W3C home > Mailing lists > Public > public-prov-wg@w3.org > November 2012

Re: PROV-AQ security (privacy) considerations

From: Paul Groth <p.t.groth@vu.nl>
Date: Thu, 8 Nov 2012 11:56:30 -0500
Message-ID: <CAJCyKRpHj2Aub6OwTo3wKH3BpimgQ5=OM9Tzxr-HdTJ_5siAhA@mail.gmail.com>
To: Graham Klyne <graham.klyne@zoo.ox.ac.uk>
Cc: W3C provenance WG <public-prov-wg@w3.org>
Hi Graham

Thanks for the explanation.


On Thu, Nov 8, 2012 at 7:10 AM, Graham Klyne <graham.klyne@zoo.ox.ac.uk>wrote:

> Replying to two comments at once here.
> Paul,
> I personally think that it is very appropriate for the spec to include
> this kind
> of language.  Of course, others may (and do) disagree.  Security (of which
> privacy is a facet) is (a) of critical importance, and (b) very hard to get
> right, requiring care to be applied at every stage of design and
> implementation
> (cf. Ross Anderson's comments about "Programming Satan's computer"
> [http://www.cl.cam.ac.uk/~rja14/Papers/satan.pdf], etc).
> The IETF has a long history of requiring all specifications to give
> consideration to possible security issues they may introduce.  It's not a
> panacea, but it helps to remind specification designers, reviewers and
> developers to be aware of security issues, and to try and make explicit
> those
> considerations that have been recognized, and maybe to prompt others to
> think
> about other considerations that have not yet been recognized.
> The W3C does not (yet) have such a culture.  I think it's no accident that
> the
> web represents one of the largest and most pervasive attack surfaces today
> for
> subversion of digital information.  So yes, I think it's more than
> appropriate,
> I think it's irresponsible to NOT give some consideration to security
> considerations in the design, documentation and implementation of standards
> particularly those that are intended to widely used.
> On 07/11/2012 01:12, Yolanda Gil wrote:
> > Provenance management systems can provide mechanisms for enforcement and
> > auditing of privacy policies.
> Yolanda,
> Thank you for reminding me about audit.  I've added this slightly modified
> to
> constrain it's scope to what I think is appropriate to this spec.  The
> paragraph
> previously circulated now reads:
> [[
> Provenance information may provide a route for leakage of privacy-related
> information, combining as it does a diversity of information types with
> possible
> personally-identifying information; e.g. editing timestamps may provide
> clues to
> the working patterns of document editors, or derivation traces might
> indicate
> access to sensitive materials.  In particular, note that the fact that a
> resource is openly accessible does not mean that its provenance information
> should also be.  When publishing provenance, its sensitivity SHOULD be
> considered and appropriate access controls applied where necessary.  When a
> provenance-aware publishing service accepts some resource for publication,
> the
> contributors SHOULD have some opportunity to review and correct or conceal
> any
> provenance information that they don't wish to be exposed.  Provenance
> management systems SHOULD embody mechanisms for enforcement and auditing of
> privacy policies as they apply to provenance information.
> ]]
> #g

Dr. Paul Groth (p.t.groth@vu.nl)
Assistant Professor
- Knowledge Representation & Reasoning Group |
  Artificial Intelligence Section | Department of Computer Science
- The Network Institute
VU University Amsterdam
Received on Thursday, 8 November 2012 16:57:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 8 November 2012 16:57:01 GMT