Re: Discussion regarding policy framework choices

Le mardi 22 juin 2010 à 23:15 +0200, Frederick.Hirsch@nokia.com a
écrit :
> I think we need to have a discussion regarding the choice of policy framework for standardization.
> 
> So far I've seen four options in the working group
> 
> 1) Simple markup with clear separation of trust from decision
> 2) Profile of XACML 2.0
> 3) New markup as submitted by BONDI, similar to  XACML 2.0 but different in schema and processing rules 
> 4) No policy language at all.

My personal preference based on the recent discussions would be to delay
the work on the format for policy interchange, until we have a better
sense of an actual policy model.

In practice, I think it would be useful to start with cataloging
existing in-browser JavaScript APIs that are restricted (which would be
a necessary step in any case for the “api-feature” stuff of the policy
format), with a description of these restrictions, and some leads as to
how these restrictions would need to be removed in a privileged
environment. It might be removing a prompt, it might be making new
constructors or factories methods available, it might be removing
same-origin restrictions, etc.

Based on that analysis, we could look at incorporating our findings in a
revision of the WARP spec to include more fine-grained declarations of
features/parameters, possibly seeking alignments with other similar
efforts (Firefox Jetpack extensions, Chrome extensions, Android
manifest, etc). I think such an effort could in fact also be useful for
purely Web-based applications, to facilitate the building of user
interfaces for dealing with set of permissions.

And once we all that well identified, I think we might then be in a
position to work on a policy interchange format, should that appear to
be useful.

Dom

Received on Wednesday, 23 June 2010 12:29:27 UTC