W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: Rechartering WebApp WG

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 10 Feb 2010 17:10:07 -0800
Message-ID: <63df84f1002101710xe7e8cc2uf642e9fa44518b99@mail.gmail.com>
To: Marcos Caceres <marcosc@opera.com>
Cc: Webapps WG <public-webapps@w3.org>
On Wed, Feb 10, 2010 at 4:59 PM, Marcos Caceres <marcosc@opera.com> wrote:
>>>>> I'm sooooooo totally for that. I want nothing more than to have more
>>>>> engagement and input from you guys. Our URI spec is in last call and so
>>>>> is
>>>>> the access request spec. The specs are really small. Please find a few
>>>>> hours
>>>>> and help us align if we haven't already. It's never too late to comment
>>>>> and
>>>>> help us fix stuff if it's borked. We are doing the best we can here,
>>>>> and
>>>>> certainly don't want to go against the web security model.
>>>> It's funny that you say that, because last I commented on a widget
>>>> spec was in relation to the signing spec. I then expressed dislike for
>>>> the use of xml canonicalization and, IIRC, a few other non-trivial
>>>> aspects of the spec. But was told that the spec was too far along and
>>>> it was too late to change :-)
>>> That is correct. Many members working on widgets believed that the use
>>> cases
>>> were met by XML digsig (even with it's reliance on xml canonicalization)
>>> and
>>> I was led to believe that it is in fact implementable. I know of one
>>> implementation thus far, so the jury is still out. It's still too early
>>> for
>>> me to say if it was a mistake to take XML digsig over JAR signing. If it
>>> proves a mistake (I.e., no one implements), then it's logical to look for
>>>  alternatives. I won't claim to understand the xml canonicalization
>>> issue,
>>> but people I talk to still tell me it won't be a problem. You want to add
>>> some tests to the test suite?:)
>> I don't doubt that it's implementable. However I still think there are
>> much simpler solutions that make things easier both for authors and
>> browser implementors. See for example the way that mozilla signs XPI
>> files.
> I don't disagree with you on the implementation side (and Im happy to hear
> that you think it can be implemented - I'll keep my fingers crossed). On the
> author side, I honestly don't know how much of a difference it will make.
> I'm sure someone will create a dead easy click once packager for widgets, if
> they haven't done so already. But is there something inherently wrong with
> our current technological choice that would not allow that? (if yes, please
> send to public-webapps, which is where we discuss widgets ;))

Ah, the old "the tools will save us" argument ;)

Yes, tools can certainly help. But that doesn't remove from the fact
that something that's simpler to author would be simpler for authors.
What about situations when you want to dynamically generate widgets,
say using PHP? Or if you don't speak the language(s) the tool is
localized to. Or if a web-based tool happens to be down because of
server upgrades?

/ Jonas
Received on Thursday, 11 February 2010 01:11:03 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:22 UTC