ACTION-38: "Should issue recommendation on the granularity of the security system" + proposal for a "Secure Credential API"


I attach two proposals:

1.       "File granularity access policy". This is response to my action 38. The proposal is based on "Policy Based Device Access Security" (Steve Lewontin/Nokia that Steve presented at the Santa Clara meeting. My proposal adds a finer granularity to restrict access to APIs based on application identity.

2.       "Secure Cred Manager". This proposal is based on 1 above and is an API for retrieving securely stored data, "credentials", in the device. A major use case for this API is Social Networking Services web application application login to the service. I have a humble view on this and understand the security issues with JavaScript. However, by referencing existing security mechanisms such as Digital signing, TLS/SSL and WARP, I believe that such an API is possible. Furthermore, I realize that it is not possible to include this API in the phase 1 delivery from DAP but I want to have it in the list of "Future Work".

Best regards
Claes Nilsson M.Sc.E.E
Senior Staff Engineer
CTO - R&T Europe - UI/App/Web

Sony Ericsson Mobile Communications
 Phone:  +46 10 80 15178
Mobile: +46 705 56 68 78
Switchboard: +46 10 80 00000
Visiting Address; Nya Vattentornet
SE-221 88 LUND,
The information in this e-mail is confidential and may be legally privileged. It is intended solely for the named recipient(s) and access to this e-mail by anyone else is unauthorized. The views are those of the sender and not necessarily the views of Sony Ericsson and Sony Ericsson accepts no responsibility or liability whatsoever or howsoever arising in connection with this e-mail.Any attachment(s) to this message has been checked for viruses, but please rely on your own virus checker and procedures. If you contact us by e-mail, we will store your name and address to facilitate communications. If you are not the intended recipient, please inform the sender by replying this transmission and delete the e-mail and any copies of it without disclosing it.

Received on Tuesday, 15 December 2009 10:16:14 UTC