[Global_industry_committee] Fwd: Re: Feedback from OWASP on Mobile Web Application Best Practices, W3C Working Draft 13 July 2010 ( LC-2412)

Eoin eoin.keary at owasp.org
Tue Sep 7 13:00:19 EDT 2010


Great job!!!
Today W3C, tomorrow the world!

On 7 September 2010 16:53, David Campbell <dcampbell at owasp.org> wrote:

>  Gents,
>
> They didn't incorporate my suggestions verbatim, but we did get a citation
> :)
>
> Colin can you add this to the citations list?
>
> Cheers
>
> DC
>
>
> -------- Original Message --------
> Subject: Re: Feedback from OWASP on Mobile Web Application Best Practices, W3C Working Draft 13 July 2010 (LC-2412)
> Date: Tue, 07 Sep 2010 14:21:02 +0000
> From: fd at w3.org
> To: David Campbell <dcampbell at owasp.org>
> CC: public-bpwg-comments at w3.org
>
> Dear David Campbell,
>
> The Mobile Web Best Practices Working Group has reviewed the comments you
> sent [1] on the Last Call Working Draft [2] of the Mobile Web Application
> Best Practices published on 13 Jul 2010. Thank you for having taken the
> time to review the document and to send us comments!
>
> The Working Group's response to your comment is included below, and has
> been implemented in the new version of the document available at: http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/latest.
>
> Please review it carefully and let us know by email at public-bpwg-comments at w3.org if you agree with it or not before 14 September
> 2010 (if possible, simply tell us if you need more time). In case of
> disagreement, you are requested to provide a specific solution for or a
> path to a consensus with the Working Group. If such a consensus cannot be
> achieved, you will be given the opportunity to raise a formal objection
> which will then be reviewed by the Director during the transition of this
> document to the next stage in the W3C Recommendation Track.
>
> Thanks,
>
> For the Mobile Web Best Practices Working Group,
> Dominique Hazaël-Massieux
> François Daoust
> W3C Staff Contacts
>
>  1. http://www.w3.org/mid/[email protected]
>  2. http://www.w3.org/TR/2010/WD-mwabp-20100713/
>
>
> =====
>
> Your comment on the document as a whole:
> > Dear Sir or Madam:
> >
> > I represent the Global Industry Committee of the Open Web Application
> > Security Project (OWASP) and we are keenly interested in your
> > forthcoming Mobile Web Application Best Practices recommendation.
> >
> > Attached please find a PDF document containing our comments on your
> > draft recommendation.
> >
> > Please feel free to contact me directly with any questions, comments
> > or concerns.
> >
> > Cheers,
> >
> > David Campbell
> > Open Web Application Security Project
> > dcampbell at owasp.org
> > www.owasp.org
>
>
> Working Group Resolution (LC-2412):
> The group partially agrees with the comment.
>
> The Mobile Web Application Best Practices is explicitly scoped to best
> practices that have some specific impact on the mobile context:
>  http://www.w3.org/TR/mwabp/#mobile-context
>
> The Working Group acknowledges that most "desktop" security-related best
> practices also apply to mobile devices and updated the introduction text of
> the "Security and Privacy" section to reflect that the one best practice
> listed in that section is definitely not the end of it. The Working Group
> has also decided to reference the OWASP TOP 10 work as an example of usual
> security measures in this text. See updated text in latest editor's draft:
> http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/latest#bp-security
>
>
> The group does not feel it has the expertise to review and select other
> best practices related to security and decided against adding more best
> practices to the section. A future version of the best practices should
> probably include a more comprehensive set of best practices related to
> security.
>
> The best practice listed in this category was chosen on the grounds that
> it was the most obvious client-side security hole to bridge in a mobile Web
> application that might have access to personal information. In particular,
> a mobile Widget could perhaps be allowed to send SMS or make phone calls
> while the device is connected to an "untrusted" public Wifi connection,
> thus enabling potential man-in-the-middle attacks.
>
>
> ----
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary