Re: Widget Requirements

On 02/02/07, Marcos Caceres <m.caceres@qut.edu.au> wrote:
> I agree; the security API requirements are still fairly underspecified and
> maybe it should be a MUST that all widgets include a manifest (R11). My
> feeling is that we need to make a whole new requirements section just
> devoted to the security context at large (including APIs).

That would be great.

> Is this kinda what you mean by "fully addressing"? Or are you also saying
> that it would be required that some kind of user intreface alert is
> presented to the user? Should this be part of the requirement's document or
> part of the Widgets 1.0 spec itself?

I don't think it would be useful to specify specific UI's or anything,
implementors are best placed to know the best way to handle it for
their situation.  What I would like to be able to see is something
that says provided APIs should be at more than just FULL TRUST, so I
could have a widget on my phone that was allowed to make a web
request, but not one that was allowed to make a phone call.

I'm afraid I have nothing to help you though.

> Nevertheless, I don't agree that widget
> should be able to change the update IRI as I see that as a security issue

I didn't say I agreed with it either, I just thought it was slightly
pre-judging the future for a requirements doc.  I'm happy either way
though.

Cheers,

Jim.

Received on Friday, 2 February 2007 08:29:26 UTC