- From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
- Date: Wed, 21 Oct 2009 14:16:27 +0200
- To: "Nilsson, Claes1" <Claes1.Nilsson@sonyericsson.com>, "'Paddy Byers'" <paddy.byers@gmail.com>, Peter-Paul Koch <pp.koch@gmail.com>, Frederick Hirsch <frederick.hirsch@nokia.com>
- CC: Robin Berjon <robin@robineko.com>, "public-device-apis@w3.org" <public-device-apis@w3.org>
- Message-ID: <FAA1D89C5BAF1142A74AF116630A9F2C2890D48C07@OBEEX01.obe.access-company.com>
Hi,

I think it is important to distinguish between protecting APIs and protecting data. At present we focus mainly on protection of the APIs.

What about the case that the filesystem API is enabled for everyone, but the rights are related to some paths in the filesystem? If we just concentrate on protecting APIs, we would probably need to define new APIs for the secure storage case.

So I would rephrase:

"SHOULD provide secure storage and management of secret information, e.g. server login credentials or API keys."

to

"SHOULD provide means to protect or restrict access to the parts of a given file system based on some security model, possibly different from the API security model".

(depending on what we will be able to agree on in the future).

This is the area that has been disputed in BONDI for a long time and there is currently no standardized end-2-end (from developer to policy writer) solution to that. It is in general the area where the APIs meet security, the coupling is quite tight, although may not be so visible at first sight.

Thanks,
Marcin

Marcin Hanclik
ACCESS Systems Germany GmbH
Tel: +49-208-8290-6452 | Fax: +49-208-8290-6465
Mobile: +49-163-8290-646
E-Mail: marcin.hanclik@access-company.com

From: public-device-apis-request@w3.org [mailto:public-device-apis-request@w3.org] On Behalf Of Nilsson, Claes1
Sent: Wednesday, October 21, 2009 1:58 PM
To: 'Paddy Byers'; Peter-Paul Koch; Frederick Hirsch
Cc: Robin Berjon; public-device-apis@w3.org
Subject: RE: ISSUE-11: Gathering requirements [FileSystem API]

I fully agree with Paddy. This is a general discussion that applies to all sensitive JavaScript APIs that we need to protect from unauthorized access.

However, the issue remains whether we should add a requirement to the FileSystem API. I suggest:

"SHOULD provide secure storage and management of secret information, e.g. server login credentials or API keys."

Best regards
Claes

From: Paddy Byers [mailto:paddy.byers@gmail.com]
Sent: Wednesday, 21 October 2009 11:36
To: Peter-Paul Koch; Frederick Hirsch
Cc: Nilsson, Claes1; Robin Berjon; public-device-apis@w3.org
Subject: Re: ISSUE-11: Gathering requirements [FileSystem API]

Hi,

> 1) Signing gives: ...

I think this discussion is common to all APIs and belongs to a new issue which should be raised. This issue should be confined to the filesystem API discussion.

I suggest raising a new issue: widget signing and trust models.

Thanks - Paddy
Received on Wednesday, 21 October 2009 12:17:17 UTC