RE: Thoughts on trust ownership...

This was a key consideration in the design of XKMS. Managing trust relationships on every desktop in a company through tools that allow configuration files to be synced onto each machine makes much less sense than a centrally managed service distributing trustworthy assertions.
 
The security model of widgets 1.0 looks underspecified to me. In particular 10.168.0.1 in my network is a NAT device that can provide unrestricted access to the Internet. I have a password on my device. Most people do not. A malicious widget can easily reconfigure the routing on the box or alternatively read the configuration and work out that there are machines which can be used to proxy.
 
 
I would strongly suggest that as a minimum the specification include the ability to sign a widget by including an XML signature over the manifest of the widget components. 
 
This then needs to be tied to an installation model that ensures that the widget signature remains verifiable after installation. 
 
 
The draft hints at defining the allowable interactions here, the ports that may be accessed by the widget. My concern here is that this is essentially a line of attack that I and others have been proposing for some time in the context of deperimeterization. It is good stuff but the potential effort is significant and probably an entirely separate specification and WG.
 
What is required there is a declaration of the set of resources that the widget MAY need access to and the associated privileges (Read/Write/Resolve...) and the widgets infrastructure will need to enforce those restrictions.
 
It's good stuff but the spec needs to anticipate a much wider scope than just Web Applications.
 


________________________________

	From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Brad Porter
	Sent: Monday, November 20, 2006 3:32 PM
	To: W3C Security (Public)
	Subject: Thoughts on trust ownership...
	
	
	I was considering the unique security challenges of the Widgets 1.0 Working Draft <http://www.w3.org/TR/2006/WD-widgets-20061109/>  (chromeless windows that want all the capabilities of the web plus more.)  I began to wonder if we should be looking to enable the IT administrator as much or more than the individual.
	
	As an IT administrator, you're forced to deal with users who place different values on personal and information security, who have different mental models for who they trust, and generally have less to lose personally than the corporation as a whole.  Consequently, as much as the responsibility for maintaining the information security policy belongs to each individual at a company, in practice, doing that consistently requires some central enforcement.  
	
	Would we consider it in-scope or out-of-scope to deal with centrally managing access and policy along side with (or in place of) making it easier for the individual user to manage his/her security and privacy?
	
	--Brad
	

Received on Monday, 20 November 2006 21:04:49 UTC
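The installation model sketched in the reply above (a signature over a manifest of the widget's components that stays verifiable after installation, plus a declared set of resources and privileges that the widget infrastructure enforces) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the thread, the W3C Widgets draft, or any widget engine. It assumes a pinned publisher public key, uses Ed25519 over a sorted plain-text manifest in place of XML Signature (the structure is the same: the signature covers every component digest and every capability line), and the sample components and capability URLs are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Component is one file inside the widget package (name plus contents).
type Component struct {
	Name string
	Data []byte
}

// Capability is one resource the widget declares it MAY need, with the
// privilege it wants on it (Read, Write, Resolve, ...).
type Capability struct {
	Resource  string
	Privilege string
}

// Manifest is what gets signed: a digest per component plus the declared
// capabilities. Anything not listed is neither installed nor granted.
type Manifest struct {
	Digests      map[string]string // component name -> hex SHA-256
	Capabilities []Capability
}

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the widget author's step before signing.
func BuildManifest(comps []Component, caps []Capability) Manifest {
	m := Manifest{Digests: make(map[string]string), Capabilities: caps}
	for _, c := range comps {
		m.Digests[c.Name] = digest(c.Data)
	}
	return m
}

// Canonical is a deterministic serialization (sorted lines), so the signer
// and every later verifier hash exactly the same bytes.
func (m Manifest) Canonical() []byte {
	var lines []string
	for name, d := range m.Digests {
		lines = append(lines, "component "+name+" "+d)
	}
	for _, c := range m.Capabilities {
		lines = append(lines, "capability "+c.Resource+" "+c.Privilege)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// SignManifest: the publisher signs the whole canonical manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyInstalled is run at install time and again at every launch: it
// checks the signature under the pinned publisher key, then that each
// installed component still matches its signed digest, so a post-install
// edit is caught, not only a tampered download.
func VerifyInstalled(pub ed25519.PublicKey, m Manifest, sig []byte, installed []Component) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return errors.New("manifest signature does not verify")
	}
	if len(installed) != len(m.Digests) {
		return fmt.Errorf("manifest lists %d components, %d installed", len(m.Digests), len(installed))
	}
	for _, c := range installed {
		want, ok := m.Digests[c.Name]
		if !ok {
			return fmt.Errorf("component %q is not in the signed manifest", c.Name)
		}
		if digest(c.Data) != want {
			return fmt.Errorf("component %q modified since signing", c.Name)
		}
	}
	return nil
}

// Allowed is the enforcement hook the runtime consults before any resource
// access: only a (resource, privilege) pair in the signed manifest is
// granted; everything else is denied by default.
func (m Manifest) Allowed(resource, privilege string) bool {
	for _, c := range m.Capabilities {
		if c.Resource == resource && c.Privilege == privilege {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	comps := []Component{ // constructed sample widget
		{"config.xml", []byte("<widget id=\"example\"/>")},
		{"main.js", []byte("fetch('http://example.com/api')")},
	}
	m := BuildManifest(comps, []Capability{{"http://example.com/api", "Read"}})
	sig := SignManifest(priv, m)
	fmt.Println("install:", VerifyInstalled(pub, m, sig, comps))
	comps[1].Data = []byte("fetch('http://10.168.0.1/admin')") // post-install edit
	fmt.Println("relaunch:", VerifyInstalled(pub, m, sig, comps))
	fmt.Println("router write allowed:", m.Allowed("http://10.168.0.1/admin", "Write"))
}
```

Because the capability lines are inside the signed manifest, a widget cannot quietly widen its own privileges after the fact: adding a resource to the manifest without re-signing fails the signature check, and a component edited on disk after installation fails the digest check on the next launch. A central service distributing the pinned publisher keys, as the reply suggests for trust management generally, is then the only trust configuration each desktop needs.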