RE: ENISA Smartphone security study

Hi Arthur, All,
Apologies - I should have explained a little more what we are looking for from the WG and you are right that some of the questions are out of scope - not answering all the questions is fine. In response to your mail:

1. I thought that some important aspects of Question 1 (the most extensive question) are relevant to the Webapps WG. In particular, how the web apps' access control mechanisms could be integrated with the device access control mechanisms when used on smartphones (and possibly process authentication and even key management). Are there any security issues in this integration? For example, are there any issues in integrating the CORS spec with the Android permissions model? How would widgets with device API access deal with access to resources which cost money, such as phone calls, and those which collect highly sensitive data, such as GPS, accelerometer, etc.?

2. The questionnaire is just a tool to gather input, which we will use to write up a report. This report and its drafts will be available for review and discussion by the groups who contributed to the questionnaire. We will also clarify responses directly with each contributor. This is what is meant by "study". As such the comments are not public, but all drafts will be available to members of the group. I am happy to add the Webapps group to our mailing list if you wish.

3. From the point of view of "official position" what I meant was that we would like to be able to list the Webapps WG as contributors or consulted in our final report. This is very important to the impact of the final report, which should take into account the views of as many stakeholders as possible (and be seen to do so). This does not mean that we will suggest that you endorse the document in its entirety and we can also negotiate other forms of attribution but our default attribution text would be something like this:

"List of contributors: This paper was produced by ENISA editors using input and comments from a group selected for their expertise in the subject area, including industry, academic and government experts. The views expressed in this publication are those of the editors, unless stated otherwise, and do not necessarily reflect the opinions of the participating experts."

Note that we already have contributions from many of the individual organisations which make up the group, so while it would be nice to have as many responses as possible, we would especially like to have a representation from the Webapps WG.

Regards,

Giles Hogben


Dr Giles Hogben
Network Security Policy Expert
European Network & Information Security Agency (ENISA)

> -----Original Message-----
> From: Arthur Barstow [mailto:art.barstow@nokia.com]
> Sent: 19 May 2010 20:23
> To: Giles Hogben
> Cc: public-webapps
> Subject: Re: ENISA Smartphone security study
> 
> Hi Giles,
> 
> The specifications in scope for the WebApplications WG are "platform"
> neutral and device independent. As such, I do not foresee the WG
> creating an "official" position on this "Smartphone questionnaire"
> since most of the questions are not in scope for WebApps.
> 
> I presume it would be OK for individuals and/or W3C Member companies to
> submit comments. Would you please confirm if that is acceptable or not?
> Also, please send us the Public URL where comments for this "study" are
> archived.
> 
> Regarding the list of questions, I (speaking as an individual) have the
> following comments:
> 
> * The following questions are generally out of scope for WebApps: #1,
> #4, #5, #6, #8, #9, #11.
> 
> * The Digital Signature for Widgets spec can be viewed as applicable
> for #2 and #3.
> 
> * Several of our specs (e.g. CORS, UMP, Widget Interface) include
> Security Considerations that are relevant for #7 (but specific
> "channels" are not in scope).
> 
> * The proposed Web Notifications will define an alerting mechanism that
> may be relevant to #10 (e.g. the spec defines generic alerting
> mechanisms).
> 
> For a list of WG's specifications in progress, please see the
> publication status tables at:
> 
>    http://www.w3.org/2008/webapps/wiki/PubStatus
> 
> -Regards, Art Barstow
> 
> 
> On 5/19/10 10:27 AM, ext Giles Hogben wrote:
> > Hi,
> > I am a security expert at ENISA (the European Network and Information
> > Security Agency). We are conducting a study on smartphone security and
> > would like to have input from the Web Apps WG via the attached
> > questionnaire, as well as reviewing of drafts of the study when it is
> > ready. The questionnaire also explains the goals of the project. Would
> > it be possible to have an official position from the WG?
> >
> > Some other points about the study are:
> >
> > - If necessary, we will hold a number of conference calls to clarify
> > specific issues.
> > - No information which regards sensitive corporate IP will be
> > expected or published.
> > - Contributor names/organisations will be used on the final report
> > only with consent.
> >
> > Thanks,
> >
> > Giles Hogben
> >
> >
> > Dr Giles Hogben
> > Network Security Policy Expert
> > European Network & Information Security Agency (ENISA)
> >
> >
> 

Received on Thursday, 20 May 2010 09:43:49 UTC