RE: Publishing From-Origin Proposal as FPWD

To the procedural points:

I am not a member of the Web Applications WG.  I do not have standing to block or make a formal objection to this moving forward as a FPWD.  Responsibility to measure consensus and the decision to move forward within that WG rests with Art.

The opinion of the proposed Web Applications Security WG (currently in the process of being chartered and of which I am a proposed co-chair) was solicited as to whether the work should move to that forum or be a joint deliverable with the Content Security Policy.  Additionally, one of the goals of the draft was to address concerns around clickjacking, an item under the proposed charter scope of the WebAppSec WG.  Wearing that (still phantom) hat, I can say that there isn't consensus to move this proposed mechanism as a cross-domain framing security solution to FPWD, alone or as part of the CSP, in the WebAppSec WG, at this time.  Until AC approval, we can't move anything to FPWD at this time.  :)

My other concerns with the proposal are put forward only as an interested member of the community.  I expect there will be ample opportunity to discuss them.  If Art feels that moving forward to FPWD is the best next step to foster that and other discussions, I'm more than happy to participate there to the extent the WG welcomes my feedback and finds it useful.

Thanks,

Brad Hill

-----Original Message-----
From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Bjoern Hoehrmann
Sent: Tuesday, July 05, 2011 4:38 PM
To: Marcos Caceres
Cc: WebApps WG; public-web-security@w3.org
Subject: Re: Publishing From-Origin Proposal as FPWD

* Marcos Caceres wrote:
>On Tue, Jul 5, 2011 at 5:50 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
>> I feel that the goals of this draft are either inconsistent with the 
>> basic architecture of the web, cannot be meaningfully accomplished by 
>> the proposed mechanism, or both, and I haven't seen any discussion of 
>> these concerns yet.

I note that the Web Applications Working Group's Charter, if Brad Hill is a member, does require the rest of the Working Group to duly consider his points before moving on without consensus. If not, then the group is not required to wait with publication, but not discussing the points in a timely manner, without an argument how publication is urgent in some way, does not inspire confidence that the arguments will be heard and duly handled.

>Publication will enable wider discussion - particularly wrt the issues 
>you have raised. Not publishing it is tantamount to saying "I OBJECT TO 
>PROGRESS!". If you are correct, more people will see it and the 
>proposal will be shot down. Otherwise, other opinions will flourish 
>that may sway your position (or a new perspective will emerge all 
>together). In any case, calling for a spec not to be published, no 
>matter how bad it is, is not the right way to do this. Publishing a 
>spec is just a formality which can lead to discussion.

The more invested people are in something, the less likely they are to cut their losses; by doing things, you frame the discussion in favour of doing more. You get people to think more about how something can be fixed rather than thinking about whether to abandon the work, or use a very different approach. If you just propose an idea to me, we can talk about it more freely than if you had already invested a lot of effort in implementing the idea and asked me to review the idea after the fact.

(~ "Die normative Kraft des Faktischen": the normative force of the factual)

Realizing something is a bad idea early is therefore very important and not objecting to progress. Not wasting time on bad ideas is certainly progress, even if only indirectly as you'd work on other things instead.
As such it is quite important to react in a timely manner to design critique with care and detail. Psychologically, if you press ahead, you communicate that you care more about moving on than discussing details, which is likely to turn away the people more interested in details and quality; and the same is of course true for a draft of genuinely bad quality.

Which is just to say this is actually an important matter; sometimes it is best to go ahead and put your ideas into practise whatever others may be saying, other times it turns out that you should have listened more.
That is why we allow people to block actions, not necessarily progress, but only up to the point where arguments have been duly considered. And here we have yet to do that. Until that happens, short of someone making the case for urgency, I would agree the group should not publish and talk about this instead.
--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Wednesday, 6 July 2011 03:14:33 UTC