On Thu, 27 Jul 2006 11:45:53 +0900, Karl Dubost <[EMAIL PROTECTED]> wrote:
> On 27 Jul 06 at 10:17, Ian Hickson wrote:
>> Personally I think that having a separate security section is a bad way
>> of designing a spec, since it doesn't encourage you to think of
>> security the whole time -- it's better, IMHO, to have security right at
>> the core of the specification text. But again, I'll leave that up to
>> the editor.
>
> Maybe, yes.
> What do you suggest, recommend practically?
> for this specification.
> and for future specifications.
> Do you have tips or hints to help editors?

Ian and I may have slightly different perspectives on how specs should
handle security, but I think we agree that wherever, in the spec, a
security consideration can arise, it should be mentioned.
My approach is to have very few security requirements in an API
specification, but to note that implementations may/should disable foo(),
for some security problem bar, and authors should be aware of this
possibility.
I believe it is useful to *also* have a security section, which describes
in broad terms the security issues and how they can be handled, plus any
requirements that are in the spec as must.
cheers
Chaals
--
Charles McCathieNevile, Opera Software: Standards Group
hablo español - je parle français - jeg lærer norsk
[EMAIL PROTECTED] Try Opera 9 now! http://opera.com