- From: Laura Arribas via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 02 Jun 2010 13:52:59 +0000
- To: public-dap-commits@w3.org
Update of /sources/public/2009/dap/policy
In directory hutz:/tmp/cvs-serv27840
Added Files:
Framework.html
Log Message:
policy framework doc updated
--- NEW FILE: Framework.html ---
<!DOCTYPE html> <html>
<head>
<title>Device API Policy Framework</title> <meta http-equiv='Content-Type'
content='text/html;charset=utf-8'/> <script src='../ReSpec.js/js/respec.js'
class='remove'></script> <script class='remove'>
var respecConfig = { specStatus: "ED", shortName: "policy",
// publishDate: "2009-10-23", previousPublishDate: "1977-03-15",
edDraftURI: "http://dev.w3.org/2009/dap/policy/",
// lcEnd: "2009-08-05",
};
</script> <script src='../common/configPolicy.js' class='remove'></script>
</head>
<body>
<section id='abstract'>
This document specifies a policy framework for device APIs.
</section> <!-- abstract -->
<section id='introduction'>
<h2>Introduction</h2> <p>
This document is an editors draft and currently does not reflect
consensus of the WG but rather is a starting point for further work. It
is based on input documents and list discussion.
</p> <p>
The policy framework described in this document is intended to be
applicable both to widgets and web applications (web site access to
Device APIs).
</p>
</section> <!-- introduction -->
<section id="security-framework">
<h2>Security Framework</h2>
<section id="framework-overview">
<h3>Framework Overview</h3>
<p>
This security model is based on a clear
separation between the definition of the general framework and the creation
of specific trust and access policies. This allows the configured policies of
a web runtime to be adapted to the needs of different stakeholders at any
time during the lifecycle of a product. This includes, but is not limited
to, the embedding and configuration of web runtimes at manufacture as well
as post-sales installation of web runtimes.
</p> <p>
As a general high-level objective, it should be noted that the security
framework is intended to protect the device and its user from web applications
that pose a security risk from unintentional but undetected implementation flaws
as well as those that are malicious.
</p> <p>
The intention is that the framework, at the most general level, allows a very
wide range of policies to be represented (although manageability and
interoperability concerns require there to be a certain level of similarity and
compatibility in policy structure). However, the framework must permit
fine-grained security policies to be represented as well as policies based on
broad groupings of APIs and assignment of web applications to a small number of
trust domains. For example, a fine-grained access policy is necessary to grant
or deny access to individual APIs for individual web applications.
</p> <p>
This framework is based on a very general model that governs both trust domain access by subjects
to resources based on a hierarchy of <a href=#trust-policy>trust policies</a>, <a href=#access-policy>access policies</a> and <a href=#policy-set>policy sets</a>, where each policy
consists of a number of <a href=#rule>rules</a>. Subjects and resources are characterised by a
number of defined <a href=#subject-attributes>subject attributes</a> and <a href=#resource-attributes>resource attributes</a>. A range of
attributes is defined so that access policies can be expressed based
on a widget resource signer’s identity, or an individual widget resource
identity, or the widget resource signature’s root certificate, or a website’s
URL. Therefore, the generality of this framework derives from the range of
attributes that are supported, as well as the flexible structure of policies and
policy sets in the security model.
</p> <p>
This general model is defined using concepts,
terminology and semantics from the eXtensible Access Control Markup Language
[[!XACML20]] framework. Trust and access policies are capable of
representation in a compact XML format (and other formats, including a compact
binary representation if necessary).
</p> <p>
It is intended that trust and access policies are also eventually capable of representation
in XACML, using a specific dictionary of attributes and a subset of XACML
elements; however this is not currently possible without defining a number of
extensions to XACML. It is hoped that this becomes possible with future
revisions of the XACML standard.
</p>
</section> <!-- framework overview-->
<section id="layer-model">
<h3>Layer Model</h3>
<p>
A web application uses a mechanism specified in this document to gain access to (or bind to)
a JavaScript API by stating one or more features exposed by the JavaScript API. This access is given on a basis of the trust domain that has been assigned to the web application.
The implementation of the API, in turn, makes use of one or more device
capabilities, defined in terms of facilities that might be provided by APIs at
the device, platform or OS level, but without reference to any particular API.
