The latest published Editors Draft includes this, and there has been
quite a bit of mailing about it over the past few days. We hope to
finalize the requirements at Wednesday's conference call.
I agree that it is unfortunate that these requirements haven't been
formalized earlier.
/ Jonas
T.V. Raman wrote:
All of Jon's nice-to-haves will ensure that this spec gets
reviewed appropriately --- having reviewers guess at the intent
is usually a recipe for disaster.
Jon Ferraiolo writes:
>
> My conclusion after going through various standards efforts is that there
> tends to be a better end result when the working group takes some time at
> the beginning to write down and gain consensus on a set of target use cases
> (can be described briefly) and at least a general set of requirements. This
> gets the working group on the same page and allows the public to provide
> early feedback about whether the specification ultimately will deliver what
> the community needs. When I studied the Access Control specification a
> couple of months ago, I attempted to find things that even halfway
> resembled use cases and requirements, couldn't find anything, and then
> attempted to hazard a guess:
>
> * http://www.openajax.org/member/wiki/JonFerraiolo_Thoughts_On_W3C_Access_Control#Use_cases
>
> In terms of requirements, it is advisable to have a separate requirements
> document (possibly including use cases) or a separate requirements section.
> I have found that a good format for requirements is to use MUST/SHOULD/MAY
> terminology where the new language MUST do this and the new language SHOULD
> do that. For instance:
>
> * The Access Control mechanism MUST not broaden the attack surface for
> hackers, particularly with regard to CSRF
> * The Access Control mechanism MUST be architected such that servers must
> opt-in to the technology before their data can be accessed from a different
> domain
> * The Access Control mechanism MUST enable retrieval of information from
> other domains that allow such retrieval, and MAY enable posting data to
> other domains.
> * The Access Control mechanism MUST support popular data transmission
> formats, including both XML and JSON
> etc.
>
> I would very much like to see at least the addition of a use cases section
> at the top of the specification, but it would be nice to also see a list of
> requirements.
>
> Jon
>
> From: "Anne van Kesteren" <[EMAIL PROTECTED]>
> Sent by: public-appformats [EMAIL PROTECTED]
> To: "Mark Nottingham" <[EMAIL PROTECTED]>, "Ian Hickson" <[EMAIL PROTECTED]>
> cc: "Close, Tyler J." <[EMAIL PROTECTED]>, "[email protected]" <[email protected]>
> Date: 01/03/2008 12:54 AM
> Subject: Re: Comments on: Access Control for Cross-site Requests
>
> On Thu, 03 Jan 2008 02:26:57 +0100, Mark Nottingham <[EMAIL PROTECTED]>
> wrote:
> > Has the working group gained consensus on this requirements list and
> > documented it?
>
> As far as I can tell the Working Group has always worked with these
> constraints in mind, but we never put them in a document.
>
>
> --
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>
>
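Jon's requirement list above (servers MUST opt in before their data is readable cross-domain, the mechanism MUST NOT broaden the CSRF attack surface, cross-domain retrieval MUST be enabled while posting only MAY be) describes a decision procedure that is easier to reason about in code. The following is an added example written for this page; it is not code from the W3C draft, from the mailing list, or from any browser. The header names (Origin, Access-Control-Allow-Origin) and the "simple request" rule are assumptions borrowed from what later standardized as CORS, not the syntax of the 2008 Editors Draft, and all origins and headers are constructed sample values.

```python
"""Toy model of the opt-in cross-site access-control decision.

Added example, not code from the W3C draft or the mailing list.  Header
names follow what later became CORS; treat them as assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Content types that a legacy HTML <form> could already send cross-origin
# before any access-control mechanism existed (an assumption modelled on CORS).
_FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


@dataclass
class ServerPolicy:
    """The server's explicit opt-in: which origins may read its data and
    whether it accepts cross-origin POSTs.  The default is: nobody, no."""
    allowed_origins: Set[str] = field(default_factory=set)
    allow_post: bool = False


def requires_preflight(method: str, request_headers: Dict[str, str]) -> bool:
    """Jon's 'MUST NOT broaden the attack surface' requirement, as a rule:
    a request that a legacy form could not already have sent (non-form
    method, or a non-form Content-Type) needs the server's permission
    before the browser sends it.  GET/HEAD and form-style POSTs were
    already possible, so gating them buys no CSRF protection."""
    method = method.upper()
    if method in {"GET", "HEAD"}:
        return False
    if method == "POST":
        ctype = request_headers.get("Content-Type", "").split(";")[0].strip().lower()
        return ctype not in _FORM_CONTENT_TYPES
    return True


def server_response_headers(policy: ServerPolicy,
                            request_origin: Optional[str],
                            method: str) -> Dict[str, str]:
    """Headers a server emits for a cross-origin request.  Emitting nothing
    is the safe default: with no opt-in header, the browser must not expose
    the response to the requesting origin."""
    headers: Dict[str, str] = {}
    if request_origin is None or request_origin not in policy.allowed_origins:
        return headers
    method = method.upper()
    if method in {"GET", "HEAD"} or (method == "POST" and policy.allow_post):
        # Echo back the single requesting origin rather than a wildcard, so the
        # grant is scoped exactly to the origin the policy named.
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


def browser_may_expose(request_origin: str, response_headers: Dict[str, str]) -> bool:
    """Browser-side check: the response body is readable by the requesting
    origin only if the server explicitly named that exact origin.  A full
    string comparison of scheme://host[:port] avoids suffix/prefix tricks
    such as 'https://app.example.attacker' matching 'https://app.example'."""
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed is not None and allowed == request_origin


def decide(policy: ServerPolicy, request_origin: str, method: str,
           request_headers: Dict[str, str]) -> str:
    """End-to-end outcome for one cross-origin request, as a short label."""
    if requires_preflight(method, request_headers) and \
            request_origin not in policy.allowed_origins:
        return "blocked-before-send"      # no opt-in: the request never leaves
    headers = server_response_headers(policy, request_origin, method)
    return "readable" if browser_may_expose(request_origin, headers) else "opaque"


if __name__ == "__main__":
    # Constructed sample policy: one trusted reader, reads only.
    policy = ServerPolicy(allowed_origins={"https://app.example"})
    for origin, method, hdrs in [
        ("https://app.example", "GET", {}),
        ("https://evil.example", "GET", {}),
        ("https://app.example", "POST", {"Content-Type": "application/json"}),
        ("https://evil.example", "PUT", {}),
    ]:
        print(f"{origin:22} {method:5} -> {decide(policy, origin, method, hdrs)}")
```

The shape of the decision matters more than the header names: the server's silence means "no", the grant names one exact origin, and the only requests gated before they are sent are those the pre-existing web could not already issue, which is what keeps the mechanism from widening the CSRF surface while still delivering the opt-in cross-domain read Jon's list calls for.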