- From: Michael[tm] Smith <mike@w3.org>
- Date: Fri, 1 Jun 2012 14:45:33 +0900
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-sysapps@w3.org
Adam Barth <w3c@adambarth.com>, 2012-05-31 12:05 -0700:
> Thanks Mike. I certainly appreciate your feedback. I think we'd like
> to say that the context in which these APIs are available is part of
> the Web, thereby using an inclusive definition of the Web similar in
> the "one web" spirit.

I understand that, but outside of this specific case I also often see a
tendency to try to hitch all kinds of new things on terms to the point
where they get watered down and risk losing the really useful meanings
they had before.

An example is that most of the people who have been using the term "the
Web platform" over the years have a real clear idea of what they mean by
it, and what the bounds of it are, what it's constrained to. But other
people we work with don't like those constraints much, because that
well-bounded definition excludes the stuff that they work on, and they
want to see that stuff get added to places like
http://platform.html5.org/ (which is already a big enough list of stuff
as-is).

Anyway, I realize I've taken this off into a meta-discussion, so if you
think we should talk about it over on www-archive instead, let's do
that. For now I'll reply to the rest here.

> Maybe we should speak in terms of "browsing interactions," so we might
> say that these APIs aren't safe in the context of browsing the web,
> but might be safe in other modes of interacting with the web.

Yeah, "browsing interactions" would definitely be an improvement.

> Rather than excluding these new contexts from being part of the Web,
> the goal was to have the Web be an inclusive term.

So I guess where I disagree with you is that I don't want the Web to be
an inclusive term like that. I like the less inclusive established
meaning that it already has to most of the people who deal with
developing actual browser technologies (like you).

> I wouldn't want to say that apps that use these APIs are off-Web, they're
> just a part of the Web with higher security requirements,

I think that's understating things a bit. I would characterize it as
having completely different security requirements from the model that's
fundamental to what we currently think of as the Web.

> the same way that device drivers in your kernel have higher security
> requirements than user-land programs in Unix.

I understand the analogy and understand why the proposed group has the
particular name it does. And I think it's better to keep the distinction
more clear instead of conflating it all together under some modified
version of "the Web".

> > I would think in general we want to encourage users to worry more, not less.
>
> Quite the opposite. I think we'd all like the web to be a safe place
> where users can go about their business free of worry. Causing the
> billions of people who use the web to worry more certainly isn't the
> goal of security (although it might be the goal of some security
> consultants who sell their services using fear).

OK, fair enough. Point taken.

> Maybe the "by" is the problematic part. If we speak about browsing
> the web versus other ways of interacting with the web, we can lose the
> connection with drive-by shootings. :)

Yeah, "other ways of interacting with the Web" would definitely be
better. But -- and I'm not trying to split hairs here just for the sake
of that -- it seems to me what this really is is "other ways of
interacting with web technologies" (or "web-platform technologies").
It's the same fundamental technologies; they're just being used in a very
different context (which I think "off Web" does a better job of
describing...)

> > So it seems to me at least the place where those APIs are exposed is
> > clearly not "the Web". Not as any of us know it now. It's some other place.
> > So I think there'd be some benefit in making it crystal clear it's not the
> > Web, and it'd be better to call it the "off Web" or something.
>
> Why isn't it part of the web? I guess that question hinges on
> semantics, and maybe isn't overly meaningful.

Yeah, so I guess we should just let that go.

> > You obviously know way more than me about this area, but naively speaking,
> > it doesn't seem to me that trust model is such a great one to build on
> > further without some other effort to prevent users from inadvertently
> > agreeing to expose all kinds of private data that they really would not be
> > agreeing to expose if they actually understood what was happening.
>
> I think that's why folks on this list are quite interested in the
> security model deliverable. We have some ideas to contribute in this
> area that might help, although we obviously don't have a silver
> bullet.

OK

> Your comments are very helpful. We've been talking about these ideas
> among ourselves for a while now, so it's good to hear a fresh
> perspective. My sense is that many other folks will react similarly
> to you, so it's likely something worth improving.

Thanks for listening. I do think this work is really important for a lot
of reasons, and I'm looking forward to seeing how it develops. I think
the terminology is going to naturally evolve anyway as you get further
along.

--Mike

-- 
Michael[tm] Smith
http://people.w3.org/mike
Received on Friday, 1 June 2012 05:45:38 UTC