Re: [UMP] Proxy-Authorization from Adam Barth on 2010-01-12 (public-webapps@w3.org from January to March 2010)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 12 Jan 2010 15:04:12 -0800
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <7789133a1001121504p56280320xa3f86782e357e9dc@mail.gmail.com>

On Tue, Jan 12, 2010 at 1:59 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, Jan 12, 2010 at 12:29 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Tue, Jan 12, 2010 at 10:51 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>> It's not feasible to remove all ambient authority. For example, the
>>> client has the authority to send requests from its IP address. So we
>>> draw a line between network connectivity and issued credentials. Proxy
>>> credentials provide network connectivity.
>>>
>>> Also, as a practical matter, disallowing Proxy-Authorization might
>>> inhibit use of UMP, since a resource author would be concerned about
>>> the loss of users who are required to use a proxy.
>>
>> RIght, this is the essential point: whether we should remove a piece
>> of ambient authority is a risk management decision.  Instead of
>> dogmatically stomping out all forms of ambient authority,
>
> Are you really accusing me of being dogmatic, or is this just more of
> your hyperbole?

Quite to the contrary, you're *not* being dogmatic, which is my point.
 We ought not to be dogmatic about banning ambient authority because,
as you say, that's impractical.  Instead we ought to consider the
risks and rewards on a case-by-case basis.

> Your arguments are frequently misleading because their
> reasoning relies upon your use of hyperbole. In this case, by
> characterizing my argument as dogma, you avoid addressing the
> distinction I've drawn between network connectivity and credentials
> issued by a resource host. I think it's a principled and useful
> distinction and have explained why. Instead of logic, you respond with
> hyperbole.

I'm not sure what you mean by hyperbole, but I agree with you that
there's a distinction between network connectivity and credentials
issued by a resource host.  Credentials issued by a resource host are
both higher risk and higher benefit than network connectivity
credentials.  How these risks and benefits balance varies depending on
the deployment scenario.

> Even if we put out two APIs, one will become dominant.

Right, the market will decide which protocol is most useful (i.e.,
creates the most value).  That seems like a good thing.

Adam

Received on Tuesday, 12 January 2010 23:05:04 UTC