Re: ACTION-515 and ACTION-516: Publishing John Kemp's TAG work on security

Hello,

On Aug 9, 2011, at 5:06 PM, ext Thomas Roessler wrote:

> On Aug 9, 2011, at 21:41 , Tobias Gondrom wrote:
>> 
>> Actually, I am not quite sure about the purpose of this document and how I can help.
>> I agree with Mark: the page is a basic introduction, but the intended value, and for whom and why, is not clear to me.
>> 
>> If work/input is needed to help the IAB/TAG on the security topic or wiki pages, please let me know (with a link to the wiki/work item and the intended goals/results).
>> 
>> Btw. just fyi: a somewhat related doc in websec is http://tools.ietf.org/id/draft-hodges-websec-framework-reqs-00.txt (where we try to define requirements to be used by websec and W3C WebAppSec). But it is still very rough, i.e. work in progress.
> 
> Another related document is, of course, the excellent Browser Security Handbook:
> 	http://code.google.com/p/browsersec/wiki/Main
> 
> I'd recommend reviewing the existing documents first and finding out what exactly the TAG is trying to add to those.

Being the person who started this document, I feel I should probably explain what was intended.

It is certainly NOT intended as an introductory document, but one documenting the state of security on the Web at the time, giving some reasoning for why we got here, and mentioning some current controversial topics (CORS vs. UMP and their relation to XHR2). See http://www.w3.org/2001/tag/2010/06/01-cross-domain.html for more about that.

There are certainly many advocates of origin-based security, but there are also dissenters. I wanted to accurately capture that dissent, and point out that 'origin' was based on the immediate need to solve a specific problem with the creation of cookies, and it has been turned into something that may have a significant architectural impact on the Web. It's also the case that several large systems on the Web are not reliant on the origin/cookie-based model (see http://en.wikipedia.org/wiki/Caja_project).

I don't believe that any of this is captured either in Adam Barth's work to document the origin-based security model, or in the Web Security Framework requirements document referenced in this discussion. In other words, I don't think the TAG (or anyone else at W3C or IETF) is looking beyond the current security model of the Web, which I would say is not ideal.

Regards,

- John

Received on Wednesday, 10 August 2011 18:04:33 UTC