Where a JavaScript API is defined within the DAP model, each function definition
specifies which feature it implements, and which device capabilities it uses.
</p> <p>
The mechanisms provided in this specification to bind to APIs, and to control access (both to
the features and the device capabilities exposed by them) are generic, and are
not themselves dependent on any particular set of JavaScript APIs. This
model envisages that these controls apply, irrespective of whether the APIs in
use are defined by DAP or any independent entity. <!-- This “layering” of
JavaScript APIs and mediating access control is illustrated in the figure below. -->
</p>
<section id="trust-domain-control-layer">
<h4>Trust Domain Control Layer</h4>
<p>
The trust domain control layer controls the assignment of the appropiate
trust domain to the web application via the relevant trust policy. In
general, trust policies will select one trust domain or another
depending on the <a href=#subject-attributes>subject attributes</a> and<a href=#environment-attributes>environment attributes</a> that
identify the web application.
</p>
</section> <!-- trust domain control layer -->
<section id="api-access-control-layer">
<h4>Javascript API Access Control Layer</h4>
<p>
The JavaScript API access control layer controls access
to all JavaScript APIs exposed by the web runtime. Each feature is
identified uniquely by URI, and this security layer mediates access to
features on the basis of that ID, <a href=#api-feature><code>api-feature</code></a>.
</p>
</section> <!-- API access control layer -->
<section id="device-capability-access-control-layer">
<h4>Device Capability Access Control Layer</h4>
<p>
The device capability access Control layer controls
access to the underlying capabilities of the device when used from JavaScript
APIs. These device capabilities themselves are identified so that it is possible
to write security policies that control access to specific capabilities
independently of the JavaScript APIs used to access them.
</p>
</section> <!-- device capability access control layer -->
<section id=feature-capability-reqs>
<h4>Considerations</h4>
<p>
This explicit separation of features and their dependent device capabilities addresses a
number of significant requirements, as follows.
</p>
<ul>
<li><p><strong>Extensibility is an intrinsic part of the security model.</strong> It is expected that APIs will be defined and implemented
independently, and the nature of those APIs will not necessarily be known to the
author of a security policy. Therefore, if a security policy author wishes to
deny access to a specific device capability, then there must be a way of doing
this that is independent of the JavaScript API being used.</p></li>
<li><p><strong>The web runtime must only grant access to features that are
advertised as being dependencies of the web application.</strong> The access control system must ensure
that only requested features are accessible to the web
application. This requires that the access control system is able to
control access based on the ID of a Feature, <a href=#api-feature><code>api-feature</code></a>.</p></li>
<li><p><strong>There will not be a direct 1-1 correspondence between JavaScript APIs
and device capabilities.</strong> Although there will be simple JavaScript APIs that
provide access only to a single device capability, it must be expected that
there are also more complex APIs that expose multiple device capabilities;
examples might include a camera API that provides the ability to geotag a photo
with the current location, or a messaging API that provides the ability to
access documents stored locally and attach them to outgoing messages. Therefore,
enabling or disabling access to a specific device capability will not directly
correspond to enabling or disabling access to a single JavaScript API.</p></li>
<li><p><strong>Implementations of JavaScript APIs need not be as highly
trusted as the web runtime.</strong> Authors of access policies may require the ability to
control access to specific JavaScript APIs, or families of APIs, based on the
identity of the API (and not just the device capabilities it exposes), according
to the trustworthiness of the author of the API.</p></li>
<li><p><strong>It must be possible to represent both trust and access policies
portably.</strong> This implies that all identifiers used in a security
policy (both for features and for device capabilities) must be portably defined,
and not (for example) based on any platform-specific API names. This requires
that the identifiers for device capabilities are defined in a
platform-independent way. <!-- BONDI defines a set of these capabilities in
Appendix A.--></p></li>
</ul>
</section> <!-- feature-caps requirements -->
</section> <!-- layer model -->
<section id="logical-model">
<h3>Logical Model</h3>
<p>
On the one hand, the trust domain control system explained in this
document, from a logical perspective, represents the system by which a web
application that attempts to access device capabilities using JavaScript
APIs, is assigned a trust or security domain. This trust domain will then
be used in subsequent access requests, simplifying the whole process. On
the other hand, the access control system, implementing a specific access
control policy, has the sole effect of making and enforcing an access
control decision in relation to each attempted access. (In order to make
that decision the access control system may request interactive
confirmation from the user, but this is invisible to the requesting web
application.)
