Re: [metadataInURI-31] New draft of metadata in URI finding includes section on malicious metadata

Mark Baker writes:

> On balance, I think I like the draft better without that new 
> section. I think the authoritative metadata finding says what needs 
> saying about that scenario; the metadata-in-the-uri angle on it 
> doesn't seem to add much.

Well, I was OK without it and I am OK with it.  When my earlier drafts 
came out without this section, I got some fairly strong encouragement from 
other TAG members to try and add something.  So, I'm personally happy to 
go either way, but my vote would be to keep it.

I think we've been discovering in writing this finding that a balance 
needs to be struck between two important perspectives when explaining the 
Web.  Clearly, we need to set out the normative rules that are the 
foundation for the Web.  In the case of this finding: the metadata either 
is covered by normative specifications or it can't be relied upon.  Early 
drafts of the finding stuck to that.  As they were reviewed, it became 
clear that there was demand to tell a complementary side of the story: 
people do guess what URIs mean, and in the case of the latest section, 
they do sometimes make dangerous assumptions about the nature of a 
resource, even when the specifications don't support such inferences. 
We're hearing that people want to hear not only the core normative rules 
for the Web, but explanations of how common practice and even common 
pitfalls can be seen in light of those normative rules.

> It could very well be that it's just that example that I'm not 
> relating to though, and another one might do a better job; not sure.

I already said that I shared some of your concern, tried to find better 
examples, but couldn't.  If others on the TAG want me to redraft with a 
different example, or agree with you that the section should be pulled 
after all, that would be fine with me.  That said, I don't think the 
example is quite as weak as you imply.  As I said before, (a) while most 
browsers warn of platform binaries in particular, I don't think that's true 
of all executable or potentially damaging content, and it's certainly not 
required of user agents to do so;  and (b) I strongly suspect that there 
might be users like Bob who would go past the warning anyway, so telling a 
story about what's going on when they do, i.e. who's at fault and why, 
seems useful. 

Several reviewers have said they like this new section, and you've given 
some good reasons why you're not so happy with it.  Let's see what other 
comments come in.  Thanks!

Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142

Received on Monday, 2 October 2006 21:16:58 UTC