- From: Frederick Hirsch via cvs-syncmail <cvsmail@w3.org>
- Date: Fri, 18 Jun 2010 20:29:26 +0000
- To: public-dap-commits@w3.org
Update of /sources/public/2009/dap/policy
In directory hutz:/tmp/cvs-serv10251
Modified Files:
Profile.html
Log Message:
Added attribute definitions, moving from Framework. Incorporated examples
from example document.
Index: Profile.html
===================================================================
RCS file: /sources/public/2009/dap/policy/Profile.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- Profile.html 17 Jun 2010 21:22:26 -0000 1.5
+++ Profile.html 18 Jun 2010 20:29:24 -0000 1.6
@@ -24,7 +24,11 @@
outlines the role and use of policy in the context of Device
APIs. This document provides a profile of XACML 2.0
enabling such policies to be defined using the XACML
- language [[!XACML20]]. This specification does not provide an
+ language [[!XACML20]]. Trust and access policies are capable of
+ representation in a compact XML format (and other formats,
+ including a compact
+ binary representation if necessary). This specification does
+ not provide an
overview of XACML as this information is available elsewhere
[[XACML-INTRO]].</p>
<p>
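Review bot: The sentence inserted after "language [[!XACML20]]." ("Trust and access policies are capable of representation in a compact XML format (and other formats, including a compact binary representation if necessary)") asserts something this document never defines or cites: no compact XML encoding and no binary encoding of the profile appears anywhere in Profile.html, and "if necessary" does not say who decides or where such an encoding would be specified. Either cite the specification of the intended encodings the way [[!XACML20]] is cited for the language, or move the remark to an informative note and drop "if necessary". As placed it also interrupts the thought that runs from "profile of XACML 2.0" to "This specification does not provide an overview of XACML", so the paragraph reads more cleanly with the new sentence after that one.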
@@ -646,6 +650,274 @@
</section>
</section>
</section>
+
+<section class='attribute-definitions'>
+ <h2>Attribute Definitions</h2>
+<section class='subject-attribute-definitions'>
+ <h2>Subject Attribute Definitions</h2>
+ <p> The identity of a subject is in one of the following classes. The
+ class determines which attributes are available; other
+ attributes have the undefined value. </p>
+<section class='widget-subject-attribute-definitions'>
+ <h2>Widget Subject Attribute Definitions</h2>
+<table
+ border="1" summary=""> <caption> <dfn
+ id="widget-subject-attributes-table">Widget Subject
+ Attributes Table</dfn></caption> <thead> <tr> <th
+ scope="col">Attribute</th> <th scope="col">Type</th> <th
+ scope="col">Value</th> </tr> </thead> <tbody> <tr>
+ <td>class</td> <td>string</td> <td>This has the value
+ "widget" if and only if the subject is a widget.</td>
+ </tr> <tr> <td>install-uri</td> <td>URI</td> <td>The URI
+ that the widget resource was originally retrieved from
+ before installation, if known, otherwise the empty
+ bag.</td> </tr> <tr> <td>id</td> <td>URI</td> <td>The
+ identity of the widget. For a W3C widget specification [[!WIDGETS]]
+ compliant widget resource, this is the value of the <code>id</code>
+ attribute of the <code>widget</code> element in the widget
+ configuration document converted from IRI to URI based
+ on RFC3987 [[!IRI]]. In this case, it is a URI that uniquely
+ identifies the widget. Empty bag if there is no <code>id</code>
+ attribute.</td> </tr> <tr> <td>version</td>
+ <td>string</td> <td>Version of the widget resource. For
+ a W3C widget specification compliant widget resource,
+ this is the <code>version</code> attribute of the <code>widget</code> element in
+ the widget configuration document. Empty bag if there is
+ no <code>version</code> attribute.</td> </tr> <tr>
+ <td>distributor-key-cn</td> <td>string</td> <td>The
+ common name of the end entity certificate for the
+ applicable widget resource distributor signature. Empty
+ bag if none.</td> </tr> <tr>
+ <td>distributor-key-fingerprint</td> <td>string</td>
+ <td>The fingerprint of the end-entity certificate for
+ the applicable widget resource distributor signature.
+ Empty bag if none.</td> </tr> <tr>
+ <td>distributor-key-root-cn</td> <td>string</td> <td>The
+ common name of the root certificate for the applicable
+ widget resource distributor signature. Empty bag if
+ none.</td> </tr> <tr>
+ <td>distributor-key-root-fingerprint</td>
+ <td>string</td> <td>The fingerprint of the root
+ certificate for the applicable widget resource
+ distributor signature.Empty bag if none.</td> </tr> <tr>
+ <td>author-key-cn</td> <td>string</td> <td>The common
+ name of the end entity certificate for the widget
+ resource author signature. Empty bag if none.</td> </tr>
+ <tr> <td>author-key-fingerprint</td> <td>string</td>
+ <td>The fingerprint of the end entity certificate for
+ the widget resource author signature in SDP syntax.
+ Empty bag if none.</td> </tr> <tr>
+ <td>author-key-root-cn</td> <td>string</td> <td>The
+ common name of the root certificate for the widget
+ resource author signature. Empty bag if none.</td> </tr>
+ <tr> <td>author-key-root-fingerprint</td>
+ <td>string</td> <td>The fingerprint of the root
+ certificate for the widget resource author signature.
+ Empty bag if none.</td> </tr> <tr>
+ <td>widget-attr:name</td> <td></td> <td>The value of the
+ named attribute of the <code>widget</code> element whose type
+ and value are set up in the widget configuration
+ document for use in the security framework. Empty
+ bag if no such named attribute is defined.</td> </tr>
+ </tbody> </table>
+</section>
+<section class='website-subject-attribute-definitions'>
+ <h2>Web Site Subject Attribute Definitions</h2>
+<table border="1"
+ summary=""> <caption> <dfn
+ id="website-subject-attributes-table">Website Subject
+ Attributes Table</dfn></caption> <thead> <tr> <th
+ scope="col">Attribute</th> <th scope="col">Type</th> <th
+ scope="col">Value</th> <th scope="col">Meaning</th>
+ </tr> </thead> <tbody> <tr> <td>class</td>
+ <td>string</td> <td>"website"</td> <td>Has the value
+ "website" if and only if the subject is of this
+ class.</td> </tr> <tr> <td rowspan="4">sign-schema</td>
+ <td rowspan="4">string</td> </tr> <tr> <td>"" (empty
+ string)</td> <td>Not signed.</td> </tr> <tr>
+ <td>"tls"</td> <td>The page was fetched using HTTPS and
+ the browser has verified that the site certificate’s
+ Common Name matches the host that the page was fetched
+ from, and it has already applied its own policies
+ regarding whether the root certificate is in an
+ acceptable trust domain.</td> </tr> <tr>
+ <td>"tls-ev"</td> <td>As "tls", and, additionally, the
+ site certificate has an extended validation field and
+ the browser's internal policy allows that information to
+ be passed to the security framework.</td> </tr> <tr>
+ <td>uri</td> <td>URI</td> <td colspan="2">The URI used
+ to access the document that embeds or refers to the
+ JavaScript code, corresponding to the window.location
+ property of the browsing context. In the case of that a
+ feature is accessed from a child browsing context (for
+ example from within a <iframe> within some outer
+ document), this attribute provides the location of the
+ child context.</td> </tr> <tr> <td>uri-top</td>
+ <td>URI</td> <td colspan="2">The URI used to access the
+ website that embeds or refers to the JavaScript code,
+ corresponding to the top.window property of the browsing
+ context. In the case that the feature is accessed from a
+ child browsing context (for example from within an
+ <iframe>), this attribute provides the location of
+ the top-level browsing context. If the current browsing
+ context is a child of a widget top-level browsing
+ context, this attribute contains an IRI with the widget:
+ scheme that corresponds to the top-level containing
+ document from the widget resource.</td> </tr> <tr>
+ <td>key-root-cn</td> <td>string</td> <td colspan="2">The
+ common name of the root certificate chained to by the
+ site certificate. Empty bag if none.</td> </tr> <tr>
+ <td>key-root-fingerprint</td> <td>string</td> <td
+ colspan="2">The fingerprint of the root certificate
+ chained to by the site certificate. Empty bag if
+ none.</td> </tr> </tbody> </table>
+</section>
+</section>
+<section class='resource-attribute-definitions'>
+ <h2>Resource Attribute Definitions</h2>
+<p>The resource is identified by one or more of
+ the following attributes: </p>
+<table border="1"
+ summary=""> <caption> <dfn
+ id="widget-subject-attributes-table">Widget Resource
+ Attributes Table</dfn></caption> <thead> <tr> <th
+ scope="col">Attribute</th> <th scope="col">Type</th> <th
+ scope="col">Value</th> <th scope="col">Comment</th>
+ </tr> </thead> <tbody> <tr> <td id="api-feature">api-feature (*** ref:
+ ****)</td> <td>URI</td> <td>The IRI identifier of the
+ requested Feature converted to URI as per RFC3987
+ [[!IRI]].</td> <td>This uses the same naming scheme as
+ in a widget's <code>feature</code> element. Determined for all
+ applicable application execution phases.</td> </tr> <tr>
+ <td id="device-cap">device-cap</td> <td>string</td> <td>Device
+ capability being accessed, if any. Empty bag if
+ none</td> <td>See Appendix A (*** change this ref ***).
+ Determined for all applicable application Execution
+ Phases.</td> </tr> <tr> <td id=parameter>param:name</td> <td>See
+ comment</td> <td>The value of parameter name.</td>
+ <td>The specification of each Device Capabilities lists
+ the parameters associated with that Device Capability
+ and the type and semantics of each. Empty bag if the
+ parameter is not defined. Determined in the invoke
+ execution phase. Undetermined in all other execution
+ phases.</td> </tr> <tr> <td colspan="4">The following
+ resource attributes give information on the source of
+ the implementation of the API Feature.</td> </tr> <tr>
+ <td>feature-install-uri</td> <td>URI</td> <td>The URI
+ that the API implementation was originally retrieved
+ from before installation, if known, otherwise the empty
+ bag.</td> <td>Determined for all applicable application
+ execution phases.</td> </tr> <tr>
+ <td>feature-key-cn</td> <td>string</td> <td>The common
+ name of the end entity certificate for the signature
+ associated with the Feature implementation. Empty bag if
+ none.</td> <td>Determined for all applicable application
+ execution phases.</td> </tr> <tr>
+ <td>feature-key-root-cn</td> <td>string</td> <td>The
+ common name of the root certificate for the signature
+ associated with the Feature implementation. Empty bag if
+ none</td> <td>Determined for all applicable application
+ execution phases.</td> </tr> <tr>
+ <td>feature-key-root-fingerprint</td> <td>string</td>
+ <td>The fingerprint of the root certificate of the
+ signature associated with the Feature implementation.
+ Empty bag if none.</td> <td>Determined for all
+ applicable application execution phases.</td> </tr> <tr>
+ </tbody> </table>
+</section>
+<section 'class=context-attribute-definitions'>
+ <h2>Context Attribute Definitions</h2>
+ <p>
+<table
+ border="1" summary=""> <caption> <dfn
+ id="widget-subject-attributes-table">Context
+ Attributes Table</dfn></caption> <thead> <tr> <th
+ scope="col">Attribute</th> <th scope="col">Type</th> <th
+ scope="col">Value</th> <th scope="col">Comment</th>
+ </tr> </thead> <tbody> <tr> <td>roaming</td>
+ <td>string</td> <td>"national", "international", or
+ empty string</td> <td>Determined in the following
+ execution phases:
+ <ul> <li>widget-instantiate</li>
+ <li>website-bind</li> <li>invoke</li> </ul>
+ Undetermined in the following execution phases:
+ <ul> <li>widget-install</li> </ul>
+ </td> </tr> <tr> <td>bearer-type</td> <td>string</td>
+ <td>The type of the current network bearer over which a
+ network request will be served, either by request of the
+ application or by default (per the current serving
+ network or the one over which the request will be
+ served, if multiple networks are available). A
+ comma-separated list of one or more of the bearer types
+ given as examples in W3C DCO [[DCONTOLOGY]].</td>
+ <td>Determined in the following execution phases:
+ <ul> <li>widget-instantiate</li>
+ <li>website-bind</li> <li>invoke</li> </ul>
+ Undetermined in the following execution phases:
+ <ul> <li>widget-install</li> </ul>
+ </td> </tr> </tbody> </table>
+ </section>
+ </section>
+<section class='examples'>
+ <h2>Examples</h2>
+<section id="example-abuse-policies">
+ <h2>Example Policies to mitigate Abuse Use Cases</h2>
+ <p> This section outlines some example policies that could be used to
+ deal with abuses of device APIs. </p>
+ <section id="premium-rate-defence">
+ <h3>Defending against premium rate abuse</h3>
+ <p>The example assumes that a number of mechanisms have
+ already been defeated in the security chain – the
+ application is trusted and is on the device. If the user
+ (or the policy provider) has stated that they don’t want
+ to call premium rate numbers in the UK: </p>
+ <pre><code>
+ <code><target></code>
+ <code><subject></code>
+ <subject-match attr="author-key-root-fingerprint"
+ match="sha256 ******** root fingerprint of author ****" />
+ <-- to identify the Identified domain, the same would
+ apply for the Unidentified domain-->
+ </target>
+ <rule effect="one-shot">
+ <code><condition></code>
+ <resource-match attr="dev-cap" match="messaging.*.send"
+ param:recipients="+4409*" func="glob"/> <-- to block UK premium
+ rate numbers -->
+ </condition>
+ </rule> </pre></code>
+ We could extend this to other countries if we are concerned that premium rate
+ numbers would not only be from the host country. Here is an example of a policy
+ fragment for blocking Spanish premium rate numbers that could be added, along
+ with the condition combining operator (please note: there are probably more
+ elegant ways of expressing this by using regular expressions): <pre><code>
+ <condition combine="or">
+ <resource-match attr="dev-cap" match="messaging.*.send"
+ param:recipients="+4409*" func="glob"/> <-- to block UK premium
+ rate numbers --> <resource-match attr="dev-cap"
+ match="messaging.*.send" param:recipients="+34806*" func="glob"/>
+ <-- to block Spanish premium rate numbers -->
+ </condition>
+ </pre></code> If the malicious widget is out in the wild already and has been
+ identified, then we want to prevent it from installing and executing on devices,
+ halting the spread of the malware in its early stages of distribution. </p> <p>
+ Clearly, if the widget is prevented from installing, then it cannot call a
+ device API – these functions are shown as a belt and braces example:
+ <pre><code> <code><target></code>
+ <code><subject></code>
+ <subject-match attr="id" match="http://maliciouswidget1.example.org">
+ </subject>
+ </target> <rule effect="deny">
+ <condition combine="or">
+ <resource-match attr="widget-install" /> <resource-match
+ attr="widget-instantiate" /> <resource-match attr="api-feature" match="*"
+ /> <resource-match attr="dev-cap" match="*" /> </condition>
+ </rule>
+ </code></pre>
+ </section> <!-- premium-rate-abuse -->
+</section> <!-- example policies -->
+</section>
+</section>
<section class='appendix'>
<h2>Acknowledgements</h2>
<p>
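Review bot: The two example policies use attribute names and syntax that the tables added in the same hunk do not define, so a reader cannot map one onto the other. The premium-rate rule matches attr="dev-cap" while the Resource Attributes Table defines "device-cap"; effect="one-shot" is not defined anywhere in the document (the second example uses effect="deny"); and the resource-match elements with attr="widget-install" and attr="widget-instantiate" name execution phases, not attributes from the resource table. The glob param:recipients="+4409*" also cannot match an international-format UK number: E.164 drops the national trunk prefix 0, so a UK premium-rate number is dialled as +449..., and the rule as written would let those messages through, which defeats the stated purpose; the Spanish pattern "+34806*" does not have this problem. Either match "+449*" (and the national form "09*" if recipients are not normalised) or state that recipients are normalised to E.164 before matching. Markup in the examples: "<-- ... -->" is not XML comment syntax ("<!-- ... -->"); the first example opens <subject> without closing it before </target>; the first two examples end with "</pre></code>", which is mis-nested ("<pre><code> ... </code></pre>"); and the <code> wrappers around individual <target>, <subject> and <condition> lines inside the <pre> should go. In the tables: "<section 'class=context-attribute-definitions'>" has the quote in the wrong place and will not parse as a class attribute; three <dfn> elements share id="widget-subject-attributes-table" (Widget Subject, Widget Resource and Context tables), so any link to the resource or context table resolves to the subject table; the <p> opened before the Context Attributes table is never closed; the resource table ends with an empty <tr> before </tbody>; the literal "<iframe>" in the uri and uri-top rows must be written "&lt;iframe&gt;" or the browser will parse it as an element; and "signature.Empty bag" in the distributor-key-root-fingerprint row is missing a space. Two editorial placeholders were committed: "api-feature (*** ref: ****)" and "See Appendix A (*** change this ref ***)". On substance: the fingerprint attributes (distributor-key-fingerprint, author-key-fingerprint, key-root-fingerprint and the -root- variants) never say which hash algorithm or text encoding they carry, except author-key-fingerprint, which alone says "in SDP syntax", while the example writes match="sha256 ..."; a policy that compares fingerprints needs one defined format across all of these rows, and the hash algorithm should be part of the value so a policy author cannot be matched against a weaker digest than intended. The sign-schema "tls" row says the browser verified that the certificate's Common Name matches the host; browsers match the host against the subjectAltName dNSName entries, with CN only as a deprecated fallback (RFC 2818), so phrase this as the certificate being valid for the host name rather than tying it to CN. The uri-top row refers to "the top.window property"; the property is window.top (and its location). Finally, roaming and bearer-type describe the unknown case as "empty string" while every other attribute in the hunk uses the empty bag for absence; pick one convention so conditions test for absence the same way everywhere.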
Received on Friday, 18 June 2010 20:29:29 UTC