binding and access control

One of the new work items is for a framework for using markup or 
scripting to bind to local or remote resources such as the camera 
built into a phone, the geographic location, or real world sensors 
and effectors such as lighting and heating controls.

The basic idea is to either name the resource or to provide a 
description of it, and to then ask a binding service to make it 
available to the web application as an object that acts as a local 
proxy for the resource. The web app can then set event listeners on 
the object or target events at it, without needing to know about how 
the resource is implemented and even whether it is local or remote. 
The resource binding service needs to determine if the application 
is permitted to access the resource.

The binding service can be implemented as an extension to the 
browser. One possibility is for this to pop up a dialog box to ask 
the user if it is okay to grant access or not. The problem is that 
the user may not be in a good position to provide a reasoned 
decision. The user is also focusing on the task in hand, and the 
security dialog is likely to be perceived as getting in the way of 
completing that task.

In many cases there will be people with much better knowledge of 
whether a given website can be considered to be trustworthy or not. 
It therefore makes sense to delegate the access control decision to 
such experts. This is where network operators could find themselves 
a new role for providing trust management services.

Essentially, the access control decision would in many cases be 
handled silently and the end-user would only be bothered if the 
trust management system (TMS) considers granting access to be a bad 
idea. Users would be able to override the TMS at their own risk.

The TMS can be combined with a resource discovery service. This 
could exploit the power of the Semantic Web as a means to represent 
both resource descriptions and access control policies, along with 
associated trust, identity, privacy and security considerations.

To allow for offline access control decisions, and to reduce the 
demands on the network, the TMS could download policies to the 
device. RDF triples are relatively lightweight (e.g. compared to an 
XML DOM), but in principle, the TMS could provide compiled versions 
of access control policies that are particularly suited to resource 
constrained embedded environments. A simple example is where 
selected previous decisions are recorded in a secure area of the 
device's persistent memory subsystem (e.g. a flash based filestore).

A fixed dialog box for access control decisions offers very limited 
usability. Much greater flexibility can be achieved by having the 
TMS provide such dialogs as conventional web pages composed from 
XHTML, SVG, CSS, images, etc. Such dialogs could be executed in a 
more narrowly defined security context than normal.

As an example, when the original web page wants to bind to a 
resource (e.g. the device's location) the browser executes a local 
policy that delegates the decision to a possibly remote TMS. An 
encrypted HTTP request (HTTPS) to the TMS could return a positive 
decision to grant access, or it could return a web page for use as 
an access control dialog. When the user activates the form's submit 
button, the data collected by the form is passed to the TMS, and the 
appropriate decision returned as a result.
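The delegation flow just described, together with the locally cached previous decisions mentioned earlier, as an added worked example (not code from the W3C work item or from the author): the TMS, its policy table, the dialog form and the user prompt are all hypothetical stand-ins for the HTTPS exchange.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

GRANT, DENY, ASK = "grant", "deny", "ask"

@dataclass
class TmsResponse:
    decision: str                 # GRANT, DENY, or ASK
    dialog: Optional[str] = None  # TMS-supplied dialog page, present when ASK

# Constructed sample policy standing in for a remote TMS reached over HTTPS.
SAMPLE_POLICY = {
    ("https://maps.example", "geolocation"): GRANT,
    ("https://shady.example", "camera"): DENY,
}

def sample_tms(origin: str, resource: str) -> TmsResponse:
    """Hypothetical TMS: known sites get a silent verdict, unknown ones a dialog."""
    verdict = SAMPLE_POLICY.get((origin, resource))
    if verdict is None:
        return TmsResponse(ASK, dialog=f"<form>Allow {origin} to use {resource}?</form>")
    return TmsResponse(verdict)

def sample_tms_submit(origin: str, resource: str, form_data: Dict[str, str]) -> str:
    """Second leg of the exchange: the dialog's form data goes back to the TMS."""
    return GRANT if form_data.get("allow") == "yes" else DENY

def bind_resource(origin: str, resource: str, cache: Dict[Tuple[str, str], str],
                  tms: Callable, tms_submit: Callable,
                  show_dialog: Callable[[str], Dict[str, str]],
                  warn_user: Callable[[str, str], bool]) -> Tuple[str, str]:
    """Decide whether a page may bind a resource; returns (decision, how)."""
    key = (origin, resource)
    if key in cache:                    # offline decision from the secure local store
        return cache[key], "cache"
    resp = tms(origin, resource)
    if resp.decision == GRANT:          # silent grant, user is not interrupted
        cache[key] = GRANT
        return GRANT, "tms"
    if resp.decision == ASK:            # TMS returned a dialog page for the user
        decision = tms_submit(origin, resource, show_dialog(resp.dialog))
        cache[key] = decision
        return decision, "dialog"
    # TMS considers granting a bad idea: the only case where the user is bothered
    if warn_user(origin, resource):     # override at the user's own risk
        return GRANT, "user-override"   # deliberately not cached: per request only
    cache[key] = DENY
    return DENY, "tms"
```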

This approach opens the way to a much richer approach to access 
control where users can indicate their preferences for trust and 
privacy guided by the TMS. It would even be possible to exploit 
community notions of which sites can be trusted for what purposes, 
where many people contribute to a ranking of each site, in a way 
that is robust against attempts by spammers to undermine the trust 
system for their own purposes.

In case you are wondering, the interface exposed to web applications 
for binding is independent of the advanced trust management system 
concept outlined above, and can be advanced separately along the W3C 
Recommendation track. Effective security and usability are natural 
partners and we can look forward to work on realizing the necessary 
standards.

  Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett

Received on Friday, 22 June 2007 18:02:08 UTC