Re: Draft minutes of TAG teleconference of 21 January 2010

On Sat, Jan 23, 2010 at 7:55 AM, Jonathan Rees <jar@creativecommons.org> wrote:
> On Sat, Jan 23, 2010 at 5:24 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> I understand that sometimes meaning is lost in email and especially in
>> meeting transcripts, so I just want to check that I understand the
>> current status of the discussion on ACTION-278.
>>
>> 1. The TAG does not dispute any of the arguments made in my web-key
>> paper <http://waterken.sf.net/web-key>.
>
> "The TAG" is a bunch of people and as a group they have formed no
> consensus.

The web-key paper reaches a series of conclusions based on arguments
from first principles. For example, the paper concludes that use of
username/password violates webarch principles of global identification
and orthogonality. I am wondering if any members of the TAG dispute
any of the arguments in the web-key paper. I am not asking if anyone
dislikes these arguments, but rather whether they believe there is a
flaw in the reasoning and what that flaw is.

> But from Thursday's discussion it seems quite clear that
> Noah disagrees with your paper.

It seems quite clear that he dislikes the paper's conclusions. I have
seen no counter-arguments for any of the arguments presented in the
paper. Counter-arguments are required in order to disagree.

> Whatever the benefits of web-keys, he
> doesn't think URIs should *ever* require protection or carry
> authority,

As I've pointed out, the current text of the finding already states
that a URI for a confidential resource should be protected. The
finding is self-contradictory.

> and given where he starts I'm not sure how your paper could
> have much effect.

I'm hoping that he will actually engage with the presented arguments,
rather than merely say "I don't like that". There's not much to be
done with the latter position.

> I think part of the problem is that "sharing" in web architecture
> means "sharing with everyone" rather than the more general web-key
> notion of "sharing with those who you want to share with". The TAG
> findings seem to take an all-or-nothing view to sharing, putting
> access control basically outside of the purview of web architecture,
> even though it has a very simple solution within it. The roots of this
> position are historical (the web was created as a global information
> space), political (let's not make it too easy to create secret things
> that "divide the web"), and technical (access control is complicated
> and if we worried about it the architecture would topple under its own
> weight). This is an awful lot of baggage to try to put aside all at
> once...

As I've argued in the web-key paper, the TAG's failure to consider
access-control resulted in the Same Origin Policy, which severely
restricts the ability to "share with everyone" on the Web. The use of
ambient authority has broken the public "share with everyone" Web.
Calling this breakage a "policy" doesn't reduce the damage done to the
Web's stated goals: it's still just "same origin", not "everyone".

>> 2. The TAG understands that unguessable URLs are used for
>> access-control by many of the most popular sites on the Web. For
>> example, this email contains a Google Docs URL [1] for a document I
>> have chosen to make readable by all readers of this mailing list, even
>> those who have never used Google Docs. Had I not so chosen, these
>> readers would not have access and I could have shared access with a
>> smaller group of people, or no one at all.
>
> Noah said that he didn't find popularity to be convincing, so this is
> irrelevant to him.

The good judgment of engineers working at these Web sites is also irrelevant?

...

> If I can paraphrase Noah's argument, he asserts that URIs, simply by
> virtue of being URIs, are so likely to be made public that they
> shouldn't ever hold bits that need to be protected. If something needs
> to be kept private it shouldn't be in a URI. Somehow the password by
> virtue of being called a password is going to be protected, while the
> URI by virtue of being called a URI is going to be exposed.

I'm calling these permission-bearing URIs "web-keys". Every web-key
explicitly states that it's using the https scheme, which explicitly
claims the needed security properties.

> I don't agree with this; like you I think using URIs to designate is a
> good idea. While creating public good and "network effects" is a good
> thing, and the architecture should strive to make it easy to create
> public benefit, the public aspects of web architecture are not the
> only important ones - otherwise we wouldn't have https: and access
> control at all.

Agreed, webarch and "network effects" are also valuable for
access-controlled resources.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Saturday, 23 January 2010 18:07:55 UTC
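
The thread describes unguessable https URLs being used for access control, shared with everyone, a smaller group, or no one. The following is an added example, not part of the original message or of the web-key paper's own code. It sketches how a server might mint, resolve and revoke such URLs; the host name, the URL layout (key in the last path segment), the in-memory store and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

# Hypothetical in-memory grant table: SHA-256(key) -> resource id.
# Only the hash is stored, so a leaked table does not yield usable URLs.
GRANTS = {}

BASE = "https://docs.example/share"  # constructed host, not a real service


def _digest(key):
    return hashlib.sha256(key.encode("ascii", "replace")).hexdigest()


def mint_web_key(resource_id):
    """Return a new https URL that carries a 128-bit unguessable key."""
    key = secrets.token_urlsafe(16)  # 16 bytes from the OS CSPRNG
    GRANTS[_digest(key)] = resource_id
    return f"{BASE}/{key}"


def resolve_web_key(url):
    """Return the resource id this URL grants access to, or None."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # the key must never travel in cleartext
        return None
    key = parts.path.rsplit("/", 1)[-1]
    # Lookup by hash: no byte-by-byte comparison against a stored secret.
    return GRANTS.get(_digest(key))


def revoke_web_key(url):
    """Withdraw one URL's grant; other URLs for the resource keep working."""
    key = urlsplit(url).path.rsplit("/", 1)[-1]
    return GRANTS.pop(_digest(key), None) is not None


def response_headers():
    """Headers that limit where a served web-key URL can leak to."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


if __name__ == "__main__":
    list_url = mint_web_key("doc-42")   # e.g. shared with a mailing list
    small_url = mint_web_key("doc-42")  # e.g. shared with a smaller group
    revoke_web_key(list_url)            # narrow access afterwards
    print(resolve_web_key(list_url), resolve_web_key(small_url))
```

Minting one URL per audience is what allows access to be narrowed later without disturbing the other recipients.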