Re: review of http://dev.w3.org/2006/waf/access-control/#requirements

Mark Nottingham wrote:
> +1
> 
> Roughly, it would be ideal if there were *no* penalty; however, if it's 
> necessary for there to be some penalty, it shouldn't be disproportionate.
> 
> Or, "non-GET SHOULD NOT be penalised more than GET, but if it is it MUST 
> NOT be unduly penalised."

I don't really agree with the first part of this sentence. It doesn't 
matter if one thing gets penalized more than anything else; what matters 
is that we penalize everything as little as possible.

The first part of the sentence seems to encourage penalizing GET more 
just to be "fair", which I would be strongly opposed to.

> Your final formulation is fine as well. Of course, "unduly" is a 
> judgement call that needs to be balanced with the other requirements.

Cool, so does that mean you are fine with adding a requirement phrased 
like the one in my initial reply?

"The solution must not unduly penalize cross-site requests with 
performance degradation. Likewise, it must not unduly penalize use of a 
particular style of URI, or the use of a large number of URIs."

/ Jonas

Received on Thursday, 7 February 2008 00:04:09 UTC