[Global_industry_committee] Fwd: Re: Feedback from OWASP on Mobile Web Application Best Practices, W3C Working Draft 13 July 2010 ( LC-2412)
dcampbell at owasp.org
Tue Sep 7 11:53:34 EDT 2010
They didn't incorporate my suggestions verbatim, but we did get a
Colin, can you add this to the citations list?
-------- Original Message --------
Subject: Re: Feedback from OWASP on Mobile Web Application Best
Practices, W3C Working Draft 13 July 2010 ( LC-2412)
Date: Tue, 07 Sep 2010 14:21:02 +0000
From: fd at w3.org
To: David Campbell <dcampbell at owasp.org>
CC: public-bpwg-comments at w3.org
Dear David Campbell,
The Mobile Web Best Practices Working Group has reviewed the comments you
sent on the Last Call Working Draft of the Mobile Web Application
Best Practices published on 13 Jul 2010. Thank you for having taken the
time to review the document and to send us comments!
The Working Group's response to your comment is included below, and has
been implemented in the new version of the document available at:
Please review it carefully and let us know by email at
public-bpwg-comments at w3.org if you agree with it or not before 14 September
2010 (if possible, simply tell us if you need more time). In case of
disagreement, you are requested to provide a specific solution for or a
path to a consensus with the Working Group. If such a consensus cannot be
achieved, you will be given the opportunity to raise a formal objection
which will then be reviewed by the Director during the transition of this
document to the next stage in the W3C Recommendation Track.
For the Mobile Web Best Practices Working Group,
W3C Staff Contacts
1. http://www.w3.org/mid/[email protected]
Your comment on the document as a whole:
> Dear Sir or Madam:
> I represent the Global Industry Committee of the Open Web Application
> Security Project (OWASP) and we are keenly interested in your
> forthcoming Mobile Web Application Best Practices recommendation.
> Attached please find a PDF document containing our comments on your
> draft recommendation.
> Please feel free to contact me directly with any questions, comments
> David Campbell
> Open Web Application Security Project
> dcampbell at owasp.org
Working Group Resolution (LC-2412):
The group partially agrees with the comment.
The Mobile Web Application Best Practices is explicitly scoped to best
practices that have some specific impact on the mobile context:
The Working Group acknowledges that most "desktop" security-related best
practices also apply to mobile devices and updated the introduction text of
the "Security and Privacy" section to reflect that the one best practice
listed in that section is definitely not the end of it. The Working Group
has also decided to reference the OWASP TOP 10 work as an example of usual
security measures in this text. See updated text in latest editor's draft:
The group does not feel it has the expertise to review and select other
best practices related to security and decided against adding more best
practices to the section. A future version of the best practices should
probably include a more comprehensive set of best practices related to
The best practice listed in this category was chosen on the grounds that
it was the most obvious client-side security hole to bridge in a mobile Web
application that might have access to personal information. In particular,
a mobile Widget could perhaps be allowed to send SMS or make phone calls
while the device is connected to an "untrusted" public Wifi connection,
thus enabling potential man-in-the-middle attacks.
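The scenario the Working Group gives above (a widget that can send SMS or place calls while the device is on an untrusted public Wi-Fi network) comes down to one rule: anything the widget learns over plain HTTP on such a network can have been rewritten in transit, so it must never be allowed to trigger those capabilities. The following is an added example, not code from the W3C draft, the Working Group or OWASP's submitted comments. It sketches a defensive gate a widget could put in front of its privileged capabilities. The request and context shapes, the capability names, the `authorizeDeviceAction` and `evaluateRequests` functions and the sample requests are all constructed for this example.

```javascript
// Added example (not from the W3C thread or OWASP's comments): a gate that a
// mobile widget places in front of SMS and call capabilities. All names and
// data structures here are assumptions made for the example.

const PRIVILEGED_CAPABILITIES = new Set(["sms", "call"]);

// Decide whether a requested device action may proceed.
// request: { capability, target, source }
//          `source` is the URL the instruction was fetched from.
// ctx:     { secureContext, userConfirmed }
//          whether the widget itself was loaded over TLS, and whether the
//          user explicitly confirmed this specific action in a prompt.
function authorizeDeviceAction(request, ctx) {
  if (!PRIVILEGED_CAPABILITIES.has(request.capability)) {
    return { allowed: true, reason: "capability is not privileged" };
  }
  let source;
  try {
    source = new URL(request.source);
  } catch (_) {
    return { allowed: false, reason: "instruction source is not a valid URL" };
  }
  // Plain-HTTP instructions are modifiable by anyone on the same network.
  if (source.protocol !== "https:") {
    return { allowed: false, reason: "instruction fetched without TLS (MITM-modifiable)" };
  }
  if (!ctx.secureContext) {
    return { allowed: false, reason: "widget itself was not loaded over TLS" };
  }
  if (!ctx.userConfirmed) {
    return { allowed: false, reason: "no explicit user confirmation for this action" };
  }
  return { allowed: true, reason: "TLS-protected instruction and user-confirmed" };
}

// Evaluate a batch of requests, keeping each denial reason for an audit log.
function evaluateRequests(requests, ctx) {
  const allowed = [];
  const denied = [];
  for (const req of requests) {
    const verdict = authorizeDeviceAction(req, ctx);
    (verdict.allowed ? allowed : denied).push({ ...req, reason: verdict.reason });
  }
  return { allowed, denied };
}

// Constructed sample: instructions a widget might receive while on public Wi-Fi.
const SAMPLE_REQUESTS = [
  { capability: "sms",     target: "+15555550100", source: "http://widget.example/cmd" },
  { capability: "sms",     target: "+15555550100", source: "https://widget.example/cmd" },
  { capability: "call",    target: "+15555550199", source: "not a url" },
  { capability: "vibrate", target: null,           source: "http://widget.example/cmd" },
];

// Runs the sample through the gate with a TLS-loaded, user-confirmed context.
function demo() {
  const ctx = { secureContext: true, userConfirmed: true };
  return evaluateRequests(SAMPLE_REQUESTS, ctx);
}

if (typeof require !== "undefined" && require.main === module) {
  const { allowed, denied } = demo();
  console.log("allowed:", allowed.map((r) => r.capability));
  for (const d of denied) console.log("denied:", d.capability, "-", d.reason);
}
```

With the sample input, the HTTPS-sourced SMS and the non-privileged vibrate request pass, while the plain-HTTP SMS and the malformed call instruction are denied with a logged reason. The check is deliberately layered: transport protection of the instruction, transport protection of the widget itself, and a per-action user confirmation are independent conditions, and a failure of any one of them blocks the privileged call.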