Re: Reminder - trust & permissions meeting 3-4 September, Paris from Marcos Caceres on 2014-08-09 (public-sysapps@w3.org from August 2014)

From: Marcos Caceres <w3c@marcosc.com>
Date: Sat, 9 Aug 2014 15:15:59 -0400
To: Kostiainen, Anssi <anssi.kostiainen@intel.com>
Cc: Dave Raggett <dsr@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>
Message-ID: <51E73E4AEA35446BAC5B60FA8EE1A992@marcosc.com>

On Wednesday, August 6, 2014 at 10:20 AM, Kostiainen, Anssi wrote:

>  
> Or perhaps the most prominent projects from this section (PhoneGap ...) could be even integrated into the next section. Some of the material in this section could be also moved to an Appendix section.

It's just going to be "defer to the underlying OS". PhoneGap, or anything that sits on top of an OS, can't bypass the security and prompt of the underlying OS - and it wouldn't make any sense for PhoneGap to add its own (as that would break platform conventions and backwards/future compat).  A bad implementation would just ask for all permissions for all the things up front - but that wouldn't make any sense.  
  
> * Web-based Platforms
>  
> I’d look into Chrome Apps as well in this section, unless it is considered too similar to Firefox OS so that there’s no new information re permissions and trust problem space. I recall seeing articles on porting from one to another, suggesting that’s rather trivial for *trivial* apps. I guess when we get to nasty edge cases and more complex apps, the portability between the two becomes a real issue, as usual.
:)
  
>  
> I’d also consider dropping WAC 2.0 for the reasons Marcos mentioned unless new information re user consent resurfaces. My recollection is the system was basically Widgets + XML DigSig + WAC APIs with modal session prompts unless the widget was signed.


Exactly. Plus it was vaporware and never went to market.  

> Re Cloudberry, the relevant tidbit is (from the article): "permission-based security model that restricts the use of device-specific functionality (such as device APIs) to only those applications from trusted domains”. AFAIK there very little publicly available information on the project, so the usefulness of this project in the context of this white paper is questionable given very limited public data.
  
agree
> * Future Directions
>  
> I think the "Permissions UI & Necessary API” [3] thread had some input and ideas to add to the observations (or, perhaps you already combed through the thread?).
>  
> Another recent thread that may have input to this paper is "Proposal: Prefer secure origins for powerful new web platform features” [4].
>  
> Generally I feel that as long as we’re involving the user in the process -- and I think we should — input from UI/UX and usability experts would be very welcome too re these problems. Sometimes conducting user studies with mockups and prototypes is very helpful.
>  

Agree. However, that's hard to do unless we involve the right set of people (which I don't believe are in this WG - though a handful may be attracted to the workshop).

Received on Saturday, 9 August 2014 19:16:28 UTC