- From: Paddy Byers <paddy.byers@gmail.com>
- Date: Wed, 5 May 2010 14:59:43 +0100
- To: "Arribas, Laura, VF-Group" <Laura.Arribas@vodafone.com>
- Cc: public-device-apis@w3.org, Frederick Hirsch <frederick.hirsch@nokia.com>
- Message-ID: <AANLkTinzMMKIwB1B_BJzIs2ngJkPy5fn3XHAwH0zbPYF@mail.gmail.com>
Hi, I'd like to introduce a proposal to merge NOKIA's submission into Policy > Framework doc. Below I try to point out how would this changes impact > the current document. It would be good to discuss it in today's call and > see what editorial changes are required and if these changes are going > to bring major improvements to the security framework. > I'm sorry but I won't be able to join the call today because of a conflict. I think there's quite a bit of investigation needed to understand how your suggestion would work. I agree with the idea that it would be useful to be able to localise the definition of the two separate concerns of trust and access (ie which subjects are grouped together, based on their identifying attributes, and what access is permitted for each group). However, I think that in doing that there is a likelihood that the functionality will change quite significantly (ie the policies that can be expressed will be different). A couple of issues that come to mind immediately: - exclusivity of trust domains: is it the case that once the trust domain for an application is determined, it belongs to that domain and no others? With a BONDI policy, this isn't the case: a subject can matche the target for a given child policy (ie belong to the "trust domain" associated with that policy) but if none of the rules of that policy apply, then the higher-level combining rules will then cause other sibling policies to be relevant. So it is possible to define "trust domains" that apply with a specific scope, and which overlap with other trust domains. - subject attributes in rule conditions: in a BONDI policy, subject attributes can be used to determine which rules apply at a rule-by-rule level, instead of only at the level of the target on a policy. It isn't clear whether or not the same policies can be described if the two aspects are made completely separate. So before thinking about changes to the document itself, I think we need to think through what it would mean in terms of the logical model, and how well the resulting model addresses the various use cases. The one I keep coming back to is the ability for user decisions to be recorded themselves in the policy language (eg permit this operation for this application, or permit this operation for all applications from the same author, or deny this operation irrespective of the trustworthiness of the application). Thanks - Paddy
Received on Wednesday, 5 May 2010 14:00:19 UTC