RE: DAP and security (was: Rename "File API" to "FileReader API"?) from David Rogers on 2009-11-19 (public-webapps@w3.org from October to December 2009)

From: David Rogers <david.rogers@omtp.org>
Date: Thu, 19 Nov 2009 10:53:33 -0000
To: "Dominique Hazael-Massieux" <dom@w3.org>, <robert@ocallahan.org>
Cc: "Marcin Hanclik" <Marcin.Hanclik@access-company.com>, "Jonas Sicking" <jonas@sicking.cc>, "Maciej Stachowiak" <mjs@apple.com>, "Robin Berjon" <robin@berjon.com>, <public-device-apis@w3.org>, "public-webapps WG" <public-webapps@w3.org>
Message-ID: <4C83800CE03F754ABA6BA928A6D94A0601E5FACF@exch-be14.exchange.local>

My comments:

-----Original Message-----
From: Dominique Hazael-Massieux [mailto:dom@w3.org] 
Sent: 19 November 2009 09:52
To: robert@ocallahan.org
Cc: Marcin Hanclik; Jonas Sicking; David Rogers; Maciej Stachowiak; Robin Berjon; public-device-apis@w3.org; public-webapps WG
Subject: Re: DAP and security (was: Rename "File API" to "FileReader API"?)

Le jeudi 19 novembre 2009 à 22:39 +1300, Robert O'Callahan a écrit :
>         The abstraction of the security concerns within a policy may
>         allow delegation of the security to some third parties.
> 
> There are usually no third parties to delegate to.

That’s true to a certain extent, but a reason for that might well be
that the Web platform hasn’t left enough room for third parties in that
realm.

One could very well imagine that by allowing a certain level of
abstraction in security concerns, we would allow businesses to offer
guarantees against data-loss or data-thief if the user install a
third-party extension that would check Web sites based on a number of
their security aspects.

I’m pretty sure I don’t like all the implications of such a system, and
I’m generally rather in the skeptic side when it comes to the use of a
full-blown policy framework for the Web; but I don’t think it’s fair to
conclude that it is not useful simply based on the fact that it hasn’t
been put to use yet, esp. if it’s currently difficult or impossible to
put it to use.

[DAVID] I agree whole-heartedly with Dom's comments here, we need to open our minds to a better future here - the history of the web in security-terms is very nasty. Why not make it better? As I said in a previous email, we would like to give the user the choice about who they trust to make decisions for them. The vast majority of users on the web have no clue about security or any of the technical terms (I will hopefully add another usability study as a submission in the coming months which OMTP carried out). Why sandbox yourself to the browser? The very rationale of opening up physical 'things' to the web means you have to do something.

Dom

Received on Thursday, 19 November 2009 10:54:36 UTC