# Device APIs and Policy Working Group Teleconference

## 20 Oct 2010

[Agenda][3]

See also: [IRC log][4]

## Attendees

Present: Robin_Berjon, Frederick_Hirsch, Cecile_Marc, Dominique_Hazael-Massieux, LauraA, Dzung_Tran, John_Morris, Niklas_Widell, Ilkka_oksanen, Claes_Nilsson, Anssi_Kostiainen, erica+newland, Richard_Tibbett, erica_newland, Maria_Oteo, Daniel_Coloma, Dong-Young_Lee

Regrets: Suresh_Chitturi, Marco_Marengo, Wonsuk_Lee, Mohammed_Dadas

Chair: Robin_Berjon, Frederick_Hirsch

Scribe: jmorris

## Contents

* [Topics][5]
    1. [Administrative][6]
    2. [Minutes approval][7]
    3. [Permissions spec][8]
    4. [Privacy][9]
    5. [Contacts][10]
    6. [Capture][11]
    7. [Gallery][12]
    8. [Calendar][13]
    9. [Sysinfo status][14]
* [Summary of Action Items][15]

* * *

Date: 20 October 2010

ScribeNick: jmorris

### Administrative

fjh: talk about f2f
... will send f2f agenda soon
... any suggestions for agenda would be welcome
... possibly we should talk with Web Notifications about permissions stuff

(it doesn't look like they will meet there) [http://www.w3.org/2010/11/TPAC/#GroupSchedule][16]

(yeah, I'd be surprised if they ever met, given the group)

fjh: what is going on with Geolocation

Claes: I am working with Geolocation
... they are not working specifically on security/privacy right now
... perhaps discussion on geoloc privacy, but not directly related to DAP

fjh: we are overlapping with HTML WG, perhaps we should talk with them

darobin: I can contact Web Notification, and we should also talk to html

**ACTION:** Robin to ping HTML chairs, Notifications chair to see about potential joint meetings [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action01][17]]

Created ACTION-284 - Ping HTML chairs, Notifications chair to see about potential joint meetings [on Robin Berjon - due 2010-10-27].

fjh: darobin to contact HTML, fjh to contact Web Notification

**ACTION:** fjh to ping web notification group [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action02][18]]

Created ACTION-285 - Ping web notification group [on Frederick Hirsch - due 2010-10-27].

darobin: possibly talk at f2f about test suites

+1 on reusing PhoneGap's stuff if possible

+1 too

AnssiK: can we reuse test suite phonegap

anssi: asks about reusing phonegap test suite

[http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0031.html][19]

dom, you wanted to talk on licenses

[http://www.w3.org/Consortium/Legal/2008/04-testsuite-license.html][20]

dom: w3c has special license for document and PST? license
... so we can probably reuse the PhoneGap test suite either because
... license covers it or we can ask if needed

[http://www.w3.org/Consortium/Legal/2008/04-testsuite-copyright.html][21]

jmorris: should we put an action on dom to check on license

Proposed test suite methodology for e.g. Contacts: [http://www.w3.org/TR/test-methodology/][22]

**ACTION:** dom to check licensing issues on phonegap test suite [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action03][23]]

Created ACTION-286 - Check licensing issues on phonegap test suite [on Dominique Hazaël-Massieux - due 2010-10-27].

(I wonder if Anssi would be interested in presenting/demoing the phonegap tests)

richt: discussing contacts test suite

ok, it looks like we need some time at F2F to work through test suite topics

+1 to AnssiK demoing the PG tests

(I could probably make a quick intro to testing @w3c, and the test methodology)

+1 to that

fjh: could Anssi demo PhoneGap test suite

+1 to dom introducing testing at w3 and Anssi sharing understanding of PhoneGap test suite

AnssiK: I am not a PhoneGap guy, but I will look at it

**ACTION:** Anssi to introduce phonegap tests during F2F [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action04][24]]

Created ACTION-287 - Introduce phonegap tests during F2F [on Anssi Kostiainen - due 2010-10-27].

