W3C home > Mailing lists > Public > public-device-apis@w3.org > January 2010

Re: Why aren't most devices virtual web services?

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Fri, 8 Jan 2010 15:34:29 -0500
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, W3C Device APIs and Policy WG <public-device-apis@w3.org>, Ashok Malhotra <ashok.malhotra@ORACLE.COM>
Message-Id: <7C0EA538-6207-42B7-9AFC-93DEA24747FB@nokia.com>
To: "ext Mark S. Miller" <erights@google.com>
Welcome to the group Mark, and thank you for your suggestion.

Isn't privacy a bit different than authorization, which seems to be  
what you are talking about?

For example, the privacy concern is not only whether I have access to  
some contact information (I might)  but whether I might retain it,  
pass it on to others, use it inappropriately and so on. In that sense  
I'm not sure what you mention addresses the concern, though it might.

To repeat what I think you said,  you suggest that we might adopt a  
universal approach of having Javascript APIs that all act as if they  
made a remote invocation even if  locally implemented  and thus be  
able to reuse other network mechanisms for authorization. Would this  
impact performance, requiring unnecessary messaging? Would this  
presume constant connectivity? What are the assumptions here?  
Apologies if I am asking the obvious.


regards, Frederick

Frederick Hirsch

On Jan 7, 2010, at 9:47 PM, ext Mark S. Miller wrote:

> Hi,
> I'm new to this working group. I recently joined because a number of  
> people had privately expressed alarm to me over the approaches to  
> security being taken in this WG. Several of them made the same  
> suggestion, I think independently. Of the others, they found this  
> suggestion plausible, so I thought I'd pass it on. For most devices,  
> why not treat each device as a virtual web service, exposing its API  
> as a RESTful API in terms of GETs and POSTs. This would reduce the  
> present security problems to a previously unsolved problem, of how  
> one web site becomes authorized to use web services provided by  
> another site.
> The case is clearest for contacts. Why should authorizing Facebook  
> to access my local contacts be different than, for example,  
> authorizing Facebook to access my gmail contacts? There are already  
> several proposed solutions to this problem, including the debate  
> between CORS and UMP at the public-webapps group. For current  
> browsers, it is also the motivating problem behind OAuth. I am *not*  
> suggesting that we at the public-device-apis WG attempt to pick a  
> winner among these three. Rather, that we should merely provide  
> device APIs as RESTful GET/POST APIs, so that we can make use of  
> whatever comes to be the resolution of this debate. The scheme of  
> device URLs might be something other than http: or https:, but they  
> should still be accessible through XHR and its successors.
> For some devices, an objection that has been raised: receiving and  
> reacting to notifications from RESTful web services is awkward.  
> However, once again, the problem is a problem with web services in  
> general. It should be solved for web services in general. Then,  
> devices can again be made polymorphic with web services providing  
> similar functionality.
> Let's please avoid introducing unnecessary cases into web standards.  
> -- 
>    Cheers,
>    --MarkM
Received on Friday, 8 January 2010 20:35:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:53:41 UTC