W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: BIKESHED: Rename "Powerful features"?

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Wed, 18 Feb 2015 10:05:57 -0800
Message-ID: <CANh-dXk4K1Gm+6WBVLjay-pocJNgU1iherhjtjHiHMP2bzXogQ@mail.gmail.com>
To: Yan Zhu <yzhu@yahoo-inc.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mark Watson <watsonm@netflix.com>, Crispin Cowan <crispin@microsoft.com>, Brian Smith <brian@briansmith.org>
"Privileged" is currently used by
https://developer.mozilla.org/en-US/Marketplace/Options/Packaged_apps#Privileged_app
to refer to native-but-not-system-level APIs, so it overlaps some with
the packaging spec in addition to [POWER].

[POWER] is currently mostly about secure transport, rather than things
like XSS resistance. Does this group anticipate extending it toward
other kinds of secure contexts in the future? e.g. it could be named
"Secure Contexts" and define terms like "delivered via secure
transport", "resistant to untrusted script", "backend has been
audited", etc.

Since the definition of a "powerful feature" is going to be left to
the new TAG/WebAppSec collaboration, [POWER] won't be about "features"
anymore, so that doesn't need to go in the title.

Jeffrey

On Wed, Feb 18, 2015 at 9:12 AM, Yan Zhu <yzhu@yahoo-inc.com> wrote:
> Correct me if I'm wrong, but from recent discussions it sounded like the normative focus is more likely to be the "is X a secure context" section than the "is Y powerful" section. So if people think the word "powerful" is too radicalizing/distracting, maybe a reasonable title would be "Requirements for security-sensitive features" or "Security requirements for privileged features".
>
>
>
>
> On Wednesday, February 18, 2015 7:22 AM, Mike West <mkwst@google.com> wrote:
>
>
>
> Brian, Crispin, and Mark have all expressed various degrees of displeasure with the "powerful features" name, arguing that it invites debate about the word "powerful" rather than the content of the spec (I'm paraphrasing: see https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0304.html for a more detailed description).
>
> Mark suggested "HTTP-unsafe" to get the conversation started. I'm not a huge fan of that formulation, as it seems equally question-begging.
>
> If the normative focus of the specification is going to be the details in https://w3c.github.io/webappsec/specs/powerfulfeatures/#algorithms, and not the discussion in https://w3c.github.io/webappsec/specs/powerfulfeatures/#is-feature-powerful, then renaming the spec "Sufficiently Secure Contexts" might make sense. We could then drop the term "powerful" entirely in https://w3c.github.io/webappsec/specs/powerfulfeatures/#is-feature-powerful, and land on the verbose-but-tautologically-correct "Features which are only available in sufficiently secure contexts"?
>
>
> WDYT?
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
Received on Wednesday, 18 February 2015 18:06:45 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC