- From: Mark Watson <watsonm@netflix.com>
- Date: Fri, 21 Nov 2014 07:26:38 -0800
- To: Mike West <mkwst@google.com>
- Cc: Brad Hill <hillbrad@fb.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <-1021104972022835871@unknownmsgid>
On Nov 21, 2014, at 2:34 AM, Mike West <mkwst@google.com> wrote: "features which require a verifiably secure environment" is a mouthful, and, if anything, it's _less_ precise than "powerful", since it doesn't describe anything at all about the feature itself, instead focusing on the consequence of whatever properties the feature possesses. Is there a single adjective other than "powerful" that you'd find less judgemental? "risky" has the right connotations, but I suspect you'll like it even less than "powerful". :) I guess I would at least like to have a separation between the description / definition of the properties of features and the definition of the properties of a 'secure environment' or 'authenticated origin' or whatever is the appropriate term for that. I don't think it is easy to find a definition of feature properties which maps 1-1 with whatever is defined for a 'secure environment'. So, I'd have no objection if you write a definition of 'powerful features' and a definition of 'secure environment' and then see if it makes sense to say things like 'powerful features must be restricted to secure environments' and 'non-powerful features must not be restricted to secure environments' etc. but we need the definitions of both before we can answer those questions and right now the definitions are conflated. ...Mark -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Nov 20, 2014 at 9:58 PM, Mark Watson <watsonm@netflix.com> wrote: > > > On Thu, Nov 20, 2014 at 9:51 AM, Mike West <mkwst@google.com> wrote: > >> Seems clearly covered by "features which require a verifiably secure >> environment". >> > As per my other comment, I think language like this would be a much > better - more precise, less judgmental - than "powerful". > > Btw, I'm not sure WebCrypto is good to include as an example, since the > WebCrypto WG decided at TPAC not to require an authenticated origin > (although the bug is still marked as open). > > ...Mark > > > > >> I'd prefer doing it here, but I'm easy. If folks think the TAG should >> publish, I'm sure they'll be happy to do so. >> >> -mike >> On Nov 20, 2014 6:39 PM, "Brad Hill" <hillbrad@fb.com> wrote: >> >>> Do you think that "Powerful Features" belongs as a WebAppSec >>> deliverable – and should be added to our draft charter – or as a TAG >>> finding? >>> >>> From: Mike West <mkwst@google.com> >>> Date: Thursday, November 20, 2014 at 5:21 AM >>> To: "public-webappsec@w3.org" <public-webappsec@w3.org> >>> Subject: "Requirements for Powerful Features" strawman. >>> Resent-From: <public-webappsec@w3.org> >>> Resent-Date: Thursday, November 20, 2014 at 5:22 AM >>> >>> After talking a bit more with Anne and others, I'm coming around to >>> the opinion that we should break the "powerful features" bit out of MIX. In >>> particular, the notion that we need to explain what constitutes a "powerful >>> feature" pushes this right out of MIX in my mind; it was always tangential, >>> and if we need to define the category (and I agree that we do), then MIX >>> isn't the right place for it. >>> >>> I've slapped together a strawman at >>> https://w3c.github.io/webappsec/specs/powerfulfeatures/ >>> <https://urldefense.proofpoint.com/v1/url?u=https://w3c.github.io/webappsec/specs/powerfulfeatures/&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=Uny70yXyxUKM6QderEO9EitGs%2Fm7TkCqYt%2BJnGFSFSo%3D%0A&s=0fcecb0074cfb96997dfb36ca84714e3b5a266f1480943ceb8cb7d410eec3d39> >>> with lots of TODO text. If folks agree that a separate document is >>> worthwhile, I'll remove the copy/pasted bits from MIX, clean up the >>> strawman, and issue a CfC to publish a FPWD. >>> >>> Thanks! >>> >>> -- >>> Mike West <mkwst@google.com> >>> Google+: https://mkw.st/+ >>> <https://urldefense.proofpoint.com/v1/url?u=https://mkw.st/%2B&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=Uny70yXyxUKM6QderEO9EitGs%2Fm7TkCqYt%2BJnGFSFSo%3D%0A&s=1dab00db52d0d48e6baf746f4ff9a01f6e3eced390c7139ced53ecba90e1c5f2>, Twitter: >>> @mikewest, Cell: +49 162 10 255 91 >>> >>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany >>> Registergericht und -nummer: Hamburg, HRB 86891 >>> Sitz der Gesellschaft: Hamburg >>> Geschäftsführer: Graham Law, Christine Elizabeth Flores >>> (Sorry; I'm legally required to add this exciting detail to emails. >>> Bleh.) >>> >>> >
Received on Friday, 21 November 2014 15:32:43 UTC