</p> <p>
Both the trust and access control systems consist of a number of logically distinct
elements. <!-- Specific DAP requirements and interfaces are specified in terms of
these separate functional components. --> This logical breakdown and associated
terminology is adopted from XACML [[!XACML20]] and illustrated below.
</p>
<!-- ILLUSTRATION XACML DATAFLOW -->
<!-- <object type="image/svg+xml" data="dataflow.svg"> -->
<img src="dataflow.png" alt="graphical representation of the data flow" title="Security model, derived from XACML Specification Schema" width="700" height="700"/> <!-- </object> -->
<p>
The specified functional components are as follows:
<ul>
<li><p><strong>Policy Decision Point (PDP):</strong> the module that
evaluates whether or not a device API can be accessed by a web
application, based on the current policy.</p></li>
<li><p><strong>Policy Enforcement Point (PEP):</strong> the module that
allows or prevents access to device APIs.</p></li>
<li><p><strong>Policy Information Point (PIP):</strong> the module that gathers information to
be used by the PDP to evaluate an access control request. In particular it
collects the subject attributes (i.e. how the web application was identified and
its associated security attributes), the resource attributes (i.e. which device
API is being requested and using which parameters) and the environment (i.e.
status of the device).</p></li>
<li><p><strong>Policy Administration Point (PAP):</strong> the authority that
defines the policy. It could be a network operator, a terminal manufacturer, a
web runtime developer, an enterprise or a user at run-time. Policies can be
provided by the PAP in different ways, for instance using a preloaded file or
data structure, or a remote management mechanism (e.g. OMA DM).</p></li>
</ul>
<div class="issue">
<p>OMA DM reference missing?</p>
<p>Should we include this?: In the present phase, DAP does not define any specific external interface requirements for
the PAP, although this may be in scope for later phases. The security policy
itself is not defined by DAP, although a default policy may be recommended by
DAP at a future stage.</p></div>
</p>
<p>
The functionality required in each of these components is specified in terms of the following entities:
<ul>
<li><p><strong><a href=#subject>Subject</a>:</strong> the web application
that requires access to JavaScript APIs. Examples of subjects are websites
and widgets.</p></li>
<li><p><strong><a href=#subject-attributes>Subject
attribute</a>:</strong> each subject is associated with a set of
attributes. Subject attributes allow the identification of the web
application that is attempting access to device capabilities using device
APIs. The identified web application is then assigned a trust domain
according to the appropiate trust policy. Subject attributes include
specific attributes that represent the identity of the web application
attempting access to a resource. Valid identity attributes include the
widget identifier URI for widgets and the URL for websites; other
identifiers may be supported. Subject attributes also include the
credentials used to verify the authenticity and integrity of the subject,
e.g. a TLS or code signing digital certificate. Other
credentials may be supported.</p></li>
<li><p><strong><a href=#environment-attributes>Environment
attribute</a>:</strong> the collection of device status and context
attributes that may be relevant to the circumstances of a resource access
attempt, but are not directly associated with either the subject or
resource. For example, environment attributes can include terminal
charging, network connection status, whether roaming.</p></li>
<div class="issue">
<p>environment attributes</p>
<p>in this new model, aren't env attrs directly related to subject and trust policies?</p></div>
<li><p><strong><a
href=#resource>Resource</a>:</strong> the resources that subjects may
request access to. The device features or services (e.g. the location
module or PIM database) are the actual resources that are being protected,
but from the point of view of the security framework these resources are
associated with the API Features and device capabilities used to access
them.</p></li>
<li><p><strong><a href=#resource-attributes>Resource
attribute</a>:</strong> each resource is associated with a set of
attributes. Resource attributes include an identifier. Other attributes
may be associated with a resource, and these can include specific
parameters that are specified as part of the request when attempting
access.</p></li>
</ul>
</p>
</section> <!-- logical model -->
<section id="trust-domain-policy-structure">
<h3>Policy Structure</h3>
<p>
