- From: Ryan Sleevi <sleevi@google.com>
- Date: Thu, 15 Nov 2012 15:49:55 -0800
- To: Mark Watson <watsonm@netflix.com>
- Cc: Harry Halpin <hhalpin@w3.org>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Thu, Nov 15, 2012 at 3:18 PM, Mark Watson <watsonm@netflix.com> wrote: > > On Nov 15, 2012, at 2:56 PM, Ryan Sleevi wrote: > > Ryan, > > I excepted one point from your mail as I feel it is important: > >> Again, there's certainly a committment and interest in these issues. >> However, the feeling is that the most important and pressing issue is >> basic algorithm and usability support. > > This may be *your* feeling, but it is not mine. The API is essentially useless to us without support for pre-provisioned keys and so they are just as important to us as any other part of the API. Something we've made clear from the outset of this work. Mark, (Hopefully) nothing in this spec prohibits you from implementing support for pre-provisioned keys on your own. I would suggest you look at how other APIs have been specified - such as in WebApps or HTML WG - or proposed - such as in SysApps - to see how a number of other vendors and implementers are able to continue to make progress and improve the open web platform without requiring the "everything and the kitchen sink" approach to specs. Indeed, it is not at all uncommon to see specifications broken up (see, for example, CSS Modules), and independently and concurrently developed. I'm sympathetic to the need's of Netflix regarding pre-provisioned keys. I imagine you may equally feel that HTML is useless for Netflix without Encrypted Media Extensions, or that <video> is useless without the MediaSource APIs. However, it seems that both HTML and <video> have been able to progress and be useful for a number of other participants, without requiring that support, and I would suggest the same is here - a number of audiences and needs can be addressed without pre-provisioned keys, and so I do not think it useful nor considerate to those use cases to block any progress based on this specific issue. We didn't have to land on the moon in order to say we discovered flight, nor do I think we need to solve everyone's use cases in the first release to have a meaningful API for the open web. Otherwise, we'll spend the next three years discussing certificate discovery, OCSP, and Kerberos APIs, and deliver nothing in the mean time.
Received on Thursday, 15 November 2012 23:50:22 UTC