Re: comment on distributed capabilities

From: Tyler Close <tyler.close@gmail.com>
Date: Fri, 12 Feb 2010 13:53:36 -0800
Message-ID: <5691356f1002121353h18d5ac7cl3fb12fdbfe182a21@mail.gmail.com>
To: noah_mendelsohn@us.ibm.com
Cc: Jonathan Rees <jar@creativecommons.org>, www-tag@w3.org

I have two things to point out that I think might lead to agreement
on this issue.

1. Note that nowhere does my draft text require that an unguessable
URL alone be sufficient to grant access to a resource. It only says
that private resources SHOULD use unguessable URLs. It doesn't say
that you can't use additional security measures. One battle at a time
I figure. See:

http://lists.w3.org/Archives/Public/www-tag/2010Feb/0081.html

2.

On Fri, Feb 12, 2010 at 8:50 AM,  <noah_mendelsohn@us.ibm.com> wrote:
> I do object to proposals to, at this stage, tighten
> the rules for management of URIs on the Web, in email, etc.

I don't think I've proposed any such tightening. I have only put into
words part of the security model that browsers currently attempt to
enforce. If you believe otherwise, please provide specific
counter-examples. In particular, my draft text makes no mention of
email servers or HTTP proxy servers, so it's hard to claim I aim to
restrict their behavior.

AFAICT, we should be able to agree on the substance of my draft text
at this point, even if some wordsmithing is desired.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Friday, 12 February 2010 21:54:12 GMT