
Re: "Requirements for Powerful Features" strawman.

From: Brad Hill <hillbrad@fb.com>
Date: Thu, 20 Nov 2014 19:48:52 +0000
To: Mike West <mkwst@google.com>
CC: Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D0938570.1436%hillbrad@fb.com>
No strong opinions here. If it's normative, it probably belongs here; if it is non-normative, having it be a TAG finding vs. a WG Note might carry more impact.

From: Mike West <mkwst@google.com>
Date: Thursday, November 20, 2014 at 11:45 AM
To: Bradley Hill <hillbrad@fb.com>
Cc: Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Subject: Re: "Requirements for Powerful Features" strawman.

There are normative algorithms which I expect Service Worker, Web Crypto, EME, and other future specs to point to when outlining restrictions on their use (copy/pasted out of the MIX document, with slight adjustments).

There will be non-normative portions outlining which categories of feature ought to opt-into such restrictions and why.

WebAppSec seems like a natural home for this kind of document. If you think it ought to go to the TAG instead, but it seems pretty clearly covered by the draft charter we're all pretty happy with. :)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Nov 20, 2014 at 8:40 PM, Brad Hill <hillbrad@fb.com> wrote:
Sorry - I need to take some time and read it through, but quickly, is this
a normative document as extracted?  Can we write test cases and
demonstrate conformance?

On 11/20/14, 11:16 AM, "Chris Palmer" <palmer@google.com> wrote:

>On Thu, Nov 20, 2014 at 9:51 AM, Mike West <mkwst@google.com> wrote:
>
>> Seems clearly covered by "features which require a verifiably secure
>> environment".
>>
>> I'd prefer doing it here, but I'm easy. If folks think the TAG should
>> publish, I'm sure they'll be happy to do so.
>
>I'm fine with publishing it wherever and however, but I do think it
>should be a separate document.


Received on Thursday, 20 November 2014 19:49:19 UTC
