W3C home > Mailing lists > Public > public-device-apis@w3.org > August 2010

RE: Updated Policy Requirements draft

From: Nilsson, Claes1 <Claes1.Nilsson@sonyericsson.com>
Date: Mon, 23 Aug 2010 12:07:35 +0200
To: "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com>, "public-device-apis@w3.org" <public-device-apis@w3.org>
Message-ID: <6DFA1B20D858A14488A66D6EEDF26AA32D5BF616FC@seldmbx03.corpusers.net>
Hi Frederick and rest of DAP,

Thanks for the updates Frederick.

I have reviewed the "Web Browser and Untrusted Widget" and the "Trusted Widget" use cases. The first use case makes sense and I have no specific comments on this one. For the second use case "Trusted Widget" the list of requirements is currently empty and I assume that this is due to the need to discuss this use case further. My comments follow concerns the case when the trusted widget use case is not combined with "delegated authority":

* Isn't it to limiting to call this use case "Trusted Widgets"? People may have different views on what a widget is but I guess most people think of an installed "live" microstate application running at the device's home screen. Isn't the important things here that the web application in this case is installable and that it trusted by the signature? So, wouldn't it be more appropriate to call the use case "Trusted Installable Web Applications? 

* Should we also consider "Trusted Web Sites", i.e. sites accessed through SSL/TLS transport? I am not sure here because the secure transport only provides security between the client and the site hosting the web application and the application itself is not signed. 

* The main issue here is in what way we could make the life easier for the user compared to case 1, i.e. in what way could we limit or simplify user interaction. An immediate thought is of course to have an approach similar to installing applications on a desktop computer, i.e. displaying certificate information and something like "Do you trust the author ....State Y/N" and have option to save the user's decision. If the user decides to install the trusted application then no explicit user interaction would be required to access device APIs during the application's work flow. This approach could be used with any installing web application, unsigned or signed, but a verified and trusted signature will make it safer for user and the amount on information about the application provided to the user could be limited.

Your thoughts?

Regards
  Claes

 

-----Original Message-----
From: public-device-apis-request@w3.org [mailto:public-device-apis-request@w3.org] On Behalf Of Frederick.Hirsch@nokia.com
Sent: den 18 augusti 2010 17:17
To: public-device-apis@w3.org
Cc: Frederick.Hirsch@nokia.com
Subject: Updated Policy Requirements draft

Based on the Resolution and discussion on today's call, I have updated the policy requirements draft with the proposal I had made earlier, removing the phrase "un-managed" from web browser, and making some tweaks accordingly.

Please review and discuss any suggested changes on the list.

http://dev.w3.org/2009/dap/policy-reqs/

Can we agree on next week's call to publish an updated WD of this document?

Thanks

regards, Frederick

Frederick Hirsch
Nokia

This should complete ACTION-254
Received on Monday, 23 August 2010 10:08:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:14:12 GMT