Anne,
On Feb 1, 2007, at 8:39 AM, ext Anne van Kesteren wrote:
# Note: The W3C has not analyzed the security problems which
# motivated the publication of this document. This document
# only addresses a subset of the security issues involved in
# exposing XML data over HTTP. This document documents an
# existing practice used under certain circumstances, but in
# no way implies that the technique would be appropriate or
# secure to protect document access under all circumstances.
# Implementors should perform their own security analysis.
This note should be made much more clear or just be dropped. Problems I
have with the note:
This Note was probably appropriate when it was included in the Voice
Browser WG's original Working Group Note. However, given the
document's expanded scope, new algorithms, etc., I recommend it be
removed.
* Implementors should always perform security analysis. For any
specification.
At the moment it's just confusing and might lead people to think, for
instance, that all other specifications developed by the W3C are
reviewed by security experts and that implementors don't really have to
think about security themselves for most other specifications the W3C
develops.
I don't view the last statement quoted above as harmful but I am
mostly indifferent here. Perhaps the basic notion could be factored
into Brad's new introduction.