Discussing security model of sysapps

Dear all,

The sys app working group aims to define APIs accessible to trusted applications. Once upon a time, some discussions happened around a specification named runtime and security, which was drafting the execution environment, defining different application formats, and shaping a security model. The WG evolved and started to discuss other topics, develop new technologies, and reuse others defined in WebApps. We believe that it is time to take stock of what we have, and what may be missing in the current picture, based on living drafts and specifications.


- Today the group focuses on web apps that may be installed on a device, coming together with a manifest [1], enabling bookmarking with icon management, chrome, orientation.

- The URI of the web app is defined thanks to the app URI specification. This URI is generated by the execution environment at installation, and can be reset. This mechanism requires that any access to remote resources will be subject to CORS/CSP. It may happen that resource access could be even more restrictive thanks to the definition of a scope (which is basically an origin plus a path), which is currently discussed in Service Worker.

- Recently some opinions were expressed saying that Sys App was defining only APIs that would be available to any application, without a specific notion of being trusted. This means that the security model of the API will rely on permissions.

Here are questions on which I think the SysApp WG should reach consensus quickly, in order to make sure we discuss within a common framework:

- The packaging and the way web applications land in an environment are not discussed. Will the group address that?

- The permission mechanism is not integrated in the set of specifications related to sysapp or web apps. Furthermore the notion of permission, while being an interesting and important topic, is treated in an inconsistent way across W3C. You can have a look at the work done by Dominique [2] in the W3C Web Mobile IG. How will the working group progress on that topic?

- The notion of trusted application seemed to be challenged. Where does the WG want to go on that notion?

I'd appreciate it if the SysApp WG could discuss that during the next F2F meeting.

Regards,
Virginie
gemalto

[1] manifest github http://w3c.github.io/manifest/
[2] Dominique work on permission http://lists.w3.org/Archives/Public/public-web-mobile/2014Jan/0001.html



Received on Tuesday, 1 April 2014 10:34:31 UTC