2009/dap/policy Profile.html,1.5,1.6

Update of /sources/public/2009/dap/policy
In directory hutz:/tmp/cvs-serv10251

Modified Files:
	Profile.html 
Log Message:
Added attribute definitions, moving from Framework. Incorporated examples
from example document.


Index: Profile.html
===================================================================
RCS file: /sources/public/2009/dap/policy/Profile.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- Profile.html	17 Jun 2010 21:22:26 -0000	1.5
+++ Profile.html	18 Jun 2010 20:29:24 -0000	1.6
@@ -24,7 +24,11 @@
         outlines the role and use of policy in the context of Device
         APIs. This document provides a profile of XACML 2.0 
         enabling such policies to be defined using the XACML
-        language [[!XACML20]]. This specification does not provide an
+        language [[!XACML20]]. Trust and access policies are capable of 
+      representation in a compact XML format (and other formats,
+      including a compact  
+      binary representation if necessary).  This specification does
+        not provide an 
         overview of XACML as this information is available elsewhere
         [[XACML-INTRO]].</p>
       <p>
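Review bot: the sentence inserted at "Trust and access policies are capable of representation in a compact XML format (and other formats, including a compact binary representation if necessary)" makes a claim about alternative serializations that nothing in the visible profile text defines or cites; either point it at the reference that specifies the compact XML and binary forms, or phrase it as a non-normative possibility so that a reader does not expect this profile to define them. The inserted lines are also indented with six spaces while the rest of the paragraph uses eight, and "compact  " carries a doubled space before the line break; reflowing the paragraph to the surrounding indentation would keep the diff clean.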
@@ -646,6 +650,274 @@
 	</section>
   </section>
 </section>
+
+<section class='attribute-definitions'>
+  <h2>Attribute Definitions</h2>
+<section class='subject-attribute-definitions'>
+  <h2>Subject Attribute Definitions</h2>
+  <p> The identity of a subject is in one of the following classes. The
+	class determines which attributes are available; other
+	attributes have the undefined value. </p>
+<section class='widget-subject-attribute-definitions'>
+  <h2>Widget Subject Attribute Definitions</h2>
+<table
+	  border="1" summary=""> <caption> <dfn
+	  id="widget-subject-attributes-table">Widget Subject
+	  Attributes Table</dfn></caption> <thead> <tr> <th
+	  scope="col">Attribute</th> <th scope="col">Type</th> <th
+	  scope="col">Value</th> </tr> </thead> <tbody> <tr>
+	  <td>class</td> <td>string</td> <td>This has the value
+	  "widget" if and only if the subject is a widget.</td>
+	  </tr> <tr> <td>install-uri</td> <td>URI</td> <td>The URI
+	  that the widget resource was originally retrieved from
+	  before installation, if known, otherwise the empty
+	  bag.</td> </tr> <tr> <td>id</td> <td>URI</td> <td>The
+	  identity of the widget. For a W3C widget specification [[!WIDGETS]]
+	  compliant widget resource, this is the value of the <code>id</code>
+	  attribute of the <code>widget</code> element in the widget
+	  configuration document converted from IRI to URI based
+	  on RFC3987 [[!IRI]]. In this case, it is a URI that uniquely
+	  identifies the widget. Empty bag if there is no <code>id</code>
+	  attribute.</td> </tr> <tr> <td>version</td>
+	  <td>string</td> <td>Version of the widget resource. For
+	  a W3C widget specification compliant widget resource,
+	  this is the <code>version</code> attribute of the <code>widget</code> element in
+	  the widget configuration document. Empty bag if there is
+	  no <code>version</code> attribute.</td> </tr> <tr>
+	  <td>distributor-key-cn</td> <td>string</td> <td>The
+	  common name of the end entity certificate for the
+	  applicable widget resource distributor signature. Empty
+	  bag if none.</td> </tr> <tr>
+	  <td>distributor-key-fingerprint</td> <td>string</td>
+	  <td>The fingerprint of the end-entity certificate for
+	  the applicable widget resource distributor signature.
+	  Empty bag if none.</td> </tr> <tr>
+	  <td>distributor-key-root-cn</td> <td>string</td> <td>The
+	  common name of the root certificate for the applicable
+	  widget resource distributor signature. Empty bag if
+	  none.</td> </tr> <tr>
+	  <td>distributor-key-root-fingerprint</td>
+	  <td>string</td> <td>The fingerprint of the root
+	  certificate for the applicable widget resource
+	  distributor signature.Empty bag if none.</td> </tr> <tr>
+	  <td>author-key-cn</td> <td>string</td> <td>The common
+	  name of the end entity certificate for the widget
+	  resource author signature. Empty bag if none.</td> </tr>
+	  <tr> <td>author-key-fingerprint</td> <td>string</td>
+	  <td>The fingerprint of the end entity certificate for
+	  the widget resource author signature in SDP syntax.
+	  Empty bag if none.</td> </tr> <tr>
+	  <td>author-key-root-cn</td> <td>string</td> <td>The
+	  common name of the root certificate for the widget
+ 	  resource author signature. Empty bag if none.</td> </tr>
+	  <tr> <td>author-key-root-fingerprint</td>
+	  <td>string</td> <td>The fingerprint of the root
+	  certificate for the widget resource author signature.
+	  Empty bag if none.</td> </tr> <tr>
+	  <td>widget-attr:name</td> <td></td> <td>The value of the
+	  named attribute of the <code>widget</code> element whose type
+	  and value are set up in the widget configuration
+	  document for use in the security framework. Empty
+	  bag if no such named attribute is defined.</td> </tr>
+	  </tbody> </table>
+</section>
+<section class='website-subject-attribute-definitions'>
+  <h2>Web Site Subject Attribute Definitions</h2>
+<table border="1"
+	  summary=""> <caption> <dfn
+	  id="website-subject-attributes-table">Website Subject
+	  Attributes Table</dfn></caption> <thead> <tr> <th
+	  scope="col">Attribute</th> <th scope="col">Type</th> <th
+	  scope="col">Value</th> <th scope="col">Meaning</th>
+	  </tr> </thead> <tbody> <tr> <td>class</td>
+	  <td>string</td> <td>"website"</td> <td>Has the value
+	  "website" if and only if the subject is of this
+	  class.</td> </tr> <tr> <td rowspan="4">sign-schema</td>
+	  <td rowspan="4">string</td> </tr> <tr> <td>"" (empty
+	  string)</td> <td>Not signed.</td> </tr> <tr>
+	  <td>"tls"</td> <td>The page was fetched using HTTPS and
+	  the browser has verified that the site certificate’s
+	  Common Name matches the host that the page was fetched
+	  from, and it has already applied its own policies
+	  regarding whether the root certificate is in an
+	  acceptable trust domain.</td> </tr> <tr>
+	  <td>"tls-ev"</td> <td>As "tls", and, additionally, the
+	  site certificate has an extended validation field and
+	  the browser's internal policy allows that information to
+	  be passed to the security framework.</td> </tr> <tr>
+	  <td>uri</td> <td>URI</td> <td colspan="2">The URI used
+	  to access the document that embeds or refers to the
+	  JavaScript code, corresponding to the window.location
+	  property of the browsing context. In the case of that a
+	  feature is accessed from a child browsing context (for
+	  example from within a &lt;iframe&gt; within some outer
+	  document), this attribute provides the location of the
+	  child context.</td> </tr> <tr> <td>uri-top</td>
+	  <td>URI</td> <td colspan="2">The URI used to access the
+	  website that embeds or refers to the JavaScript code,
+	  corresponding to the top.window property of the browsing
+	  context. In the case that the feature is accessed from a
+	  child browsing context (for example from within an
+	  &lt;iframe&gt;), this attribute provides the location of
+	  the top-level browsing context. If the current browsing
+	  context is a child of a widget top-level browsing
+	  context, this attribute contains an IRI with the widget:
+	  scheme that corresponds to the top-level containing
+	  document from the widget resource.</td> </tr> <tr>
+	  <td>key-root-cn</td> <td>string</td> <td colspan="2">The
+	  common name of the root certificate chained to by the
+	  site certificate. Empty bag if none.</td> </tr> <tr>
+	  <td>key-root-fingerprint</td> <td>string</td> <td
+	  colspan="2">The fingerprint of the root certificate
+	  chained to by the site certificate. Empty bag if
+	  none.</td> </tr> </tbody> </table>
+</section>
+</section>
+<section class='resource-attribute-definitions'>
+  <h2>Resource Attribute Definitions</h2>
+<p>The resource is identified by one or more of
+	  the following attributes: </p> 
+<table border="1"
+	  summary=""> <caption> <dfn
+	  id="widget-subject-attributes-table">Widget Resource
+	  Attributes Table</dfn></caption> <thead> <tr> <th
+	  scope="col">Attribute</th> <th scope="col">Type</th> <th
+	  scope="col">Value</th> <th scope="col">Comment</th>
+	  </tr> </thead> <tbody> <tr> <td id="api-feature">api-feature (*** ref:
+	  ****)</td> <td>URI</td> <td>The IRI identifier of the
+	  requested Feature converted to URI as per RFC3987
+	  [[!IRI]].</td> <td>This uses the same naming scheme as
+	  in a widget's <code>feature</code> element. Determined for all
+	  applicable application execution phases.</td> </tr> <tr>
+	  <td id="device-cap">device-cap</td> <td>string</td> <td>Device
+	  capability being accessed, if any. Empty bag if
+	  none</td> <td>See Appendix A (*** change this ref ***).
+	  Determined for all applicable application Execution
+	  Phases.</td> </tr> <tr> <td id=parameter>param:name</td> <td>See
+	  comment</td> <td>The value of parameter name.</td>
+	  <td>The specification of each Device Capabilities lists
+	  the parameters associated with that Device Capability
+	  and the type and semantics of each. Empty bag if the
+	  parameter is not defined. Determined in the invoke
+	  execution phase. Undetermined in all other execution
+	  phases.</td> </tr> <tr> <td colspan="4">The following
+	  resource attributes give information on the source of
+	  the implementation of the API Feature.</td> </tr> <tr>
+	  <td>feature-install-uri</td> <td>URI</td> <td>The URI
+	  that the API implementation was originally retrieved
+	  from before installation, if known, otherwise the empty
+	  bag.</td> <td>Determined for all applicable application
+	  execution phases.</td> </tr> <tr>
+	  <td>feature-key-cn</td> <td>string</td> <td>The common
+	  name of the end entity certificate for the signature
+	  associated with the Feature implementation. Empty bag if
+	  none.</td> <td>Determined for all applicable application
+	  execution phases.</td> </tr> <tr>
+	  <td>feature-key-root-cn</td> <td>string</td> <td>The
+	  common name of the root certificate for the signature
+	  associated with the Feature implementation. Empty bag if
+	  none</td> <td>Determined for all applicable application
+	  execution phases.</td> </tr> <tr>
+	  <td>feature-key-root-fingerprint</td> <td>string</td>
+	  <td>The fingerprint of the root certificate of the
+	  signature associated with the Feature implementation.
+	  Empty bag if none.</td> <td>Determined for all
+	  applicable application execution phases.</td> </tr> <tr>
+	  </tbody> </table>
+</section>
+<section 'class=context-attribute-definitions'>
+  <h2>Context Attribute Definitions</h2>
+    <p>
+<table
+	  border="1" summary=""> <caption> <dfn
+	  id="widget-subject-attributes-table">Context
+	  Attributes Table</dfn></caption> <thead> <tr> <th
+	  scope="col">Attribute</th> <th scope="col">Type</th> <th
+	  scope="col">Value</th> <th scope="col">Comment</th>
+	  </tr> </thead> <tbody> <tr> <td>roaming</td>
+	  <td>string</td> <td>"national", "international", or
+	  empty string</td> <td>Determined in the following
+	  execution phases:
+	  <ul> <li>widget-instantiate</li>
+	  <li>website-bind</li> <li>invoke</li> </ul>
+	  Undetermined in the following execution phases:
+	  <ul> <li>widget-install</li> </ul>
+	  </td> </tr> <tr> <td>bearer-type</td> <td>string</td>
+	  <td>The type of the current network bearer over which a
+	  network request will be served, either by request of the
+	  application or by default (per the current serving
+	  network or the one over which the request will be
+	  served, if multiple networks are available). A
+	  comma-separated list of one or more of the bearer types
+	  given as examples in W3C DCO [[DCONTOLOGY]].</td>
+	  <td>Determined in the following execution phases:
+	  <ul> <li>widget-instantiate</li>
+	  <li>website-bind</li> <li>invoke</li> </ul>
+	  Undetermined in the following execution phases:
+	  <ul> <li>widget-install</li> </ul>
+	  </td> </tr> </tbody> </table>
+    </section>
+    </section>
+<section class='examples'>
+  <h2>Examples</h2>
+<section id="example-abuse-policies">
+  <h2>Example Policies to mitigate Abuse Use Cases</h2>
+    <p> This section outlines some example policies that could be used to
+    deal with abuses of device APIs. </p>
+    <section id="premium-rate-defence">
+      <h3>Defending against premium rate abuse</h3>
+	<p>The example assumes that a number of mechanisms have
+	already been defeated in the security chain – the
+	application is trusted and is on the device. If the user
+	(or the policy provider) has stated that they don’t want
+	to call premium rate numbers in the UK: </p>
+	<pre><code>
+	<code>&lt;target&gt;</code>
+	    <code>&lt;subject&gt;</code>
+		&lt;subject-match attr="author-key-root-fingerprint" 
+        match="sha256 ******** root fingerprint of author ****" /&gt; 
+        &lt;-- to identify the Identified domain, the same would
+	    apply for the Unidentified domain--&gt;
+	&lt;/target&gt;
+         &lt;rule effect="one-shot"&gt;
+	    <code>&lt;condition&gt;</code>
+		&lt;resource-match attr="dev-cap" match="messaging.*.send"
+		param:recipients="+4409*" func="glob"/&gt; &lt;-- to block UK premium
+		rate numbers --&gt;
+	    &lt;/condition&gt;
+	&lt;/rule&gt; </pre></code>
+	We could extend this to other countries if we are concerned that premium rate
+	numbers would not only be from the host country. Here is an example of a policy
+	fragment for blocking Spanish premium rate numbers that could be added, along
+	with the condition combining operator (please note: there are probably more
+	elegant ways of expressing this by using regular expressions): <pre><code>
+	    &lt;condition combine="or"&gt;
+		&lt;resource-match attr="dev-cap" match="messaging.*.send"
+		param:recipients="+4409*" func="glob"/&gt; &lt;-- to block UK premium
+		rate numbers --&gt; &lt;resource-match attr="dev-cap"
+		match="messaging.*.send" param:recipients="+34806*" func="glob"/&gt;
+		&lt;-- to block Spanish premium rate numbers --&gt;
+	    &lt;/condition&gt;
+	</pre></code> If the malicious widget is out in the wild already and has been
+	identified, then we want to prevent it from installing and executing on devices,
+	halting the spread of the malware in its early stages of distribution. </p> <p>
+	Clearly, if the widget is prevented from installing, then it cannot call a
+	device API – these functions are shown as a belt and braces example:
+	<pre><code> <code>&lt;target&gt;</code>
+	    <code>&lt;subject&gt;</code>
+		&lt;subject-match attr="id" match="http://maliciouswidget1.example.org"&gt;
+	    &lt;/subject&gt;
+	&lt;/target&gt; &lt;rule effect="deny"&gt;
+	   &lt;condition combine="or"&gt;
+	    &lt;resource-match attr="widget-install" /&gt; &lt;resource-match
+	    attr="widget-instantiate" /&gt; &lt;resource-match attr="api-feature" match="*"
+	    /&gt; &lt;resource-match attr="dev-cap" match="*" /&gt; &lt;/condition&gt;
+	  &lt;/rule&gt;
+	</code></pre>
+    </section> <!-- premium-rate-abuse -->
+</section> <!-- example policies -->
+</section>
+</section>
 <section class='appendix'>
   <h2>Acknowledgements</h2>
     <p>
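Review bot: the opening tag `<section 'class=context-attribute-definitions'>` puts the quote before the attribute name, so the class is lost and the element is malformed; it should read `<section class='context-attribute-definitions'>` like the other sections in this hunk. Several other markup problems in the same hunk will break the generated document: the `<dfn>` elements for the Widget Resource Attributes Table and the Context Attributes Table both reuse `id="widget-subject-attributes-table"`, so the three tables cannot be cross-referenced independently and need distinct ids; the `<p>` opened immediately before the context attributes table is never closed; `<td id=parameter>` has an unquoted attribute value; and the first two example blocks close as `</pre></code>` although they open as `<pre><code>`, with the first and third additionally nesting `<code>` inside `<code>`. The example policies also disagree with the attribute definitions introduced in the same hunk: the resource attribute table defines `device-cap`, but every `<resource-match>` uses `attr="dev-cap"`, so the examples would not match the attribute they intend to test; the third example matches `attr="widget-install"` and `attr="widget-instantiate"`, which the tables list as execution phases rather than resource attributes; in the first example `<subject>` is opened but not closed before `</target>`, and `<subject-match attr="id" match="http://maliciouswidget1.example.org">` in the third is not self-closed although the same element is self-closed earlier; and the inline annotations use `<-- ... -->` rather than XML comment syntax `<!-- ... -->`, so the fragments are not well-formed even once the entities are decoded. Finally, the editor placeholders `(*** ref: ****)` and `(*** change this ref ***)` remain in the `api-feature` and `device-cap` rows, "signature.Empty bag" in the distributor-key-root-fingerprint row is missing a space, and the closing comment `<!-- premium-rate-abuse -->` does not match the section id `premium-rate-defence`.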

Received on Friday, 18 June 2010 20:29:29 UTC