
Re: comment on distributed capabilities

From: Tyler Close <tyler.close@gmail.com>
Date: Fri, 12 Feb 2010 13:53:36 -0800
Message-ID: <5691356f1002121353h18d5ac7cl3fb12fdbfe182a21@mail.gmail.com>
To: noah_mendelsohn@us.ibm.com
Cc: Jonathan Rees <jar@creativecommons.org>, www-tag@w3.org

I have two things to point out that I think might lead to agreement
on this issue.

1. Note that nowhere does my draft text require that an unguessable
URL alone be sufficient to grant access to a resource. It only says
that private resources SHOULD use unguessable URLs. It doesn't say
that you can't use additional security measures. One battle at a time
I figure. See:



On Fri, Feb 12, 2010 at 8:50 AM,  <noah_mendelsohn@us.ibm.com> wrote:
> I do object to proposals to, at this stage, tighten
> the rules for management of URIs on the Web, in email, etc.

I don't think I've proposed any such tightening. I have only put into
words part of the security model that browsers currently attempt to
enforce. If you believe otherwise, please provide specific
counter-examples. In particular, my draft text makes no mention of
email servers or HTTP proxy servers, so it's hard to claim I aim to
restrict their behavior.

AFAICT, we should be able to agree on the substance of my draft text
at this point, even if some wordsmithing is desired.


"Waterken News: Capability security on the Web"
Received on Friday, 12 February 2010 21:54:12 UTC
