On Sun, Jan 14, 2018 at 12:54 PM, Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
On 01/14/2018 03:49 PM, Eric Rescorla wrote:
On Sun, Jan 14, 2018 at 9:21 AM, Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
On 01/13/2018 07:14 PM, Eric Rescorla wrote:
It would be best to kill _javascript_ entirely,
given that it's the vector for a myriad of attacks and therefore that
it's become a best practice to disable it in browsers.
I would characterize this more as a minority view than a best practice. _javascript_is ubiquitous throughout the Web.
I would characterize it as both best practice and a minority view. We should never assume that best practice is synonymous with widespread practice, especially where security is concerned.
Well, IETF typically measures best practice by consensus. What community do you believe this represents the consensus view of. I doubt, for instance, the Web security community.
I was using "best practice" in the literal sense, not the IETF sense. I understand why IETF makes decisions by consensus, but don't feel that consensus reliably results in best practice in the general case. OTOH, in circumstances where having general agreement on practice is better than not having such agreement, consensus-based decision making can be a good way to choose that practice.
OK, well, absent some consensus or other decision-making mechanism, we're kind of left with this just being a matter of opinion.
I also doubt that _javascript_ as it currently exists in browsers would be able to win IETF consensus if it were proposed today.
As you're no doubt aware, the IETF is not responsible for standardizing this portion of the Web stack, so this doesn't seem very relevant.
-Ekr
Keith