- From: Paul Groth <p.t.groth@vu.nl>
- Date: Thu, 8 Nov 2012 11:56:30 -0500
- To: Graham Klyne <graham.klyne@zoo.ox.ac.uk>
- Cc: W3C provenance WG <public-prov-wg@w3.org>
- Message-ID: <CAJCyKRpHj2Aub6OwTo3wKH3BpimgQ5=OM9Tzxr-HdTJ_5siAhA@mail.gmail.com>
Hi Graham Thanks for the explanation. cheers Paul On Thu, Nov 8, 2012 at 7:10 AM, Graham Klyne <graham.klyne@zoo.ox.ac.uk>wrote: > Replying to two comments at once here. > > Paul, > > I personally think that it is very appropriate for the spec to include > this kind > of language. Of course, others may (and do) disagree. Security (of which > privacy is a facet) is (a) of critical importance, and (b) very hard to get > right, requiring care to be applied at every stage of design and > implementation > (cf. Ross Anderson's comments about "Programming Satan's computer" > [http://www.cl.cam.ac.uk/~rja14/Papers/satan.pdf], etc). > > The IETF has a long history of requiring all specifications to give > consideration to possible security issues they may introduce. It's not a > panacea, but it helps to remind specification designers, reviewers and > developers to be aware of security issues, and to try and make explicit > those > considerations that have been recognized, and maybe to prompt others to > think > about other considerations that have not yet been recognized. > > The W3C does not (yet) have such a culture. I think it's no accident that > the > web represents one of the largest and most pervasive attack surfaces today > for > subversion of digital information. So yes, I think it's more than > appropriate, > I think it's irresponsible to NOT give some consideration to security > considerations in the design, documentation and implementation of standards > particularly those that are intended to widely used. > > On 07/11/2012 01:12, Yolanda Gil wrote: > > Provenance management systems can provide mechanisms for enforcement and > > auditing of privacy policies. > > Yolanda, > > Thank you for reminding me about audit. I've added this slightly modified > to > constrain it's scope to what I think is appropriate to this spec. The > paragraph > previously circulated now reads: > > [[ > Provenance information may provide a route for leakage of privacy-related > information, combining as it does a diversity of information types with > possible > personally-identifying information; e.g. editing timestamps may provide > clues to > the working patterns of document editors, or derivation traces might > indicate > access to sensitive materials. In particular, note that the fact that a > resource is openly accessible does not mean that its provenance information > should also be. When publishing provenance, its sensitivity SHOULD be > considered and appropriate access controls applied where necessary. When a > provenance-aware publishing service accepts some resource for publication, > the > contributors SHOULD have some opportunity to review and correct or conceal > any > provenance information that they don't wish to be exposed. Provenance > management systems SHOULD embody mechanisms for enforcement and auditing of > privacy policies as they apply to provenance information. > ]] > > #g > > -- -- Dr. Paul Groth (p.t.groth@vu.nl) http://www.few.vu.nl/~pgroth/ Assistant Professor - Knowledge Representation & Reasoning Group | Artificial Intelligence Section | Department of Computer Science - The Network Institute VU University Amsterdam
Received on Thursday, 8 November 2012 16:57:01 UTC