Re: Security Use Cases - Very rough first draft

Hi Tzviya, understood, especially the need to conform to horizontal
dependencies. But to me it's a different story when said horizontal
dependencies aren't clearly defined, and I think the DPUB IG should
consider carefully if & when to take on the job of creating such
clarification for aspects that don't have, as you say,
"publication"-ness...  vs. for example making requests to e.g. Web Platform
WG.

Baldur's note has lots of good stuff in it but also (especially in the
Introduction) many minimally referenced statements about what the Web model
is in general... to me the issue is that some of the assertions are (while
perhaps reasonable and correct) not necessarily written down with formality
in any W3C specs. IMO they should be, but not necessarily by DPUB IG.

--Bill

On Fri, Aug 19, 2016 at 9:26 AM, Siegman, Tzviya - Hoboken <
tsiegman@wiley.com> wrote:

> Hi Bill,
>
>
>
> While it’s true that the details of security may not be resolved in a PWP
> specification, all W3C specs must conform to some horizontal dependencies.
> We’ve outlined this in one of the fundamental use cases [1]. Just as we’ve
> detailed the use cases for Accessibility, we asked Baldur to begin the
> discussion on use cases for Security. I believe the main issue is the
> “portability” not the “publication”-ness.
>
>
>
> We would be very happy to have contributions for i18n and privacy as well.
> We think we have covered device independence, but feel free to add use
> cases if we have not.
>
>
>
> Thanks,
>
> Tzviya
>
>
>
> [1] http://w3c.github.io/dpub-pwp-ucr/#the-publication-should-conform-to-all-the-requirements-of-horizontal-dependencies
>
>
>
> *Tzviya Siegman*
>
> Information Standards Lead
>
> Wiley
>
> 201-748-6884
>
> tsiegman@wiley.com
>
>
>
> *From:* Bill McCoy [mailto:whmccoy@gmail.com]
> *Sent:* Friday, August 19, 2016 12:14 PM
> *To:* Baldur Bjarnason
> *Cc:* DPUB mailing list (public-digipub-ig@w3.org)
> *Subject:* Re: Security Use Cases - Very rough first draft
>
>
>
> Most if not all of these requirements do not seem to be specific to "Web
> Publications" as the term is defined by DPUB IG.
>
>
>
> It is of course true that publications must not compromise the basic
> security model of the Web.
>
>
> Unfortunately, the definition of that general security model and the
> associated runtime life cycle isn't entirely clear, especially when it
> comes to content and applications stored on / executing from local
> systems.  And I'm not sure it's the job of DPUB IG to attempt to define
> with precision that general model. Or, if we do take on the job of fully
> defining that security model, we should realize we aren't doing it just for
> "Publications" but really for Web content in general.
>
>
>
> https://www.w3.org/TR/runtime/ is for example recent work in this area
> started by the now defunct System Applications WG. Some of this seems very
> applicable to Web Publications. That it's unfinished orphaned work is
> perhaps a warning sign that it may not be an easy job to take on but
> perhaps someone could adopt it (which may be preferable to starting over).
> Whether that's DPUB IG or a successor vs. say the Web Platform WG is
> another question... and I guess to me this is all logically part of the Web
> Platform itself.
>
>
>
> EPUB specifications to date have clearly punted on this but one reason was
> that we were hoping that work on Web Applications at W3C would be paving
> the way in terms of more rigorously defining the Web security model
> especially for offline/local content.
>
>
>
> --Bill
>
>
>
>
>
> On Fri, Aug 19, 2016 at 5:34 AM, Baldur Bjarnason <baldur@rebus.foundation>
> wrote:
>
> Security Use Cases - Very rough first draft
>
> Here it is on Google Docs:
>
> https://docs.google.com/document/d/1i8vm8cg5iqxWgpPFRR3Qae5loj-DWcrsbBUIf2IeGaU/edit?usp=sharing
>
> Let me know if you can’t access it and I’ll find another way to share it
> with the list or fiddle with the sharing settings on the document itself.
>
> It’s a very rough draft, half-baked, doesn’t conform to spec style or
> structure etc. etc.
>
> All of the links included are there more as informative references for
> context and will have to be turned into proper spec references or removed
> in a later draft.
>
> If the scenarios seem paranoid downers then bear in mind that my biggest
> worry while writing it is that I might not be paranoid enough.
>
> - best
> - Baldur Bjarnason
>   baldur@rebus.foundation
>
>
>
>
>
>



-- 

Bill McCoy
Executive Director
International Digital Publishing Forum (IDPF)
email: bmccoy@idpf.org
mobile: +1 206 353 0233

Received on Friday, 19 August 2016 16:41:24 UTC