- From: Nicholas Doty <npdoty@w3.org>
- Date: Tue, 24 Sep 2013 14:58:40 -0700
- To: David Singer <singer@apple.com>
- Cc: Shane M Wiley <wileys@yahoo-inc.com>, "public-tracking@w3.org List" <public-tracking@w3.org>
- Message-Id: <5878C2F5-FC8D-4317-9D3D-A0DF64281638@w3.org>
On September 23, 2013, at 7:00 PM, David Singer <singer@apple.com> wrote:

> On Sep 23, 2013, at 18:39, Shane M Wiley <wileys@yahoo-inc.com> wrote:
>
>> I object to this being added. New Issue?
>>
>> 'Graduated Response' is not a viable approach to Security. While I appreciate how this approach sounds perfectly acceptable from a logical perspective, in practice this doesn't work. This was highlighted during the Sunnyvale face-to-face where the "security expert" agreed that attempting to collect more data from a user over time would likely tip off the suspected bad actor that they were being tracked in a differentiated manner - something you would not want, as they would quickly change tactics - creating another security risk/channel.
>>
>> I've attempted to convey our security experts' views in this area and thought the Sunnyvale session clearly demonstrated there is little value to this approach and that it creates a false expectation by placing this in the Compliance and Scope document. More than happy to continue documenting though and have true security experts provide this feedback to the group.
>
> We probably need to debate this more (sadly) but the "when feasible" introduction does seem to allow your experts some… latitude.

I don't see the need for additional debate on the presence of non-normative text -- I was sending it around just so that the editors could update the text with the group decision -- but it's true that this is written (by Ian Fette, then revised by Roy Fielding and also proposed by John Simpson) specifically to allow latitude for use cases where a graduated response wouldn't make sense: both "when feasible" and "is preferred" are to that point. I believe the group supported it in part because, as non-normative text, it didn't add any requirements that might conflict with Shane's use case.

While some preferred having a normative requirement and some preferred no mention at all, everyone on the call (2013-07-17 [0]) could live with the non-normative description. There is an open issue and set of change proposals on security, focused on the normative text:

http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security
http://www.w3.org/2011/tracking-protection/track/issues/24

Thanks,
Nick

[0] http://www.w3.org/2013/07/17-dnt-minutes#item01
Received on Tuesday, 24 September 2013 21:58:51 UTC