**ACTION:** Dom to introduce testing@w3c during F2F [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action05][25]]

Created ACTION-288 - Introduce testing@w3c during F2F [on Dominique Hazaël-Massieux - due 2010-10-27].

agree with fjh, Dom to introduce testing at W3C and demo of PG tests.

...at the F2F

darobin: should we do a wiki page for the agenda?

**ACTION:** Robin to create Wiki page for f2f agenda [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action06][26]]

Created ACTION-289 - Create Wiki page for f2f agenda [on Robin Berjon - due 2010-10-27].

dom, you wanted to comment on agenda

dom: at f2f, we should spend time on roadmap

dom suggests review of RoadMap

dom: we should have a written roadmap by end of year

TPAC registration (for in-person attendees) [http://www.w3.org/2002/09/wbs/35125/TPAC2010reg/][27]

fjh: our home page is our roadmap, do we need another document?

TPAC registration fee increases on 22 October

DST difference to consider if dialing in to TPAC - [http://lists.w3.org/Archives/Member/member-device-apis/2010Oct/0002.html][28]

(we have 32 registered participants for the F2F, not too bad)

[TPAC 10 agenda scratchpad][29]

fjh: registration for TPAC closes soon

File API updates [http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0027.html][30]

fjh: if you are dialing in you must be careful about timezones, daylight savings, etc.
... update of file permissions spec

### Minutes approval

Approve 6 October minutes [http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/att-0014/minutes-2010-10-06.html][31]

proposed RESOLUTION: Minutes from 6 October 2010 approved

**RESOLUTION: Minutes from 6 October 2010 approved**

### Permissions spec

I'm here

parameterization, [http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0034.html][32]

fjh: niklas sent a message re granularity

(the permissions may need to be parametrized per recipient/sender)

niklas: problem is not what you mentioned
... problem is that widget will be notified for every message on system
... need to be clear on what kinds of messages the widget can see

dom: one way would be to parameterize the permissions, or have the API be minimized so you can only use it for a well defined set of recipients

issue is limiting permission on api to only allow messages to/from given address etc.

also separate different types of messaging

dom: messaging API should give access only to well defined set of recipients

ACTION-132?

ACTION-132 -- Max Froumentin to look at messaging subscribe with filtering and events -- due 2010-03-25 -- OPEN

[http://www.w3.org/2009/dap/track/actions/132][33]

see also [http://lists.w3.org/Archives/Public/public-device-apis/2010Mar/att-0180/minutes-2010-03-18.html#item01][34]

nwidell: want to have permission up front
... when get it otherwise?

fjh: how would I assign permissions
...
I might want to receive from someone I did not anticipate

dom: it is about the application, not the user
... I agree that we need to decide on defining up front or not
... we need use cases for messaging where we can define a proper security model

+1 to knowing what it is we want to do with messaging in the first place

fjh, you wanted to ask about use case

Mozilla released their Open Web Apps platform I think yesterday, they're eyeing at "Permissions for Device API Access" spec and might have good feedback based on impl experiences: [https://apps.mozillalabs.com/web_or_native.html][35]

AnssiK: openwebapps platform is attacking similar problems
... they are stating that they are looking into permissions for device API
... who would be a good mozilla contact
... we should get feedback from people implementing stuff

(I hadn't seen the ref to the permissions draft in [https://apps.mozillalabs.com/web_or_native.html][35] - cool!)

AnssiK: hanson from mozilla seems to be working on plug ins
... those guys seem to be following what we are doing
... I do not know the mozilla people personally

Mike Hanson

**ACTION:** contact mozilla for thoughts on messaging and permission spec [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action07][36]]

Sorry, couldn't find user - contact

**ACTION:** fjh contact mozilla for thoughts on messaging and permission spec [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action08][37]]

Created ACTION-290 - Contact mozilla for thoughts on messaging and permission spec [on Frederick Hirsch - due 2010-10-27].

(not sure we need to contact Mozilla on messaging; permissions sounds enough)

(agreed)

dom: asking re who is working on messaging spec

**ACTION:** Maria to work on security model for messaging [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action09][38]]

Created ACTION-291 - Work on security model for messaging [on Maria Angeles Oteo - due 2010-10-27].

