W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: [UMP] Request for Last Call

From: Tyler Close <tyler.close@gmail.com>
Date: Thu, 8 Apr 2010 06:42:17 -0700
Message-ID: <p2u5691356f1004080642jd9aa99eap4de6d9fcf512d2a2@mail.gmail.com>
To: Arthur Barstow <art.barstow@nokia.com>
Cc: "ext Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow <art.barstow@nokia.com> wrote:
> Re the relationship between CORS and UMP, I believe the last thread on that
> subject was the following exchange between Mark and Maceij on February 3:
>
>  http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/0462.html
>
> (Neither Mark nor Tyler responded to Maciej's e-mail above.)
>
> We also have the Comparison of CORS and UMP document:
>
>  http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UM
>
> If we are going to continue with two separate specs, I think it is important
> re expectations from Members and the Public, for there to be consensus on
> the relationship(s) between the two models e.g. why do we have two models,
> where do the models intersect, what use cases can only be met with one of
> the models, why they can't these two models be merged into a single model,
> etc.

I believe the consensus is that UMP is a subset of CORS. A subset is
defined because CORS creates additional complexity and security risks
not present in UMP. I believe the consensus is that this division will
continue to exist regardless of whether or not UMP exists, since the
UMP functionality is part of CORS. All UMP does is tease out the
relevant part of CORS, more fully and clearly describe it, and give it
a name. Getting rid of UMP doesn't get rid of any complexity, it just
merges and confuses it with the rest of CORS.

For all use cases discussed on the mailing list, I showed how to
implement the enforceable security properties using UMP. Some
participants don't like the details of these solutions, though they
meet all the stated requirements, some of which may have been
arbitrary. There is still no CORS Cookie+Origin-based solution to the
printer challenge problem I raised.

Since we have a subset relationship, we could avoid publicizing the
division to Members and the Public and simply present the division as
a modular specification decision. If UMP proceeds through the
standardization process at a faster pace, that's simply the natural
result of being the subset part of the CORS whole.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Thursday, 8 April 2010 13:42:59 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT