On Wed, Jan 10, 2018 at 10:42 PM, Ryan Sleevi <r...@sleevi.com> wrote: > > > I do not know why you say that, considering the Forum explicitly decided > to make .10 flexible as it is to accommodate both solutions. > > The goal was explicitly NOT to make an ideal-secure solution, it was to > document what is practiced in favor of replacing “any other method” > > To that end, it is more useful to point out, “As written, X is > permissible, but not desired, while restricting to Y reduces that risk”. > The goal is honestly less to provide solutions (“I think it should be > this”) and more to provide risk assessments and suggestions. The latter is > far more beneficial for walking folks through the risks and concerns and > how to mitigate. >
Ouch. I was not aware of that aspect of the historical part of the picture. What I recall most was there there was some IPR drama over some of the blessed methods. So, essentially, the bargain that was struck was something along the lines of "Confess your validation method sins and let them -- at least for a time -- be blessed, as long as they're not entirely egregious and in exchange for killing the ability to hide behind `or any other method`?" _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
