- From: Tyler Close <tyler.close@gmail.com>
- Date: Thu, 8 Apr 2010 06:42:17 -0700
- To: Arthur Barstow <art.barstow@nokia.com>
- Cc: "ext Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow <art.barstow@nokia.com> wrote:
> Re the relationship between CORS and UMP, I believe the last thread on that
> subject was the following exchange between Mark and Maciej on February 3:
>
> http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/0462.html
>
> (Neither Mark nor Tyler responded to Maciej's e-mail above.)
>
> We also have the Comparison of CORS and UMP document:
>
> http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UM
>
> If we are going to continue with two separate specs, I think it is important
> re expectations from Members and the Public, for there to be consensus on
> the relationship(s) between the two models e.g. why do we have two models,
> where do the models intersect, what use cases can only be met with one of
> the models, why can't these two models be merged into a single model,
> etc.

I believe the consensus is that UMP is a subset of CORS. A subset is defined because CORS creates additional complexity and security risks not present in UMP. I believe the consensus is that this division will continue to exist regardless of whether or not UMP exists, since the UMP functionality is part of CORS. All UMP does is tease out the relevant part of CORS, more fully and clearly describe it, and give it a name. Getting rid of UMP doesn't get rid of any complexity, it just merges and confuses it with the rest of CORS.

For all use cases discussed on the mailing list, I showed how to implement the enforceable security properties using UMP. Some participants don't like the details of these solutions, though they meet all the stated requirements, some of which may have been arbitrary. There is still no CORS Cookie+Origin-based solution to the printer challenge problem I raised.

Since we have a subset relationship, we could avoid publicizing the division to Members and the Public and simply present the division as a modular specification decision. If UMP proceeds through the standardization process at a faster pace, that's simply the natural result of being the subset part of the CORS whole.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
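The subset relationship Tyler describes can be made concrete in code. The following is an added example, not code from this thread or from either specification: a server-side header decision and the browser-side resource-sharing check, with constructed origins and allow list, showing that the uniform (credential-free) part of CORS needs no origin decision at all, while the credentialed remainder needs one on both ends.

```javascript
// Added example, not from the thread or either spec; origins are constructed.
// Server side: choose CORS response headers for a cross-origin request.
// A uniform (UMP-style) request carries no cookie, HTTP auth or client
// certificate, so nothing in the response depends on who the user is and
// '*' is safe. Once credentials are involved, the server must vouch for a
// specific origin, and the allow list (and any mistake in it) matters.
function corsResponseHeaders(requestOrigin, credentialed, allowedOrigins) {
  if (!credentialed) {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (!allowedOrigins.includes(requestOrigin)) {
    return {}; // no sharing headers: the browser withholds the response
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Browser side: the resource-sharing check a user agent applies before it
// exposes a cross-origin response to script. '*' is honoured only for
// requests made without credentials; with credentials the origin must match
// exactly and Allow-Credentials must be the literal 'true'.
function browserAcceptsResponse(pageOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === pageOrigin;
  return acao === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Worked cases: the uniform subset is answered identically for every origin;
// the credentialed remainder is where origin-based decisions enter.
function demo() {
  const allowed = ['https://app.example'];
  const uniform = corsResponseHeaders('https://other.example', false, allowed);
  const cred = corsResponseHeaders('https://app.example', true, allowed);
  const credDenied = corsResponseHeaders('https://other.example', true, allowed);
  return {
    uniformAccepted: browserAcceptsResponse('https://other.example', false, uniform),
    credAccepted: browserAcceptsResponse('https://app.example', true, cred),
    credDenied: browserAcceptsResponse('https://other.example', true, credDenied),
    // A server answering a credentialed request with '*' gets nothing shared.
    starWithCredentials: browserAcceptsResponse('https://app.example', true,
      { 'Access-Control-Allow-Origin': '*' }),
  };
}
```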
Received on Thursday, 8 April 2010 13:42:59 UTC