- From: MattO <matto@tellme.com>
- Date: Thu, 10 Mar 2005 23:03:32 -0800
- To: "'Dan Connolly'" <connolly@w3.org>
- Cc: <www-voice@w3.org>
"Er... you moved something to an appendix? Can I have a look at a draft?"

Look for "Before exposing the data in an XML document" in section 5 [1]. Then follow the link to Appendix E which is informative as indicated in the "Status of this Document" section.

"I can't tell from your response why a namespace-qualified element or attribute won't work just as well if not better than a processing instruction, so no, I'm not satisfied by this response. Can you give me an example of something bad that would happen if you used a namespace qualified element or attribute?"

Please see [2].

[1] http://www.w3.org/Voice/Group/2005/CR-voicexml21-20050308/CR-voicexml21-20050308.html#sec-data

[2] http://lists.w3.org/Archives/Member/w3c-voice-wg/2004Oct/att-0073/00-part

-----Original Message-----

From: www-voice-request@w3.org [mailto:www-voice-request@w3.org] On Behalf Of Dan Connolly

Sent: Thursday, March 10, 2005 6:09 PM

To: MattO

Cc: www-voice@w3.org

Subject: Re: use namespaces and elements/attributes, not <?access-control?> PI (VBWG official response to last call issue)

On Mar 10, 2005, at 6:56 PM, MattO wrote:

[...formalities elided...]

> In http://lists.w3.org/Archives/Public/www-voice/2004JulSep/0024.html you raised the following issue which was registered as change requests R85. Our response is given inline:
>
> "I'm surprised by...
>
> 'If the XML document specifies an <?access-control?> processing instruction, access to the data is allowed based on the following algorithm: ...'
> -- http://www.w3.org/TR/2004/WD-voicexml21-20040728/#sec-data-security
>
> Last time a processing instruction was used in a W3C spec, it was allowed only after considerable debate...
>
> 'The use of XML processing instructions in this specification should not be taken as a precedent. The W3C does not anticipate recommending the use of processing instructions in any future specification.'
> -- http://www.w3.org/1999/06/REC-xml-stylesheet-19990629/
>
> I suggest using a namespace-qualified element or attribute instead."
>
> VBWG Response: Rejected
>
> The VBWG evaluated a number of mechanisms that would enforce the security of the data retrieved by the <data/> element including domain-based restrictions, HTTP_REFERER, HTTP X-Header, XML security envelope, and XML-ENC. The use of a processing instruction to enforce security of the data is a lightweight mechanism that is straightforward for data providers and platform vendors to understand and to implement. The VBWG considered the specification and practical implementation limitations of processing instructions and determined that these did not interfere with the intended behavior of this mechanism.
>
> Upon further review, the VBWG acknowledged that specifying how security policy and resource sandboxing must be implemented went beyond the scope of the working group and therefore chose not to mandate one particular mechanism. However, because resource sandboxing is an important principle for VoiceXML interpreters in certain deployment contexts, and interoperability among implementations should be encouraged, the group chose to document this mechanism in an informative appendix.

Er... you moved something to an appendix? Can I have a look at a draft?

I can't tell from your response why a namespace-qualified element or attribute won't work just as well if not better than a processing instruction, so no, I'm not satisfied by this response. Can you give me an example of something bad that would happen if you used a namespace qualified element or attribute?

--
Dan Connolly, W3C http://www.w3.org/People/Connolly/
Received on Friday, 11 March 2005 07:04:02 UTC