Re: Security Use Cases - Very rough first draft

Most if not all of these requirements do not seem to be  specific to "Web
Publications" as the term is defined by DPUB IG.

It is of course true that publications must not compromise the basic
security model of the Web.

Unfortunately, the definition of that general security model and the
associated runtime life cycle isn't entirely clear, especially when it
comes to content and applications stored on / executing from local
systems.  And I'm not sure it's the job of DPUB IG to attempt to define
with precision that general model. Or, if we do take on the job of fully
defining that security model, we should realize we aren't doing it just for
"Publications" but really for Web content in general.

https://www.w3.org/TR/runtime/ is for example recent work in this area
started by the now defunct System Applications WG. Some  of this seems very
applicable to Web Publications. That it's unfinished orphaned work is
perhaps a warning sign that it may not be an easy job to take on but
perhaps someone could adopt it (which may be preferable to starting over).
Whether that's DPUB IG or a successor vs. say the Web Platform WG is
another question... and I guess to me this is all logically part of the Web
Platform itself.

EPUB specifications to date have clearly punted on this but one reason was
that we were hoping that work on Web Applications at W3C would be paving
the way in terms of more rigorously defining the Web security model
especially for offline/local content.

--Bill


On Fri, Aug 19, 2016 at 5:34 AM, Baldur Bjarnason <baldur@rebus.foundation>
wrote:

> Security Use Cases - Very rough first draft
>
> Here it is on Google Docs:
>
> https://docs.google.com/document/d/1i8vm8cg5iqxWgpPFRR3Qae5loj-
> DWcrsbBUIf2IeGaU/edit?usp=sharing
>
> Let me know if you can’t access it and I’ll find another way to share it
> with the list or fiddle with the sharing settings on the document itself.
>
> It’s a very rough draft, half-baked, doesn’t conform to spec style or
> structure etc. etc.
>
> All of the links included are there more as informative references for
> context and will have to be turned into proper spec references or removed
> in a later draft.
>
> If the scenarios seem paranoid downers then bear in mind that my biggest
> worry while writing it is that I might not be paranoid enough.
>
> - best
> - Baldur Bjarnason
>   baldur@rebus.foundation
>
>
>
>
>
>

Received on Friday, 19 August 2016 16:14:22 UTC