Add security and privacy questionnaire#195
Conversation
> 04. How do the features in your specification deal with sensitive information?

WebMCP is not a source of sensitive information. Tools may wrap sensitive or high-privilege operations (e.g., purchases, account changes), but that risk is not WebMCP-specific. We discuss this risk in [Tool Implementation as Attack Targets](https://webmachinelearning.github.io/webmcp/#tool-implementation-targets).
One question I anticipate from privacy review is what mitigations for this issue are possible for WebMCP. I agree with Dom: well said to make clear WebMCP isn't creating the problem. However, if there are any locations to tie the agent's hands a bit and make the privacy story better (even on the level of recommendations rather than requirements) that would be an improvement. Alternatively, you should make clear that nothing is actually being done to defend against that attack in the spec with something like ... but that risk is not WebMCP-specific and is therefore not defended against in the design of the API.
I think we can reference the https://webmachinelearning.github.io/webmcp/#mitigations section to begin with perhaps? We should also update the mitigations to include this #176, as discussed in the CG call.
Beyond that, there will just be things that will be left as recommendations for agent implementers, and thus non-normative in nature. But there should be areas where the API design can help, and I don't want to close the doors on future mitigations by stating otherwise.
+1 to Victor here, strong normative protection might be difficult, but we should definitely try to add e.g. hints that help the agent manage risky actions.
Sounds good, @victorhuangwq do you want to link to the mitigations section in the spec from here then?
Linking to mitigations is a fine start.
Just to clear up a couple of misconceptions:

> Beyond that, there will just be things that will be left as recommendations for agent implementers, and thus non-normative in nature.

Normative language can include non-MUST RFC 2119 terms, like SHOULD and MAY.

> But there should be areas where the API design can help, and I don't want to close the doors on future mitigations by stating otherwise.

Saying that you don't do anything about it is not closing the door on future mitigations, particularly if you say so.
IMO those are two fair points from Ben here :)
Updated based on feedback.
It's good that we're stating we'll continue to look at further mitigations, but I agree with Ben we should make the current limitations explicit here. Something like: "The spec does not currently include normative defenses against this; the mitigations listed are recommendations for agent implementers."
3b63206 to 4e84b15
Sorry for the delay, a few comments but L (pretty) GTM already! :)
domfarolino left a comment
Overall it looks like we're pretty close, but there are a few open threads to resolve:
Co-authored-by: Dominic Farolino <domfarolino@gmail.com>
d952c46 to 3bcc77e
Added clarification that webmcp is an additional communication channel for device sensors and underlying platform

Co-authored-by: Johann Hofmann <mail@johann-hofmann.com>
Just merged @johannhof's suggestion. @domfarolino @bvandersloot-mozilla @bwalderman ready for review and merging.
This resolution touches this PR, so filing here:

Once this PR is merged it unblocks staging. FYI @domfarolino @bwalderman
> No.

> 22. What should this questionnaire have asked?
There's one more important addition I'd like to make here.
Violation of Same-Origin Boundaries is admittedly still a TODO in our spec, but this is a novel security risk that we should raise to reviewers. Our answer at the moment may be the same as our answer about over-parameterization: that this risk is inherent in agents that can browse multiple origins and exists without WebMCP. We should still flag the issue in this questionnaire, though, to make sure it receives attention.
Addresses #193
cc: @bwalderman @johannhof @domfarolino