(the Moz Open Web Apps experiment at GitHub: [http://github.com/mozilla/openwebapps][39])

### Privacy

ACTION-210?

ACTION-210 -- Alissa Cooper to summarize and add issues to ruleset doc -- due 2010-07-21 -- OPEN

[http://www.w3.org/2009/dap/track/actions/210][40]

fjh: Alissa added issues to ruleset document

darobin: do we discuss publishing at f2f

dom: we want to have idea of how to address issues raised at f2f
... some of the issues are fundamental
... before issuing document we need to understand that some issues are not addressable
... we need to get an idea of what issues we would not be able to address

dom: starting a FPWD suggests we know what we are doing ...
...

fjh: all, please look at issues listed in Rulesets document
... before the f2f

**ACTION:** fjh to review ruleset issues [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action10][41]]

Created ACTION-292 - Review ruleset issues [on Frederick Hirsch - due 2010-10-27].

### Contacts

fjh: clickjacking

Clickjacking threat and countermeasures [http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0017.html][42]

darobin: it is not clear that clickjacking is something we need to solve at API level

[http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0018.html][43]

darobin: or something that needs to be solved more generally

[CSP][44]

darobin: this might provide a path toward solution
... but I'm not a security expert

+1 agree with Robin but not too sure on the CSP connection :/

dom: CSP may help solve some of problem but cannot

dom: CSP is server side, so not enough for client-side API

dom: use is as a security argument in API

darobin: solutions will come from broader options

+1 to not doing anything new

AnssiK: we should not do anything that has not been done before
... let's not open can of worms
... so let's use, for example, fileinput, rather than obscure way for user input
...
if we use general mechanisms that have been tested, we are safer

darobin: agree not to invent new input methods

richt: looked only briefly at it
... idea is to go straight to trusted events
... talks about synthesized events and how they can be mitigated
... but I still need to put some language into the contact spec

[http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0021.html][45]

[https://developer.mozilla.org/en/Using_files_from_web_applications#Using_hidden_file_input_elements_using_the_click%28%29_method][46]

AnssiK: robin's e-mail raises issue - Anssi could not find it in spec

darobin: look at link
... if they make this possible, it may suggest that the security issue has been solved

that is an important point Robin. Thanks for the link.

richt: this is helpful input
... this reinforces our approach to this

darobin: this helps decide the issue

richt: a synthesized event is possible
... I will put some of this into document by TPAC

darobin: now to phonegap implementation
... good that they have implemented, but not sure we need to discuss more now

richt: good we have phonegap reinforcing what we are doing
... good that UI is nonnormative

AnssiK: android is having hard time including all elements ?

richt: we should clarify spec re whether all fields included

darobin: phonegap is implementing read and write?

richt: yes, both

darobin: read only is one way to avoid quirks

[quirks in Contacts][47]

darobin: worth looking at quirks in Android implementation
... many of them are "not supported" and "will return null"

"In order to save the Contact object on the device call the save method on the Contact object." [save support][48]

### Capture

ACTION-251?

ACTION-251 -- John Morris to review privacy text related to ISSUE-78 for capture -- due 2010-10-20 -- OPEN

[http://www.w3.org/2009/dap/track/actions/251][49]

### Gallery

ACTION-216?

ACTION-216 -- WonSuk Lee to reformulate gallery API to look like contacts API -- due 2010-07-21 -- OPEN

[http://www.w3.org/2009/dap/track/actions/216][50]

jmorris: re Capture - I will turn to action 251

(I think starting with readonly for gallery makes plenty of sense)

Anssi: we can look to reuse contacts approach
... we can make major changes to gallery
... let's proceed with contacts design model

darobin: do we need to wait another week?

PROPOSED RESOLUTION: move forward with read-only gallery

AnssiK: could we just copy the contacts scheme, with media parts
... we can move faster if we split into smaller parts

+1

RESOLUTION: move forward with read-only gallery

**RESOLUTION: move forward with read-only gallery**

### Calendar

No discussion as Suresh is not on the call.

