W3C home > Mailing lists > Public > public-device-apis@w3.org > November 2009

ACTION - 47 Provide input on trust model and access control model definitions

From: Arribas, Laura, VF-Group <Laura.Arribas@vodafone.com>
Date: Wed, 18 Nov 2009 15:07:55 +0100
Message-ID: <E71B6B341C8C3D47AA1288D9E719D1C5030380A3@VF-MBX12.internal.vodafone.com>
To: <public-device-apis@w3.org>
ACTION - 47 Provide input on trust model and access control model

Both the Nokia [1] and BONDI [2] approaches are significantly similar
but there are some differences in the way trust and access control
models are handled in the security framework. Those differences are
presented below.

Trust models
*	Nokia:
	o	Considers 2 separate modules: trust manager and access
	o	The trust manager determines the trust domain that will
be applied. The trust domain might also be determined at installation
time (e.g. for widgets).
	o	The access manager creates a security session where the
access decision is made.
	o	The framework must permit fine-grained security policies
to be represented as well as policies based on broad groupings of APIs
and assignment of web applications to a small number of trust domains.
For example, a fine-grained security policy is necessary to grant or
deny access to individual APIs for individual web applications.
	o	That is, it is possible to define a security policy
following a trust domain approach but there is no separate module in the
BONDI architecture where trust domains are assigned.
	o	The framework is based on a very general model that
governs access by subjects to resources based on a hierarchy of policies
and policy sets, where each policy consists of a number of rules.
Subjects and resources are characterised by a number of defined subject
attributes and resource attributes. A range of attributes is defined so
that policies can be expressed controlling access based on a Widget
Resource signer's identity, or an individual Widget Resource identity,
or the Widget Resource signature's root certificate, or a Website's URL

*	Nokia:
	o	Considers 2 components of policies: trust policies and
access control policies.
	o	Trust policies provide mappings between certain
properties (e.g. origin url) and trust domains. 
	o	The trust domains can be customized by the policy
	o	Access control policies define the capabilities assigned
to a set of trust domains.
	o	Does not make differentiation between trust and access
control policies. Both can be implicitely included in the same policy
	o	BONDI describes mechanisms that support the structuring
of security policies into a hierarchy of separately defined and managed
elements with defined combining rules.

When is access control applied?
*	Nokia:
	o	The security engine has nothing to say about how and
when the access control is applied. This is up to the implementation of
the web content engine and/or device API implementation. The security
engine does not itself control access, rather it acts as a Policy
Decision Point (PDP).
	o	The BONDI access control system, from a logical
perspective, mediates any attempt by an executing Web Application to
access Device Capabilities using JavaScript APIs.

Other considerations about trust models from [3] and [4]
*	Certificates and digital signatures have been used for trust
establishment with installable apps.
*	Dig Sigs have a tendency to centralize trust authority to
individual companies, which have lots of control in the content
distribution and adoption phases.
*	The security frameworks used by existing mobile application
frameworks, such as Java and Symbian, include a policy enforcement
mechanism as part of the application environment itself, and user
application identity and trust models derived from certificate
*	Security frameworks where the notion of trust (the rule that
determines what a particular application can rightfully access) can be
provided by an architecturally distinct component.

[3] http://lib.tkk.fi/Dipl/2009/urn100073.pdf
[4] http://www.w3.org/2008/security-ws/report


Laura Arribas

Security Technologies Researcher
Vodafone Group R&D
Tel: +44 (0) 7775411861
Fax: +44 (0) 1635231776
E-mail: laura.arribas@vodafone.com

Vodafone Group Services Limited
Registered Office: Vodafone House, The Connection, Newbury, Berkshire
RG14 2FN
Registered in England No 3802001.
Received on Wednesday, 18 November 2009 14:08:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:32:13 UTC