W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

Re:

From: Brad Porter <bwporter@yahoo.com>
Date: Thu, 10 Jan 2008 21:56:36 -0800 (PST)
To: Mark Nottingham <mnot@yahoo-inc.com>
Cc: public-appformats@w3.org
Message-ID: <384226.78668.qm@web53511.mail.re2.yahoo.com>
Yes, I thought about it more as the discussion progressed and I have persuaded myself of the same -- that the trust relationship between browser and webserver wouldn't need to exist.  Though I haven't had time to try to work through all the potential edge-cases.

I think many IT departments are struggling with how to deal with the problems introduced by poor browser security.  I have no doubt that given the choice between properly implemented browser security or dealing with the problems all in the IT infrastructure, they would rather trust the browser as it would be a far far cheaper solution.  Given that trust has been significantly eroded, I agree that the desire for more control over their own destiny is likely very prevalent right now.

--Brad

Mark Nottingham <mnot@yahoo-inc.com> wrote: 
On 09/01/2008, at 9:38 AM, Brad Porter wrote:

> In particular, moving to server-based access-control requires:
>
> a) browsers to provide verifiable REFERER, unique user, or other  
> equivalent identity information


I don't follow this. It requires data to be provided by the browser  
(Referer-Root in the current proposal), but it doesn't require it to  
be verifiable, any more than you require the client's application of  
the policy to be verifiable.


If anything, I'd imagine the server-side model to be more attractive  
to the corporate IT department, because it requires so much less of  
the browser (where so many security bugs have originated, and  
something entirely outside their ability to fix).


--
Mark Nottingham       mnot@yahoo-inc.com
Received on Friday, 11 January 2008 06:03:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC