RE: Proposal for an Application Management API

Hi Marcos,

We often come back to this issue :-)

I really like the idea of having only one type of web application and web execution environment and having all APIs available to all developers. However, I don't think it is realistic to assume that all APIs are available to all web developers. How are you seeing other SysApps APIs, for example the Telephony API? Access to certain APIs has to be limited to apps that are by some methods considered to be trusted. This trust may not have to be achieved through a specific web execution environment if we can find a way, within "the normal browser" to use existing security mechanisms such as TLS and CSP to prevent misuse of sensitive APIs. 

So we need a concept of trusted web applications and I like the idea of hosted, not packaged, trusted web apps.

Which is your view on the security issues with providing sensitive APIs such as Telephony, TCP and UDP Sockets and Application Management?

BR
  Claes 



Claes Nilsson
Master Engineer - Web Research
Advanced Application Lab, Technology

Sony Mobile Communications
Tel: +46 70 55 66 878
claes1.nilsson@sonymobile.com

sonymobile.com



> -----Original Message-----
> From: Marcos Caceres [mailto:w3c@marcosc.com]
> Sent: den 19 mars 2014 19:03
> To: public-sysapps@w3.org; Nilsson, Claes1; Kostiainen, Anssi
> Cc: Sato, Naoyuki (TDG); Isberg, Anders; Igarashi, Tatsuya; Falk,
> Mattias; Jovanovic, Zoran
> Subject: RE: Proposal for an Application Management API
> 
> 
> 
> On March 18, 2014 at 12:26:59 PM, Nilsson, Claes1
> (claes1.nilsson@sonymobile.com) wrote:
> > > As I state below the API should only be exposed to content that
> > can be verified as trusted, which is similar as for the other APIs
> > specified by SysApps. If we can consider the traditional browser as
> > trusted if use the already available security mechanisms such as
> > transport layer security, CSP, and so on, is a bigger question that
> is
> > not unique for this SysApps API. However, I don't think the API can
> be
> > exposed to a traditional browser based on a "user consent” model for
> > allowing a web app access to the API.
> 
> 
> I still don’t think we should be standardizing such APIs, tbh - not
> unless they are accessible to all developers. Even if we were to
> standardize, there would be little value in that we are not going to be
> sharing home screen management applications across vendors. I again ask
> that we focus on standardization of APIs that directly benefit
> developers (i.e., ones that don’t require any centralized authorization
> to be used).
> 
> 
> --
> Marcos Caceres

Received on Wednesday, 19 March 2014 22:44:47 UTC