RE: use namespaces and elements/attributes, not <?access-control?> PI (VBWG official response to last call issue)

On Thu, 2005-03-10 at 23:03 -0800, MattO wrote:
> "Er... you moved something to an appendix? Can I have a look at a draft?"
> 
> Look for "Before exposing the data in an XML document" in section 5 [1].
> Then follow the link to Appendix E which is informative as indicated in the
> "Status of this Document" section.

This text doesn't look informative to me:

  Before exposing an XML document referenced by the <data> element
  via the DOM to a voice application, the interpreter should
  validate that the host requesting the document is allowed to
  access the data.

though I can't quite tell how the term "interpreter" relates
to the term "Conforming VoiceXML 2.1 Processor".

But even if it's informative, it's still not something I think W3C
should be advocating.

> "I can't tell from your response why a namespace-qualified element or
> attribute won't work just as well if not better than a processing 
> instruction, so no, I'm not satisfied by this response. Can you give me an
> example of something bad that would happen if you used a namespace qualified
> element or attribute?"
> 
> Please see [2].

OK, I see

[[
4)  Encode access rights as a parent envelope around the enclosed XML
data or root tag elements and have the browser enforce access to that
XML content only to the allowed domains.

Pros:
      * Allows for extensibility of security sandboxing primitives
        through an XML namespace
Cons:
      * Probably best performed as its own specification
      * Requires structural or attribute modification to existing XML
      * Requires parsing and interpreting the XML content before
        deciding whether to grant access to that content
]]

And that doesn't persuade me that an element or attribute is a bad thing
at all. The fact that this is orthogonal to VoiceXML2.1 conformance
(as implied by the fact that appendix E is informative) would be more
clear by moving it to a separate document.

And a PI has to be parsed, so that 3rd point applies to PIs as well.

Regarding "structural or attribute modification," yes, that's what
using an element or attribute means. I don't see that as an argument
against.


I see the XML Schema WG mentioned in the related groups in your
charter...

  http://www.w3.org/2002/09/voice-charter.html#Coordination

Have they reviewed the VoiceXML last call spec? Or has XML Core?
If they've reviewed this use of PIs and OK'd it, perhaps I'll
step aside.


> [1]
> http://www.w3.org/Voice/Group/2005/CR-voicexml21-20050308/CR-voicexml21-20050308.html#sec-data
> [2]
> http://lists.w3.org/Archives/Member/w3c-voice-wg/2004Oct/att-0073/00-part

-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E

Received on Tuesday, 15 March 2005 22:40:46 UTC