W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 14 Dec 2009 10:16:29 -0800
Message-ID: <7789133a0912141016g9b14994r93deb75214cc068e@mail.gmail.com>
To: Jonathan Rees <jar@creativecommons.org>
Cc: Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Tyler Close <tyler.close@gmail.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Mon, Dec 14, 2009 at 5:53 AM, Jonathan Rees <jar@creativecommons.org> wrote:
> The only complaint I know of regarding UM is that it is so complicated
> to use in practice that it will not be as enabling as CORS

Actually, Tyler's UM protocol requires the user to confirm message 5
to prevent a CSRF attack.  Maciej's CORS version of the protocol
requires no such user confirmation.  I think it's safe to say that
asking the user to confirm security-critical operations is not a good

> Regarding the idea that UM is unproven or undeployed - I think this is
> a peculiar charge given that object-oriented programming dates from
> 1967, and actors date from 1973; and current use of the capability
> pattern, for example in email list validation, shared calendar access
> control, and CSRF defense (Mark can probably provide many other and
> better examples), *is* something we can build on. Ocaps have been
> essentially unchanged for 40 years, with essentially no elaboration or
> revision despite heavy stress testing. AFAIK the academic and
> practical security communities have not converged on any distributed
> (i.e. multilateral) access control system *other* than capabilities.

You're really overstating your case to the point where it's ridiculous.

Received on Monday, 14 December 2009 18:17:22 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:21 UTC