Next steps for Policy Requirements draft? from Frederick Hirsch on 2010-02-10 (public-device-apis@w3.org from February 2010)

From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Date: Wed, 10 Feb 2010 08:44:24 -0500
To: public-device-apis@w3.org
Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Message-Id: <1E63AA95-ECF7-4095-8772-671D0795DA1E@nokia.com>

Before we progress the Policy Requirements editors draft [1] to FPWD  
we may wish to address some issues:

1. Do we want to indicate use cases/requirements related to the REST  
discussion we have been having?

If we are serious about this approach then we probably should. Any  
volunteers to take an action?

Along the lines of "Requirement to use various web authorization  
mechanisms such as OAuth"
Note that I suspect OAuth still requires backend policy somewhere so  
may not preclude the XACML style rules on the device...

2. Incorporate material from currently open actions

- ACTION-45: David Rogers to Provide use case with threat model  
scenarios

- ACTION-48: Suresh Chitturi to Propose a definition for API access  
control, and a possible model for policy enforcement

for the definition

  - ACTION-77: John Morris to Provide a discussion of requirements  
for privacy

or is privacy requirements another document, or per API? I think  
common considerations  should be in this document, however
Retitle this document "DAP Security, Privacy and Policy use cases and  
requirements"?

    - ACTION-79: Paddy Byers to Integrate his use cases in policy  
requirements

   • Dan Applequist's TAG message about privacy per api or grouping
Add note to document that additional notes on security/privacy  
specific to APIs will appear in API docs?

3) Issues noted in document, next steps?

Features defined according to CRUD, one feature for Create, Read,  
Update, Delete?

Feature parameters to avoid explosion of capabilities and features?  
e.g. file open with either read or write parameter. ( see http:// 
lists.w3.org/Archives/Public/public-device-apis/2009Oct/att-0120/ 
minutes-2009-10-07.html#item03 )

User authorization vs other policy authority

Support for trust models other than user security decisions needed?

What is the correct granularity of security decisions presented to  
user? Perhaps this should be stated in policy. What is the linkage to  
application logic?

( see ISSUE-21 - OPEN ) Is access control at the feature level  
required or is access control at the device capability level adequate?

4) Any other next steps?



regards, Frederick

Frederick Hirsch, Nokia
Co-Chair DAP WG

[1] http://dev.w3.org/2009/dap/policy-reqs/

Received on Wednesday, 10 February 2010 13:45:09 UTC