Re: A couple of comments on Best Practices doc from Frederick Hirsch on 2008-09-22 (public-xmlsec@w3.org from September 2008)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Mon, 22 Sep 2008 17:05:28 -0400
To: Hirsch Frederick (Nokia-OCTO/Boston) <Frederick.Hirsch@nokia.com>
Cc: XMLSec WG Public List <public-xmlsec@w3.org>
Message-Id: <368F4B10-68EB-4E67-85AA-391B8CB8064B@nokia.com>

> Section 1, Overview
>
> Both paragraphs say essentially the same thing. I suggest removing  
> the first paragraph, as the 2nd one contains useful links.

With this change (removing the first paragraph) I suggest changing the  
second paragraph to add
"and the XML Security WG" after "Maintenance WG" and adding links to  
the homepage for each. I also suggest changing "signing xml" to  
"signing XML".

---
context:
XML Security Specifications Maintenance WG as well as items brought to  
the attention of the community in a Workshop on Next Steps for XML  
Security[XMLSecNextSteps]. While most of these best practices are  
related to mitigating attacks, some are for other issues - e.g.  
signing xml that doesn't use namespaces.
---

> Section 2.1.4, 4th paragraph, last sentence:
> "Retrieval of remote references may also leak information about the  
> verifiers of a message, as with a "web bug"."
>
> There are not enough details as to what a "web bug" is and what the  
> threat is. I suggest removing it or adding more explanation.


I suggest we change ' "web bug". '  to  ' "web bug" , content that  
causes access to the server, resulting in notification being provided  
to the server regarding the web page access. An example is an image  
that cannot be seen but results in a server access. [WebBug- 
Wikipedia]. '

http://en.wikipedia.org/wiki/Web_bug

regards, Frederick

Frederick Hirsch
Nokia



On Sep 19, 2008, at 11:15 AM, Hirsch Frederick (Nokia-OCTO/Boston)  
wrote:

> resend to public list, please follow-up on public list.
>
> Begin forwarded message:
>
>> Resent-From: member-xmlsec@w3.org
>> From: "ext Sean Mullan" <Sean.Mullan@Sun.COM>
>> Date: September 17, 2008 4:06:11 PM EDT
>> To: "member-xmlsec@w3.org" <member-xmlsec@w3.org>
>> Subject: A couple of comments on Best Practices doc
>>
>>
>> Section 1, Overview
>>
>> Both paragraphs say essentially the same thing. I suggest removing  
>> the first paragraph, as the 2nd one contains useful links.
>>
>> Section 2.1.4, 4th paragraph, last sentence:
>>
>> "Retrieval of remote references may also leak information about the  
>> verifiers of a message, as with a "web bug"."
>>
>> There are not enough details as to what a "web bug" is and what the  
>> threat is. I suggest removing it or adding more explanation.
>>
>> --Sean
>>
>>
>

Received on Monday, 22 September 2008 21:14:39 UTC