Both trust domain and access control policies share the same underlying structure. The policy in effect in any given context is logically expressed as a collection of specific access control <strong><em><a href=#rule>rules</a></em></strong>. The rules are organised into groups, termed <strong><em><a href=#policy>policies</a></em></strong>, and these in turn are organised into groups termed <strong><em><a href=#policy-set>policy sets</a></em></strong>. This structuring serves a number of purposes:
</p>
<ul>
<!-- <li><p>the rules that apply to a specific web application, or group of web applications, can be grouped together, which simplifies writing and maintaining the policy;</p></li> -->
<li><p>it helps organise the rules into groups that can be independently created and maintained, sometimes under different authority (and subject to differing degrees of control);</p></li>
<li><p>it provides a way of ensuring that the correct precedence is applied when processing rules. This makes some rules easier to write because their applicability is more narrowly scoped by their enclosing policy. More significantly, it ensures that security requirements determined by one authority are not wrongly overridden by rules provided by a subordinate authority.</p></li>
</ul>
<p>
Simplistically, each rule is specified by defining a <strong><em><a href=#condition>condition</a></em></strong>, which is a set of statements which must be satisfied in order for that particular rule to apply, and an <strong><em><a href=#effect>effect</a></em></strong> which represents the rule's outcome – ie whether that rule indicates that the access request should be permitted or not.
</p>
<!-- ILLUSTRATION POLICY LANGUAGE MODEL -->
<object type="image/svg+xml" data="languagemodel.svg">
<img src="languagemodel.png" alt="graphical representation of the XACML policy language model" title="DAP policy language model, derived from XACML Specification Schema" width="250" /> </object>
</section> <!--policy structure -->
<section id=rule-processing>
<h3>Rule Processing</h3>
<p>
The following steps illustrate the logical processing required when a <a href=#policy-set>policy set</a> is used to determine the outcome of a particular access attempt:
</p>
<ul>
<li><p>the identity of the calling web application, <a href=#subject>subject</a>, is known and is used to determine the <a href=#subject-attributes>subject attributes</a> for that web application;</p></li>
<li><p>the application in question attempts an action (attempts to invoke a JavaScript API, say). This identifies the <a href=#resource>resource</a> and all associated <a href=#resource-attributes>resource attributes</a> including <a href=#api-feature><code>api-feature</code></a> and, where applicable, <a href=#device-cap><code>device-cap</code></a> resource attribute if the action entails use of a device capability. Any parameters used by any such device capability use, where designated as being security-relevant, are also captured within a <a href=#parameter><code>param:name</code></a> resource attribute;</p></li>
<li><p>the <a href=#environment-attributes>environment attributes</a> are also captured;</p></li>
<li><p>the set of subject, resource and environment attribute values captured is embodied in a <a href=#query>query</a> which is evaluated in the context of the top-level policy set associated with the configured security policy;</p></li>
<li><p>based on the subject, resource and environment attribute values presented in the query, the conditions associated with each rule and <a href=#target>target</a> can be evaluated, and the applicable rules, policies and policy sets can be determined;</p></li>
<li><p>the effect of each applicable rule is determined;</p></li>
<li><p>based on the evaluated effect of each applicable rule, the relevant combining rules are used to determine the policies, policy sets and rules with precedence, which in turn determines the overall effect of evaluating the query;</p></li>
<li><p>if the effect requires the user to be prompted, this is done, and the results of the user’s decision are recorded where appropriate.</p></li>
</ul>
<p>
>From a logical perspective, an access control query can be evaluated at any time between the point that the necessary attribute values become available and when the attempted operation is performed. In the case of a JavaScript API call for which arguments supplied to the call are designated resource attributes, the relevant attributes are only known once the API call has been made by the calling web application. However, in other cases the information may be known earlier. For example, if all feature requirements are stated in a widget configuration document, and none of the API access operations have conditions depending on API call parameters, then all access control queries may be evaluated fully at widget resource installation time.
