W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: [UMP] Request for Last Call

From: Mark S. Miller <erights@google.com>
Date: Thu, 8 Apr 2010 07:36:47 -0700
Message-ID: <r2r4d2fac901004080736k7b19625ep26ab14e17e554c8a@mail.gmail.com>
To: Arthur Barstow <art.barstow@nokia.com>
Cc: Anne van Kesteren <annevk@opera.com>, Maciej Stachowiak <mjs@apple.com>, Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow <art.barstow@nokia.com> wrote:

> We also have the Comparison of CORS and UMP document:
>
>  http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UM
>
> If we are going to continue with two separate specs, I think it is important
> re expectations from Members and the Public, for there to be consensus on
> the relationship(s) between the two models e.g. why do we have two models,
> where do the models intersect, what use cases can only be met with one of
> the models, why they can't these two models be merged into a single model,
> etc.

Hi Arthur, I think I'm a bit confused about what you mean by "model"
here. The web's current access control model is based on ambient
authority, due to the combination of the Same Origin Policy and the
cross-origin presentation of cookies (resulting in CSRF and
clickjacking). Adding to this a spec that says:

  if (some flag) {
    send messages without ambient authority tokens
    and teach developers to use explicit authority tokens
  } else {
    send messages with additional ambient authority tokens
    and teach developers "don't be a deputy"
  }

may result is one spec. But this spec would still represent two
different models. CORS as a whole is not a model. It is simply an
operational spec that enables one to switch between mechanisms derived
from (at least) two different access control models.


-- 
    Cheers,
    --MarkM
Received on Thursday, 8 April 2010 14:37:16 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT