- From: Arribas, Laura, VF-Group <Laura.Arribas@vodafone.com>
- Date: Wed, 18 Nov 2009 15:07:55 +0100
- To: <public-device-apis@w3.org>
ACTION-47: Provide input on trust model and access control model definitions

Summary: Both the Nokia [1] and BONDI [2] approaches are significantly similar, but there are some differences in the way trust and access control models are handled in the security framework. Those differences are presented below.

Trust models

* Nokia:
  o Considers 2 separate modules: trust manager and access manager.
  o The trust manager determines the trust domain that will be applied. The trust domain might also be determined at installation time (e.g. for widgets).
  o The access manager creates a security session where the access decision is made.
* BONDI:
  o The framework must permit fine-grained security policies to be represented, as well as policies based on broad groupings of APIs and assignment of web applications to a small number of trust domains. For example, a fine-grained security policy is necessary to grant or deny access to individual APIs for individual web applications.
  o That is, it is possible to define a security policy following a trust domain approach, but there is no separate module in the BONDI architecture where trust domains are assigned.
  o The framework is based on a very general model that governs access by subjects to resources based on a hierarchy of policies and policy sets, where each policy consists of a number of rules. Subjects and resources are characterised by a number of defined subject attributes and resource attributes. A range of attributes is defined so that policies can be expressed controlling access based on a Widget Resource signer's identity, or an individual Widget Resource identity, or the Widget Resource signature's root certificate, or a Website's URL.

Policies

* Nokia:
  o Considers 2 components of policies: trust policies and access control policies.
  o Trust policies provide mappings between certain properties (e.g. origin URL) and trust domains.
  o The trust domains can be customized by the policy author.
  o Access control policies define the capabilities assigned to a set of trust domains.
* BONDI:
  o Does not differentiate between trust and access control policies. Both can be implicitly included in the same policy document.
  o BONDI describes mechanisms that support the structuring of security policies into a hierarchy of separately defined and managed elements with defined combining rules.

When is access control applied?

* Nokia:
  o The security engine has nothing to say about how and when the access control is applied. This is up to the implementation of the web content engine and/or device API implementation. The security engine does not itself control access; rather, it acts as a Policy Decision Point (PDP).
* BONDI:
  o The BONDI access control system, from a logical perspective, mediates any attempt by an executing Web Application to access Device Capabilities using JavaScript APIs.

Other considerations about trust models from [3] and [4]

* Certificates and digital signatures have been used for trust establishment with installable apps.
* Dig Sigs have a tendency to centralize trust authority to individual companies, which have lots of control in the content distribution and adoption phases.
* The security frameworks used by existing mobile application frameworks, such as Java and Symbian, include a policy enforcement mechanism as part of the application environment itself, and user application identity and trust models derived from certificate architectures.
* Security frameworks where the notion of trust (the rule that determines what a particular application can rightfully access) can be provided by an architecturally distinct component.

[1] http://lists.w3.org/Archives/Public/public-device-apis/2009Nov/att-0012/SecurityPolicy_09.pdf
[2] http://bondi.omtp.org/1.01/security/BONDI_Architecture_and_Security_v1_01.pdf
[3] http://lib.tkk.fi/Dipl/2009/urn100073.pdf
[4] http://www.w3.org/2008/security-ws/report

Thanks,

Laura Arribas
Security Technologies Researcher
Vodafone Group R&D
Tel: +44 (0) 7775411861
Fax: +44 (0) 1635231776
E-mail: laura.arribas@vodafone.com

Vodafone Group Services Limited
Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN
Registered in England No 3802001.
Received on Wednesday, 18 November 2009 14:08:36 UTC
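The two models compared in the message above, reduced to a toy policy decision point. This is an added example, not code from the Nokia or BONDI documents: the attribute names (signer, root_cert, widget_id, origin), the trust domains, the capability names and the combining algorithms are assumptions chosen for illustration. Model A is the two-stage arrangement (a trust policy maps subject attributes to a trust domain, an access control policy maps the domain to capabilities); model B is a single hierarchy of policy sets, policies and rules with combining algorithms. The constructed sample subject shows the practical difference the message points at: an operator-signed widget that should nevertheless be refused telephony can be expressed as one extra deny rule in the tree, whereas the two-stage model can only see its trust domain.

```python
"""Two ways of deciding whether a web application may use a device capability.
Added example; attribute names, domains, capabilities and combining rules are
illustrative assumptions, not the Nokia or BONDI definitions."""
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not-applicable"

# ---- Model A: trust policy -> trust domain -> access control policy -------
# Ordered list of (predicate over subject attributes, trust domain). The first
# match wins; an unmatched subject lands in "untrusted".
TRUST_POLICY = [
    (lambda s: s.get("root_cert") == "operator-root", "operator"),
    (lambda s: s.get("signer") == "acme-corp", "partner"),
    (lambda s: s.get("origin", "").startswith("https://"), "web-https"),
]
# The access control policy only knows domains, never individual widgets.
ACCESS_POLICY = {
    "operator": {"camera", "contacts", "location", "telephony"},
    "partner": {"camera", "location"},
    "web-https": {"location"},
    "untrusted": set(),
}

def trust_domain(subject: dict) -> str:
    """Trust manager: assign the subject to exactly one trust domain."""
    for predicate, domain in TRUST_POLICY:
        if predicate(subject):
            return domain
    return "untrusted"

def decide_two_stage(subject: dict, capability: str) -> str:
    """Access manager: permit iff the subject's domain carries the capability."""
    return PERMIT if capability in ACCESS_POLICY[trust_domain(subject)] else DENY

# ---- Model B: one hierarchy of policy sets, policies and rules ------------
@dataclass
class Rule:
    effect: str                          # PERMIT or DENY
    match: Callable[[dict, str], bool]   # over (subject attributes, capability)

@dataclass
class Policy:
    rules: List[Rule]
    combine: str = "deny-overrides"

@dataclass
class PolicySet:
    children: list                       # Policy or PolicySet nodes
    combine: str = "deny-overrides"

def combine_decisions(decisions: List[str], algorithm: str) -> str:
    """Combining rule a policy or policy set applies to its children."""
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    if algorithm == "deny-overrides":
        return DENY if DENY in applicable else PERMIT
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in applicable else DENY
    if algorithm == "first-applicable":
        return applicable[0]
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def evaluate(node, subject: dict, capability: str) -> str:
    """Recursive evaluation of a Rule / Policy / PolicySet node."""
    if isinstance(node, Rule):
        return node.effect if node.match(subject, capability) else NOT_APPLICABLE
    children = node.rules if isinstance(node, Policy) else node.children
    return combine_decisions(
        [evaluate(c, subject, capability) for c in children], node.combine)

OPERATOR_CAPS = {"camera", "contacts", "location", "telephony"}
POLICY_TREE = PolicySet(children=[
    # Fine-grained: this one widget never gets telephony, whoever signed it.
    Policy(rules=[Rule(DENY, lambda s, c:
        s.get("widget_id") == "com.example.dialer" and c == "telephony")]),
    # Coarse grouping by signature root certificate.
    Policy(rules=[Rule(PERMIT, lambda s, c:
        s.get("root_cert") == "operator-root" and c in OPERATOR_CAPS)]),
    # Coarse grouping by signer identity.
    Policy(rules=[Rule(PERMIT, lambda s, c:
        s.get("signer") == "acme-corp" and c in {"camera", "location"})]),
    # Coarse grouping by website URL.
    Policy(rules=[Rule(PERMIT, lambda s, c:
        s.get("origin", "").startswith("https://") and c == "location")]),
])

def decide_policy_tree(subject: dict, capability: str) -> str:
    """PDP over the tree; a NOT_APPLICABLE result is closed to DENY."""
    decision = evaluate(POLICY_TREE, subject, capability)
    return decision if decision != NOT_APPLICABLE else DENY

if __name__ == "__main__":
    # Constructed sample subject: an operator-signed widget with a known id.
    dialer = {"root_cert": "operator-root", "widget_id": "com.example.dialer"}
    print("two-stage  :", decide_two_stage(dialer, "telephony"))   # permit
    print("policy tree:", decide_policy_tree(dialer, "telephony"))  # deny
```

Two design points worth noting. The tree's root uses deny-overrides, so the per-widget deny wins over the broad grant for the operator root; with permit-overrides the coarse rule would silently win, which is the kind of interaction the message's "defined combining rules" exist to make explicit. Both PDPs also default to deny when nothing applies (the untrusted domain has no capabilities; NOT_APPLICABLE is closed to DENY), which is the safe choice regardless of which model an implementation adopts.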