W3C home > Mailing lists > Public > public-device-apis@w3.org > April 2009

Re: Starting the chartering discussion -- security policy for APIs

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 28 Apr 2009 14:05:17 +0200
To: Arthur Barstow <art.barstow@nokia.com>
Message-Id: <35D92E4D-1F88-439E-B238-5744D50E3C6E@w3.org>
Cc: "public-device-apis@w3.org" <public-device-apis@w3.org>
On 28 Apr 2009, at 13:19, Arthur Barstow wrote:

> We support the creation of a new WG as proposed below and would like  
> to see that important work started as soon as possible.  
> Additionally, we are willing to contribute to the creation of a  
> formal charter.

Thanks Art, that's good to hear.

> One item that would be useful is an expansion of what you mean by  
> "identification of APIs" and "identification of web applications and  
> Widgets".

Essentially, an access control policy needs to have a way to identify  
the thing that access is granted to, and the thing that can accesses  
it -- each of which could be anything between a large random number  
and a URI, depending on use cases and design philosophies.

More to the point, one could identify an API by URI reference, or  
perhaps by the name of a constructor (if each API was actually using a  
constructor pattern), or perhaps by the name of an object that exposes  
requisite methods (if each API was using the geolocation API's pattern).

Likewise, there will be a need to identify the web application (or  
widget) that wants to access an API -- or, more precisely, the  
properties of a given web application or widget that feed into the  
access control decision.  That might be things such as the origin for  
a Web application, or some information about a signing party for a  

Perhaps this point is too low-level to call out in a charter; thoughts  
Received on Tuesday, 28 April 2009 12:05:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:32:09 UTC