- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Wed, 23 Jun 2010 14:29:17 +0200
- To: Frederick.Hirsch@nokia.com
- Cc: public-device-apis@w3.org
On Tuesday 22 June 2010 at 23:15 +0200, Frederick.Hirsch@nokia.com wrote:

> I think we need to have a discussion regarding the choice of policy framework for standardization.
>
> So far I've seen four options in the working group
>
> 1) Simple markup with clear separation of trust from decision
> 2) Profile of XACML 2.0
> 3) New markup as submitted by BONDI, similar to XACML 2.0 but different in schema and processing rules
> 4) No policy language at all.

My personal preference based on the recent discussions would be to delay the work on the format for policy interchange, until we have a better sense of an actual policy model.

In practice, I think it would be useful to start with cataloging existing in-browser JavaScript APIs that are restricted (which would be a necessary step in any case for the “api-feature” stuff of the policy format), with a description of these restrictions, and some leads as to how these restrictions would need to be removed in a privileged environment. It might be removing a prompt, it might be making new constructors or factory methods available, it might be removing same-origin restrictions, etc.

Based on that analysis, we could look at incorporating our findings in a revision of the WARP spec to include more fine-grained declarations of features/parameters, possibly seeking alignments with other similar efforts (Firefox Jetpack extensions, Chrome extensions, Android manifest, etc). I think such an effort could in fact also be useful for purely Web-based applications, to facilitate the building of user interfaces for dealing with sets of permissions.

And once we have all that well identified, I think we might then be in a position to work on a policy interchange format, should that appear to be useful.

Dom
Received on Wednesday, 23 June 2010 12:29:27 UTC