
RE: Transition Request: Subresource Integrity to FPWD

From: David Ezell <David_E3@VERIFONE.com>
Date: Fri, 21 Mar 2014 10:23:24 +0000
To: Wendy Seltzer <wseltzer@w3.org>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, "Hill, Brad" <bhill@paypal.com>
CC: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <54C00E24834FCE47B11EC129A84E7F788835F3B2@VF2WDEXMB1.verifone.com>

Hi Wendy:

First of all thank you for the draft, and thank you for your answers.  But I do think Henry's two points are valid and deserve some consideration.

It's great that coordination with IETF is active and ongoing.  But some acknowledgment of the items in play would be helpful in the document.  The same is true of the "Fetch" references - succinct acknowledgement not only helps the novice reader (obviously one can follow the links) but also shows respect for the referenced work.

A "references" section helps fulfill these requirements without undue (but not zero) overhead.  It can help make explicit what is and is not important when considering the referenced work, etc.

I realize I may be old-fashioned (and maybe even out of touch with pub requirements), but as a reader, I find a references section in any document that has normative sections that refer to other documents a comfort and a convenience.  Inline references are OK, but to me not as "public ready".

Of course, the purpose of any of these measures is to assure readers so that they don't wander into unfruitful speculation.  It's a balance.

Thanks for your consideration.

Best regards,
David Ezell


-----Original Message-----
From: Wendy Seltzer [mailto:wseltzer@w3.org]
Sent: Thursday, March 20, 2014 3:11 PM
To: Henry S. Thompson; Hill, Brad
Cc: Mike West; public-webappsec@w3.org
Subject: Re: Transition Request: Subresource Integrity to FPWD

Hi Henry,
(moving chairs to bcc, +public-webappsec)

On 03/20/2014 09:32 AM, Henry S. Thompson wrote:
> So I'm curious, perhaps even concerned, about the overlap between this
> work and the IETF.  Is the WG, or are you personally, regularly in
> touch with the right people at the IETF to be sure you're not stepping
> on toes over there, with respect to WebAppSec in general, and this
> document's proposals in particular?

What coordination are you thinking about? In general, Philippe and I are liaising with IETF and watching the saag and websec work, but if there's something you think we're missing, please say more.

>
> Um, and I'm even _more_ concerned because in trying to understand this
> spec, I read (section 3.4) that it is essentially a set of
> modifications to something called "the Fetch spec", which is not
> linked to, or in the References section, or otherwise identified.
> This should not have been allowed to be published in this state!

Fetch is in HTML5,
http://dev.w3.org/html5/spec-LC/fetching-resources.html

--Wendy


--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)



Received on Friday, 21 March 2014 10:24:03 UTC
