
RE: [Policy] [ACTION-152] Editor Updates to Policy Requirements and Policy Framework

From: Nilsson, Claes1 <Claes1.Nilsson@sonyericsson.com>
Date: Thu, 22 Apr 2010 10:19:22 +0200
To: "'Arribas, Laura, VF-Group'" <Laura.Arribas@vodafone.com>, "W3C Device APIs and Policy WG" <public-device-apis@w3.org>
Message-ID: <6DFA1B20D858A14488A66D6EEDF26AA3232A1FB403@seldmbx03.corpusers.net>

Hi,

I have looked at parts of the Policy Framework document. 

There are use cases for restricting access to certain data in APIs to individual web applications and section 2.1 states that "the framework must permit fine-grained security policies to be represented as well as policies based on broad groupings of APIs and assignment of web applications to a small number of trust domains. For example, a fine-grained security policy is necessary to grant or deny access to individual APIs for individual web applications."

A security policy framework is maybe most valuable for specific non-UI APIs, for example, a "Secure credential manager" for retrieving API-keys used for application login to social networking web services. 

So it must be possible to securely identify the origin and integrity of a specific web application accessing such a sensitive API.

The "Subject Attributes" described in section 3.3 are used to identify the identity of a widget or website. From these Subject Attributes it must be possible to extract the "trust domain" of the content and the application identity. 

Comments:

Section 3.3.1 Widget Attributes:
* Why is only "common name" used for distributor, distributor root, author and author root certificates? Don't we need the whole "subject" to get a more flexible identification of a widget resource?

Section 3.3.2 Website Attributes: 
In order to securely identify a web site and achieve the granularity of a specific web application, don't we need attributes for the site's server certificate? I also suggest that server certificate attributes are added:
* Suggest that the whole "subject" is used instead of only "common name" for the root certificate. 
* Suggest to add: key-server-subject: The subject field of the server certificate chained to by the site certificate. Empty bag if none.
* Suggest to add: key-server-fingerprint: The fingerprint of the root certificate chained to by the site certificate. Empty bag if none.

Best regards
  Claes
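The two points raised above (using the whole "subject" rather than only "common name", and adding a server-certificate fingerprint attribute) can be shown with a small piece of code. The following is an added example and is not code from this thread, the DAP working group draft, or BONDI; the attribute and rule names (SiteAttributes, Rule, MatchByCN, MatchBySubject) are assumptions chosen to mirror the key-server-subject / key-server-fingerprint naming proposed above, and the two certificates are constructed self-signed certificates generated in memory with the Go standard library, standing in for whichever certificate in the site's chain a policy names. It builds the attribute bag from a parsed certificate and shows that a rule keyed on common name alone matches two different organisations' certificates, while a rule on the whole subject (or the fingerprint) distinguishes them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SiteAttributes is a hypothetical "website attribute bag" carrying the three
// certificate-derived values discussed in the mail: common name only (what the
// draft uses), the full subject, and a fingerprint. Field names are assumptions.
type SiteAttributes struct {
	KeyServerCN          string // common name only
	KeyServerSubject     string // whole subject DN, RFC 2253 style (proposed)
	KeyServerFingerprint string // hex SHA-256 over the DER certificate (proposed)
}

// Rule is a hypothetical fine-grained policy rule keyed on one website.
type Rule struct {
	CN      string // expected common name
	Subject string // expected whole subject
}

// makeSelfSigned builds a constructed, in-memory self-signed certificate with
// the given subject. Nothing here touches the network or disk.
func makeSelfSigned(subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Attributes derives the attribute bag from a parsed certificate.
func Attributes(cert *x509.Certificate) SiteAttributes {
	sum := sha256.Sum256(cert.Raw) // fingerprint over the exact DER bytes
	return SiteAttributes{
		KeyServerCN:          cert.Subject.CommonName,
		KeyServerSubject:     cert.Subject.String(),
		KeyServerFingerprint: hex.EncodeToString(sum[:]),
	}
}

// MatchByCN is the coarse check: any certificate carrying the expected CN matches.
func MatchByCN(r Rule, a SiteAttributes) bool { return a.KeyServerCN == r.CN }

// MatchBySubject is the finer check: the whole subject must agree.
func MatchBySubject(r Rule, a SiteAttributes) bool { return a.KeyServerSubject == r.Subject }

// SameCNPair returns attribute bags for two constructed certificates whose
// subjects share a common name but belong to different organisations.
func SameCNPair() (SiteAttributes, SiteAttributes, error) {
	a, err := makeSelfSigned(pkix.Name{CommonName: "api.example.test", Organization: []string{"Example Corp"}})
	if err != nil {
		return SiteAttributes{}, SiteAttributes{}, err
	}
	b, err := makeSelfSigned(pkix.Name{CommonName: "api.example.test", Organization: []string{"Other Org"}})
	if err != nil {
		return SiteAttributes{}, SiteAttributes{}, err
	}
	return Attributes(a), Attributes(b), nil
}

func main() {
	a, b, err := SameCNPair()
	if err != nil {
		panic(err)
	}
	rule := Rule{CN: a.KeyServerCN, Subject: a.KeyServerSubject}
	fmt.Printf("A subject: %s\nB subject: %s\n", a.KeyServerSubject, b.KeyServerSubject)
	fmt.Printf("CN-only rule matches A=%v B=%v\n", MatchByCN(rule, a), MatchByCN(rule, b))
	fmt.Printf("subject rule matches A=%v B=%v\n", MatchBySubject(rule, a), MatchBySubject(rule, b))
	fmt.Printf("fingerprints equal: %v\n", a.KeyServerFingerprint == b.KeyServerFingerprint)
}
```

Run it with `go run`; the CN-only rule reports true for both certificates, the whole-subject rule only for the first, and the fingerprints differ. A fingerprint pins one exact certificate, so it is the strictest attribute but also the one that changes on every renewal; the whole subject gives stable, still organisation-specific identification.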



> -----Original Message-----
> From: public-device-apis-request@w3.org [mailto:public-device-apis-
> request@w3.org] On Behalf Of Arribas, Laura, VF-Group
> Sent: torsdag den 8 april 2010 18:58
> To: W3C Device APIs and Policy WG
> Subject: [Policy] [ACTION-152] Editor Updates to Policy Requirements
> and Policy Framework
> 
> Policy Editorial Update
> 
> Hi,
> 
> As per ACTION-152, I've continued editing the policy framework document
> [1] using BONDI material, docs [2] and [3].
> Next step is to integrate Nokia's input [4]. I can start doing that, but
> probably won't finish before next week's call.
> 
> Please have a look at the current *draft* and share any comments you may
> have.
> 
> @Robin, there are a couple of reference entries missing (marked as
> issues). Would it be possible to include those in the database of
> references? Thanks!
> 
> Cheers,
> Laura
> 
> [1] http://dev.w3.org/2009/dap/policy/Overview.html
> [2] http://bondi.omtp.org/1.1/security/BONDI_Architecture_and_Security_v1.1.pdf
> [3] http://bondi.omtp.org/1.1/security/BONDI_Architecture_and_Security_Appendices_v1.1.pdf
> [4] http://lists.w3.org/Archives/Public/public-device-apis/2009Nov/att-0012/SecurityPolicy_09.pdf
> 
> 
> -----Original Message-----
> From: public-device-apis-request@w3.org
> [mailto:public-device-apis-request@w3.org] On Behalf Of Frederick
> Hirsch
> Sent: 30 March 2010 14:42
> To: W3C Device APIs and Policy WG
> Cc: Frederick Hirsch
> Subject: [Policy] Editor Updates to Policy Requirements and Policy
> Framework
> 
> Policy Editorial Update
> 
> (1)  I added " Abuse Use Cases " provided by David Rogers to the policy
> requirements document [1].
> 
> (2) I added Security Model Definition, Security Policy Document Format,
> Example Policies to mitigate Abuse Use Cases,  and references for RFC
> 3279 and 4572 to Policy Framework draft (material provided by David
> Rogers) [2]
> 
> Also updated policy editor list to include David.
> 
> I believe the next step is for Paddy and Laura to edit the Policy
> Framework draft further, using the ReSpec source in CVS policy/
> Overview.html
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia
> 
Received on Thursday, 22 April 2010 08:30:29 GMT
