- From: Marcos Caceres <marcosc@opera.com>
- Date: Thu, 8 Apr 2010 16:37:10 +0200
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Arthur Barstow <art.barstow@nokia.com>, "ext Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
On Thu, Apr 8, 2010 at 3:42 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow <art.barstow@nokia.com> wrote:
>> Re the relationship between CORS and UMP, I believe the last thread on that
>> subject was the following exchange between Mark and Maciej on February 3:
>>
>> http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/0462.html
>>
>> (Neither Mark nor Tyler responded to Maciej's e-mail above.)
>>
>> We also have the Comparison of CORS and UMP document:
>>
>> http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UM
>>
>> If we are going to continue with two separate specs, I think it is important,
>> re expectations from Members and the Public, for there to be consensus on
>> the relationship(s) between the two models, e.g. why do we have two models,
>> where do the models intersect, what use cases can only be met with one of
>> the models, why these two models can't be merged into a single model,
>> etc.
>
> I believe the consensus is that UMP is a subset of CORS. A subset is
> defined because CORS creates additional complexity and security risks
> not present in UMP. I believe the consensus is that this division will
> continue to exist regardless of whether or not UMP exists, since the
> UMP functionality is part of CORS. All UMP does is tease out the
> relevant part of CORS, more fully and clearly describe it, and give it
> a name. Getting rid of UMP doesn't get rid of any complexity; it just
> merges and confuses it with the rest of CORS.
>
> For all use cases discussed on the mailing list, I showed how to
> implement the enforceable security properties using UMP. Some
> participants don't like the details of these solutions, though they
> meet all the stated requirements, some of which may have been
> arbitrary. There is still no CORS Cookie+Origin-based solution to the
> printer challenge problem I raised.
>
> Since we have a subset relationship, we could avoid publicizing the
> division to Members and the Public and simply present the division as
> a modular specification decision. If UMP proceeds through the
> standardization process at a faster pace, that's simply the natural
> result of being the subset part of the CORS whole.

Should we then expect CORS to at least make a reference to UMP as part of a security considerations section? Like, "CORS is susceptible to DBAD; to protect against this, it is recommended that UAs consider implementing UMP" or something?

-- 
Marcos Caceres
http://datadriven.com.au
Received on Thursday, 8 April 2010 14:38:07 UTC