W3C home > Mailing lists > Public > www-tag@w3.org > January 2008

Re: Are Jon's comments from IBM, the OAA, citizen Jon, ...? [Was: Re: Review of http://www.w3.org/TR/2007/WD-access-control-20071126/]

From: Jon Ferraiolo <jferrai@us.ibm.com>
Date: Wed, 9 Jan 2008 07:52:43 -0800
To: Arthur Barstow <art.barstow@nokia.com>
Cc: "David Orchard" <dorchard@bea.com>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org, www-tag@w3.org
Message-ID: <OF9A99D0CE.0CB814ED-ON882573CB.0055F111-882573CB.00573955@us.ibm.com>

Hi Art,
When I use the word "I", I am referring to myself as an individual. If I
want to express the positions of IBM or OpenAjax Alliance, I will say that
I am relaying positions shared by others at the respective organization.

In terms of Access Control vs JSONRequest vs nothing:

1) Let's not have the industry do both Access Control and JSONRequest. Pick
one or the other, or do nothing.
2) If adopted within browsers and by the industry, JSONRequest looks like a
good thing to me and would be better than doing nothing. It provides a
robust and legitimate alternative to the dynamic SCRIPT tag hack that is
widely used in industry today. I believe there are a straightforward ways
to extend JSONRequest to accommodate XML in addition to JSON.
3) I have lots of concerns about Access Control as currently formulated.
Others share these concerns, which seems likely to inhibit adoption if the
spec stays as it is. If it does get adopted in its current form, I'm not
sure how much the industry benefits from the new features and how much it
will be harmed by the security issues and other costs.

But the caveat with my opinions listed above is that I'm not sure about the
list of target use cases. JSONRequest addresses one key target use case
(i.e., GET/POST to a public web service). I am assuming that other use
cases are either not as important or too problematic.

Jon



                                                                           
             Arthur Barstow                                                
             <art.barstow@noki                                             
             a.com>                                                     To 
                                       Jon Ferraiolo/Menlo Park/IBM@IBMUS  
             01/09/2008 05:44                                           cc 
             AM                        "David Orchard" <dorchard@bea.com>, 
                                       "WAF WG (public)"                   
                                       <public-appformats@w3.org>,         
                                       public-appformats-request@w3.org,   
                                       www-tag@w3.org                      
                                                                   Subject 
                                       Are Jon's comments from IBM, the    
                                       OAA, citizen Jon, ...? [Was: Re:    
                                       Review of                           
                                       http://www.w3.org/TR/2007/WD-access 
                                       -control-20071126/]                 
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




Jon,

On Jan 8, 2008, at 9:33 PM, ext Jon Ferraiolo wrote:
> But I would go further and question the whole approach of listing a
> set of domains that are allowed or denied.
Besides you raising concerns of the whitelist/blacklist mechanism in
this thread, you also appear to posit that doing nothing would be
better [1].

To help the WG understand the scope/context of your comments, would
you please clarify what you mean when use "I" in your comments? Does
it mean "citizen Jon", "IBM", "the Open Ajax Alliance (OAA)",
something else?

If you are speaking on behalf of the OAA membership [2], are you
speaking based on consensus of the entire org, consensus of some  OAA
WG(s), unanimity of the entire org, etc.? Also, please send us the
pointer to OAA's archive(s) of their related discussions.

Thanks, Art Barstow
---

[1] <http://lists.w3.org/Archives/Public/public-appformats/2008Jan/
0072.html>
[2] <http://www.openajax.org/member/wiki/Members>









graycol.gif
(image/gif attachment: graycol.gif)

pic15470.gif
(image/gif attachment: pic15470.gif)

ecblank.gif
(image/gif attachment: ecblank.gif)

Received on Wednesday, 9 January 2008 15:55:06 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:32:55 UTC