- From: Tyler Close <tyler.close@gmail.com>
- Date: Fri, 12 Feb 2010 13:53:36 -0800
- To: noah_mendelsohn@us.ibm.com
- Cc: Jonathan Rees <jar@creativecommons.org>, www-tag@w3.org

I have two things to point out, that I think might lead to agreement on this issue.

1. Note that nowhere does my draft text require that an unguessable URL alone be sufficient to grant access to a resource. It only says that private resources SHOULD use unguessable URLs. It doesn't say that you can't use additional security measures. One battle at a time I figure. See:

http://lists.w3.org/Archives/Public/www-tag/2010Feb/0081.html

2. On Fri, Feb 12, 2010 at 8:50 AM, <noah_mendelsohn@us.ibm.com> wrote:

> I do object to proposals to, at this stage, tighten
> the rules for management of URIs on the Web, in email, etc.

I don't think I've proposed any such tightening. I have only put into words part of the security model that browsers currently attempt to enforce. If you believe otherwise, please provide specific counter-examples. In particular, my draft text makes no mention of email servers or HTTP proxy servers, so it's hard to claim I aim to restrict their behavior.

AFAICT, we should be able to agree on the substance of my draft text at this point, even if some word smithing is desired.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Friday, 12 February 2010 21:54:12 UTC