Re: DAP rechartering discussion

Hi Ingmar,

On Mar 11, 2011, at 14:44 , <Ingmar.Kliche@telekom.de> wrote:
> Chapter 1 "Goals" explicitly mentions security and privacy and proposes
> "... reusing existing browser-based security metaphors where they apply
> and looking into innovative security and privacy mechanisms where they
> don't."
> 
> On the other hand section 2.2. "Out of scope" explicitly excludes
> further thinking about a policy framework. This limits the possibilities
> of "innovative security and privacy mechanisms", since one potential
> solution is precluded beforehand. We know about the discussions in the
> past, but we think it should be left up to the discussions during the
> charter period if a policy framework is the right way to go or not.

The problem here is that the only evidence of support for policy over the past two years has been in the mobile industry. This seems to point towards a mobile-specific standard, in which case DAP is not the right place to build it.

The possibilities for "innovative security mechanisms" will naturally be limited. We can't have a huge wildcard in our charter that essentially says "the group will do whatever it can think of here", we need to at least provide some rough outlines for what our deliverables will be.

There are essentially two things that we can do with respect to "innovative security mechanisms": 1) define API-specific mechanisms (we need to do this anyway to stick to our principle that our APIs are safe in a browser) and 2) list specific deliverables for security technology (e.g. XSS mitigation, Web Introducer, etc.).

> Furthermore the scope of the work explicitly mentions different types of
> devices ("Devices in this context include desktop computers, laptop
> computers, mobile Internet devices (MIDs), cellular phones."). Therefore
> we think it would be appropriate to add another success criterion which
> requires implementations for different device types before going to W3C
> Rec (especially mobile and desktop devices) to make sure that the APIs
> are implementable in the different environments which are explicitly in
> scope of DAP. 

Well, the whole Web is in the scope for DAP. But I certainly support the idea that we should ship a specification if it's not implemented in a real-world product intended to ship (i.e. not a research prototype) on at least computers and a (relatively) constrained device.

-- 
Robin Berjon - http://berjon.com/

Received on Friday, 11 March 2011 17:16:20 UTC