- From: David Orchard <dorchard@bea.com>
- Date: Mon, 7 Jan 2008 15:31:20 -0800
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: <public-appformats@w3.org>
> -----Original Message----- > From: public-appformats-request@w3.org > [mailto:public-appformats-request@w3.org] On Behalf Of Close, Tyler J. > Sent: Wednesday, January 02, 2008 5:57 PM > To: Ian Hickson > Cc: Jonas Sicking; Anne van Kesteren; public-appformats@w3.org > Subject: RE: Comments on: Access Control for Cross-site Requests > <snip/> > > (I still doubt the utility of these constraints, but > whatever, I'll play) > > --Tyler > > I personally haven't heard clear compelling evidence why client-side PEP is worth the complexity. By my read of the WG, I see a few folks for client-side PEP and a few folks interested in the server-side only PEP. I take the review of the Security Context WG very seriously. The fact that apparently, you, Doug Crockford, Jon F, Mark N, and others are concerned about this, perhaps the largest, part of the design gives me cause for serious concern. I think that if the Working Group members won't explore the server-side PEP design, then I think a number of WG members and non-members but interested parties would be grateful for design(s) that you choose to offer. I'm not sure that there is consensus in the WG for the client-side PEP approach given yours and others similar comments and I think that you've added some useful new information. Cheers, Dave
Received on Monday, 7 January 2008 23:31:47 UTC