On Fri, Nov 20, 2009 at 8:34 AM, Robin Berjon <[email protected]> wrote:
> On Nov 20, 2009, at 00:22 , Adam Barth wrote:
>> It's emails like this that make me skeptical of the security work
>> being done in the device APIs working group.
>
> *sigh* I feel like a broken record. It feels like I've spent my time since
> TPAC involved in an endless repeat of the following discussion:
>
> - "You must support security at the API definition level!!!1"
> - "Yes. That is the plan. That is what we will do. We've already agreed to
> that."
> - "Okay... But... You must support security at the API definition level!!!1"
> - "..."
>
> DAP will handle security at the API definition level. Full stop.
>
> Now, there may be participants in the WG who believe that policy could *also*
> be used in browsers, or other such things. That may or may not be the
> possible, practical, doable, implementable, safe. You may or may not agree.
> The fact is, for the purpose of trusting that DAP will handle security at the
> API definition level, it doesn't matter because: DAP will handle security at
> the API definition level.
>
> If you don't like the policy stuff, don't implement the policy stuff. You can
> still implement the APIs because, you know what? DAP will handle security at
> the API definition level.
>
> If later a policy-based approach surfaces that changes your mind and makes
> you want to support it, that's also fine. But for the immediate purpose of
> creating DAP APIs that can work in browsers it doesn't matter because DAP
> will handle security at the API definition level.
>
> Is this clearer?
>
> Would people mind if we had this DAP conversation just on the DAP list and
> cut down on the cross-posting? It's not as if WebApps didn't see some traffic
> already.
>
> Oh, and yeah, DAP will handle security at the API definition level.

Imma let you finish, but HTML has the greatest security of all times. Of all times! :)

Ok, in all seriousness. I don't think we'll be able to get any further until there are actual API proposals on the table. At that point I think the various browser vendors and other interested parties can express actual concrete opinions on the security level of the API.

However I figured that people might be reluctant to come up with proposals unless they know what the requirements were. And while I don't think there are any hard and fast requirements, I was hoping to shed some light on at least how we think about these things at Mozilla.

I do hope that that has become somewhat clearer. And I'm looking forward to seeing actual proposals so that we can move from meta discussions to technical discussions.

/ Jonas
