- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Wed, 9 Jan 2008 07:52:43 -0800
- To: Arthur Barstow <art.barstow@nokia.com>
- Cc: "David Orchard" <dorchard@bea.com>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org, www-tag@w3.org
- Message-ID: <OF9A99D0CE.0CB814ED-ON882573CB.0055F111-882573CB.00573955@us.ibm.com>
Hi Art,

When I use the word "I", I am referring to myself as an individual. If I want to express the positions of IBM or OpenAjax Alliance, I will say that I am relaying positions shared by others at the respective organization.

In terms of Access Control vs JSONRequest vs nothing:

1) Let's not have the industry do both Access Control and JSONRequest. Pick one or the other, or do nothing.

2) If adopted within browsers and by the industry, JSONRequest looks like a good thing to me and would be better than doing nothing. It provides a robust and legitimate alternative to the dynamic SCRIPT tag hack that is widely used in industry today. I believe there are straightforward ways to extend JSONRequest to accommodate XML in addition to JSON.

3) I have lots of concerns about Access Control as currently formulated. Others share these concerns, which seems likely to inhibit adoption if the spec stays as it is. If it does get adopted in its current form, I'm not sure how much the industry benefits from the new features and how much it will be harmed by the security issues and other costs.

But the caveat with my opinions listed above is that I'm not sure about the list of target use cases. JSONRequest addresses one key target use case (i.e., GET/POST to a public web service). I am assuming that other use cases are either not as important or too problematic.

Jon

Arthur Barstow <art.barstow@nokia.com>
01/09/2008 05:44 AM
To: Jon Ferraiolo/Menlo Park/IBM@IBMUS
cc: "David Orchard" <dorchard@bea.com>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org, www-tag@w3.org
Subject: Are Jon's comments from IBM, the OAA, citizen Jon, ...? [Was: Re: Review of http://www.w3.org/TR/2007/WD-access-control-20071126/]

Jon,

On Jan 8, 2008, at 9:33 PM, ext Jon Ferraiolo wrote:

> But I would go further and question the whole approach of listing a
> set of domains that are allowed or denied.

Besides you raising concerns of the whitelist/blacklist mechanism in this thread, you also appear to posit that doing nothing would be better [1].

To help the WG understand the scope/context of your comments, would you please clarify what you mean when you use "I" in your comments? Does it mean "citizen Jon", "IBM", "the Open Ajax Alliance (OAA)", something else?

If you are speaking on behalf of the OAA membership [2], are you speaking based on consensus of the entire org, consensus of some OAA WG(s), unanimity of the entire org, etc.? Also, please send us the pointer to OAA's archive(s) of their related discussions.

Thanks,
Art Barstow
---

[1] <http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0072.html>
[2] <http://www.openajax.org/member/wiki/Members>
Received on Wednesday, 9 January 2008 15:55:06 UTC