Re: [websec] Call for Consensus: CORS to Candidate Recommendation

Arthur Barstow <art.barstow@nokia.com> Fri, 16 November 2012 13:17 UTC

To: "ext Hill, Brad" <bhill@paypal-inc.com>
Cc: "WebApps WG \(public-webapps@w3.org\)" <public-webapps@w3.org>, "Anne van Kesteren \(annevk@annevk.nl\)" <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "websec@ietf.org" <websec@ietf.org>, "public-web-security@w3.org" <public-web-security@w3.org>

On 11/15/12 5:31 PM, ext Hill, Brad wrote:
>
> I have placed a draft for review at:
>
> http://www.w3.org/2011/webappsec/cors-draft/
>
> And this is a Call for Consensus among the WebAppSec and WebApps WGs 
> to take this particular text (with necessary additions to the Status 
> of this Document section if approved) forward to Candidate Recommendation.
>

I support this CfC although I am wondering about the CR exit criteria.

Do you expect to re-use the CSP1.0 criteria:

[[
The entrance criteria for this document to enter the Proposed 
Recommendation stage is to have a minimum of two independent and 
interoperable user agents that implementation all the features of this 
specification, which will be determined by passing the user agent tests 
defined in the test suite developed by the Working Group.
]]

My preference is what WebApps has used in other CRs because I think it 
is clearer that a single implementation is not required to pass every 
test but that at least two implementations must pass every test. F.ex.:

    <http://www.w3.org/TR/2012/CR-websockets-20120920/#crec>

-Thanks, AB