- From: Charles McCathieNevile <chaals@opera.com>
- Date: Thu, 12 Oct 2006 12:10:49 +0900
- To: "Karl Dubost" <karl@w3.org>, "Ian Hickson" <ian@hixie.ch>
- Cc: public-webapi@w3.org
On Thu, 27 Jul 2006 11:45:53 +0900, Karl Dubost <karl@w3.org> wrote:

> On 27 Jul 06 at 10:17, Ian Hickson wrote:
>> Personally I think that having a separate security section is a bad way
>> of designing a spec, since it doesn't encourage you to think of
>> security the whole time -- it's better, IMHO, to have security right at
>> the core of the specification text. But again, I'll leave that up to
>> the editor.
>
> Maybe, yes.
> What do you suggest, recommend practically?
> for this specification.
> and for future specifications.
> Do you have tips or hints to help editors?

Ian and I may have slightly different perspectives on how specs should handle security, but I think we agree that wherever, in the spec, a security consideration can arise, it should be mentioned.

My approach is to have very few security requirements in an API specification, but to note that implementations may/should disable foo(), for some security problem bar, and authors should be aware of this possibility.

I believe it is useful to *also* have a security section, which describes in broad terms the security issues and how they can be handled, plus any requirements that are in the spec as must.

cheers

Chaals

--
Charles McCathieNevile, Opera Software: Standards Group
hablo español - je parle français - jeg lærer norsk
chaals@opera.com Try Opera 9 now! http://opera.com
Received on Thursday, 12 October 2006 03:11:08 UTC