Re: Security Use Cases - Very rough first draft

While there may be things that come from our work on portable publications that may well be sent back to the rest of the web platform – it still needs to start here, because we are the group currently thinking about the portability issues, not anyone else.  So let us do that thinking and then call in others as needed.

Leonard

From: Bill McCoy <bmccoy@idpf.org>
Date: Friday, August 19, 2016 at 1:01 PM
To: Dave Cramer <dauwhe@gmail.com>
Cc: Bill McCoy <whmccoy@gmail.com>, Baldur Bjarnason <baldur@rebus.foundation>, "DPUB mailing list (public-digipub-ig@w3.org)" <public-digipub-ig@w3.org>
Subject: Re: Security Use Cases - Very rough first draft
Resent-From: <public-digipub-ig@w3.org>
Resent-Date: Friday, August 19, 2016 at 1:02 PM

Hi Dave,

To be clear I share your perspective that EPUB punting on rigorously defining the execution model including security aspects (*) is unfortunate and I think that as part of the vectors towards Portable Web Publications this omission MUST be addressed. I had hoped it would be addressed horizontally for all content in the Web Platform in general not just publications and I guess I'm still thinking that this would be the ideal outcome. So this is not an argument by me to skip this work but rather that it (and anything else that comes up that isn't explicitly "publication"-y) be done generally for the overall Web Platform, if possible.

By way of example, to very slightly edit your statement "if I send that script in a [Chrome App] to Google's [Chrome] Store, then it becomes Google's problem, and why should they trust my code?"

--Bill

(*) I was remiss in not parenthetically noting that while, in my view, general EPUB specs punted on this, the draft specs for Scriptable Components developed as part of the EPUB for Education profile do add rigor for the special case of active content embedded within a publication whose outermost content is defined to be declarative only.

On Fri, Aug 19, 2016 at 9:40 AM, Dave Cramer <dauwhe@gmail.com> wrote:
On Fri, Aug 19, 2016 at 12:13 PM, Bill McCoy <whmccoy@gmail.com> wrote:
> Most if not all of these requirements do not seem to be specific to "Web
> Publications" as the term is defined by DPUB IG.
>
> It is of course true that publications must not compromise the basic
> security model of the Web.
>
> Unfortunately, the definition of that general security model and the
> associated runtime life cycle isn't entirely clear, especially when it comes
> to content and applications stored on / executing from local systems.  And
> I'm not sure it's the job of DPUB IG to attempt to define with precision
> that general model. Or, if we do take on the job of fully defining that
> security model, we should realize we aren't doing it just for "Publications"
> but really for Web content in general.
>
> https://www.w3.org/TR/runtime/ is for example recent work in this area
> started by the now defunct System Applications WG. Some of this seems very
> applicable to Web Publications. That it's unfinished orphaned work is
> perhaps a warning sign that it may not be an easy job to take on but perhaps
> someone could adopt it (which may be preferable to starting over). Whether
> that's DPUB IG or a successor vs. say the Web Platform WG is another
> question... and I guess to me this is all logically part of the Web Platform
> itself.
>
> EPUB specifications to date have clearly punted on this but one reason was
> that we were hoping that work on Web Applications at W3C would be paving the
> way in terms of more rigorously defining the Web security model especially
> for offline/local content.
>

I think this is a critical part of our work, and one of the major
limitations of EPUB. Right now most EPUB reading systems don't support
scripting, partly because of UI conflicts and partly due to security.
If I write a script on my own website, it's my responsibility. But if
I send that script in an EPUB to Google's Play Store, then it becomes
Google's problem, and why should they trust my code?

Another informative post from Baldur:
https://www.baldurbjarnason.com/notes/some-notes-on-security/


Dave



--

Bill McCoy
Executive Director
International Digital Publishing Forum (IDPF)
email: bmccoy@idpf.org
mobile: +1 206 353 0233

Received on Friday, 19 August 2016 17:39:35 UTC