W3C home > Mailing lists > Public > public-device-apis@w3.org > November 2009

Re: Security evaluation of an example DAP policy

From: Robin Berjon <robin@berjon.com>
Date: Fri, 20 Nov 2009 17:34:15 +0100
Cc: public-device-apis@w3.org, public-webapps WG <public-webapps@w3.org>
Message-Id: <353DECC7-0792-4F43-9BEA-17EC72FC7C41@berjon.com>
To: Adam Barth <w3c@adambarth.com>
On Nov 20, 2009, at 00:22 , Adam Barth wrote:
> It's emails like this that make me skeptical of the security work
> being done in the device APIs working group.

*sigh* I feel like a broken record. It feels like I've spent my time since TPAC involved in an endless repeat of the following discussion:

  - "You must support security at the API definition level!!!1"
  - "Yes. That is the plan. That is what we will do. We've already agreed to that."
  - "Okay... But... You must support security at the API definition level!!!1"
  - "..."

DAP will handle security at the API definition level. Full stop.

Now, there may be participants in the WG who believe that policy could *also* be used in browsers, or other such things. That may or may not be the possible, practical, doable, implementable, safe. You may or may not agree. The fact is, for the purpose of trusting that DAP will handle security at the API definition level, it doesn't matter because: DAP will handle security at the API definition level.

If you don't like the policy stuff, don't implement the policy stuff. You can still implement the APIs because, you know what? DAP will handle security at the API definition level.

If later a policy-based approach surfaces that changes your mind and makes you want to support it, that's also fine. But for the immediate purpose of creating DAP APIs that can work in browsers it doesn't matter because DAP will handle security at the API definition level.

Is this clearer?

Would people mind if we had this DAP conversation just on the DAP list and cut down on the cross-posting? It's not as if WebApps didn't see some traffic already.

Oh, and yeah, DAP will handle security at the API definition level.

-- 
Robin Berjon - http://berjon.com/
Received on Friday, 20 November 2009 16:34:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:14:01 GMT