- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 12 Jan 2010 17:22:25 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webapps <public-webapps@w3.org>
On Tue, Jan 12, 2010 at 3:04 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Jan 12, 2010 at 1:59 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Tue, Jan 12, 2010 at 12:29 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> On Tue, Jan 12, 2010 at 10:51 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>>> It's not feasible to remove all ambient authority. For example, the
>>>> client has the authority to send requests from its IP address. So we
>>>> draw a line between network connectivity and issued credentials. Proxy
>>>> credentials provide network connectivity.
>>>>
>>>> Also, as a practical matter, disallowing Proxy-Authorization might
>>>> inhibit use of UMP, since a resource author would be concerned about
>>>> the loss of users who are required to use a proxy.
>>>
>>> Right, this is the essential point: whether we should remove a piece
>>> of ambient authority is a risk management decision. Instead of
>>> dogmatically stomping out all forms of ambient authority,
>>
>> Are you really accusing me of being dogmatic, or is this just more of
>> your hyperbole?
>
> Quite to the contrary, you're *not* being dogmatic, which is my point.
> We ought not to be dogmatic about banning ambient authority because,
> as you say, that's impractical. Instead we ought to consider the
> risks and rewards on a case-by-case basis.
>
>> Your arguments are frequently misleading because their
>> reasoning relies upon your use of hyperbole. In this case, by
>> characterizing my argument as dogma, you avoid addressing the
>> distinction I've drawn between network connectivity and credentials
>> issued by a resource host. I think it's a principled and useful
>> distinction and have explained why. Instead of logic, you respond with
>> hyperbole.
>
> I'm not sure what you mean by hyperbole, but I agree with you that
> there's a distinction between network connectivity and credentials
> issued by a resource host. Credentials issued by a resource host are
> both higher risk and higher benefit than network connectivity
> credentials. How these risks and benefits balance varies depending on
> the deployment scenario.

Thank you for addressing this distinction.

Hyperbole is extreme and misleading exaggeration. In some cases, your
arguments take the form of presenting a choice between your position
and an obviously ridiculous position. For example, above you say we
must choose between a case-by-case approach and a dogmatic approach.
Such arguments preclude the existence of a third way that is not
ridiculous. In the above case, I am advocating such a third way. I
think we can take a principled approach that establishes the criteria
by which we decide what ambient authority is allowed: network
connectivity versus credentials issued by a resource host. The
advantage of a principled approach versus a case-by-case approach is
that it establishes the goal to be achieved and so creates a coherent
policy that others can implement to. In contrast, the Same Origin
Policy was clearly defined on a case-by-case basis and so has become
incoherent.

The form of argument you used in this case is known as a "false
dichotomy". Please refrain from using this tactic. It is deceptive.

Be careful whenever you engage in exaggeration. It is always
misleading, and often rude.

>> Even if we put out two APIs, one will become dominant.
>
> Right, the market will decide which protocol is most useful (i.e.,
> creates the most value). That seems like a good thing.

That would abdicate our responsibility as a standards body. If that's
the best we can accomplish in this case, then so be it. It is not what
we should be aiming for. Sometimes, choosing a standard way creates the
most value. I believe this is one of those cases.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 13 January 2010 01:22:59 UTC
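Added example, not code from the thread, from UMP, or from any W3C draft: a small JavaScript simulation of the line Tyler draws above between credentials that provide network connectivity (Proxy-Authorization) and credentials issued by the resource host (Cookie, Authorization). The host bank.example, the proxy credential, the session cookie and the transfer token are all constructed for the demo, and the proxy and server are plain functions standing in for the network. It shows why the distinction matters: a "classic" request carries the user's cookie along with whatever page triggered it, so an unrelated page can move money (a confused deputy); a "uniform" request drops the resource-host credential but keeps the proxy credential, so a user behind an authenticating proxy still reaches the host, and only a caller who explicitly holds the token succeeds.

```javascript
// Added example; not the thread's, UMP's, or W3C's code. All names are constructed.

// Credentials that only buy a network path to the host. Kept on a uniform
// request so users who must go through an authenticating proxy are not lost.
const CONNECTIVITY_CREDENTIALS = new Set(["proxy-authorization"]);
// Credentials the resource host issued to the user. Attaching them ambiently
// lets any page that can trigger a request act as the user, so a uniform
// request drops them. Everything else (ordinary headers) passes untouched.
const RESOURCE_HOST_CREDENTIALS = new Set(["cookie", "authorization"]);

// Stand-in for the browser's cookie jar, HTTP-auth cache and proxy settings.
const store = {
  proxyAuth: "Basic cHJveHl1c2VyOmh1bnRlcjI=",            // constructed
  cookies: new Map([["bank.example", "session=abc123"]]),  // constructed
  // What the user agent would add on its own for a request to `host`.
  ambientFor(host) {
    const h = { "proxy-authorization": this.proxyAuth };
    if (this.cookies.has(host)) h["cookie"] = this.cookies.get(host);
    return h;
  },
};

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Classic request: every ambient credential the agent holds for the host
// rides along with the request, whoever triggered it.
function classicRequest(host, path, explicit = {}) {
  return { host, path, headers: { ...store.ambientFor(host), ...lowerKeys(explicit) } };
}

// Uniform request: the same, except headers that are resource-host credentials
// are removed before sending. The decision is a rule applied to every header,
// not a per-header judgement call; connectivity credentials survive by that rule.
function uniformRequest(host, path, explicit = {}) {
  const headers = {};
  const all = { ...store.ambientFor(host), ...lowerKeys(explicit) };
  for (const [name, value] of Object.entries(all)) {
    if (RESOURCE_HOST_CREDENTIALS.has(name)) continue;
    if (!CONNECTIVITY_CREDENTIALS.has(name) && name.startsWith("proxy-")) continue; // other proxy-* not treated as connectivity here
    headers[name] = value;
  }
  return { host, path, headers };
}

const TRANSFER_TOKEN = "t-9f3c1e7b"; // constructed secret a legitimate client was given

// Authenticating forward proxy: without a proxy credential nothing gets through.
function proxy(req) {
  if (!req.headers["proxy-authorization"]) return { status: 407 };
  return bankServer(req);
}

// The resource host: honours its own session cookie (ambient authority) or an
// explicit token the caller must possess.
function bankServer(req) {
  if (req.path !== "/transfer") return { status: 404 };
  const asUser = req.headers["cookie"] === "session=abc123";
  const hasToken = req.headers["x-transfer-token"] === TRANSFER_TOKEN;
  return asUser || hasToken ? { status: 200 } : { status: 401 };
}

// Scenarios, as seen from a page on an unrelated origin trying to move money.
function attackerWithClassicRequest() {
  return proxy(classicRequest("bank.example", "/transfer")).status; // 200: cookie rode along
}
function attackerWithUniformRequest() {
  return proxy(uniformRequest("bank.example", "/transfer")).status; // 401: no ambient authority
}
function tokenHolderWithUniformRequest() {
  const req = uniformRequest("bank.example", "/transfer", { "X-Transfer-Token": TRANSFER_TOKEN });
  return proxy(req).status; // 200: explicit, non-ambient authority
}
function uniformRequestKeepsProxyCredential() {
  return "proxy-authorization" in uniformRequest("bank.example", "/transfer").headers; // true
}
```

The two sets are the whole policy; adding a header name to one of them is the only decision a maintainer has to make, which is the "coherent policy that others can implement to" the message argues for, as opposed to deciding each header on its own merits.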