3.org/TR/dx-prof-conneg/#security_and_privacy [2] https://www.w3.org/2017/dxwg/wiki/CnegPrivacyAndSecurityQuestionnaire Best, Lars > On 12/15/18 12:08 PM, Nicholas Car via GitHub wrote: > > Questions from https://w3ctag.github.io/security-questionnaire/ with > > answers: > > **4.1 What information might this feature expose to Web sites or other > > parties, and for what purposes is that exposure necessary?** Guidance > > document - no code/system exposing anything directly. > > **4.2 Is this specification exposing the minimum amount of information > > necessary to power the feature?** N/A > > **4.3 How does this specification deal with personal information or > > personally-identifiable information or information derived thereof?** > > It does not. > > **4.4 How does this specification deal with sensitive information?** > > It does not. > > **4.5 Does this specification introduce new state for an origin that > > persists across browsing sessions?** No. > > **4.6 What information from the underlying platform, e.g. > > configuration data, is exposed by this specification to an origin?** N/A > > **4.7 Does this specification allow an origin access to sensors on a > > user’s device?** No. > > **4.8 What data does this specification expose to an origin? Please > > also document what data is identical to data exposed by other > > features, in the same or different contexts.** N/A > > **4.9 Does this specification enable new script execution/loading > > mechanisms?** No. > > **4.10 Does this specification allow an origin to access other > > devices?** No. > > **4.11 Does this specification allow an origin some measure of control > > over a user agent’s native UI?** No. > > **4.12 What temporary identifiers might this this specification create > > or expose to the web?** No temporary identifiers. Use of it will > > ultimately generate persistent identifiers (URIs) for documents > > (profiles). > > **4.13 How does this specification distinguish between behavior in > > first-party and third-party contexts?** It does not. > > **4.14 How does this specification work in the context of a user > > agent’s Private \ Browsing or "incognito" mode?** N/A > > **4.15 Does this specification have a "Security Considerations" and > > "Privacy Considerations" section?** Yes but a trivial one for now. To > > be updated. > > **4.16 Does this specification allow downgrading default security > > characteristics?** No or N/A. > > **4.17 What should this questionaire have asked?** I can't think of > > what it could ask to better probe potential privacy issues for this > > kind of Guidance document. > > > > > > -- > Annette Greiner > NERSC Data and Analytics Services > Lawrence Berkeley National Laboratory >
Received on Monday, 7 January 2019 15:24:20 UTC