W3C home > Mailing lists > Public > public-geolocation@w3.org > June 2009

Re: Additional security and privacy considerations?

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 3 Jun 2009 14:52:31 +0200
To: Andrei Popescu <andreip@google.com>
Message-Id: <36308FE8-6CDA-4B14-9B19-82474C84DD51@w3.org>
Cc: Doug Turner <doug.turner@gmail.com>, Greg Bolsinga <bolsinga@apple.com>, Rigo Wenning <rigo@w3.org>, public-geolocation <public-geolocation@w3.org>
On 2 Jun 2009, at 23:35, Andrei Popescu wrote:

> I think we need to close this discussion. After discussing with Thomas
> offline, we have one wording proposal and one question for our group.

Indeed.  The plan is to have one last go-around on the open question,  
perhaps fine-tune the rest of the language, and then see where we are  
in terms of decision.

> Here is the wording proposal:

First of all, thanks a lot for your work on this.

> //-------------------------------------------------------
> //-------------------------------------------------------
>
> I think such wording captures well the privacy concerns that were
> raised by Thomas while clearly indicating that the defenses against
> potential problems are completely up to the implementations to
> consider. We also both think that listing these privacy concerns in
> the spec is a responsible thing for us to do.
>
> And here is the question:
>
> Should the wording also contain the following additional sentence:
>
> "Additional defense measures might include limiting the scope of
> authorizations in time by asking for re-authorization in certain time
> intervals."
>
> My personal opinion is that it should not. This sentence suggests a
> concrete solution direction to solve the above mentioned concerns. I
> think we should not add it to the spec because:
>

I disagree with your view on this one.

The point of limiting the scope of authorizations has come up in this  
discussion, and I haven't heard any reasoned technical argument why  
scoping (in principle) is a bad idea.  More importantly, I haven't  
heard any other (hopefully better!) solution approach that would be  
similarly likely to limit user exposure to errors.

I've heard push-back against specific implementation choices and their  
impact on users.  To address that push-back, I've suggested to move  
the limitation in time into an example, out of anything that resembles  
normative language.  The goal here is precisely *not* to prescribe  
implementation, but to get implementers started to think about  
limiting attack surface.  The goal is also to document that the group  
has had discussions.

That said, if there is a preference to extend that example by adding  
some of the considerations that come in as complicating factors, I  
think that would be fine.

> 1. Adding such concrete implementation recommendations, especially
> without any implementation experience or user studies to back them up,
> is dangerous. They are likely to get ignored by implementers who will
> do what they think best for their product, making the spec less
> credible. At the same time, people can wrongly accuse implementers of
> ignoring the spec, as Doug rightly pointed out.

For what it's worth, we're talking about an example in a non-normative  
considerations section, not about normative language.

> 2. I have concerns about this solution. There is no expiry interval
> magic constant that applies well to all Web applications, while the
> user experience of having to repeatedly and for no apparent reason
> grant permissions to the same origins is terrible.

See above; I'd be happy to add more detailed discussion.

(I acknowledge that a "whack a mole" user experience is indeed  
terrible and needs to be avoided; however, I'm confident that one  
could avoid this problem while following through on the example.)
Received on Wednesday, 3 June 2009 12:52:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 22 March 2012 18:13:44 GMT