- From: <public-council@w3.org>
- Date: Thu, 15 Jan 2015 22:48:28 +0000
- To: "Dave Raggett" <dsr@w3.org>,"Mike O'Neill" <michael.oneill@baycloud.com>,"Dominique Hazaël-Massieux" <dom@w3.org>,"Wayne Carr" <wayne.carr@linux.intel.com>,"Wendy Seltzer" <wseltzer@w3.org>,Cc: public-council@w3.org
With your support, the Trust & Permissions Community Group has been launched:
http://www.w3.org/community/trustperms/
To join:
http://www.w3.org/community/trustperms/join
This group was originally proposed on 2015-01-15
by Dave Raggett. The following people supported its
creation:
Dave Raggett
Mike O'Neill
Dominique Hazaël-Massieux
Wayne Carr
Wendy Seltzer
--------------------
As the Open Web Platform expands, and apps are developed that access
various sensitive resources, new ways of managing permissions to access
these resources are likely to arise. This Community Group will explore
and evaluate such ways based upon experience with native and hybrid
platforms, and drawing upon research studies. This follows on from the
Paris meeting on trust and permissions held on 3-4 September 2014, see
[1].
Resources vary in sensitivity and timeliness, e.g. when and to whom a
password should be disclosed is quite different from when access to the
user’s webcam should be granted. Similarly, modes of obtaining user
permission vary, including asking users upfront for permission when an
app is installed or first run (exemplified in Android and Windows) or
asking users for permission when the application is attempting to use a
given capability (exemplified in iOS) and permission can even be
obtained after the fact by inviting the user to continue or to cancel an
action after it has occurred, i.e. asking for forgiveness rather than
permission. In some cases, the user's actions can be taken as implicitly
granting permission, such as the Windows file chooser dialog. A further
approach is for users to delegate decisions on permissions to a trusted
3rd party.
The goal of this CG is to develop and articulate best practices for
which modes of obtaining permission best match which resource types, and
make these best practices available to both platform developers (browser
and operating system vendors) and app developers. Ideally the APIs
offered to apps to obtain permission to access resources should be
consistent across platforms, while allowing platforms the flexibility to
present a user experience that meets each platform’s needs.
The scope of this Community Group is limited to discussion and guidance
on best practices, to review draft APIs from individual WG's, and
pre-standardization work on promising ideas for better user experience
obtaining permission, including trusted UI and trust delegation per
Roesner et al, see [2]. Work on best practices will focus on the kinds
of resources that need protection, the enumeration of good ways to
obtain user permission, to dis-recommend permission models that are
known to be problematic, and to recommend the preferred user experience
for a given kind of resource. The main focus is on the Open Web
Platform, but packaged apps are not excluded.
This group will not publish Specifications.
[1] http://www.w3.org/2014/07/permissions/
[2]
http://research.microsoft.com/pubs/152495/user-driven-access-control-nov2011.pdf
--------------------
Thank you,
W3C Community Development Team
Received on Thursday, 15 January 2015 22:48:34 UTC