### Sysinfo status

darobin: reviewing Sysinfo
... almost done, finding small nits
... anything else for call?

## Summary of Action Items

**[NEW]** **ACTION:** Anssi to introduce phonegap tests during F2F [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action04][24]]

**[NEW]** **ACTION:** contact mozilla for thoughts on messaging and permission spec [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action07][36]]

**[NEW]** **ACTION:** dom to check licensing issues on phonegap test suite [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action03][23]]

**[NEW]** **ACTION:** Dom to introduce testing@w3c during F2F [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action05][25]]

**[NEW]** **ACTION:** fjh contact mozilla for thoughts on messaging and permission spec [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action08][37]]

**[NEW]** **ACTION:** fjh to ping web notification group [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action02][18]]

**[NEW]** **ACTION:** fjh to review ruleset issues [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action10][41]]

**[NEW]** **ACTION:** Maria to work on security model for messaging [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action09][38]]

**[NEW]** **ACTION:** Robin to create Wiki page for f2f agenda [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action06][26]]

**[NEW]** **ACTION:** Robin to ping HTML chairs, Notifications chair to see about potential joint meetings [recorded in [http://www.w3.org/2010/10/20-dap-minutes.html#action01][17]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][51] version 1.135 ([CVS log][52]) $Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0043.html
[4]: http://www.w3.org/2010/10/20-dap-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #ActionSummary
[16]: http://www.w3.org/2010/11/TPAC/#GroupSchedule
[17]: http://www.w3.org/2010/10/20-dap-minutes.html#action01
[18]: http://www.w3.org/2010/10/20-dap-minutes.html#action02
[19]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0031.html
[20]: http://www.w3.org/Consortium/Legal/2008/04-testsuite-license.html
[21]: http://www.w3.org/Consortium/Legal/2008/04-testsuite-copyright.html
[22]: http://www.w3.org/TR/test-methodology/
[23]: http://www.w3.org/2010/10/20-dap-minutes.html#action03
[24]: http://www.w3.org/2010/10/20-dap-minutes.html#action04
[25]: http://www.w3.org/2010/10/20-dap-minutes.html#action05
[26]: http://www.w3.org/2010/10/20-dap-minutes.html#action06
[27]: http://www.w3.org/2002/09/wbs/35125/TPAC2010reg/
[28]: http://lists.w3.org/Archives/Member/member-device-apis/2010Oct/0002.html
[29]: http://www.w3.org/2009/dap/wiki/TPAC10Agenda
[30]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0027.html
[31]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/att-0014/minutes-2010-10-06.html
[32]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0034.html
[33]: http://www.w3.org/2009/dap/track/actions/132
[34]: http://lists.w3.org/Archives/Public/public-device-apis/2010Mar/att-0180/minutes-2010-03-18.html#item01
[35]: https://apps.mozillalabs.com/web_or_native.html
[36]: http://www.w3.org/2010/10/20-dap-minutes.html#action07
[37]: http://www.w3.org/2010/10/20-dap-minutes.html#action08
[38]: http://www.w3.org/2010/10/20-dap-minutes.html#action09
[39]: http://github.com/mozilla/openwebapps
[40]: http://www.w3.org/2009/dap/track/actions/210
[41]: http://www.w3.org/2010/10/20-dap-minutes.html#action10
[42]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0017.html
[43]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0018.html
[44]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0025.html
[45]: http://lists.w3.org/Archives/Public/public-device-apis/2010Oct/0021.html
[46]: https://developer.mozilla.org/en/Using_files_from_web_applications#Using_hidden_file_input_elements_using_the_click%28%29_method
[47]: http://www.w3.org/mid/23694B98-A35D-4572-8C2A-FA5E00D708D7@nokia.com
[48]: http://www.w3.org/mid/AANLkTimTRDn=8eXwyY=HFqBSNbYFM4xfeBTU+h3M7PCo@mail.gmail.com
[49]: http://www.w3.org/2009/dap/track/actions/251
[50]: http://www.w3.org/2009/dap/track/actions/216
[51]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[52]: http://dev.w3.org/cvsweb/2002/scribe/