Re: [UMP] Request for Last Call

On Thu, Apr 8, 2010 at 3:42 PM, Tyler Close <> wrote:
> On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow <> wrote:
>> Re the relationship between CORS and UMP, I believe the last thread on that
>> subject was the following exchange between Mark and Maceij on February 3:
>> (Neither Mark nor Tyler responded to Maciej's e-mail above.)
>> We also have the Comparison of CORS and UMP document:
>> If we are going to continue with two separate specs, I think it is important
>> re expectations from Members and the Public, for there to be consensus on
>> the relationship(s) between the two models e.g. why do we have two models,
>> where do the models intersect, what use cases can only be met with one of
>> the models, why they can't these two models be merged into a single model,
>> etc.
> I believe the consensus is that UMP is a subset of CORS. A subset is
> defined because CORS creates additional complexity and security risks
> not present in UMP. I believe the consensus is that this division will
> continue to exist regardless of whether or not UMP exists, since the
> UMP functionality is part of CORS. All UMP does is tease out the
> relevant part of CORS, more fully and clearly describe it, and give it
> a name. Getting rid of UMP doesn't get rid of any complexity, it just
> merges and confuses it with the rest of CORS.
> For all use cases discussed on the mailing list, I showed how to
> implement the enforceable security properties using UMP. Some
> participants don't like the details of these solutions, though they
> meet all the stated requirements, some of which may have been
> arbitrary. There is still no CORS Cookie+Origin-based solution to the
> printer challenge problem I raised.
> Since we have a subset relationship, we could avoid publicizing the
> division to Members and the Public and simply present the division as
> a modular specification decision. If UMP proceeds through the
> standardization process at a faster pace, that's simply the natural
> result of being the subset part of the CORS whole.

Should we then expect CORS to at least make a reference to UMP as part
of a security considerations section? Like, "CORS is susceptible to
DBAD, to protect against this it is recommended that UAs consider
implementing UMP" or something?
Marcos Caceres

Received on Thursday, 8 April 2010 14:38:07 UTC