
Re: something I don't get about the current plan...

From: Mike Belshe <mike@belshe.com>
Date: Sun, 17 Nov 2013 22:27:27 -0800
Message-ID: <CABaLYCtM_z=ziotQtgRmoKDOxg+MoG4eo1EHm1zny9Xjwq4DKw@mail.gmail.com>
To: Bruce Perens <bruce@perens.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>
On Sun, Nov 17, 2013 at 4:36 PM, Bruce Perens <bruce@perens.com> wrote:

>  On 11/17/2013 03:02 PM, Mike Belshe wrote:
>
>
>  I see no reason why you would want unauthenticated web apps any more
> than you'd want unauthenticated native apps.
>
> The billion instances of Javascript programs run across the web this
> morning seem to be contrary to your assumption :-)
>

No - we don't want them unauthenticated.  We don't want them tampered with.
That's just what we're stuck with in http.




>
> Most of those, of course, were trivial little things that controlled the
> behavior of some user interface presentation element. They were carefully
> constrained by the browser environments that ran them so that they could
> not do harm.
>
> Great effort has been put into making these things run quickly and with a
> minimum amount of web resources expended. These days, many web development
> environments minify javascript and carefully manage it to be cacheable.
>

That's what this whole show has been about: we've proven you can make
improvements to HTTP such that we can do security too without losing perf.


>
> Certainly a class of application that could permanently manipulate the
> state of the device running it would need to be signed. I've helped to
> manage the chain of custody for Debian. So, I'm not denying that this is
> sometimes necessary. Just not for a large class of trivial things.
>

>     Thanks
>
>     Bruce
>
Received on Monday, 18 November 2013 06:27:55 UTC
