- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Fri, 21 Jun 2013 07:13:26 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Dave Raggett <dsr@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>
On 2013-06-21 01:22, Jonas Sicking wrote: > Given that we still haven't made much progress on the basis of all of > our specs, the runtime and security model, I think it's too early to > start looking at the phase 2 specs. If I restrict myself to the Security Element API: TrustedComputingGroup which I'm an invited expert member of haven't been able to get the web-interface-topic on the table in the 13 years they have been operating... Microsoft has introduced a proprietary VSC (Virtual Smart Card) scheme using TPM 2.0 in Windows 8 while Google is working on a new kind of smart card for U2F (Universal 2-Factor Authentication) in FIDO Alliance. Intel has launched something called IPT (Identity Protection Technology) which is another "candidate". Trustonic (ARM offspring) is presumably working on something similar under the wrappers. Regarding Jonas' reference to security model, the examples above use fundamentally different security models, ranging from signed code, user opt-ins, and SOP :-) That is, the subject is already toast from an SDO point-of-view unless rubber-stamping the existing Gemalto proposal is a viable option. I would consider a brief poll to see if the Security Element API should remain a chartered item. Anders > > We still don't have much of an understanding of what the security > model is. How trusted is the code that is accessing the APIs that > we're designing? When are there security dialogs presented to the > user? What checks did the store that the user got the app from do on > the code before publishing the app? Are we ok with apps fingerprinting > the user? Does the user have the ability to turn off certain > permissions from a given app? Is that considered part of the normal > flow of user behavior, or just the normal "the user can do whatever > the heck he wants with his useragent, but he shouldn't be surprised if > things break when he does freaky things"? > > / Jonas > > On Thu, Jun 20, 2013 at 6:29 PM, Dave Raggett <dsr@w3.org> wrote: >> We now have first public working drafts for all of the phase 1 work items >> with the exception of App URI, and the manifest extension spec. >> >> Several of the specs have been updated since the FPWD was published, and are >> candidates for updated public working drafts. Any suggestions for which ones >> are ready, or soon will be? >> >> I am also interested in a crisper understanding of where we are in respect >> to the manifest and App URI work items. We handed the JSON manifest format >> over to WebApps, with the understanding that we would develop an extension >> spec to cover the specific requirements for SysApps. WebApps have started >> discussion on the manifest format, along with the realization that it should >> be usable for ebooks as well as packaged apps. However, I am now quite sure >> where things stand with respect to the SysApps extension spec, and the >> SysApps AppURI spec. >> >> A further question is where are in respect to starting phase 2? Am I >> correct in assuming that we are already welcoming contributions on use cases >> and requirements? Are we expecting to see draft specifications in time for >> the Toronto face to face in late August? >> >> -- >> Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett >> > >
Received on Friday, 21 June 2013 05:14:03 UTC