Re: BIKESHED: Rename "Powerful features"? from Mark Watson on 2015-02-18 (public-webappsec@w3.org from February 2015)

From: Mark Watson <watsonm@netflix.com>
Date: Wed, 18 Feb 2015 13:00:15 -0800
To: Crispin Cowan <crispin@microsoft.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Yan Zhu <yzhu@yahoo-inc.com>, Brian Smith <brian@briansmith.org>
Message-ID: <CAEnTvdCLPZQQebh-AYGK_0Bjn5O4X1vT5puk+jiLYVp=0QMUzQ@mail.gmail.com>

It's hard to argue that a feature which exposed a vast library of advanced
mathematical functions is not "powerful", but - correctness and speed aside
- such a library could equally well be built in Javascript, so it's also
hard to argue that it requires a secure origin. One can imagine features
that access the users machine in a way that requires user permission but
which aren't otherwise all that powerful and one can well argue that such a
feature - because of the desire to know to whom permission is being granted
- should require a secure origin.

"Powerful" and "Requires a secure context" are not well aligned.

Why not call the document "Secure contexts" and the features "Features
requiring a secure context" ?

…Mark

On Wed, Feb 18, 2015 at 12:44 PM, Crispin Cowan <crispin@microsoft.com>
wrote:

>  How about we go to the required semantics, and then reverse-engineer a
> name?
>
>
>
> I have not read the spec. Rather than giving excuses or whining about it J
> I will use it as a forcing function: someone plese post no more than 100
> words why some “powerful” features need Foo treatment, and other
> “!powerful” features need bar treatment. From there we hopefully can derive
> a good name for this feature property.
>
>
>
> Why 100 words? If it takes more than that, then I submit the concept isn’t
> baked yet.
>
>
>
> *From:* Mike West [mailto:mkwst@google.com]
> *Sent:* Wednesday, February 18, 2015 8:03 AM
> *To:* Mark Watson
> *Cc:* public-webappsec@w3.org; Yan Zhu; Crispin Cowan; Brian Smith
> *Subject:* Re: BIKESHED: Rename "Powerful features"?
>
>
>
> On Wed, Feb 18, 2015 at 4:49 PM, Mark Watson <watsonm@netflix.com> wrote:
>
>  I'm sorry you feel this is a "bikeshed"
>
>
>
> That was supposed to be a joke. :) I thought your concerns were
> reasonable, and I think it's worth bringing them back to the group
> explicitly.
>
>
>
>  - the objective is to *avoid* future pointless nebulous discussions of
> the kind "is X 'powerful' ?" in favor of a more concrete "does X require a
> secure context ?". "Secure context" is a term we can own and define
> rigorously, "powerful" is not.
>
>
>
> I think you underestimate the ability of people to argue about terms. :)
> "Secure" is certainly something that folks can and will debate. See, for
> instance, the long, long threads discussing opportunistic encryption. Is
> that secure? I certainly have an opinion, and I know completely reasonable
> folks who completely disagree with me.
>
>
>
>  You could reasonably drop the qualifier "sufficiently" on the grounds
> that we don't generally bother writing specs for things that are
> "insufficient" and you could name the section "Features requiring secure
> contexts".
>
>
>
> I think at some point we need to accept that we're defining a term. If
> it's the case that defining "sufficiently secure" is as likely to cause
> debate as defining "powerful feature", then let's leave things as they are,
> because "POWER" is a totally radical name for a spec.
>
>
>    --
> Mike West <mkwst@google.com>, @mikewest
>
>
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
>
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>

Received on Wednesday, 18 February 2015 21:00:44 UTC