RE: FW: ACTION-660: Input to BP2, on Security and Privacy

Sean,
The basic objective is to address security and privacy of personal
information clearly for developers and content providers. Since no other
activity outside the MWI is doing this, it falls to the MWI to address
this in the BP2 since it is of significance to mobile web applications
in particular based upon the reasons I provided. The fact that it has
broader significance as well (though perhaps not so pressing a
significance) is not a reason to avoid discussing it in this context.

On the delivery of personal information, the methods available to users
are not limited to headers. The XML/XHTML documents that user agents
post can carry any number of sensitive data items. DCCI in particular is
providing mechanisms for exposure of device characteristics and dynamic
info. The particular characteristics items are not defined or limited in
any way by DCCI, therefore basically any property awareness that can be
designed into a user agent and provided by the underlying platform can
be exchanged using it.

On MIDP, there is no presumption I believe that only native OS
user-agents are in scope. There are a few very well known and successful
browsers (both web and syndicated content) running under MIDP. The
issues there are just as significant as with native browser
implementations, and additional API's may be accessed by them.

Everything I have proposed is current technology; again, because one
type of user agent implementation environment doesn't support a current
feature of another environment, is no reason to avoid discussing the
implications of the more advanced environment. But overall the
objectives are not to focus on the specifics of APIs, environments, or
even user-agent types. The objective is to define proper behavior of any
web-technology based user agent in general, but focused at core on the
browsing service "model" which of course is not limited to "web
browsers". I can browse RSS feeds (or maps) just as usefully as web
pages, using the same basic web technologies. We need to address the
issues in common to those various types of web applications.

Best regards,
Bryan Sullivan | AT&T 
-----Original Message-----
From: Sean Owen [mailto:srowen@google.com] 
Sent: Thursday, February 14, 2008 3:54 PM
To: Sullivan, Bryan
Cc: BPWG-Public
Subject: Re: FW: ACTION-660: Input to BP2, on Security and Privacy

On Thu, Feb 14, 2008 at 6:25 PM, Sullivan, Bryan <BS3131@att.com> wrote:
> Because the related web/internet technologies are standardized, the
> specific methods may not be mobile specific, but the basic fact that
> their use is more important in the mobile environment is what is
> important. That's why the recommendations are included, and verifying
> compliance to the recommendations is important.

I may be splitting hairs too early, but, you're saying that while
security in general is not an unimportant issue in mobile, of course, it
is not specific to mobile. So sure, we do not need to go over general
security stuff again, and if that's what you're thinking, I agree. Then
we need to see what's mobile-specific here...

> Any network API's or device API's (data or device internal functions)
> that are callable from a web application context can result in private
> information exchange. Certainly these functions are callable as device
> vendors publish API's for their use, and MIDP for example provides
> specific API's. Some browsers may be more isolated than others, and
> not provide application access to these functions. But others do, and
> web applications can likely call the functions natively.

Again we go back to scoping. We are not writing about MIDP (right??) and
I don't know of any HTML or HTTP mechanisms that transmit location info
or contacts (unless there are X- headers that are semi-standard?) If no
in-scope, existing technologies raise this problem, what will we say
about this?

We aren't chartered to write a document musing on future issues for
potential mobile technologies -- well, are we? I don't want to do that,
it's not what I had in mind.

Received on Friday, 15 February 2008 08:07:55 UTC