- From: David Rogers <david.rogers@omtp.org>
- Date: Wed, 16 Jun 2010 10:16:16 +0100
- To: <arun@mozilla.com>, "SULLIVAN, BRYAN L (ATTCINW)" <BS3131@att.com>
- Cc: "Robin Berjon" <robin@berjon.com>, <public-device-apis@w3.org>, "Ian Fette" <ifette@google.com>, "Web Applications Working Group WG" <public-webapps@w3.org>
> The question of where you are represented and your ability to > participate cuts both ways - the same is true for us. I think if the > browser vendors want their products really to be seen as compatible with > the Web application space (as compared to just dynamic Web pages), they > will support the work in DAP as its there that non-obtrusive and > inherently secure models for Web application access to device resources > will be defined as APIs. > At present time, I think that the paragraph above accurately summarizes a technical rift between certain members of both working groups (DAP and WebApps). It may not be worthwhile to resolve this rift, and we should allow disparate families of specifications to bloom, taking care not to cause developer confusion with naming (a hard problem). Where specifications worked on in the DAP WG lend themselves to implementation plans, I think Mozilla participants interested in these can comment on them (e.g. Contacts API, at least for now). [DAVID] I don't think it is worth creating a schism. The file API hadn't been touched since 2006 when we started looking at this work so it is good that we have managed to help motivate some further work on it. A number of browser vendors are involved in DAP and are starting to build DAP APIs so I think this might be an incorrect assumption too. We're all in this together, so let's try and get it right for the user. The key question remains around security model. OMTP members believe in separating policy for good security reasons and to advance the general discipline away from the natural answer which would be 'provide a prompt or explicit user interaction'. If we slip back into this old way of thinking, we are destined for failure. Yes, at some point you need user interaction but let's try to minimise that in an intelligent manner which means that the user is not bombarded with prompts, making the system less secure. So, some questions from me: 1) I want to make sure that we can continue the good privacy work that has been started in DAP - please can you clarify if you would propose adopting those requirements if transferred to WebApps? 2) Also, please can you outline the security model that you will propose if it does transfer to WebApps - would it allow for management of access to the file system by policy (in the BONDI manner or by Google Powerbox or Mozilla's separate policy scheme)? 3) Would your proposed API require prompts to the user and explicit user acceptance of some sort? Thanks, David.
Received on Wednesday, 16 June 2010 09:17:05 UTC