Re: A Somewhat Critical View of SOP (Same Origin Policy)

On 09/24/2015 01:07 AM, Harry Halpin wrote:
> On 09/23/2015 11:56 PM, Dave Longley wrote:
>> As this has degenerated into what I consider flaming, I've removed
>> others from the CC list and I don't plan on responding further.
>>
>> On 09/23/2015 09:12 PM, Harry Halpin wrote:
>>> TL;DR
>>>
>>> As it's pretty clear we're just rehashing known problems with
>>> violating same origin policy and basic crypto key management
>>> issues, I will now turn my spam filter back on :)
>> I do agree we're getting nowhere, but for different reasons.
>> Accusing someone of positions they don't hold and then telling them
>> any response will be considered spam isn't a discussion. No wonder
>> the motivations of others are unclear to you.
>
> I apologize if I've misconstrued your position from specs you've
> written, code you've written, or blog posts.

Thank you, apology accepted.

Also, as always, we do plan on updating our specs as time permits.
Unfortunately, there's typically a lot going on ... all the time.

Please keep in mind the "credentials-retrospective" post you referenced
is a draft. Perhaps we should add a section on differentiating
technologies from how they are spec'd at the protocol level (as I'm sure
you know, OAuth 2.0 removed signatures from the spec, with much
controversy and fallout [1][2]) vs. how they are used or could be used
and augmented in practice. The same treatment should be applied to all
specs and feedback is welcome.

1. http://hueniverse.com/2010/09/15/oauth-2-0-without-signatures-is-bad-for-the-web/
2. http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/

-- 
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com

Received on Thursday, 24 September 2015 15:57:47 UTC