RE: ISSUE-28: "available security information"

The only issue I have is that it will be a "point in time" statement. But 
the current timeline doesn't really say when wsc-usecases will be done. If 
we assume that wsc-usecases includes all information sources we consider, 
it is not "done" until November 2007. That would mean moving "finalize 
wsc-usecases" from May to November. Anyone see any issues with that? 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




"Close, Tyler J." <tyler.close@hp.com>
Sent by: public-wsc-wg-request@w3.org
04/10/2007 02:41 PM

To: "Web Security Context WG" <public-wsc-wg@w3.org>
cc:
Subject: RE: ISSUE-28: "available security information"






I think having an exhaustive list of all the information sources we can 
use when creating recommendations is valuable to ensure we're not 
neglecting a valuable source of information. In drafting the intro to this 
section, I purposely used the word "exhaustive" so as to draw a big fat 
target on my back. If there's something important that's not covered by 
this list we want to know about it and add it to the list if it is 
in-scope. I think it is a mistake to weasel word around "exhaustive" as 
that might discourage people from pointing out the discrepancies that we 
really want them to point out.
 
Thomas' ISSUE-28 picks at the word "exhaustive" without pointing out even 
a single omission. I guess we need a word even more provocative than 
"exhaustive", in order to get the feedback we need. ;)
 
Tyler

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Johnathan Nightingale
Sent: Monday, April 09, 2007 3:52 PM
To: Timothy Hahn
Cc: Web Security Context WG
Subject: Re: ISSUE-28: "available security information"

Echoing comments I've made on the calls, I am also a fan of this section. 
Not only does it document the context in which recommendations were 
generated (Mez's point) but it is also a reasonably useful list to which 
to refer; at least for me.  I'm fine with changing the language though, so 
that we don't claim to be something we're not. 

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com



On 9-Apr-07, at 8:22 AM, Timothy Hahn wrote:


+1 on keeping the section. 

I think we could come up with a better adjective than "exhaustive". 
Perhaps "well known" or "known" would be sufficiently precise for now. 

Regards, 
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530



"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
Sent by: public-wsc-wg-request@w3.org
04/09/07 10:26 AM

To: Web Security Context WG <public-wsc-wg@w3.org>
cc:
Subject: Re: ISSUE-28: "available security information"









> However, in its current state, I'm inclined to consider this section neither
> "exhaustive" (as the text claims it is), nor particularly useful.

I disagree on the utility. 

It's good to see an overview of the available security information that 
we've identified. Readers don't need to ask "have you thought about using 
x?", since they can just check the list. And it has useful references as 
well. 

I would argue against removing it, even in its current form. 

       Mez

Received on Thursday, 12 April 2007 19:45:48 UTC