- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Thu, 3 Jan 2008 07:18:09 -0800
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "Ian Hickson" <ian@hixie.ch>, "Mark Nottingham" <mnot@yahoo-inc.com>, "public-appformats@w3.org" <public-appformats@w3.org>, "Close, Tyler J." <tyler.close@hp.com>
- Message-ID: <OFFD8883A1.2A58B06D-ON882573C5.00521631-882573C5.00540F26@us.ibm.com>
My conclusion after going through various standards efforts is that there
tends to be a better end result when the working group takes some time at
the beginning to write down and gain consensus on a set of target use cases
(can be described briefly) and at least a general set of requirements. This
gets the working group on the same page and allows the public to provide
early feedback about whether the specification ultimately will deliver what
the community needs. When I studied the Access Control specification a
couple of months ago, I attempted to find things that even halfway
resembled use cases and requirements, couldn't find anything, and then
attempted to hazard a guess:
* http://www.openajax.org/member/wiki/JonFerraiolo_Thoughts_On_W3C_Access_Control#Use_cases
In terms of requirements, it is advisable to have a separate requirements
document (possibly including use cases) or a separate requirements section.
I have found that a good format for requirements is to use MUST/SHOULD/MAY
terminology where the new language MUST do this and the new language SHOULD
do that. For instance:
* The Access Control mechanism MUST not broaden the attack surface for
hackers, particularly with regard to CSRF
* The Access Control mechanism MUST be architected such that servers must
opt-in to the technology before their data can be accessed from a different
domain
* The Access Control mechanism MUST enable retrieval of information from
other domains that allow such retrieval, and MAY enable posting data to
other domains.
* The Access Control mechanism MUST support popular data transmission
formats, including both XML and JSON
etc.
I would very much like to see at least the addition of a use cases section
at the top of the specification, but it would be nice to also see a list of
requirements.
Jon
"Anne van Kesteren" <annevk@opera.com>
Sent by: public-appformats-request@w3.org
01/03/2008 12:54 AM
To: "Mark Nottingham" <mnot@yahoo-inc.com>, "Ian Hickson" <ian@hixie.ch>
cc: "Close, Tyler J." <tyler.close@hp.com>, "public-appformats@w3.org" <public-appformats@w3.org>
Subject: Re: Comments on: Access Control for Cross-site Requests
On Thu, 03 Jan 2008 02:26:57 +0100, Mark Nottingham <mnot@yahoo-inc.com>
wrote:
> Has the working group gained consensus on this requirements list and
> documented it?
As far as I can tell the Working Group has always worked with these
constraints in mind, but we never put them in a document.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 3 January 2008 15:19:51 UTC