On Mon, Apr 12, 2010 at 1:00 PM, Maciej Stachowiak <[email protected]> wrote:
>
> On Apr 12, 2010, at 10:33 AM, Tyler Close wrote:
>
>> On Mon, Apr 12, 2010 at 6:49 AM, Arthur Barstow <[email protected]>
>> wrote:
>>>
>>> Maciej, Tyler - thanks for continuing this discussion. I think it would
>>> be helpful to have consensus on what we mean by subsetting in this
>>> context. (Perhaps the agreed definition could be added to the CORS and
>>> UMP Comparison [1].)
>>
>> I've added a new section to the wiki page, "UMP as subset of CORS":
>>
>> http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UMP#UMP_as_subset_of_CORS
>>
>
> I do not think the set of subset criteria posted there matches what I
> proposed and what we've been discussing in this thread.

I intended criteria #3 to correspond to conditions A1+B2 in our last
email exchange, which covers an UMP API to CORS resource message
exchange. The last unnumbered criteria corresponds to conditions A2+B1
in our last email exchange, which covers a CORS API to UMP resource
message exchange. Criteria #1 and #2 correspond to the additional
safety aspects of condition C that you wanted explicitly stated. What
aspect of the subset criteria have I missed?

> Should I put some
> abbreviated form of my proposal in the wiki? I am not sure what the
> conventions are for editing this wiki page.
>
> I think the points you make on the wiki about cross-endangerment are good,
> but they are not really subset criteria, that's a property we want for any
> two Web platform features, and it could be achieved with a strategy of
> making things completely different instead of the subset strategy. They do
> represent relations that we should maintain however.

I included these because our last email exchange indicated to me that
you wanted them explicitly stated.

> I think even taken together, your set of subset conditions does guarantee
> that a CORS client implementation is automatically also a UMP client
> implementation. If we went that way, then we would have to consider whether
> there will ever be client implementors of UMP itself, or it will be
> impossible to fulfill CR exit criteria.

If there are implementers of CORS, then by definition, there are
implementers of UMP. I don't see anything in CR exit criteria that
requires implementers to swear not to also implement other
specifications.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
