Re: Are Jon's comments from IBM, the OAA, citizen Jon, ...? [Was: Re: Review of http://www.w3.org/TR/2007/WD-access-control-20071126/] from Brad Porter on 2008-01-09 (public-appformats@w3.org from January 2008)

From: Brad Porter <bwporter@yahoo.com>
Date: Wed, 9 Jan 2008 09:54:38 -0800 (PST)
To: public-appformats@w3.org
Message-ID: <792516.65168.qm@web53512.mail.re2.yahoo.com>

> I believe there are a straightforward ways to extend JSONRequest to
> accommodate XML in addition to JSON.

I'd like to understand better what this mechanism might look like as I'm not sure I agree that you could extend it without doing something nearly equivalent to what the access-control specification requires.  

JSONRequest seems to be operating under the assumption that current browsers don't have access to any protected JSON data inside protected network zones.  This works because corporate IT departments aren't typically storing confidential information in JSON blobs sitting on their web-server.  The universe of existing JSON data that relies on existing protection mechanisms is small (and the protection mechanisms don't exist.)

The universe of existing XML data that needs protection is large and there are well-established protection mechanisms already in place that need to continue to work.

> 3) I have lots of concerns about Access Control as currently formulated. 
> Others share these concerns, which seems likely to inhibit adoption if the
> spec stays as it is. If it does get adopted in its current form, I'm not
> sure how much the industry benefits from the new features and how much it
> will be harmed by the security issues and other costs.

I have to admit I'm not clear at this point as to what "the security issues and other costs" you're referring to are.  I've seen an argument that you disagree with the process and that you disagree with the solution, but I'm missing what the security issues and costs that concern you with the solution as proposed are?  

I'm trying to understand if you're saying "access-control is a bad idea for technical reason X and Y" or if you're just saying "this solution is a better solution" to which I'm trying to point out that enabling access to XML documents is a well-stated goal that JSONrequest doesn't seem to support and preserving the current border-protection security mechanisms that rely on browser sandboxing and are widely employed by most corporations is still necessary for the time-being. 

--Brad

Received on Wednesday, 9 January 2008 17:55:11 UTC