W3C home > Mailing lists > Public > public-device-apis@w3.org > May 2009

Re: Starting the chartering discussion -- security policy for APIs

From: Arthur Barstow <art.barstow@nokia.com>
Date: Sun, 10 May 2009 07:43:35 -0400
Message-Id: <9370C5DE-A481-4A85-A376-627F4F59427B@nokia.com>
Cc: "public-device-apis@w3.org" <public-device-apis@w3.org>
To: ext Thomas Roessler <tlr@w3.org>
Thomas, All,

Regarding your request below that interested parties put forward  
concrete proposals for the work items you proposed, Nokia submits the  
Position Paper Steve Lewontin submitted to the December 2008 Workshop  
[1] for the "policy expression" work item.

If the W3C decides to Charter related work, we offer the same terms  
for this input as we did for the device service APIs we submitted on  
April 24 [2]:

[[
Nokia hereby grants to the W3C a perpetual, nonexclusive, royalty- 
free, world-wide right and license under any Nokia copyrights on this  
contribution, to copy, publish and distribute the contribution under  
the W3C document licenses.

Additionally, should the submission be used as a contribution towards  
a W3C Activity, Nokia grants a right and license of the same scope to  
any derivative works prepared by the W3C and based on, or  
incorporating all or part of, the contribution. Nokia further agrees  
that any derivative works of this contribution prepared by the W3C  
shall be solely owned by the W3C.

Nokia Corporation agrees to offer W3C members and non-members  
granting reciprocal terms a non-assignable, non-sublicensable,  
worldwide and royalty free license to make, have made, use, sell,  
have sold, offer to sell, import, and distribute and dispose of  
implementations of any portion of the submission that is subsequently  
incorporated into a W3C Recommendation. Such license shall extend to  
all Essential Claims owned or controlled by Nokia Corporation and  
shall be available as long as the Recommendation is in effect.
]]

-Regards, Art Barstow

[1] <http://www.w3.org/2008/security-ws/papers/SecurityPolicyNokia.pdf>
[2] <http://lists.w3.org/Archives/Public/public-device-apis/2009Apr/ 
0001.html>


On Apr 14, 2009, at 7:34 AM, ext Thomas Roessler wrote:

> Hello,
>
> it's about time that we start a chartering discussion.   
> Fundamentals that we need to sort out in order to get from here to  
> there:
>
> - general scope of the work (and things that are out of scope)
> - basic principles for the work
> - deliverables and milestones
> - resources
> - input documents
>
> Based on the outcomes from the workshop [1] and the notes from the  
> mobile web breakout session at the AC meeting [2], I'd propose the  
> following in terms of a (rough) mission and scope, and would  
> appreciate your feed-back on this mailing list:
>
> 1. The group would be chartered to produce a framework for the  
> expression of security policies that govern access of Web  
> applications and widgets to security-critical APIs.  To achieve  
> this goal, the group will need to deal with the following items:
>
> - policy expression proper
> - identification of APIs
> - identification of web applications and Widgets
>
> 2. Out of scope:
>
> - concrete APIs
> - policy management and discovery
> - fundamental changes to JavaScript
>
> 3. Principles:
>
> - before inventing a new policy expression language, existing  
> languages (such as XACML) should be reviewed for suitability
> - the resulting policy model must be compatible with the existing  
> same origin policy (as documented in the HTML5 specification)
> - the work should not be specific to either mobile or desktop  
> environments, but may take differences between the environments  
> into account
>
> 4. Liaisons:
>
> - PLING (W3C Policy Languages Interest Group)
> - HTML WG
> - WebApps WG
> - geolocation WG
> - Mobile Web Best Practices WG
> - BONDI
> - OpenAjaxAlliance
>
> Note that this would be a good time for interested members to  
> indicate *privately* whether they're willing to make chairing or  
> editing resources available.
>
> This would also be a good time for those members who presented  
> concrete technical proposals at the workshop to indicate whether  
> they'll be interested in putting these proposals on the table as a  
> basis for the work proposed here.
>
> [1] http://www.w3.org/2008/security-ws/report
> [2] http://lists.w3.org/Archives/Member/w3c-archive/2009Apr/0094.html
>
> Note: [2] is member-only; I'll circulate a publicly visible summary  
> some time soon.
>
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>
Received on Sunday, 10 May 2009 11:44:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:13:59 GMT