</p>
</section> <!-- rule processing -->
</section> <!-- security framework-->
<section id="security-model-definition">
<h2>Security Model Definition</h2>
<p> This section defines the formal model underlying the general security
framework. This includes definitions of each of the entities involved in the
definition of an access control policy, and a definition of the attributes of
each entity that are recognised and are required to be supported. This
specification uses [[!XACML20]]. </p>
<section id="application-execution-phases">
<h3>Application Execution Phases</h3>
<p>The <em>execution</em> phase of a web application
reflects the state of that application at the time an
associated access control query is made. The defined
execution phases are listed below. </p> <table
border="1" summary=""> <caption> <dfn
id="execution-phases-table">Execution Phases
Table</dfn></caption> <thead> <tr> <th
scope="col">Execution Phase</th> <th
scope="col">Description</th> </tr> </thead> <tbody> <tr>
<td>widget-install</td> <td>Applies to access control
queries made by a widget user agent during the
processing of a widget resource as part of an
installation or update operation.</td> </tr> <tr>
<td>widget-instantiate</td> <td>Applies to access
control queries made by a widget user agent during the
instantiation of a widget.</td> </tr> <tr>
<td>website-bind</td> <td>Applies to access control
queries made in response to a call to requestFeature()
in the course of execution of a website</td> </tr> <tr>
<td>invoke</td> <td>Applies to access control queries
made in response to invocation of a JavaScript API in
the course of execution of a web application</td> </tr>
</tbody> </table>
</section>
<section id="subject-attributes">
<h3>Subject Attributes</h3>
<p> A <strong><em><a id="subject">subject</a></em></strong> corresponds to an entity that may attempt
security-relevant actions and corresponds to a single
“identity”. (In practice, some web applications might
have multiple identities – for example is a widget
resource is signed by multiple signers – but for the
purposes of this model, each access control query is
considered to involve a single subject and hence a
single identity.) </p>
<p> The identity of a subject is in one of the following classes. The
class determines which attributes are available; other
attributes have the undefined value. </p>
<p> All <strong><em>subject attributes</em></strong> are determined for all applicable
application Execution Phases. </p>
<section id="widget-resource-identity">
<h4>Widget Resource Identity</h4>
<p> The widget identity type applies to all operations
associated with a widget resource, or occurring in the
execution of a document belonging to a widget resource.
</p> <p> Operations occurring in the execution of a
remotely hosted document that has been loaded by a
widget (for example in an iframe) use a <a
href=#website-identity>website identity</a>. </p> <table
border="1" summary=""> <caption> <dfn
id="widget-subject-attributes-table">Widget Subject
Attributes Table</dfn></caption> <thead> <tr> <th
scope="col">Attribute</th> <th scope="col">Type</th> <th
scope="col">Value</th> </tr> </thead> <tbody> <tr>
<td>class</td> <td>string</td> <td>This has the value
“widget” if and only if the subject is a widget.</td>
</tr> <tr> <td>install-uri</td> <td>URI</td> <td>The URI
that the widget resource was originally retrieved from
before installation, if known, otherwise the empty
bag.</td> </tr> <tr> <td>id</td> <td>URI</td> <td>The
identity of the widget. For a W3C widget specification
compliant widget resource, this is the value of the id
attribute of the <widget> element in the widget
configuration document converted from IRI to URI based
on RFC3987. In this case, it is a URI that uniquely
identifies the widget. Empty bag if there is no id
attribute.</td> </tr> <tr> <td>version</td>
<td>string</td> <td>Version of the widget resource. For
a W3C widget specification compliant widget resource,
this is the version attribute of the <widget> element in
the widget Configuration Document. Empty bag if there is
no version attribute.</td> </tr> <tr>
<td>distributor-key-cn</td> <td>string</td> <td>The
common name of the end entity certificate for the
applicable widget resource distributor signature. Empty
bag if none.</td> </tr> <tr>
<td>distributor-key-fingerprint</td> <td>string</td>
<td>The fingerprint of the end-entity certificate for
the applicable widget resource distributor signature.
Empty bag if none.</td> </tr> <tr>
<td>distributor-key-root-cn</td> <td>string</td> <td>The
common name of the root certificate for the applicable
widget resource distributor signature. Empty bag if
none.</td> </tr> <tr>
<td>distributor-key-root-fingerprint</td>
<td>string</td> <td>The fingerprint of the root
certificate for the applicable widget resource
distributor signature.Empty bag if none.</td> </tr> <tr>
<td>author-key-cn</td> <td>string</td> <td>The common
name of the end entity certificate for the widget
resource author signature. Empty bag if none.</td> </tr>
<tr> <td>author-key-fingerprint</td> <td>string</td>
<td>The fingerprint of the end entity certificate for
the widget resource author signature in SDP syntax.
