- From: Mark Watson <watsonm@netflix.com>
- Date: Tue, 17 Feb 2015 07:55:41 -0800
- To: Wendy Seltzer <wseltzer@w3.org>
- Cc: Daniel Appelquist <dan@torgo.com>, "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEnTvdB2Kw9FojuFtnwJNzUOciENfeZKxLuTORF46yJ2yFVoHg@mail.gmail.com>
On Mon, Feb 16, 2015 at 9:07 AM, Wendy Seltzer <wseltzer@w3.org> wrote:
> Hi Dan and TAG, cc WebAppSec,
>
> Thanks for inviting discussion on "Requirements for Powerful Features"
> at the recent TAG meeting.
>
> As a proposed way forward, I heard TAG express interest in working with
> WebAppSec on the specification, to edit a joint product in which the
> requirements for "Is [insert feature here] powerful?" could be
> normative. That way, we'd combine the TAG's insight on architectural
> considerations with WebAppSec's security expertise.
>

I'd like to reiterate here a point I tried to make earlier to the WebAppSec group. I think the use of language here is setting us up for unnecessary and potentially prolonged debates about the meaning of "powerful".

"Powerful" is a very broad term. One can imagine protracted discussions about whether any given feature fits the English-language definition of "powerful". But the current approach tries to make "powerful" isomorphic with "not safe for HTTP websites". A more typical approach in such circumstances is to coin a new or at least uncommon term so that one can create and own a specific technical definition of that term.

Put another way, it seems at least plausible that there will be features that fit the English-language definition of "powerful" but which are perfectly safe to be used by HTTP sites. Conversely, there may be features which are not very powerful at all, but which do need to be restricted to HTTPS. Using the term "powerful" sets us up for pointless debates in such cases.

In mathematics, it is common practice to re-purpose general English terms for very specific meanings; for example, "simple" groups have little to do with the English-language meaning of "simple". I don't think we have that luxury here. Could I suggest that we coin and define our own term? I don't have a great suggestion, perhaps "HTTP-unsafe"?

…Mark

> If that's a correct recollection, who from the TAG would be interested
> in working with WebAppSec, and how can I help to bring you on-board?
>
> Best,
> --Wendy
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Tuesday, 17 February 2015 15:56:09 UTC