W3C home > Mailing lists > Public > public-device-apis@w3.org > December 2009

Re: ACTION-38: "Should issue recommendation on the granularity of the security system" + proposal for a "Secure Credential API"

From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Date: Thu, 31 Dec 2009 11:46:52 -0500
Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "'public-device-apis@w3.org'" <public-device-apis@w3.org>
Message-Id: <E40B313E-6A42-4BE2-87D6-BB80E071F73D@nokia.com>
To: "ext Nilsson, Claes1" <Claes1.Nilsson@sonyericsson.com>
Claes

Thanks for clarifying the message.

It looks like application id is  acting like role or group - this  
almost seems on the path toward attribute certificates and the related  
infrastructure.

I'm still not sure I understand how this would integrate in practice  
on a web without centralized authority - perhaps ignored unless  
understood?

regards, Frederick

Frederick Hirsch
Nokia



On Dec 21, 2009, at 5:30 AM, ext Nilsson, Claes1 wrote:

> Hi,
>
> Sorry if my previous post was difficult to follow due to missing  
> indentations. Hope this is clearer :-)
>
> Frederick,
>
> See my answers inline below and an updated version of "Fine  
> granularity access policy".
>
> Claes
>
> > -----Original Message-----
> > From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
> > Sent: onsdag den 16 december 2009 15:16
> > To: Nilsson, Claes1
> > Cc: Frederick Hirsch; 'public-device-apis@w3.org'
> > Subject: Re: ACTION-38: "Should issue recommendation on the  
> granularity
> > of the security system" + proposal for a "Secure Credential API"
> >
> > Claes
> >
> > Thanks for the proposals.
> >
> > Secure Cred Manager should be deferred to future work.
> >
> > I have a few questions regarding the "File Granularity Access  
> Policy",
> > to help me understand it:
> >
> > Is it correct to say that the essence of the  "file granularity  
> access
> > policy" proposal is to determine an application id from either the  
> X.
> > 509 cert or signed widget config, and then pass this application  
> id in
> > all API calls?
>
> Claes:
> Correct
> >
> > What value does this add? An example might help me understand the
> > benefit.
>
> Claes:
> I believe there are several use cases.
>
> - An obvious use case is restriction in a file API of access to  
> certain data to certain applications. This is something that is  
> supported by existing application environments.
> - Another example is restriction to "read-only" for certain  
> applications in the file or contacts API
> - And of course, a "Secure credential manager" that I am proposing,  
> is a good example where specific data must be accessible to a  
> specific application only.
>
> I have added these use cases to an updated version of my proposal  
> that I attach.
>
> >
> > Who manages application ids, is there a registry? What prevents any
> > widget from including any application id it wants?
>
> Claes:
> That must be a part of the signing process. The application id could  
> for example be included in a widget's (signed) configuration  
> document (assumes some kind of centralized widget signing) or it  
> could be included in the certificate (makes distributed signing  
> possible). I realize that I have been a bit unclear here. An  
> application identity must be relative to the origin of the  
> application, typically the PKI-identity, e.g. the Certificate  
> Authority (CA) of a signed widget's certificate. This means that the  
> CA must coordinate the application identities. So, an AppId actually  
> consists of two parts:
> - Origin of the application, typically the PKI-identity
> - Actual name/id of application
>
> I have updated my description to clarify this at page 6.
>
> >
> > What happens in a web case (not widget), where there is no such Id?
>
> Claes:
> This is more tricky but I believe that existing security mechanisms  
> such as TLS/SSL can be used. The name/id of application can be  
> included in the server certificate. The weakness here is that we can  
> only verify the server, not the origin of the application. XMLDsig  
> would be another alternative but it is not much used today.  
> Furthermore, this issue exist for any domain based access security  
> system also for verifying the TrustDomain.
>
> >
> > What if X.509 certs are not used in certain cases, where does the
> > application id come from?
>
> Claes:
> In this case there is no method to securely verify the origin and  
> integrity of the application and the application identity.
>
> >
> > Is there an "application id" lifecycle?
>
> Claes:
> Have my previous answers clarified this?
>
> >
> > regards, Frederick
> >
> > Frederick Hirsch
> > Nokia
> >
> >
> >
> > On Dec 15, 2009, at 5:15 AM, ext Nilsson, Claes1 wrote:
> >
> > > Hi,
> > >
> > > I attach two proposals:
> > >
> > > 1.       “File granularity access policy”. This is response to my
> > > action 38. The proposal is based on “Policy Based Device Access
> > > Security” (Steve Lewontin/Nokia
> > http://lists.w3.org/Archives/Public/public-device-apis/2009Nov/att-
> > 0012/SecurityPolicy_09.pdf)
> > >  that Steve presented at the Santa Clara meeting. My proposal  
> adds a
> > > finer granularity to restrict access to APIs based on application
> > > identity.
> > > 2.       “Secure Cred Manager”. This proposal is based on 1 above
> > > and is an API for retrieving securely stored data,  
> “credentials”, in
> > > the device. A major use case for this API is Social Networking
> > > Services web application application login to the service. I  
> have a
> > > humble view on this and understand the security issues with
> > > JavaScript. However, by referencing existing security mechanisms
> > > such as Digital signing, TLS/SSL and WARP, I believe that such an
> > > API is possible. Furthermore, I realize that it is not possible to
> > > include this API in the phase 1 delivery from DAP but I want to  
> have
> > > it in the list of “Future Work”.
> > >
> > > Best regards
> > >   Claes
> > > Claes Nilsson M.Sc.E.E
> > > Senior Staff Engineer
> > > CTO - R&T Europe - UI/App/Web
> > >
> > > Sony Ericsson Mobile Communications
> > >  Phone:  +46 10 80 15178
> > > Mobile: +46 705 56 68 78
> > > Switchboard: +46 10 80 00000
> > > E-Mail: mailto:claes1.nilsson@sonyericsson.com
> > > Visiting Address; Nya Vattentornet
> > > SE-221 88 LUND,
> > > Sweden
> > > Disclaimer:
> > > The information in this e-mail is confidential and may be legally
> > > privileged. It is intended solely for the named recipient(s) and
> > > access to this e-mail by anyone else is unauthorized. The views  
> are
> > > those of the sender and not necessarily the views of Sony Ericsson
> > > and Sony Ericsson accepts no responsibility or liability  
> whatsoever
> > > or howsoever arising in connection with this e-mail.Any
> > > attachment(s) to this message has been checked for viruses, but
> > > please rely on your own virus checker and procedures. If you  
> contact
> > > us by e-mail, we will store your name and address to facilitate
> > > communications. If you are not the intended recipient, please  
> inform
> > > the sender by replying this transmission and delete the e-mail and
> > > any copies of it without disclosing it.
> > >
> > >
> > > <Secure Cred Manager.pptx><File granularity access policy.pptx>
>
> <Fine granularity access policy.pptx>
Received on Thursday, 31 December 2009 16:48:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:14:04 GMT