2009/dap/policy Overview.html,1.1,1.2

Update of /sources/public/2009/dap/policy
In directory hutz:/tmp/cvs-serv11501

Modified Files:
	Overview.html 
Log Message:
added material from David Rogers, Security Model Definition, Security Policy Document Format, Example Policies to mitigate Abuse Use Cases, added references for RFC 3279 and 4572

Index: Overview.html
===================================================================
RCS file: /sources/public/2009/dap/policy/Overview.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- Overview.html	17 Mar 2010 14:24:52 -0000	1.1
+++ Overview.html	30 Mar 2010 13:37:20 -0000	1.2
@@ -35,6 +35,751 @@
         site access to Device APIs).
       </p>
     </section>  <!-- introduction -->
+<section id="security-model-definition">
+<h2>Security Model Definition</h2>
+  <p>
+  This section defines the formal model underlying the general
+  security framework. This includes definitions of each of the
+  entities involved in the definition of an access control policy, and
+  a definition of the attributes of each entity that are recognised
+  and are required to be supported. This specification uses [[!XACML]].
+  </p>
+      <section id="application-execution-phases">
+        <h3>Application Execution Phases</h3>
+			<p>The <em>execution</em> phase of a Web Application reflects the state of that application at the time an associated access control query is made. The defined execution phases are listed below.
+			</p>
+			<table border="1" summary="">
+			<caption> <dfn id="execution-phases-table">Execution Phases Table</dfn></caption>
+			<thead>
+			<tr>
+			<th scope="col">Execution Phase</th>
+			<th scope="col">Description</th>
+			</tr>
+			</thead>
+			<tbody>
+			<tr>
+			<td>widget-install</td>
+			<td>Applies to access control queries made by a Widget User Agent during the processing of a Widget Resource as part of an installation or update operation.</td>
+			</tr>
+			<tr>
+			<td>widget-instantiate</td>
+			<td>Applies to access control queries made by a Widget User Agent during the instantiation of a Widget.</td>
+			</tr>
+			<tr>
+			<td>website-bind</td>
+			<td>Applies to access control queries made in response to a call to requestFeature() in the course of execution of a Website</td>
+			</tr>
+			<tr>
+			<td>invoke</td>
+			<td>Applies to access control queries made in response to invocation of a JavaScript API in the course of execution of a Web Application</td>
+			</tr>
+			</tbody>
+			</table>
+</section>
+      <section id="values-and-types">
+        <h3>Values and Types</h3>
+			<p>Each value in an expression is conceptually a <em>bag</em> of potentially multiple simple values. The bag can be empty, containing no simple values. In practice almost every value encountered in the model is either an empty bag or a bag containing a single simple value. When a bag contains one or more simple values, all the simple values have the same type, one of: 
+			</p>
+			<ul>
+				<li>String</li>
+				<li>IRI</li>
+			</ul>
+			<p>
+			Each modifier function (***section link***) defines its result type, and how the function's effect depends on the type of the input.
+			</p>
+			<p>
+			Each matching function (***section link***) defines how it depends on the type of its input.
+			</p>
+			<p>
+			Where a modifier function or matching function does not specify how it treats an input of a particular type, it implicitly converts the value to a bag of strings before performing its operation.
+			</p>
+			<p>
+			When evaluating an access control query at a given application Execution Phase, an expression may have undetermined value if one or more of the attributes on which it depends has undetermined value at that execution phase.
+			</p>
+			<p>
+			For each modifier function (***section link***) and matching function (***section link***), its result for a given set of inputs is determined if and only if all of its inputs are determined.
+			</p>
+			<p>
+			The syntax used for encoding a certificate fingerprint in DAP Security Policy documents is the SDP syntax defined in [[!RFC4572]] without the "fingerprint" scheme, as follows:
+			</p>
+			<pre><code>
+			dapfingerprint = hash-func SP fingerprint
+			hash-func = "sha-1" / "sha-224" / "sha-256" /
+			"sha-384" / "sha-512" /
+			"md5" / "md2" / token
+			; Additional hash functions can only come
+			; from updates to [[!RFC3279]]
+			Fingerprint = 2UHEX *(":" 2UHEX)
+			; Each byte in upper-case hex, separated
+			; by colons.
+			UHEX = DIGIT / %x41-46 ; A-F uppercase
+			</code></pre>
+	</section> <!-- values-and-types -->
+      <section id="subject-attributes">
+        <h3>Subjects and Attributes</h3>
+			<p>
+			A subject corresponds to an entity that may attempt security-relevant actions and corresponds to a single “identity”. (In practice, some Web Applications might have multiple identities – for example is a Widget Resource is signed by multiple signers – but for the purposes of this  model, each access control query is considered to involve a single subject and hence a single identity.)
+			</p>
+			<p>
+			The identity of a <em>subject</em> is in one of the following classes. The class determines which attributes are available; other attributes have the undefined value.
+			</p>
+			<p>
+			All subject attributes are determined for all applicable application Execution Phases.
+			</p>
+      <section id="widget-resource-identity">
+        <h4>Widget Resource Identity</h4>
+			<p>
+			The Widget identity type applies to all operations associated with a Widget Resource, or occurring in the execution of a document belonging to a Widget Resource.
+			</p>
+			<p>
+			Operations occurring in the execution of a remotely hosted document that has been loaded by a Widget (for example in an iframe) use a Website identity (see the next section).
+			</p>
+			<table border="1" summary="">
+			<caption> <dfn id="widget-subject-attributes-table">Widget Subject Attributes Table</dfn></caption>
+			<thead>
+			<tr>
+			<th scope="col">Attribute</th>
+			<th scope="col">Type</th>
+			<th scope="col">Value</th>
+			</tr>
+			</thead>
+			<tbody>
+			<tr>
+			<td>class</td>
+			<td>string</td>
+			<td>This has the value “widget” if and only if the subject is a Widget.</td>
+			</tr>
+			<tr>
+			<td>install-uri</td>
+			<td>URI</td>
+			<td>The URI that the Widget Resource was originally retrieved from before installation, if known, otherwise the empty bag.</td>
+			</tr>
+			<tr>
+			<td>id</td>
+			<td>URI</td>
+			<td>The identity of the Widget. For a W3C Widget specification compliant Widget Resource, this is the value of the id attribute of the <widget> element in the Widget Configuration Document converted from IRI to URI based on RFC3987. In this case, it is a URI that uniquely identifies the Widget. Empty bag if there is no id attribute.</td>
+			</tr>
+			<tr>
+			<td>version</td>
+			<td>string</td>
+			<td>Version of the Widget Resource. For a W3C Widget specification compliant Widget Resource, this is the version attribute of the <widget> element in the Widget Configuration Document.  Empty bag if there is no version attribute.</td>
+			</tr>
+			<tr>
+			<td>distributor-key-cn</td>
+			<td>string</td>
+			<td>The common name of the end entity certificate for the applicable Widget Resource distributor signature. Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>distributor-key-fingerprint</td>
+			<td>string</td>
+			<td>The fingerprint of the end-entity certificate for the applicable Widget Resource distributor signature. Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>distributor-key-root-cn</td>
+			<td>string</td>
+			<td>The common name of the root certificate for the applicable Widget Resource distributor signature. Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>distributor-key-root-fingerprint</td>
+			<td>string</td>
+			<td>The fingerprint of the root certificate for the applicable Widget Resource distributor signature.Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>author-key-cn</td>
+			<td>string</td>
+			<td>The common name of the end entity certificate for the Widget Resource author signature. Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>author-key-fingerprint</td>
+			<td>string</td>
+			<td>The fingerprint of the end entity certificate for the Widget Resource author signature in SDP syntax. Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>author-key-root-cn</td>
+			<td>string</td>
+			<td>The common name of the root certificate for the Widget Resource author signature. Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>author-key-root-fingerprint</td>
+			<td>string</td>
+			<td>The fingerprint of the root certificate for the Widget Resource author signature. Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>widget-attr:name</td>
+			<td></td>
+			<td>The value of the named attribute of the &lt;widget&gt; element whose type and value are set up in the Widget Configuration Document for use in the DAP security framework. Empty bag if no such named attribute is defined.</td>
+			</tr>
+			</tbody>
+			</table>
+		</section> <!-- widget-resource-identity -->
+      <section id="website-identity">
+        <h4>Website Identity</h4>
+			<p>
+			The Website identity type applies to all operations occurring in the execution of a remotely-hosted document, whether this is the top-level docment of the Website or is associated with some child browsing context (such as an iframe).
+			</p>
+			<table border="1" summary="">
+			<caption> <dfn id="widget-subject-attributes-table">Widget Subject Attributes Table</dfn></caption>
+			<thead>
+			<tr>
+			<th scope="col">Attribute</th>
+			<th scope="col">Type</th>
+			<th scope="col">Value</th>
+			<th scope="col">Meaning</th>
+			</tr>
+			</thead>
+			<tbody>
+			<tr>
+			<td>class</td>
+			<td>string</td>
+			<td>"website"</td>
+			<td>Has the value “website” if and only if the subject is of this class.</td>
+			</tr>
+			<tr>
+			<td rowspan="4">sign-schema</td>
+			<td rowspan="4">string</td>
+			</tr>
+			<tr>
+			<td>** (empty string)</td>
+			<td>Not signed</td>
+			</tr>
+			<tr>
+			<td>“tls”</td>
+			<td>The page was fetched using HTTPS and the browser has verified that the site certificate’s Common Name matches the host that the page was fetched from, and it has already applied its own policies regarding whether the root certificate is in an acceptable trust domain.</td>
+			</tr>
+			<tr>
+			<td>“tls-ev”</td>
+			<td>As “tls”, and, additionally, the site certificate has an extended validation field and the browser's internal policy allows that information to be passed to the DAP security framework.</td>
+			</tr>
+			<tr>
+			<td>uri</td>
+			<td>URI</td>
+			<td colspan="2">The URI  used to access the document that embeds or refers to the JavaScript code, corresponding to the window.location property of the browsing context. In the case of that a Feature is accessed from a child browsing context (for example from within a &lt;iframe&gt; within some outer document), this attribute provides the location of the child context.</td>
+			</tr>
+			<tr>
+			<td>uri-top</td>
+			<td>URI</td>
+			<td colspan="2">The URI used to access the Website that embeds or refers to the JavaScript code, corresponding to the top.window property of the browsing context. In the case that the Feature is accessed from a child browsing context (for example from within an &lt;iframe&gt;), this attribute provides the location of the top-level browsing context. If the current browsing context is a child of a Widget top-level browsing context, this attribute contains an IRI with the widget: scheme that corresponds to the top-level containing document from the Widget Resource.</td>
+			</tr>
+			<tr>
+			<td>key-root-cn</td>
+			<td>string</td>
+			<td colspan="2">The common name of the root certificate chained to by the site certificate. Empty bag if none.</td>
+			</tr>
+			<tr>
+			<td>key-root-fingerprint</td>
+			<td>string</td>
+			<td colspan="2">The fingerprint of the root certificate chained to by the site certificate. Empty bag if none.</td>
+			</tr>
+			</tbody>
+			</table>
+			</section> <!-- website-identity -->
+	</section> <!-- subject-attributes -->
+      <section id="resource-attributes">
+        <h3>Resource Attributes</h3>
+			<p>The <em>resource</em> is identified by one or more of the following attributes:
+			</p>
+			<table border="1" summary="">
+			<caption> <dfn id="widget-subject-attributes-table">Widget Subject Attributes Table</dfn></caption>
+			<thead>
+			<tr>
+			<th scope="col">Attribute</th>
+			<th scope="col">Type</th>
+			<th scope="col">Value</th>
+			<th scope="col">Comment</th>
+			</tr>
+			</thead>
+			<tbody>
+			<tr>
+			<td>api-feature (*** ref: ****)</td>
+			<td>URI</td>
+			<td>The IRI identifier of the requested Feature converted to URI as per RFC3987 (*** ref: ***).</td>
+			<td>This uses the same naming scheme as in a widget's &lt;feature&gt; element. See Appendix A (*** change this ref ****). Determined for all applicable application Execution Phases.</td>
+			</tr>
+			<tr>
+			<td>device-cap</td>
+			<td>string</td>
+			<td>Device capability being accessed, if any. Empty bag if none</td>
+			<td>See Appendix A (*** change this ref ***). Determined for all applicable application Execution Phases.</td>
+			</tr>
+			<tr>
+			<td>param:name</td>
+			<td>See comment</td>
+			<td>The value of parameter name.</td>
+			<td>The specification of each Device Capabilities lists the parameters associated with that Device Capability and the type and semantics of each. Empty bag if the parameter is not defined. Determined in the invoke execution phase. Undetermined in all other execution phases.</td>
+			</tr>
+			<tr>
+			<td colspan="4">The following resource attributes give information on the source of the implementation of the API Feature.</td>
+			</tr>
+			<tr>
+			<td>feature-install-uri</td>
+			<td>URI</td>
+			<td>The URI that the API implementation was originally retrieved from before installation, if known, otherwise the empty bag.</td>
+			<td>Determined for all applicable application Execution Phases.</td>
+			</tr>
+			<tr>
+			<td>feature-key-cn</td>
+			<td>string</td>
+			<td>The common name of the end entity certificate for the signature associated with the Feature implementation. Empty bag if none.</td>
+			<td>Determined for all applicable application Execution Phases.</td>
+			</tr>
+			<tr>
+			<td>feature-key-root-cn</td>
+			<td>string</td>
+			<td>The common name of the root certificate for the signature associated with the Feature implementation. Empty bag if none</td>
+			<td>Determined for all applicable application Execution Phases.</td>
+			</tr>
+			<tr>
+			<td>feature-key-root-fingerprint</td>
+			<td>string</td>
+			<td>The fingerprint of the root certificate of the signature associated with the Feature implementation. Empty bag if none.</td>
+			<td>Determined for all applicable application Execution Phases.</td>
+			</tr>
+			<tr>
+			</tbody>
+			</table>
+	  </section> <!-- resource-attributes -->
+      <section id="environment-attributes">
+        <h3>Environment Attributes</h3>
+			<p>Attributes of the <em>environment</em> capture contextual information relating to the device or other circumstances of the access attempt.
+			</p>
+			<table border="1" summary="">
+			<caption> <dfn id="widget-subject-attributes-table">Widget Subject Attributes Table</dfn></caption>
+			<thead>
+			<tr>
+			<th scope="col">Attribute</th>
+			<th scope="col">Type</th>
+			<th scope="col">Value</th>
+			<th scope="col">Comment</th>
+			</tr>
+			</thead>
+			<tbody>
+			<tr>
+			<td>roaming</td>
+			<td>string</td>
+			<td>"national", "international", or empty string</td>
+			<td>Determined in the following Execution Phases:
+				<ul>
+				<li>widget-instantiate</li>
+				<li>website-bind</li>
+				<li>invoke</li>
+				</ul>
+			Undetermined in the following Execution Phases:
+				<ul>
+				<li>widget-install</li>
+				</ul>
+			</td>
+			</tr>
+			<tr>
+			<td>bearer-type</td>
+			<td>string</td>
+			<td>The type of the current network bearer over which a network request will be served, either by request of the application or by default (per the current serving network or the one over which the request will be served, if multiple networks are available). A comma-separated list of one or more of the bearer types given as examples in W3C DCO (*** ref: http://www.w3.org/TR/dcontology/#BearerType ***).</td>
+			<td>Determined in the following Execution Phases:
+				<ul>
+				<li>widget-instantiate</li>
+				<li>website-bind</li>
+				<li>invoke</li>
+				</ul>
+				Undetermined in the following Execution Phases:
+				<ul>
+				<li>widget-install</li>
+				</ul>
+			</td>
+			</tr>
+			</tbody>
+			</table>
+		</section> <!-- attribute-match -->
+      <section id="attribute-match">
+        <h3>Attribute Match</h3>
+			<p>An attribute match is a statement about one attribute whose truth can be evaluated, that is it evaluates to true or false (or undetermined). An attribute match is a subject match, resource match or environment match, depending on whether the attribute being matched is a subject, resource or environment attribute.
+			</p>
+			<p>An attribute match is an expression with a boolean result whose form is limited to one of the following:
+				<ul>
+				<li>matchfunc(modifierfunc(attr), value)</li>
+				<li>matchfunc(attr, value)</li>
+				</ul>
+			Matchfunc is the matching function, a function with a boolean result and two non-boolean inputs. Its result is undetermined if either input is undetermined.
+			</p>
+			<p>In the first case, modifierfunc is a function with a non-boolean result and a single non-boolean input. The result of modifierfunc is undetermined if its input is undetermined.
+			</p>
+			<p>
+			In the second case, there is no modifierfunc. 
+			</p>
+			<p>The value to match (matchfunc's second input) is a sequence of literal text and other attribute references implicitly combined using string concatenation. Thus its type is bag containing a single string, unless there is any reference to an attribute resolving to an empty bag, in which case it is an empty bag. Any reference to a non-string attribute is converted to string bag first. Any reference to an attribute whose value is a bag containing two or more values causes the whole match value to be undefined. Any reference to an undetermined attribute causes the whole value to match to be undetermined.
+			</p>
+			<p>
+			For a subject attribute match, only a single literal string is allowed, with no attribute references.
+			</p>
+			<p>
+			If the attribute does not exist, then it has the empty bag value.
+			</p>
+	</section> <!-- attribute-match -->
+      <section id="subject-specification">
+        <h3>Subject Match</h3>
+			<p>A <em>subject</em> specification consists of a conjunctive sequence of <em>subject</em> matches.
+			</p>
+			<p>
+			A specification is evaluated as follows:
+				<ul>
+				<li>is determined and has value TRUE if each of the <em>subject</em> matches has value TRUE</li>
+				<li>otherwise, is undetermined if any or the <em>subject</em> matches is undetermined</li>
+				<li>otherwise is determined and has value FALSE.</li>
+				</ul>
+			A <em>subject</em> match is an attribute match where the attribute being matched is a <em>subject</em> attribute, and the match value is a literal string and does not contain any attribute references.
+			</p>
+		</section> <!-- subject-specification -->
+  <section id="target">
+        <h3>Target</h3>
+			<p>The <em>target</em> of a <em>policy</em> or <em>policy set</em> identifies the set of <em>subjects</em> to which the <em>policy</em> or <em>policy set</em> applies.
+			</p>
+			<p>The <em>target</em> consists of a disjunctive sequence of <em>subject</em> specifications.
+			</p>
+			<p>
+			A target specification is evaluated as follows:
+				<ul>
+				<li>has value TRUE if at least one of the subject specifications has value TRUE</li>
+				<li>otherwise has value FALSE</li>
+				<li>A <em>policy</em> or <em>policy-set</em> that has no <em>target</em> explicitly specified is treated as having a <em>target</em> that evaluates unconditionally to TRUE.</li>
+				</ul>
+			</p>
+		</section> <!-- target -->
+  <section id="decision">
+        <h3>Decision</h3>
+			<p>If determined, the result of a <em>rule</em> or <em>policy</em> or <em>policy set</em> is a <em>decision</em>, either “not applicable” or any one of the <em>effects</em> “permit”, “prompt-blanket”, “prompt-session”, “prompt-oneshot” or “deny”. The <em>effects</em> are defined in (ref **** section: Effect ***)
+			</p>
+			<p>
+			The result of a <em>rule</em> or <em>policy</em> or <em>policy set</em> may be undetermined under conditions specified for each below.
+			</p>
+		</section> <!-- decision -->
+  <section id="rule">
+        <h3>Rule</h3>
+			<p>The <em>condition</em> of a <em>rule</em> specifies extra criteria that need to be matched before the <em>rule</em> becomes applicable. 
+			</p>
+			<p>
+			The <em>condition</em> consists of one or more attribute matches, combined with AND and OR operators into an arbitrarily nested tree.
+			</p>
+			<p>
+			The AND operator is evaluated as follows: 
+			<ul>
+			<li>is determined and has value “no match” if any input is “no match</li>
+			<li>otherwise is undetermined if any input is undetermined</li>
+			<li>otherwise is determined and has value “match”</li>
+			</ul>
+			The OR operator is evaluated as follows: 
+			<ul>
+			<li>is determined and has value “match” if any input is “match</li>
+			<li>otherwise is undetermined if any input is undetermined</li>
+			<li>otherwise is determined and has value “no match</li>
+			</ul>
+			</p>
+		</section> <!-- decision -->
+  <section id="policy">
+        <h3>Policy</h3>
+			<p>A <em>policy</em> has a <em>target</em>, and a list of zero or more <em>rules</em> combined using a <em>rule-combining algorithm</em>. See section B.19 (**** ref: Combining Algorithm ****) for the combining algorithms. Where a directive attribute query finds more than one applicable directive attribute set, the first one is used.
+			</p>
+			<p>A <em>policy</em> optionally has a textual description.
+			</p>
+			<p>
+			A <em>policy</em> optionally has an id. If an implementation provides a means to provision a security policy fragment to replace an existing one, this id can be used to identify the <em>policy</em> or <em>policy set</em> to replace. No management of ids is mandated, therefore it is recommended that a standardised textual representation of a UUID should be used as the id. 
+			</p>
+			<p>
+			The result of a policy is determined if and only if its combining rule has determined value.
+			</p>
+		</section> <!-- policy -->
+  <section id="policy-set">
+        <h3>Policy Set</h3>
+			<p>The overall security framework is a <em>policy set</em>.
+			</p>
+			<p>
+			A <em>policy set</em> is a target with a list of zero or more <em>policies</em> and <em>policy sets</em> combined using a <em>policy-combining algorithm</em>. See section B.19 (*** ref: Combining Algorithms ***) for the combining algorithms. Where a directive attribute query finds more than one applicable directive attribute set, the first one is used. 
+			</p>
+			<p>
+			A <em>policy set</em> optionally has an id. If an implementation provides a means to provision a security policy fragment to replace an existing one, this id can be used to identify the <em>policy</em> or <em>policy set</em> to replace. No management of ids is mandated, therefore it is recommended that a standardised textual representation of a UUID should be used as the id.
+			</p>
+			<p>
+			The result of a policy is determined if and only if its combining rule has determined value.
+			</p>
+		</section> <!-- policy-set -->
+  <section id="policy-document">
+        <h3>Policy Document</h3>
+			<p>Where the implementation supports deployment of a fragment of policy to add to the existing security policy framework or to replace a part of it, the <em>policy document</em> is the unit of addition or replacement. A <em>policy document</em> can be either a <em>policy</em> or a <em>policy set</em>.
+			</p>
+		</section> <!-- policy-document -->
+  <section id="signed-policy-document">
+        <h3>Signed Policy Document</h3>
+			<p>Where the implementation supports deployment of policy fragments as above, the <em>signed policy document</em> is the cryptographically signed unit of deployment. It contains one or more <em>policy documents</em> as well as a single signature.
+			</p>
+		</section> <!-- signed-policy-document -->
+  <section id="matching-function">
+        <h3>Matching Function</h3>
+			<p>The matching function used in an attribute match is one of the following.
+			</p>
+	<section id="string-equality-matching-function">
+        <h4>String Equality Matching Function</h4>
+			<p>True if and only if some string from one input string bag is byte-for-byte equal to some string from the other input string bag. Thus an empty bag is not equal to anything, not even another empty bag. An input of type other than empty bag or string bag is converted to string bag first.
+			</p>
+		</section> <!-- string-equality-matching-function -->
+	<section id="globbing-matching-function">
+        <h4>Globbing Matching Function</h4>
+			<p>True if and only if, for some string in the first input string bag, the entire string matches the glob pattern in some string in the second input string bag. If either input is the empty bag, the result is false. An input of type other than empty bag or string bag is converted to string bag first.
+			</p>
+			<p>A glob pattern is as described in SUSv3 (**** ref: http://www.unix.org/single_unix_specification/  ****) section 2.13 Pattern Matching Notation but excluding 2.13.3 Patterns Used for Filename Expansion.
+			</p>
+			<p>Using this function with a glob pattern of “*” (a single asterisk) is a convenient way to test whether the first input is not an empty bag.
+			</p>
+		</section> <!-- globbing-matching-function -->
+
+	<section id="regular-expression-matching-function">
+        <h4>Regular Expression Matching Function</h4>
+			<p>Edit TBD
+			</p>
+			<p>This uses the definition of regular expressions in ECMAScript 3rd edition (*** ref: http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf ***)
+			</p>
+		</section> <!-- regular-expression-matching-function -->
+		</section> <!-- matching-function -->
+  <section id="modifier-function">
+        <h3>Modifier Function</h3>
+			<p>The modifier function optionally specified in each attribute in a target or condition is one of the following.
+			</p>
+	<section id="uri-scheme-modifier-function">
+        <h4>URI-Scheme Modifier Function</h4>
+			<p>If the input is a string bag, first it is converted to a URI bag by interpreting each string as a URI. Any string that does not have the form of a URI is removed from the bag.
+			</p>
+			<p>Each URI in the bag is converted to a string by taking the URI’s scheme component.
+			</p>
+			<p>Thus the result type is either the empty bag or string bag.
+			</p>
+		</section> <!-- uri-scheme-modifier-function -->
+	<section id="uri-authority-modifier-function">
+        <h4>URI-Authority Modifier Function</h4>
+			<p>If the input is a string bag, first it is converted to a URI bag by interpreting each string as a URI. Any string that does not have the form of a URI is removed from the bag.
+			</p>
+			<p>Each URI in the bag is converted to a string by taking the URI’s scheme and authority components. If the URI does not have an authority component, it is removed from the bag.
+			</p>
+			<p>Thus the result type is either the empty bag or string bag.
+			</p>
+		</section> <!-- uri-authority-modifier-function -->	
+	<section id="uri-scheme-authority-modifier-function">
+        <h4>URI-Scheme-Authority Modifier Function</h4>
+			<p>If the input is a string bag, first it is converted to a URI bag by interpreting each string as a URI. Any string that does not have the form of a URI is removed from the bag.
+			</p>
+			<p>Each URI in the bag is converted to a string by taking the URI’s scheme and authority components. If the URI does not have an authority component, it is removed from the bag.
+			</p>
+			<p>Thus the result type is either the empty bag or string bag.
+			</p>
+		</section> <!-- uri-scheme-authority-modifier-function -->	
+	<section id="uri-host-modifier-function">
+        <h4>URI-Host Modifier Function</h4>
+			<p>If the input is a string bag, first it is converted to a URI bag by interpreting each string as a URI. Any string that does not have the form of a URI is removed from the bag.
+			</p>
+			<p>Each URI in the bag is converted to a string by taking the URI’s scheme and authority components. If the URI does not have an authority component, it is removed from the bag.
+			</p>
+			<p>Thus the result type is either the empty bag or string bag.
+			</p>
+		</section> <!-- uri-host-modifier-function -->	
+	<section id="uri-path-modifier-function">
+        <h4>URI-Path Modifier Function</h4>
+			<p>If the input is a string bag, first it is converted to a URI bag by interpreting each string as a URI. Any string that does not have the form of a URI is removed from the bag.
+			</p>
+			<p>Each URI in the bag is converted to a string by taking the URI’s scheme and authority components. If the URI does not have an authority component, it is removed from the bag.
+			</p>
+			<p>Thus the result type is either the empty bag or string bag.
+			</p>
+		</section> <!-- uri-path-modifier-function -->	
+		</section> <!-- modifier-function -->
+  <section id="combining-algorithm">
+        <h3>Combining Algorithm</h3>
+			<p>The <em>policy-combining algorithm</em> for a <em>policy set</em> determines how child <em>policies</em> and <em>policy sets</em> are combined. 
+			</p>
+			<p>The <em>rule-combining algorithm</em> for a <em>policy</em> determines how child <em>rules</em> are combined. 
+			</p>
+			<p>The algorithms are described in the following subsections. The term <em>child</em> is used to mean the child <em>rules</em> in the <em>policy</em> when applying the <em>policy's rule-combining algorithm</em>, or the child <em>policies</em> and <em>policy sets</em> in the <em>policy set</em> when applying the <em>policy set's policy-combining algorithm</em>.
+			</p>
+
+	<section id="deny-overrides-combining-algorithm">
+        <h4>Deny-Overrides Combining Algorithm</h4>
+			<p>The Deny-Overrides Combining Algorithm is usable as a policy-combining algorithm and as a rule-combining algorithm.
+			</p>
+			<p>The overall result of a <em>query</em> is evaluated as follows.
+			<ul>
+			<li>If any child evaluates to "deny", then the overall result is "deny".</li>
+			<li>Otherwise, if any child is undetermined, then the overall result is undetermined.</li>
+			<li>Otherwise, if any child evaluates to "prompt-oneshot", then the overall result is "prompt-oneshot".</li>
+			<li>Otherwise, if any child evaluates to "prompt-session", then the overall result is "prompt-session".</li>
+			<li>Otherwise, if any child evaluates to "prompt-blanket", then the overall result is "prompt-blanket".</li>
+			<li>Otherwise, if any child evaluates to "permit", then the overall result is "permit".</li>
+			<li>Otherwise, the overall result is "inapplicable".</li>
+			</ul>
+			</p>
+		</section> <!-- deny-overrides-combining-algorithm -->	
+	<section id="permit-overrides-combining-algorithm">
+        <h4>Permit-Overrides Combining Algorithm</h4>
+			<p>The Permit-Overrides Combining Algorithm is usable as a policy-combining algorithm and as a rule-combining algorithm. The overall result of a <em>query</em> is evaluated as follows.
+			<ul>
+			<li>If any child evaluates to "permit", then the overall result is "permit".</li>
+			<li>Otherwise, if any child is undetermined, then the overall result is undetermined.</li>
+			<li>Otherwise, if any child evaluates to "prompt-blanket", then the overall result is "prompt-blanket".</li>
+			<li>Otherwise, if any child evaluates to "prompt-session", then the overall result is "prompt-session".</li>
+			<li>Otherwise, if any child evaluates to "prompt-oneshot", then the overall result is "prompt-oneshot".</li>
+			<li>Otherwise, if any child evaluates to "deny", then the overall result is "deny".</li>
+			<li>Otherwise, the overall result is "inapplicable".</li>
+			</ul>
+			</p>
+		</section> <!-- permit-overrides-combining-algorithm -->	
+	<section id="first-applicable-rule-combining-algorithm">
+        <h4>First-Applicable Rule Combining Algorithm</h4>
+			<p>The First-Applicable Rule Combining Algorithm is usable as a rule-combining algorithm.
+			</p>
+			<p>The overall result of a query is evaluated by processing the children in written order as follows:
+			<ul>
+			<li>if the current child is determined and does not evaluate to "inapplicable", the overall result is the result of the current child;</li>
+			<li>otherwise, if the current child is undetermined, the overall result is undetermined;</li>
+			<li>otherwise, if the current child is determined and has value "inapplicable", continue processing at the next child. If already processing the final child, the overall result is "inapplicable".</li>
+			</ul>
+			</p>
+		</section> <!-- first-applicable-rule-combining-algorithm -->	
+	<section id="first-matching-target-policy-combining-algorithm">
+        <h4>First-Matching-Target Policy Combining Algorithm</h4>
+			<p>The First-Matching-Target Policy Combining Algorithm is usable as a policy-combining algorithm.
+			</p>
+			<p>The overall result of a query is evaluated by processing the children in written order as follows:
+			<ul>
+			<li>if the current child has a target that matches the overall result is the result of the current child;</li>
+			<li>otherwise, continue processing at the next child. If already processing the final child, the overall result is "inapplicable".</li>
+			</ul>
+			</p>
+		</section> <!-- first-matching-target-policy-combining-algorithm -->	
+		</section> <!-- combining-algorithm -->	
+  <section id="effect">
+        <h3>Effect</h3>
+			<p>The <em>effect</em> of a <em>rule</em> is one of the following: 
+			</p>
+	<section id="permit">
+        <h4>Permit</h4>
+			<p>This <em>effect</em> allows requested access without user interaction.
+			</p>
+		</section> <!-- permit -->	
+	<section id="deny">
+        <h4>Deny</h4>
+			<p>This <em>effect</em> denies requested access without user interaction.
+			</p>
+		</section> <!-- deny -->	
+	<section id="prompt-x">
+        <h4>Prompt-x</h4>
+			<p>The prompt-oneshot, prompt-session and prompt-blanket effects allow requested access after explicit confirmation by the user. The implementation <em title="must" class="rfc2119">must</em> prompt the user before allowing access.
+			</p>
+			<p>The implementation <em title="must" class="rfc2119">must</em> only provide the user the option to grant permission up to the maximum allowed by the <em>effect</em>, ie:
+			<ul>
+			<li>prompt-oneshot: "deny always", "deny this time", "allow this time";</li>
+			<li>prompt-session: prompt-oneshot options plus "deny for this session", "allow for this session";</li>
+			<li>prompt-blanket: prompt-session options plus "allow always".</li>
+			</ul>
+			The implementation <em title="must" class="rfc2119">must</em> provide a means to respond with any available option that is applicable in the context in which the prompt is displayed.
+			</p>
+			<p>
+			Any default action <em title="must" class="rfc2119">must</em> be at least as restrictive as "deny this time".
+			</p>
+			<p>
+			If the user has the option of deferring a response indefinitely and the user does not respond explicitly, the requested access <em title="must not" class="rfc2119">must not</em> be allowed.
+			</p>
+			<p>
+			For a Widget, a session lasts while the application is still running and the terminal has not been switched off or placed in standby mode.
+			</p>
+			<p>
+			For a Website, another visit to the same page in the same Browser tab or window is part of the same session.
+			</p>
+		</section> <!-- prompt-x -->	
+	</section> <!-- effect -->	
+  <section id="query">
+        <h3>Query</h3>
+			<p>A <em>query</em> represents a specific instance of a security policy being evaluated in order to make an access control decision relating to an attempted operation by a Web Application.
+			</p>
+			<p>A <em>query</em> is characterised by the collection of <em>subject attributes</em> associated with the Web Application instance, the collection of <em>resource attributes</em> associated with the attempted operation, and the collection of <em>environment attributes</em> associated with the circumstances of the attempt. The determinedness of each of these attributes is in accordance with the <em>execution phase</em> of the attempt.
+			</p>
+			<p>A <em>query</em> is evaluated against a <em>policy-set</em>, resulting in a <em>decision</em> in accordance with the evaluation rules defined in this specification.
+			</p>
+		</section> <!-- effect -->	
+	</section> <!-- security-model-definition -->
+<section id="security-policy-document-format"> 
+<h2>Security Policy Document Format</h2>
+  <p>
+  This section defines a method for representing a Security Policy (e.g. for interchange or device management purposes).
+  </p>
+  <section id="schema">
+        <h3>Schema</h3>
+	<section id="signed-policy">
+        <h4>&lt;signed-policy&gt;</h4>
+			<p>The root element of a signed policy document is a &lt;signed-policy&gt;.
+			</p>
+			<p>&lt;signed-policy&gt; contains, in any order, exactly one &lt;signature&gt; element and one or more elements each of which is either &lt;policy-set&gt; or &lt;policy&gt;.
+			</p>
+</section>
+</section>
+</section>
+
+    <section id="example-abuse-policies"> 
+<h2>Example Policies to mitigate Abuse Use Cases</h2>
+	  <p>
+	  This section outlines some example policies that could be used to deal with abuses of device APIs.
+	  </p> 
+      <section id="premium-rate-defence">
+        <h3>Defending against premium rate abuse</h3>
+			<p>The example assumes that a number of mechanisms have already been defeated in the security chain – the application is trusted and is on the device. If the user (or the policy provider) has stated that they don’t want to call premium rate numbers in the UK:
+			</p>
+			<p>
+			<pre><code>
+&lt;target&gt;
+    &lt;subject&gt;
+        &lt;subject-match attr="author-key-root-fingerprint"&gt;sha256 ******** root fingerprint of author **** /&gt;
+    &lt;/subject&gt; &lt;-- to identify the Identified domain, the same would apply for the Unidentified domain--&gt;
+&lt;/target&gt;
+&lt;rule effect=one-shot&gt;
+    &lt;condition&gt;
+        &lt;resource-match attr="dev-cap" match="messaging.*.send" param:recipients="+4409*" func="glob"/&gt;  &lt;-- to block UK premium rate numbers --&gt;
+    &lt;/condition&gt;
+&lt;/rule&gt;
+</pre></code>
+
+We could extend this to other countries if we are concerned that premium rate numbers would not only be from the host country. Here is an example of a policy fragment for blocking Spanish premium rate numbers that could be added, along with the condition combining operator (please note: there are probably more elegant ways of expressing this by using regular expressions):
+<pre><code>
+    &lt;condition combine=or&gt;
+        &lt;resource-match attr="dev-cap" match="messaging.*.send" param:recipients="+4409*" func="glob"/&gt;  &lt;-- to block UK premium rate numbers --&gt;
+        &lt;resource-match attr="dev-cap" match="messaging.*.send" param:recipients="+34806*"  func="glob"/&gt;  &lt;-- to block Spanish premium rate numbers --&gt;
+    &lt;/condition&gt;
+</pre></code>
+If the malicious widget is out in the wild already and has been identified, then we want to prevent it from installing and executing on devices, halting the spread of the malware in its early stages of distribution.
+</p>
+<p>
+Clearly, if the widget is prevented from installing, then it cannot call a device API – these functions are shown as a belt and braces example:
+
+<pre><code>
+&lt;target&gt;
+    &lt;subject&gt;
+        &lt;subject-match attr="id" match="http://www.maliciouswidget1.org" /&gt;
+    &lt;/subject&gt;
+&lt;/target&gt;
+&lt;rule effect=deny&gt;
+   &lt;condition combine=or&gt;
+    &lt;resource-match attr=widget-install /&gt;
+     &lt;resource-match attr=widget-instantiate /&gt;
+    &lt;resource-match attr=api-feature match=* /&gt;
+    &lt;resource-match attr=dev-cap match=* /&gt;  
+    &lt;/condition&gt;
+  &lt;/rule&gt;
+</code></pre>
+      </section> <!-- premium-rate-abuse -->
+</section> <!-- example policies -->
+
+<section id="out-of-scope">
+<h2>Out  of Scope</h2>
+  <p>
+  </p>
+  <ul>
+    <li>The management of security policies ... is out of scope
+      (charter)</li>
+    <li>Identity Revocation</li>
+  </ul>
+</section>
+
 
     <section class='appendix'>
       <h2>Acknowledgements</h2>

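Review bot: in the premium-rate example, `<rule effect=one-shot>` uses an effect name that the Effect section of this same hunk defines as "prompt-oneshot", and the prose says the user does not want premium-rate numbers called at all, so either the text should say a prompt is intended or the rule should read `effect="deny"` like the second example. Attribute values throughout the three fragments are unquoted (`effect=deny`, `combine=or`, `attr=widget-install`), the pseudo-comments `<-- ... -->` lack the `!` of an XML comment, and `<subject-match attr="author-key-root-fingerprint">sha256 ******** root fingerprint of author **** />` puts content inside a self-closing tag; a `match` attribute, as used by `<subject-match attr="id" match="http://www.maliciouswidget1.org" />`, would fix it. `<resource-match attr=widget-install />` and `<resource-match attr=widget-instantiate />` carry no `match` value, unlike every other resource-match element, so it is unclear what they match; the names read as execution phases rather than resource attributes, and the text should say which attribute is being tested. On the HTML side, `<ul>` is nested inside `<p>` in all four combining-algorithm sections and in Prompt-x, and `<pre>` inside `<p>` in the example section, which is not valid; close the paragraph before the block. Two of the code listings close as `</pre></code>`, reversing the `<pre><code>` open order (the third listing, `</code></pre>`, is correct). The closing comment on the Query section reads `<!-- effect -->` and should be `<!-- query -->`. In First-Matching-Target, "if the current child has a target that matches the overall result is the result of the current child" needs a comma after "matches", and, unlike First-Applicable, it says nothing about an undetermined target match; stating that case would keep the two algorithms consistent. Minor: "Out  of Scope" has a doubled space.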
Received on Tuesday, 30 March 2010 13:37:30 UTC