On Mon, 12 Oct 2009 14:50:07 +0200, Jonathan Rees <j...@creativecommons.org> wrote:
> If access to resources weren't controlled (i.e. secure in the face of
> realistic risks), why would you deploy the feature?

The feature is there to enable resources talking to each other in cross-origin fashion in a way that does not compromise existing servers. It's not about access control. (That's why I renamed the draft and all.)


>> Then again, I think this was explained before as well, so I kind of have the
>> feeling we are going around in circles.

> That you are going around in circles is an accurate assessment. I
> recommend you open an issue in your tracker for this, if you haven't
> already, and that the next time you ask the W3C membership to review a
> draft, if you haven't resolved the issue, that you include a note that
> a possible vulnerability has been identified, but that there isn't
> agreement in the WG over whether it is a real vulnerability; or if it
> is, whether it needs to be addressed. [sorry, can't figure out how to
> make that easier to read.]

So far the WG does not think there is a vulnerability as far as I can tell. And neither do the security teams of the implementors.


> The stakes are pretty high here, so you want to make all reasonable
> efforts to ensure that the practice you're thinking of Recommending
> really is something that ought to be Recommended (as opposed to just
> something that's already being Done).

Sure.


> And I think we'll all learn something if we get to the bottom of this!
> Think of your struggle to get consensus as an opportunity, not an
> annoyance.

I think if we want to get closer to consensus the party raising concerns needs to be much more concrete as to what the problem is.

If there is a problem I certainly would like to fix it. (My apologies for coming over as annoyed; I'm not, just somewhat confused.)


--
Anne van Kesteren
http://annevankesteren.nl/
