Re: [UMP] Request for Last Call

On Thu, Apr 8, 2010 at 5:44 AM, Marcos Caceres <marcosc@opera.com> wrote:
> To me personally, it only really makes sense for UMP to be merged into CORS.
> Having both specs is confusing.

Given that we've created a superset-subset relationship between CORS
and UMP, we don't have divergent specs for the same functionality;
instead we simply have a modular spec. Splitting the spec this way is
useful because the UMP subset is significantly smaller and the CORS
superset involves additional, complicated security risks.

> To have UMP as an optional add-on does not
> feel right because of the DBAD issue.

Indeed, DBAD is only relevant to CORS, so adding this complexity to
UMP by putting it in the same document with the rest of CORS is
confusing.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Thursday, 8 April 2010 13:13:04 UTC