
Re: updating Compliance doc with graduated response

From: Nicholas Doty <npdoty@w3.org>
Date: Tue, 24 Sep 2013 14:58:40 -0700
Cc: Shane M Wiley <wileys@yahoo-inc.com>, "public-tracking@w3.org List" <public-tracking@w3.org>
Message-Id: <5878C2F5-FC8D-4317-9D3D-A0DF64281638@w3.org>
To: David Singer <singer@apple.com>
On September 23, 2013, at 7:00 PM, David Singer <singer@apple.com> wrote:
> On Sep 23, 2013, at 18:39 , Shane M Wiley <wileys@yahoo-inc.com> wrote:
>> I object to this being added.  New Issue?  
>> 'Graduated Response' is not a viable approach to Security.  While I appreciate how this approach sounds perfectly acceptable from a logical perspective, in practice this doesn't work.  This was highlighted during the Sunnyvale face-to-face where the "security expert" agreed that attempting to collect more data from a user over time would likely tip off the suspected bad actor that they were being tracked in a differentiated manner - something you would not want to do, as they would quickly change tactics - creating another security risk/channel.
>> I've attempted to convey our security experts views in this area and thought the Sunnyvale session clearly demonstrated there is little value to this approach and creates a false expectation by placing this in the Compliance and Scope document.  More than happy to continue documenting though and have true security experts provide this feedback to the group.
> We probably need to debate this more (sadly) but the "when feasible" introduction does seem to allow your experts some…latitude.

I don't see the need for additional debate on the presence of non-normative text -- I was sending it around just so that the editors could update the text with the group decision -- but it's true that this is written (by Ian Fette, then revised by Roy Fielding and also proposed by John Simpson) specifically to allow latitude for use cases where a graduated response wouldn't make sense: both "when feasible" and "is preferred" are to that point. I believe the group supported it in part because as non-normative text it didn't add any requirements that might conflict with Shane's use case. While some preferred having a normative requirement and some preferred no mention at all, everyone on the call (2013-07-17 [0]) could live with the non-normative description.

There is an open issue and set of change proposals on security, focused on the normative text:
[0] http://www.w3.org/2013/07/17-dnt-minutes#item01

Received on Tuesday, 24 September 2013 21:58:51 UTC