Re: [Execution and Security Model] Proposal from Samsung Electronics

On Mon, Feb 25, 2013 at 9:18 AM, Mounir Lamouri <mounir@lamouri.fr> wrote:
> On 21/02/13 11:00, Janusz Majnert wrote:
>> Another issue I wanted to bring up here is the number of "trust levels"
>> in the specification. Do you think 2 is enough?
>> With 2 levels, we would have to put all security and privacy sensitive
>> APIs in the second (trusted) level. It's an all-or-nothing situation.
>
> It could indeed easily be an "all or nothing" situation but I believe we
> can make that not happen. We need, for each API, to try to make it
> available to all applications by default and, if we really can't, move
> to privileged applications. Having an ecosystem where you need to be
> privileged to access most APIs is going to fail so we should make sure
> that any restriction has strong reasons to exist.

Unless this group is hugely productive, I don't think there is any
risk that we'll end up with an ecosystem where most APIs are only
available to privileged applications.

The ecosystem that we are using is the web, and it has a huge API
surface which there's no reason not to make available to all
applications, including privileged ones.

> For example, I think the equivalent of Raw Socket API is currently
> restricted to privileged (or certified?) applications in Firefox OS but
> the only harm that I can think of is listening to some ports (that would
> allow an application to sniff your un-encrypted emails and browsing). To
> fix that, a solution would be to forbid connections on some ports or
> have specific permissions for them. I am not sure why such a solution
> wouldn't work for all applications (non-privileged included).

No, the TCPSocket API also lets an app do port scanning and download
data from behind firewalls. It essentially disables any firewall
behind which the app runs.

>> Wouldn't it be better to separate this level into two and allow
>> implementations to configure how the APIs are distributed among them?
>
> I think that would be worse than an "all or nothing" situation because
> some runtimes will allow Foo API to be used by any installed application
> and some runtimes will not, and in the end APP A that uses Foo API will
> only be usable on the runtimes allowing it to run without being privileged.

Agreed! For each API we need to define exactly which environments it
is available in and exactly how the API behaves in those environments.

/ Jonas

Received on Tuesday, 26 February 2013 22:31:50 UTC