W3C home > Mailing lists > Public > www-tag@w3.org > June 2009

Re: geolocation update

From: Mark S. Miller <erights@google.com>
Date: Sat, 13 Jun 2009 14:27:21 -0700
Message-ID: <4d2fac900906131427i72e0d2ebgd22fcd8ce1f97fc5@mail.gmail.com>
To: Thomas Roessler <tlr@w3.org>
Cc: www-tag@w3.org, Matt Womer <mdw@w3.org>, Rigo Wenning <rigo@w3.org>
Bad choice of phrase. I apologize. Too fast on the send button. Please allow
me to substitute "worst ideas".

On Sat, Jun 13, 2009 at 2:21 PM, Mark S. Miller <erights@google.com> wrote:

> This looks like it means well and much of it seems good. But "The user
> interface must include the URI of the document origin ..." is one of the
> stupidest ideas I've heard in a long time. As <
> http://www.skyhunter.com/marcs/petnames/IntroPetNames.html> explains, this
> is a string chosen by the attacker. Location phishing anyone?
>
>
>
> On Sat, Jun 13, 2009 at 2:29 AM, Thomas Roessler <tlr@w3.org> wrote:
>
>> Copying Matt Womer, who serves as Team Contact on the geolocation WG.
>>  http://www.w3.org/2008/geolocation/
>>
>> The TAG had asked for a quick update on the geolocation situation.
>>
>>
>> 1. There was a liaison statement from the IETF concerning priacy and
>> security concerns with the geolocation specification.  Part of these
>> concerns was the lack of integration of the IETF's geopriv specification.
>>
>>
>> 2. The geopriv specification is mostly motivated by emergency calling use
>> cases:  E.g., a DHCP server on a local network indicates where that network
>> is physically located, a VOIP device picks up on the location data, and
>> might then include the location information as metadata as calls are made.
>>  The geopriv specification enables the DHCP server to add basic policy
>> information to the location data, in particular whether the location
>> information can be forwarded to third parties, and how long it might be
>> stored.
>>
>> You'll notice that the use case is conspicuously different from the
>> geolocation API's:  The API is designed to sit right on a trust boundary,
>> between the user controlled piece of a browser, and the web application that
>> wants to consume the location data.  Therefore, the Working group chose to
>> build its security considerations on user authorization:
>>
>>  User Agents must not send location information to Web sites without the
>>> express permission of the user. User Agents must acquire permission through
>>> a user interface, unless they have prearranged trust relationships with
>>> users, as described below. The user interface must include the URI of the
>>> document origin [DOCUMENTORIGIN]. Those permissions that are acquired
>>> through the user interface and that are preserved beyond the current
>>> browsing session (i.e. beyond the time when the browsing context
>>> [BROWSINGCONTEXT] is navigated to another URL) must be revocable and User
>>> Agents must respect revoked permissions.
>>>
>>
>>
>> There are additional explicit considerations for the recipients of
>> location information, which ask for further user consent whenever data are
>> passed on.
>>
>> In December 2008, the Working Group considered a closer coupling to the
>> geopriv WG's design, and rejected it, on the basis that it would require
>> user agent implementers to include policy authoring UI (which is known to be
>> a chronically difficult problem in user facing situations), in a situation
>> in which the Web application in question can actually ask for user consent
>> easily and directly (it's a web application, after all!).  Input from the
>> geopriv WG was further considered at the W3C device API workshop (also in
>> December 2008, actually held in the same room as the WG meeting, just a day
>> later).  Among those in the room, there seemed to be relatively little
>> interest in picking up on the geopriv WG's design for the purposes of this
>> API.
>>
>> There were numerous other times the proposals were considered as well,
>> both off and on-list; most recently last week.
>>
>>
>> 3. Over the last month or so, some in the Team (largely Matt, Rigo and I)
>> have reached out to various participants in the IETF, and discussed the
>> difference in scenario between the geopriv WG's use cases and the use cases
>> that are in scope for the geolocation WG.  Additionally, the WG has sent a
>> formal answer to the liaison note, explaining some of the steps above, and
>> noting that the WG has decided to not build its specification on the product
>> of the geopriv Working Group.
>>
>> We've also advocated for more extensive security and privacy
>> considerations, to cover some situations in which the current specification
>> material might lead to insufficient protection (based, e.g., upon user
>> error).  The Working Group is apparently going to include some of that
>> material in the specification.  We specifically haven't pushed for any
>> changes to the API signatures.
>>
>> The remaining contention is whether to call out relatively specific
>> mitigation patterns in the specification; the WG seems disinclined.
>>
>>
>> At this point, I suspect that the place where related architectural issues
>> will come up is going to be the device API Working Group.  Issues are likely
>> to include what shape and form a policy expression language should take, and
>> what deviations from the existing browser security model are acceptable (a
>> proposal that might help to mitigate some threat scenarios is to only permit
>> "dangerous" APIs from top-level frames)
>>
>> Hope this helps,
>> --
>> Thomas Roessler, W3C  <tlr@w3.org>
>>
>>
>>
>
>
> --
>    Cheers,
>    --MarkM
>



-- 
   Cheers,
   --MarkM
Received on Saturday, 13 June 2009 21:28:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:14 GMT