Empty bag if none.</td> </tr> <tr>
<td>author-key-root-cn</td> <td>string</td> <td>The
common name of the root certificate for the widget
resource author signature. Empty bag if none.</td> </tr>
<tr> <td>author-key-root-fingerprint</td>
<td>string</td> <td>The fingerprint of the root
certificate for the widget resource author signature.
Empty bag if none.</td> </tr> <tr>
<td>widget-attr:name</td> <td></td> <td>The value of the
named attribute of the <widget> element whose type
and value are set up in the widget configuration
document for use in the DAP security framework. Empty
bag if no such named attribute is defined.</td> </tr>
</tbody> </table>
</section> <!-- widget-resource-identity -->
<section id="website-identity">
<h4>Website Identity</h4>
<p> The website identity type applies to all operations
occurring in the execution of a remotely-hosted
document, whether this is the top-level docment of the
website or is associated with some child browsing
context (such as an iframe). </p> <table border="1"
summary=""> <caption> <dfn
id="widget-subject-attributes-table">Widget Subject
Attributes Table</dfn></caption> <thead> <tr> <th
scope="col">Attribute</th> <th scope="col">Type</th> <th
scope="col">Value</th> <th scope="col">Meaning</th>
</tr> </thead> <tbody> <tr> <td>class</td>
<td>string</td> <td>"website"</td> <td>Has the value
“website” if and only if the subject is of this
class.</td> </tr> <tr> <td rowspan="4">sign-schema</td>
<td rowspan="4">string</td> </tr> <tr> <td>** (empty
string)</td> <td>Not signed</td> </tr> <tr>
<td>“tls”</td> <td>The page was fetched using HTTPS and
the browser has verified that the site certificate’s
Common Name matches the host that the page was fetched
from, and it has already applied its own policies
regarding whether the root certificate is in an
acceptable trust domain.</td> </tr> <tr>
<td>“tls-ev”</td> <td>As “tls”, and, additionally, the
site certificate has an extended validation field and
the browser's internal policy allows that information to
be passed to the DAP security framework.</td> </tr> <tr>
<td>uri</td> <td>URI</td> <td colspan="2">The URI used
to access the document that embeds or refers to the
JavaScript code, corresponding to the window.location
property of the browsing context. In the case of that a
Feature is accessed from a child browsing context (for
example from within a <iframe> within some outer
document), this attribute provides the location of the
child context.</td> </tr> <tr> <td>uri-top</td>
<td>URI</td> <td colspan="2">The URI used to access the
website that embeds or refers to the JavaScript code,
corresponding to the top.window property of the browsing
context. In the case that the Feature is accessed from a
child browsing context (for example from within an
<iframe>), this attribute provides the location of
the top-level browsing context. If the current browsing
context is a child of a widget top-level browsing
context, this attribute contains an IRI with the widget:
scheme that corresponds to the top-level containing
document from the widget resource.</td> </tr> <tr>
<td>key-root-cn</td> <td>string</td> <td colspan="2">The
common name of the root certificate chained to by the
site certificate. Empty bag if none.</td> </tr> <tr>
<td>key-root-fingerprint</td> <td>string</td> <td
colspan="2">The fingerprint of the root certificate
chained to by the site certificate. Empty bag if
none.</td> </tr> </tbody> </table> </section> <!--
website-identity -->
</section> <!-- subject-attributes -->
<section id="resource-attributes">
<h3>Resource Attributes</h3>
<p>
The device features or services (e.g. the location module or PIM
database) are the actual <strong><em><a id="resource">resources</a></em></strong> that are being protected, but from
the point of view of the security framework these resources
are associated with the API features and device capabilities used to
access them.
