
Re: CORS versus Uniform Messaging?

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 14 Dec 2009 00:03:29 -0800
Message-ID: <7789133a0912140003o1b29457bicf832cc2a43f7074@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Tyler Close <tyler.close@gmail.com>, Ian Hickson <ian@hixie.ch>, Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
I'm not really sure what we're discussing anymore.  Do you have any
new information to add, or are we just going in circles?

On Sun, Dec 13, 2009 at 1:29 PM, Mark S. Miller <erights@google.com> wrote:
> On Sun, Dec 13, 2009 at 12:26 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Sun, Dec 13, 2009 at 8:54 AM, Mark S. Miller <erights@google.com>
>> wrote:
>> > On Sat, Dec 12, 2009 at 7:17 PM, Adam Barth <w3c@adambarth.com> wrote:
>> >> I agree with Jonas.  It seems unlikely we'll be able to
>> >> design-by-committee around a difference in security philosophy dating
>> >> back to the 70s.
>> >
>> > Hi Adam, the whole point of arguing is to settle controversies. That is
>> > how human knowledge advances. If after 40 years the ACL side has no
>> > defenses left for its position, ACL advocates should have the good
>> > grace to concede rather than cite the length of the argument as a
>> > reason not to resolve the argument.
>>
>> I seriously doubt we're going to advance the state of human knowledge
>> by debating this topic on this mailing list.  The scientific community
>> is better equipped for that than the standards community.
>
> AFAICT, the last words on this debate in the scientific literature are the
> Horton paper

Is your position that the academic community has resoundingly decided
that object-capabilities are superior to access control?  That seems
unlikely to me.

[...]

> In either of the first two cases, since you are a member both of the
> scientific community and of this standards committee, if you don't respond
> in the scientific literature, please don't cite merely the lack of response
> in the scientific literature in support of your points.

As I said before, I don't know of any experiments we can run or data
we can measure to settle this issue, which is why science hasn't made
much progress in answering these questions in the past 40 years and
why we won't make much progress resolving them here either.

With respect to your specific question, here's a recent paper of mine
about the dangers of mixing object-capabilities and access control in
a single system, which is exactly what we'd be doing by mixing UniMess
with the same-origin policy:

http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf

In any case, I don't think spamming this list with a bunch of
citations to hundreds of pages of dense prose that no one is going to
read will help us make progress.

Adam
Received on Monday, 14 December 2009 08:04:34 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT