Re: [web-nfc] Verify security model

Re @sicking 
> "So we should come up with an NFC format which explicitly is 
different enough from any tags that are in existence today, that it's 
very unlikely that any existing tags can be mistaken for WebNFC tags."

and @jyasskin 

> "Separately, I think that the id NDEF record is probably too limited
 to identify WebNFC devices. We probably want the device to be able to
 express a set of origins that are allowed to access it, rather than 
just a single origin, and IIUC the id record can't hold enough data to
 do that in general."

We cannot come up with NFC formats, we need to use the already 
standardized formats for now, but with web-specific content. The 
```id``` field of NDEF records can be used, and also we can use one or
 more special NDEF records in an NDEF message designed to carry 
web-specific [security] information, which makes the NDEF message 
web-specific, the cost being less available space for payload data in 
the tag. But this would allow reprogramming existing tags with 
web-specific content, and without the need to modify HW and middleware
 level NFC stacks. All this could be encapsulated in the API 
implementations, together with the actual security policies.

We need to study if and what mandatory security policies we need to 
build into the spec, and what policies can be chosen by the UA 
(assuming the mechanisms needed for these policies are supported and 
compatible with the spec).



-- 
GitHub Notif of comment by zolkis
See https://github.com/w3c/web-nfc/issues/2#issuecomment-79224977

Received on Friday, 13 March 2015 18:31:17 UTC