W3C home > Mailing lists > Public > public-sysapps@w3.org > June 2012

Re: please come with some term other than "browse-by Web"

From: Michael[tm] Smith <mike@w3.org>
Date: Fri, 1 Jun 2012 14:45:33 +0900
To: Adam Barth <w3c@adambarth.com>
Cc: public-sysapps@w3.org
Message-ID: <20120601054531.GF47436@sideshowbarker>
Adam Barth <w3c@adambarth.com>, 2012-05-31 12:05 -0700:

> Thanks Mike.  I certainly appreciate your feedback.  I think we'd like
> to say that the context in which these APIs are available is part of
> the Web, thereby using an inclusive definition of the Web similar in
> the "one web" spirit.

I understand that but outside of this specific case I also often see a
tendency to try to hitch all kinds of new things on terms to the point
where they get watered down and risk losing the really useful meanings they
had before.

An example is that most of people who have been using the term "the Web
platform" for over the years have a real clear idea of what they mean by
it, and what the bounds of it are, what it's constrained to. But other
people we work with don't like those constraints much because that
well-bounded definition excludes the stuff that they work on, and wanting
to see that stuff get added to places like http://platform.html5.org/
(which is already a big enough list of stuff as-is).

Anyway, I realize I've taken this off into a meta-discussion so if you
think we should talk about it over on www-archive instead, let's do that.
For now I'll reply to the rest here.

> Maybe we should speak in terms of "browsing interactions," so we might
> say that these APIs aren't safe in the context of browsing the web,
> but might be safe in other modes of interacting with the web.

Yeah, "browsing interactions" would definitely be an improvement.

> Rather than excluding these new contexts from being part of the Web,
> the goal was to have the Web be an inclusive term.

So I guess where I disagree with you is that I don't want the Web to be an
inclusive term like that. I like the less inclusive established meaning
that it already has to most of people who deal with developing actual
browser technologies (like you).

> I wouldn't want to say that apps that use these APIs are off-Web, they're
> just a part of the Web with higher security requirements,

I think that's understating things a bit. A would characterize it as, with
completely different security requirements from that the model that's
fundamental to what we currently think of as the Web.

> the same way that device drivers in your kernel have higher security
> requirements than user-land programs in Unix.

I understand the analogy and understand why the proposed group has the
particular name it does. And I think it's better to keep the distinction
more clear instead of conflating it all together under some modified
version of "the Web".

> > I would think in general we want to encourage users to worry more, not less.
> 
> Quite the opposite.  I think we'd all like the web to be a safe place
> where uses can go about their business free of worry.  Causing the
> billions of people who use the web to worry more certainly isn't the
> goal of security (although it might be the goal of some security
> consultants who sell their services using fear).

OK, fair enough. Point taken.

> Maybe the "by" is the problematic part.  If we speak about browsing
> the web versus other ways of interacting with the web, we can lose the
> connection with drive-by shootings.  :)

yeah, "other ways of interacting with the Web" would definitely be better.
But -- and I'm not trying to split hairs hear just for the sake of that --
but it seems to me what this really is is "other ways of interacting with
web technologies" (or "web-platform technologies"). It's the same
fundamental technologies, they're just being used in a very different
context (which I think "off Web" does a better job of describing...)

> > So it seems to me at least the place where those APIs are exposed it
> > clearly not "the Web". Not as any of us know it now. It's some other place.
> > So I think there'd be some benefit in making it crystal clear it's not the
> > Web, and it's be better to call it the "off Web" or something.
> 
> Why isn't it part of the web?  I guess that question hinges on
> semantics, and maybe isn't overly meaningful.

Yeah, so I guess we should just let that go.

> > You obviously know way more than me about this area, but naively speaking,
> > it doesn'jt seem to be that trust model is such a great one to build on
> > further without some other effort to prevent users from inadvertently
> > agreeing to expose all kinds of private data that they really would not be
> > agreeing to expose if they actually understood what was happening.
> 
> I think that's why folks on this list are quite interested in the
> security model deliverable.  We have some ideas to contribute in this
> area that might help, although we obviously don't have a silver
> bullet.

OK

> Your comments are very helpful.  We've been talking about these ideas
> among ourselves for a while now, so it's good to hear a fresh
> perspective.  My sense is that many other folks will react similarly
> to you, so it's likely something worth improving.

Thanks for listening. I do think this work is really important for a lot of
reasons, and looking forward to seeing how it develops. I think the
terminology is going to naturally evolve anyway as you get further along.

  --Mike

-- 
Michael[tm] Smith http://people.w3.org/mike
Received on Friday, 1 June 2012 05:45:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 1 June 2012 05:45:39 GMT