Re: something I don't get about the current plan...

From: Mike Belshe <mike@belshe.com>
Date: Sun, 17 Nov 2013 22:27:27 -0800
Message-ID: <CABaLYCtM_z=ziotQtgRmoKDOxg+MoG4eo1EHm1zny9Xjwq4DKw@mail.gmail.com>
To: Bruce Perens <bruce@perens.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>
On Sun, Nov 17, 2013 at 4:36 PM, Bruce Perens <bruce@perens.com> wrote:

> On 11/17/2013 03:02 PM, Mike Belshe wrote:
> > I see no reason why you would want unauthenticated web apps any more
> > than you'd want unauthenticated native apps.
> The billion instances of Javascript programs run across the web this
> morning seem to be contrary to your assumption :-)

No - we don't want them unauthenticated.  We don't want them tampered with.
That's just what we're stuck with in http.

> Most of those, of course, were trivial little things that controlled the
> behavior of some user interface presentation element. They were carefully
> constrained by the browser environments that ran them so that they could
> not do harm.
> Great effort has been put into making these things run quickly and with a
> minimum amount of web resources expended. These days, many web development
> environments minify javascript and carefully manage it to be cacheable.

That's what this whole show has been about, we've proven you can make
improvements to HTTP such that we can do security too without losing perf.

> Certainly a class of application that could permanently manipulate the
> state of the device running it would need to be signed. I've helped to
> manage the chain of custody for Debian. So, I'm not denying that this is
> sometimes necessary. Just not for a large class of trivial things.

>     Thanks
>     Bruce
Received on Monday, 18 November 2013 06:27:55 UTC
