
Re: Follow-up to TAG meeting on Powerful Features

From: Mark Watson <watsonm@netflix.com>
Date: Tue, 17 Feb 2015 07:55:41 -0800
Message-ID: <CAEnTvdB2Kw9FojuFtnwJNzUOciENfeZKxLuTORF46yJ2yFVoHg@mail.gmail.com>
To: Wendy Seltzer <wseltzer@w3.org>
Cc: Daniel Appelquist <dan@torgo.com>, "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Feb 16, 2015 at 9:07 AM, Wendy Seltzer <wseltzer@w3.org> wrote:

> Hi Dan and TAG, cc WebAppSec,
>
> Thanks for inviting discussion on "Requirements for Powerful Features"
> at the recent TAG meeting.
>
> As a proposed way forward, I heard TAG express interest in working with
> WebAppSec on the specification, to edit a joint product in which the
> requirements for "Is [insert feature here] powerful?" could be
> normative. That way, we'd combine the TAG's insight on architectural
> considerations with WebAppSec's security expertise.
>

I'd like to re-iterate here a point I tried to make earlier to the
WebAppSec group. I think the use of language here is setting us up for
unnecessary and potentially prolonged debates about the meaning of
"powerful".

"Powerful" is a very broad term. One can imagine protracted discussions
about whether any given feature fits the English-language definition of
"powerful". But the current approach tries to make "powerful" isomorphic
with "not safe for HTTP websites". A more typical approach in such
circumstances is to coin a new or at least uncommon term so that one can
create and own a specific technical definition of that term.

Put another way, it seems at least plausible that there will be features
that fit the English-language definition of "powerful" but which are
perfectly safe to be used by HTTP sites. Conversely, there may be features
which are not very powerful at all, but which do need to be restricted to
HTTPS. Using the term "powerful" sets us up for pointless debates in such
cases.

In mathematics, it is common practice to re-purpose general English terms
for very specific meanings; for example, "simple" groups have little to do with
the English-language meaning of "simple". I don't think we have that luxury
here.

Could I suggest that we coin and define our own term? I don't have a great
suggestion; perhaps "HTTP-unsafe"?

…Mark
>
> If that's a correct recollection, who from the TAG would be interested
> in working with WebAppSec, and how can I help to bring you on-board?
>
> Best,
> --Wendy
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>
>
>
Received on Tuesday, 17 February 2015 15:56:09 UTC