W3C home > Mailing lists > Public > public-device-apis@w3.org > November 2009

Re: Policy work items - request for proposals

From: イアンフェッティ <ifette@google.com>
Date: Wed, 4 Nov 2009 07:27:44 -0800
Message-ID: <bbeaa26f0911040727t41f1f25ya21e86d2d2f0a6cf@mail.gmail.com>
To: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Cc: Suresh Chitturi <schitturi@rim.com>, W3C Device APIs and Policy WG <public-device-apis@w3.org>
I'm not really interested or vested in the contacts API. I would be willing
to help with use cases for the filesystem API though.

2009/11/4 Frederick Hirsch <Frederick.Hirsch@nokia.com>

> Are you able to help with documenting use cases, say for the contacts API?
>
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
>
> On Nov 4, 2009, at 7:22 AM, ext Ian Fette (イアンフェッティ) wrote:
>
>  I'm not sure I follow the reasoning of starting off by defining capability
>> definitions "in conjunction with the API development" -- I would much rather
>> say "Here are the use cases we're intending to support. To do that, we think
>> we need an API that vaguely does the following things. Now how can we design
>> that API in such a way that it has some reasonable security model?"
>>
>> I think the first step is to collect use cases for each proposal, before
>> that exists I think trying to define "capabilities" is going the wrong
>> direction.
>>
>> 2009/11/4 Frederick Hirsch <Frederick.Hirsch@nokia.com>
>> Ian
>>
>> I agree that security needs to be considered in conjunction with the APIs,
>> I don't think we disagree.
>>
>> WG members can help by taking actions, and to do this we need to break a
>> bigger problem into smaller aspects and get  concrete proposals.
>>
>> For example we can make proposals regarding capability definitions in
>> conjunction with the API development - I proposed this be in the API
>> documents themselves, Robin suggested a separate document, but regardless I
>> think we can start on this work.
>>
>> Do you have any additional suggestions on how to move this work forward?
>> Are you able to help generate any proposals related to policy and security?
>>
>> Thanks
>>
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>>
>>
>> On Nov 2, 2009, at 5:36 PM, ext Ian Fette (イアンフェッティ) wrote:
>>
>> I don't really know what this means. I think the point that we tried to
>> make in the joint WebApps/DAP f2f was that it doesn't make sense to separate
>> the discussion of API from security considerations and UI. I don't
>> understand what any of 1-3, or "access control model" in the abstract, mean.
>>
>> I for one remain highly skeptical of a "policy framework" that is
>> independent of security UI and APIs, and think that designing APIs that then
>> plug into some framework as a way to avoid having discussions about security
>> aspects in the design of said APIs, is a recipe for disaster.
>>
>> -Ian
>>
>> 2009/11/2 Suresh Chitturi <schitturi@rim.com>
>> Hi Frederick, all,
>>
>> I would be happy to look at the security aspects in general for the
>> API/features and access control model for the same.
>>
>> To be concrete I guess this translates to items 2 and 5? If there are
>> others who are also interested perhaps it can be a joint action item.
>>
>> Regards,
>> Suresh
>>
>> -----Original Message-----
>> From: public-device-apis-request@w3.org
>> [mailto:public-device-apis-request@w3.org] On Behalf Of Frederick Hirsch
>> Sent: Monday, November 02, 2009 2:15 PM
>> To: W3C Device APIs and Policy WG
>> Cc: Frederick Hirsch
>> Subject: Policy work items - request for proposals
>>
>> During the morning F2F session I recorded the following somewhat
>> independent work items:
>>
>> 1. trust model definition
>> 2. access control model definition
>> 3 capability definitions for APIs in DAP charter and related W3C APIs
>> 4. features - definition
>> 5 security considerations for each API,  privacy concerns for each
>> API, definition of likely user prompts based on API functionality that
>> have security implications (e.g. take picture query also gives
>> security permission)
>> 6 security threat models and countermeasures/ security use cases
>> 7 Context for security decisions - what additional information can be
>> included in decision
>> 8. FileAPI security model and simplification
>>
>> Is this list complete, are the items somewhat orthogonal?
>>
>> Do we have volunteers to help with concrete proposals, especially for
>> the list of capability definitions, API security considerations,
>> security use cases/threats.
>>
>> regards, Frederick
>>
>> Frederick Hirsch, Nokia
>> Co-Chair, W3C DAP Working Group
>>
>>
>>
>> ---------------------------------------------------------------------
>> This transmission (including any attachments) may contain confidential
>> information, privileged material (including material protected by the
>> solicitor-client or other applicable privileges), or constitute non-public
>> information. Any use of this information by anyone other than the intended
>> recipient is prohibited. If you have received this transmission in error,
>> please immediately reply to the sender and delete this information from your
>> system. Use, dissemination, distribution, or reproduction of this
>> transmission by unintended recipients is not authorized and may be unlawful.
>>
>>
>>
>>
>>
>>
>
Received on Wednesday, 4 November 2009 15:28:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:14:01 GMT