W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [UMP] Proxy-Authorization

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 12 Jan 2010 13:24:16 -0800
Cc: Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
Message-id: <B0CB434F-88B1-4AEA-BFA7-03BDFA2B6D47@apple.com>
To: Adam Barth <w3c@adambarth.com>

On Jan 12, 2010, at 12:29 PM, Adam Barth wrote:

> On Tue, Jan 12, 2010 at 10:51 AM, Tyler Close  
> <tyler.close@gmail.com> wrote:
>> It's not feasible to remove all ambient authority. For example, the
>> client has the authority to send requests from its IP address. So we
>> draw a line between network connectivity and issued credentials.  
>> Proxy
>> credentials provide network connectivity.
>>
>> Also, as a practical matter, disallowing Proxy-Authorization might
>> inhibit use of UMP, since a resource author would be concerned about
>> the loss of users who are required to use a proxy.
>
> RIght, this is the essential point: whether we should remove a piece
> of ambient authority is a risk management decision.  Instead of
> dogmatically stomping out all forms of ambient authority, we ought to
> weigh the costs of removing the authority (in this case compatibility
> issues with existing proxy deployments) with the benefits (greater
> resilience to a class of vulnerabilities).
>
> The reason we have different beliefs about whether CORS or UMP is a
> better protocol is because we perceve the risks and rewards
> differently.  Ultimately, authors are in a better position to weigh
> these factors than we are, which is why we should provide both APIs.

+1

  - Maciej
Received on Tuesday, 12 January 2010 21:24:56 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:36 GMT