Re: Network API (Re: [sysinfo] draft ready for review) from Max Froumentin on 2010-01-06 (public-device-apis@w3.org from January 2010)

From: Max Froumentin <maxfro@opera.com>
Date: Wed, 06 Jan 2010 12:06:20 +0100
To: Thomas Roessler <tlr@w3.org>
CC: "public-device-apis@w3.org" <public-device-apis@w3.org>
Message-ID: <4B446EAC.4090303@opera.com>

On 05/01/2010 17:39, Thomas Roessler wrote:
> A high-level comment first:  Mapping the network environment with
> lots of detail opens the door for at least two sensitive effects.
>
> 1. Providing information that's equivalent to locating the user.  The
> "MAC address of the router" piece goes into this direction, as does
> the ESSID, as does information about the relative strength of GSM and
> UMTS and Wifi signals, when combined.  The specification needs
> privacy considerations that spell this out; information that turns
> out to be location-equivalent needs a user interaction akin to the
> location one.
>
> 2. Mapping a network in detail (e.g., learning device manufacturers
> through MAC addresses) can make attacks much easier.  Now, I'm not
> advocating security through obscurity (and yes, perimeters are dead
> anyway), but we should keep in mind the side effects of this work,
> and keep the network mapping API to what we have concrete use cases
> for.


You can always provide use cases for anything. I'm sure that any web 
-technology-based platforms (Pré, Google OS) someone will want to write 
apps to show the user what the available network interfaces are, or 
provide a list of processes. The properties and attributes that are 
currently in the specification will eventually reflect the WG's 
consensus on which are the useful ones. I bet that every one of them 
will have privacy or security issues. I expect the Policy work to 
address this, as part of general considerations on retransmitting those 
data.

> On a more detailed level:
>
> - What's the use case for enumerating all IP addresses that a
> multihomed device might have, *from* *a* *Web* *application*?

Perhaps we need to establish how different a web application is from a 
system application. Admittedly I see them as being very close. Indeed in 
the aforementioned OSs they are basically the same.

> - What's the use case for the signal strength?  (There's some
> location fun to be had with signal strength from several access
> points or network devices; therefore, this information contributes is
> a piece of the location-related puzzle.)

see above.

> - What does the "encrypted" attribute mean?  Do we count weak crypto
> (e.g., current GSM ciphers or WEP)?  Do we count link-level
> encryption to some network intermediary only, or other things?

> Objection!

Overruled: you didn't offer an alternative.

Max.

Received on Wednesday, 6 January 2010 11:06:54 UTC