- From: Mike Belshe <mike@belshe.com>
- Date: Sun, 17 Nov 2013 22:27:27 -0800
- To: Bruce Perens <bruce@perens.com>
- Cc: httpbis mailing list <ietf-http-wg@w3.org>
- Message-ID: <CABaLYCtM_z=ziotQtgRmoKDOxg+MoG4eo1EHm1zny9Xjwq4DKw@mail.gmail.com>

On Sun, Nov 17, 2013 at 4:36 PM, Bruce Perens <bruce@perens.com> wrote:

> On 11/17/2013 03:02 PM, Mike Belshe wrote:
>
> > I see no reason why you would want unauthenticated web apps any more
> > than you'd want unauthenticated native apps.
>
> The billion instances of Javascript programs run across the web this
> morning seem to be contrary to your assumption :-)
>

No - we don't want them unauthenticated. We don't want them tampered with. That's just what we're stuck with in http.

> Most of those, of course, were trivial little things that controlled the
> behavior of some user interface presentation element. They were carefully
> constrained by the browser environments that ran them so that they could
> not do harm.
>
> Great effort has been put into making these things run quickly and with a
> minimum amount of web resources expended. These days, many web development
> environments minify javascript and carefully manage it to be cacheable.
>

That's what this whole show has been about, we've proven you can make improvements to HTTP such that we can do security too without losing perf.

> Certainly a class of application that could permanently manipulate the
> state of the device running it would need to be signed. I've helped to
> manage the chain of custody for Debian. So, I'm not denying that this is
> sometimes necessary. Just not for a large class of trivial things.
>
> Thanks
>
> Bruce
>

Received on Monday, 18 November 2013 06:27:55 UTC