Re: [Bug 184] Clarifications requested for section 19.8 on hosting malicious content

Your text sounds fine - I did not mean it to be normative - I don't think
we can't have normative text requiring virus checkers :-)


On 1/27/06 11:42 AM, "Lisa Dusseault" <lisa@osafoundation.org> wrote:

> 
> Servers "need to" consider additional precautions?  If this text is
> meant to be normative, it isn't -- no MUST and "consider" is
> naturally vague.  So I assume this text is only meant to be advisory,
> do we need to make that clear?
> 
> I suggest using the same kind of wording as used elsewhere in the
> paragraph:  "Servers that allow clients to publish arbitrary content
> can usefully implement precautions to check that content is not
> harmful to other clients."
> 
> lisa
> 
> On Jan 27, 2006, at 11:33 AM, bugzilla@soe.ucsc.edu wrote:
> 
>> http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=184
>> 
>> fluffy@cisco.com changed:
>> 
>>            What    |Removed                     |Added
>> ----------------------------------------------------------------------------
>>          AssignedTo|fluffy@cisco.com            |lisa@osafoundation.org
>>              Status|ASSIGNED                    |NEW
>> 
>> 
>> 
>> ------- Additional Comments From fluffy@cisco.com  2006-01-27 11:33 -------
>> 
>> I'm proposing replacing the whole section 19.8. I'm not married to any
>> of this text and feel free to reorganize, fix grammar, etc but I was
>> thinking of something along the lines of:
>> 
>> 
>> 19.8 Hosting malicious scripts executed on client machines
>> 
>> HTTP has the ability to host programs which are executed on client
>> machines. These programs can take many forms including web scripts,
>> executables, plug in modules, and macros in documents. WebDAV does not
>> change any of the security concerns around these programs yet often
>> WebDAV is used in contexts where a wide range of users can publish
>> documents on a server. The server might not have a close trust
>> relationship with the author that is publishing the document.  Servers
>> that allow clients to publish arbitrary content need to consider
>> additional precautions to check that content published to the server is
>> not harmful to other clients. Servers could do this by techniques such
>> as restricting the types of content that is allowed to be published and
>> running virus and malware detection software on published content.
>> Servers can also mitigate the risk by having appropriate access
>> restriction and authentication of users that are allowed to publish
>> content to the server.
>> 

Received on Friday, 27 January 2006 19:48:08 UTC
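
Added example, not part of the thread or of the WebDAV draft: one way a server could apply the "restricting the types of content" precaution from the proposed 19.8 text at PUT time, by checking the declared media type against an allowlist and against the leading bytes of the body. The allowlist, the byte signatures chosen and the function name `check_upload` are assumptions for illustration; malware scanning would be a separate step after this check.

```python
# Added example: hypothetical publish-time content check for a WebDAV PUT handler.
ALLOWED_TYPES = {  # assumed allowlist: media type -> required leading bytes
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
    "text/plain": None,  # no signature; checked by the text rules below
}
# Leading bytes of content that runs on the client (executables, scripts).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xca\xfe\xba\xbe")
ACTIVE_MARKUP = (b"<script", b"<html", b"<svg", b"<?xml", b"<iframe")


def check_upload(declared_type, body):
    """Return (accepted, reason) for a PUT request body."""
    media_type = declared_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_TYPES:
        return False, "type not allowed: " + media_type
    head = body[:512]
    if head.startswith(EXECUTABLE_MAGIC):
        return False, "executable content"
    signature = ALLOWED_TYPES[media_type]
    if signature is not None:
        if not head.startswith(signature):
            return False, "content does not match declared type"
        return True, "ok"
    # text/plain: refuse binary data and markup a browser might sniff and run.
    if b"\x00" in head:
        return False, "binary data declared as text"
    lowered = head.lower()
    if any(tag in lowered for tag in ACTIVE_MARKUP):
        return False, "active markup declared as text"
    return True, "ok"


# Constructed sample uploads (not from the thread).
SAMPLES = [
    ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("image/png", b"MZ\x90\x00" + b"\x00" * 16),
    ("text/plain; charset=utf-8", b"meeting notes\n"),
    ("text/plain", b"<HTML><script>alert(1)</script>"),
    ("application/x-msdownload", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for ctype, data in SAMPLES:
        print(ctype, "->", check_upload(ctype, data))
```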