Re: Trying to summarise (was Re: DAP and security)

On Thu, Nov 19, 2009 at 11:24 AM, Robin Berjon <robin@berjon.com> wrote:

> Whoa.
>
> I believe that the original renaming of the thread intended to clarify the
> DAP's mission and stance on security, but we've devolved again into more
> muddied up discussion, so I'd like to take a second stab at clarifying the
> landscape.
>
> One, DAP *will* handle security. I think everyone's on the same page on
> that one now.
>
> Second, DAP APIs are fully intended to be able to run in a browser context.
> I believe that there may have been unfortunate misunderstandings, but the
> fact of the matter is that APIs not supported by default in browsers will be
> considered a failure.


Is this practical without the major browsers being part of the DAP WG?
(Last time I checked, there were some absences.)


> I think that some of the confusion about the fact that these would
> necessarily have to follow a security model that works inside a browser
> stems from the fact that people (including myself) have repeatedly stated
> that they wanted authors to have the same APIs irrespective of whether they
> were running in a browser or in a web runtime used in a different context.
> This does *not* mean that the security model will be the same in both
> contexts,


I don't understand.  If security is baked into APIs from the start (as is a
requirement for browsers) and the same API should be used in the "different
context", then what need is there for a policy model?  The policy model
seems to only be applicable when APIs are inherently insecure and trust is
required...which is the type of API a browser will not implement.


> and indeed since the entry points to said APIs are likely to be different
> in each context some part of the APIs may turn out to be different. The
> point was that those differences should be minor, and clear to authors.
>
> Finally, we can all talk about policy and trust in browsers until we're
> bluer in the face than a hypothermic smurf, the fact of the matter is that I
> don't believe that this is a case where discussion can produce consensus.
> There are use cases for policy, and solutions for those will be developed at
> the very least for the widgets landscape. If it so happens that they yield
> interesting innovative stuff that could be useful in browsers, then it'll be
> easy to point to it as proof and demo. Far easier than to argue about it,
> and it'll happen faster if we create the technology rather than talk about
> it :)
>
>
> Speaking of innovation and trust in browsers, it seems that the JetPack
> elves are working on some form of social web of trust for browser extensions
> — is there a chance that they could chat about it with DAP?
>
> --
> Robin Berjon - http://berjon.com/
>

Received on Thursday, 19 November 2009 12:10:01 UTC