"The thing is that seventeen rules of Xanadu, in themselves, aren't that much more complex than the WWW - The http protocol is not an uber simple thing."
I have to disagree. Requiring secure identification of a web server means that every web site must use an SSL certificate. Most likely, the way it was intended, it must also be an identity-verified SSL cert, i.e., "Verisign" et al, not just "some SSL cert I generated last night". Requiring secure identification of the user at all times is very onerous when propagated throughout the entire stack, as it would have had to have been. Now you have to be logged in to all sites, all the time, with some sort of universally-agreed-upon protocol which would run smack into the problem that not everybody's identification needs are the same. "Every user can store documents" means you are not allowed to browse the Xanadu without paying for hosting privileges. Backwards links complicate every CMS, ever, horrifically, and also have to manifest in the protocol. And I'm not even all the way through the list, the problems keep going, but I fear boring the reader.
If you look at what they really mean (remember, these are summaries), it is night and day. An elementary HTTP server can be bashed out in an hour, and it'll work with modern browsers to at least some degree. In college, writing an HTTP proxy server was a 2 hour lab assignment in networking class, to give an example of another piece of the stack. AFAIK, nobody has ever produced a full Xanadu server, despite massive amounts of effort. This is not a coincidence; this is a reflection of the almost-impossible-to-overstate difference in complexity between the two ideas.
Actually, I think you're saying the same thing I at least meant to begin with: Xanadu's requirements are fairly simple to state but extremely complex to implement.
My further point is this shows a world where things are a bit muddier than Spolsky's simple/complex division.