Security Review of Network Service Discovery

The Device APIs WG (DAP) is currently working on a specification called "Network Security Discovery"; working drafts have been published, and since the last publication we have incorporated use of CORS into the editor's draft. We anticipate publishing an updated WD in the next month unless there are reasons for delay (my preference is to publish WDs frequently as needed).

We are seeking security review both early in the process to help us work in the right direction as well as later once we are in LC. We are also requesting Privacy review from PING and have scheduled an overview session on the PING call 30 January, so you may wish to attend that for an overview [1].

This is a request for the Web Application Security WG Group to review this specification as appropriate, to make sure we aren't missing any good ideas or concerns. We've also shared this request with the Web Security Interest Group.

Editors draft: https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html

Issues: http://www.w3.org/2009/dap/track/products/31

Extract from non-normative introduction text:

[[


This specification defines the NavigatorNetworkService<https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html#navigatornetworkservice> interface to enable Web pages to connect and communicate with Local-networked Services provided over HTTP. This enables access to services and content provided by home network devices, including the discovery and playback of content available to those devices, both from services such as traditional broadcast media and internet based services as well as local services. Initial design goals and requirements provided by the W3C Web & TV interest group<http://www.w3.org/2011/webtv/> are documented in [hnreq<https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html#bib-hnreq>].

Using this API consists of requesting a well-known service type, known by developers and advertised by Local-networked Devices. User authorization, where the user connects the web page to discovered services, is expected before the web page is able to interact with any Local-networked Services.

A web page creates a request to obtain connectivity to services running in the network by specifying a well-known discovery service type that it wishes to interact with.

...

]]

Thanks

regards, Frederick

Frederick Hirsch, Nokia
Chair, W3C DAP Working Group

[1] http://lists.w3.org/Archives/Public/public-privacy/2014JanMar/0009.html

Received on Tuesday, 28 January 2014 19:29:16 UTC