- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 20 Feb 2015 11:19:16 +0100
- To: Harry Halpin <hhalpin@w3.org>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>, Dave Raggett <dsr@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Rigo Wenning <rigo@w3.org>

Hi All,

Since I'm probably the origin of this thread, I owe you all an explanation.

A problem as I see it is that considerations regarding the viability of a certain quest for a new standard apparently are considered "inappropriate".

If you look very closely, the fundamental model used in the Gemalto and Microsoft proposals was in fact already rejected a couple of years ago when launched by a Korean group. I.e. they build on the user granting exceptions from the Same Origin Policy.

If this analysis is wrong, then the whole debate and arguments presented by Google and Facebook were missing the point. I (of course) assumed that the analysis was correct, but worded it in a way which violates W3C's rules of conduct. I apologize for that.

A generic issue in standardization contexts is the gap between practitioners and standardizers, which IMO may require more efforts from both sides.

FWIW I tried outlining payments using the mentioned proposals and found a _major_disconnect_. Since the standardizing side hasn't bothered with such experiments, there is a risk that this indeed is infeasible, which raises questions regarding the scope of this work.

BTW, regarding my own suggestions I'm not "selling" anything, I'm just slightly obsessed (no other word applies according to my wife) with researching a topic from _different_ perspectives, including building fairly advanced proof-of-concept systems.

After a series of PoCs in which insurmountable deployment or privacy issues were identified, I have come to the conclusion that a "Polished and Standardized" version of http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html _maybe_ could support not only the applications talked about in the Mountain View WebCrypto.Next F2F, but also play an instrumental role in future web payment systems.

Since I (using W3C terms) am a practitioner, the ball obviously is in W3C's court.

Sincerely,
Anders Rundgren

Received on Friday, 20 February 2015 10:19:48 UTC