- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Tue, 12 Dec 2006 13:01:40 -0500
- To: "Close, Tyler J." <tyler.close@hp.com>, <public-wsc-wg@w3.org>
I was thinking of a different way to clarify out of scope: out-of-scope data sessions that are specifically not included in scope, and data sessions that are not protected by a security context (e.g. user IDs, passwords, X.509 certificates, public key technology). User sessions that are not protected by a security context do not have the mechanisms to evaluate risk.

Bill D.
wdoyle@mitre.org

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Close, Tyler J.
Sent: Tuesday, December 12, 2006 12:54 PM
To: public-wsc-wg@w3.org
Subject: Content based detection out of scope (Was: What problems are we trying to solve?)

I've updated the "Out of scope" section at:

http://www.w3.org/2006/WSC/wiki/NoteOutOfScope

to summarize the two bullet points:

* Code based techniques to detect spoofing attacks such as cross site comparisons of URL or graphical similarity.
* Calculations, algorithms, and functions that attempt to determine whether or not an attack is underway, including intrusion or virus detection techniques, such as sense of self and "signature" of known attacks.

And turned them into the "Out of scope" section:

"""
Content based detection

Techniques commonly used by intrusion detection systems, virus checkers and spam filters to detect illegitimate requests based on their content are out of scope for this Working Group. These techniques include comparing the served URLs, graphics or markup to known legitimate sites, or to known attacks. The heuristics used in these tools are a moving target and so not a suitable subject for standardization. The working group will not recommend any checks on the content served by web sites.
"""

I think this text reflects the conversation we just had on the tele-conference. There's still the issue of whether or not the display of the results of these out-of-scope techniques is in scope.

I have doubts that it's a good idea to sanction these techniques, since they have the effect of making content that is valid according to a content specification illegal in practice. It might be an anti-pattern to break content specifications in this way. It might be worth pinging the TAG on this issue.

Tyler
Received on Tuesday, 12 December 2006 18:02:14 UTC