ISSUE-27: [Policy] Is revocation in scope [Security Policy Framework — General]

ISSUE-27: [Policy] Is revocation in scope [Security Policy Framework — General]

http://www.w3.org/2009/dap/track/issues/27

Raised by: Frederick Hirsch
On product: Security Policy Framework — General

Is revocation in scope of the DAP policy v1, or should it be deferred to v.next?

Proposal: defer to v.next

Rationale: More than one mechanism might be used to implement revocation, so it can be deployment specific.

For example, one could consider

1. Associated X.509 certificate revocation, either by CRL or OCSP

2. Reputation/community-based revocation, as suggested by Marcos in his position paper
http://www.w3.org/2008/security-ws/papers/marcos-policy-widgets.txt

3. Non-X.509 directory listing

If this is not deferred, we probably would need to define a "Revocation decision point" by URI and not define the details of that point.

Received on Tuesday, 6 October 2009 19:27:15 UTC