Re: Trying to summarise (was Re: DAP and security)

From: Jeremy Orlow <jorlow@chromium.org>
Date: Thu, 19 Nov 2009 12:09:08 +0000
Message-ID: <5dd9e5c50911190409j105ada48w3a5837a948664de0@mail.gmail.com>
To: Robin Berjon <robin@berjon.com>
Cc: public-device-apis@w3.org, public-webapps WG <public-webapps@w3.org>

On Thu, Nov 19, 2009 at 11:24 AM, Robin Berjon <robin@berjon.com> wrote:

> Whoa.
> I believe that the original renaming of the thread intended to clarify the
> DAP's mission and stance on security, but we've devolved again into more
> muddied up discussion, so I'd like to take a second stab at clarifying the
> landscape.
> One, DAP *will* handle security. I think everyone's on the same page on
> that one now.
> Second, DAP APIs are fully intended to be able to run in a browser context.
> I believe that there may have been unfortunate misunderstandings, but the
> fact of the matter is that APIs not supported by default in browsers will be
> considered a failure.

Is this practical without the major browsers being part of the DAP WG?
(Last time I checked, there were some absences.)

> I think that some of the confusion about the fact that these would
> necessarily have to follow a security model that works inside a browser
> stems from the fact that people (including myself) have repeatedly stated
> that they wanted authors to have the same APIs irrespective of whether they
> were running in a browser or in a web runtime used in a different context.
> This does *not* mean that the security model will be the same in both
> contexts,

I don't understand.  If security is baked into APIs from the start (as is a
requirement for browsers) and the same API should be used in the "different
context", then what need is there for a policy model?  The policy model
seems to only be applicable when APIs are inherently insecure and trust is
required...which is the type of API a browser will not implement.

> and indeed since the entry points to said APIs are likely to be different
> in each context some part of the APIs may turn out to be different. The
> point was that those differences should be minor, and clear to authors.
> Finally, we can all talk about policy and trust in browsers until we're
> bluer in the face than a hypothermic smurf; the fact of the matter is that I
> don't believe that this is a case where discussion can produce consensus.
> There are use cases for policy, and solutions for those will be developed at
> the very least for the widgets landscape. If it so happens that they yield
> interesting innovative stuff that could be useful in browsers, then it'll be
> easy to point to it as proof and demo. Far easier than to argue about it,
> and it'll happen faster if we create the technology rather than talk about
> it :)
> Speaking of innovation and trust in browsers, it seems that the JetPack
> elves are working on some form of social web of trust for browser extensions;
> is there a chance that they could chat about it with DAP?
> --
> Robin Berjon - http://berjon.com/
Received on Thursday, 19 November 2009 12:10:02 UTC