- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 14 Apr 2009 13:34:12 +0200
- To: public-device-apis@w3.org
- Message-Id: <DC6408CF-980A-471F-9617-5528A8A8846F@w3.org>
Hello,

it's about time that we start a chartering discussion. Fundamentals that we need to sort out in order to get from here to there:

- general scope of the work (and things that are out of scope)
- basic principles for the work
- deliverables and milestones
- resources
- input documents

Based on the outcomes from the workshop [1] and the notes from the mobile web breakout session at the AC meeting [2], I'd propose the following in terms of a (rough) mission and scope, and would appreciate your feed-back on this mailing list:

1. The group would be chartered to produce a framework for the expression of security policies that govern access of Web applications and widgets to security-critical APIs. To achieve this goal, the group will need to deal with the following items:

   - policy expression proper
   - identification of APIs
   - identification of web applications and Widgets

2. Out of scope:

   - concrete APIs
   - policy management and discovery
   - fundamental changes to JavaScript

3. Principles:

   - before inventing a new policy expression language, existing languages (such as XACML) should be reviewed for suitability
   - the resulting policy model must be compatible with the existing same origin policy (as documented in the HTML5 specification)
   - the work should not be specific to either mobile or desktop environments, but may take differences between the environments into account

4. Liaisons:

   - PLING (W3C Policy Languages Interest Group)
   - HTML WG
   - WebApps WG
   - geolocation WG
   - Mobile Web Best Practices WG
   - BONDI
   - OpenAjaxAlliance

Note that this would be a good time for interested members to indicate *privately* whether they're willing to make chairing or editing resources available.

This would also be a good time for those members who presented concrete technical proposals at the workshop to indicate whether they'll be interested in putting these proposals on the table as a basis for the work proposed here.

[1] http://www.w3.org/2008/security-ws/report

[2] http://lists.w3.org/Archives/Member/w3c-archive/2009Apr/0094.html

Note: [2] is member-only; I'll circulate a publicly visible summary some time soon.

--
Thomas Roessler, W3C <tlr@w3.org>

Received on Tuesday, 14 April 2009 11:34:23 UTC