
RE: Comments on: Access Control for Cross-site Requests

From: David Orchard <dorchard@bea.com>
Date: Mon, 7 Jan 2008 15:31:20 -0800
Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E0136CFE4@repbex01.amer.bea.com>
To: "Close, Tyler J." <tyler.close@hp.com>
Cc: <public-appformats@w3.org>

> -----Original Message-----
> From: public-appformats-request@w3.org 
> [mailto:public-appformats-request@w3.org] On Behalf Of Close, Tyler J.
> Sent: Wednesday, January 02, 2008 5:57 PM
> To: Ian Hickson
> Cc: Jonas Sicking; Anne van Kesteren; public-appformats@w3.org
> Subject: RE: Comments on: Access Control for Cross-site Requests

> (I still doubt the utility of these constraints, but 
> whatever, I'll play)
> --Tyler

I personally haven't heard clear compelling evidence why client-side PEP
is worth the complexity.  By my read of the WG, I see a few folks for
client-side PEP and a few folks interested in the server-side only PEP.
I take the review of the Security Context WG very seriously.  The fact
that, apparently, you, Doug Crockford, Jon F, Mark N, and others are
concerned about this, perhaps the largest, part of the design gives me
cause for serious concern.  I think that if the Working Group members
won't explore the server-side PEP design, then I think a number of WG
members and non-members but interested parties would be grateful for
design(s) that you choose to offer.  I'm not sure that there is
consensus in the WG for the client-side PEP approach given your and
others' similar comments and I think that you've added some useful new

Received on Monday, 7 January 2008 23:31:47 UTC
