RE: [waf] minutes from 9 January 2008 Voice Conf (fwd)


> -----Original Message-----
> From: 
> [] On Behalf Of Ian Hickson
> Sent: Friday, January 11, 2008 3:30 AM
> To:
> Subject: Re: [waf] minutes from 9 January 2008 Voice Conf (fwd)
>
> On a broader note, it is unclear to me why we are still discussing
> requirements. We have a perfectly fine specification, we should go
> ahead and publish it and move on. We already have two specifications
> that are dependent on the current design (XBL2 and XMLHttpRequest2).
>
> I don't even understand the problems that have been raised. As far as
> I can tell nobody has raised any real problems with the current
> design; the OPTIONS suggestion seems to be based purely on theoretical
> concerns of spec purity, and the concerns of the client having the
> last say appear to miss the point of the technology (which is entirely
> about preventing information leakage and protecting against new attack
> vectors on the client while enabling features that clients have
> previously blocked).
>
> Why have we not gone to LC and CR already? Can we please stop running
> around in circles and move forwards?
>
> I suggest that those who wish a radically different model to the one
> in the current proposal instead write an alternative specification and
> move that specification forwards through the REC track, and let the
> market decide which technology is better.

I believe the WAF working group is operating as part of an open process
and people have comments on requirements that have never been vetted
outside the working group.  Putting one's hands over your ears when
numerous people outside the working group express very similar concerns
and comments doesn't help move an open working group forward.  You say
"why are we discussing requirements?", yet each and every requirement
you proposed had some significant comments on it during the last telcon.
It's clear that there are many people inside and outside the working
group who want to have a clearly documented set of requirements and usage
scenarios and the current requirements don't satisfy that.

I further don't think the tone of some of the messages, like much of
this one, really helps the working group progress.  The best way forward
to consensus is to have a reasoned technical discussion of the issues
without trying to shut down conversation or people.  For example, you
characterize the OPTIONS suggestion as purely theoretical concerns of spec
purity, which is typically a pejorative criticism.  However, my concern,
as raised, is completely the opposite of "theoretical".  My concern is
about the potential abuse of the fundamental operation in the most
widely distributed computing system ever, the web.   Now I'm pretty sure
that it is your opinion that the OPTIONS or HEAD suggestions are not
viable because of technical reasons, such as it introduces new attack
vectors, and that is a fine technical point.  Just saying, to
paraphrase, "there's no problem(s) with the spec" and "why are we
talking about this" just does not help any working group move forward.
In this case, such a common concern (that spawned how many messages?)
ought not to be dismissed as quickly as one parenthetical statement.
Our discussions ought to be based on reasoned technical arguments and
the arguments need to be clear, compelling and easily available for


Received on Friday, 11 January 2008 17:03:54 UTC