</p> <p>The resource is identified by one or more of
the following attributes: </p> <table border="1"
summary=""> <caption> <dfn
id="widget-subject-attributes-table">Widget Subject
Attributes Table</dfn></caption> <thead> <tr> <th
scope="col">Attribute</th> <th scope="col">Type</th> <th
scope="col">Value</th> <th scope="col">Comment</th>
</tr> </thead> <tbody> <tr> <td id="api-feature">api-feature (*** ref:
****)</td> <td>URI</td> <td>The IRI identifier of the
requested Feature converted to URI as per RFC3987
[[!IRI]].</td> <td>This uses the same naming scheme as
in a widget's <feature> element. See Appendix A
(*** change this ref ****). Determined for all
applicable application Execution Phases.</td> </tr> <tr>
<td id="device-cap">device-cap</td> <td>string</td> <td>Device
capability being accessed, if any. Empty bag if
none</td> <td>See Appendix A (*** change this ref ***).
Determined for all applicable application Execution
Phases.</td> </tr> <tr> <td id=parameter>param:name</td> <td>See
comment</td> <td>The value of parameter name.</td>
<td>The specification of each Device Capabilities lists
the parameters associated with that Device Capability
and the type and semantics of each. Empty bag if the
parameter is not defined. Determined in the invoke
execution phase. Undetermined in all other execution
phases.</td> </tr> <tr> <td colspan="4">The following
resource attributes give information on the source of
the implementation of the API Feature.</td> </tr> <tr>
<td>feature-install-uri</td> <td>URI</td> <td>The URI
that the API implementation was originally retrieved
from before installation, if known, otherwise the empty
bag.</td> <td>Determined for all applicable application
Execution Phases.</td> </tr> <tr>
<td>feature-key-cn</td> <td>string</td> <td>The common
name of the end entity certificate for the signature
associated with the Feature implementation. Empty bag if
none.</td> <td>Determined for all applicable application
Execution Phases.</td> </tr> <tr>
<td>feature-key-root-cn</td> <td>string</td> <td>The
common name of the root certificate for the signature
associated with the Feature implementation. Empty bag if
none</td> <td>Determined for all applicable application
Execution Phases.</td> </tr> <tr>
<td>feature-key-root-fingerprint</td> <td>string</td>
<td>The fingerprint of the root certificate of the
signature associated with the Feature implementation.
Empty bag if none.</td> <td>Determined for all
applicable application Execution Phases.</td> </tr> <tr>
</tbody> </table>
</section> <!-- resource-attributes -->
<section id="environment-attributes">
<h3>Environment Attributes</h3>
<p>Attributes of the <em>environment</em> capture
contextual information relating to the device or other
circumstances of the access attempt. </p> <table
border="1" summary=""> <caption> <dfn
id="widget-subject-attributes-table">Widget Subject
Attributes Table</dfn></caption> <thead> <tr> <th
scope="col">Attribute</th> <th scope="col">Type</th> <th
scope="col">Value</th> <th scope="col">Comment</th>
</tr> </thead> <tbody> <tr> <td>roaming</td>
<td>string</td> <td>"national", "international", or
empty string</td> <td>Determined in the following
Execution Phases:
<ul> <li>widget-instantiate</li>
<li>website-bind</li> <li>invoke</li> </ul>
Undetermined in the following Execution Phases:
<ul> <li>widget-install</li> </ul>
</td> </tr> <tr> <td>bearer-type</td> <td>string</td>
<td>The type of the current network bearer over which a
network request will be served, either by request of the
application or by default (per the current serving
network or the one over which the request will be
served, if multiple networks are available). A
comma-separated list of one or more of the bearer types
given as examples in W3C DCO [[DCONTOLOGY]].</td>
<td>Determined in the following Execution Phases:
<ul> <li>widget-instantiate</li>
<li>website-bind</li> <li>invoke</li> </ul>
Undetermined in the following Execution Phases:
<ul> <li>widget-install</li> </ul>
</td> </tr> </tbody> </table>
</section> <!-- environment-attributes -->
</section>
<section class='appendix'>
<h2>Acknowledgements</h2>
<p>
The editors would like to extend special thanks to Nokia, OMTP BONDI,
and PhoneGap for providing the foundation of the working group's
requirements discussion.
</p>
</section>
</body>
</html>
Received on Wednesday, 2 June 2010 13:53:02 UTC