RE: Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015)

Thanks for your reply Anne. I understand how http: provides the added security level based on the assumption that the user is capable of making an informed decision based on the origin of the web application. 

When I refer to a more general model for allowing access to sensitive APIs, I can for example mention that we are implementing a model for "Trusted Hosted Web Applications" in FFOS. The model is based on a signed certificate containing CSP definitions and a list of permissions as well as secure transport and certificate pinning. This is probably too much for Geolocation but could be applicable for more sensitive APIs such as the SysApps TCP and UDP Socket API or a powerful Media Storage API. See slides 6-8 in 
http://lists.w3.org/Archives/Public/public-sysapps/2014Sep/att-0000/SoMC_FFOS_Trusted_Hosted_Apps.pdf.


BR
  Claes



Claes Nilsson
Master Engineer - Web Research
Advanced Application Lab, Technology

Sony Mobile Communications
Tel: +46 70 55 66 878
claes1.nilsson@sonymobile.com

sonymobile.com




> -----Original Message-----
> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On
> Behalf Of Anne van Kesteren
> Sent: den 7 november 2014 11:03
> To: Nilsson, Claes1
> Cc: Martin Thomson; Mounir Lamouri; public-geolocation@w3.org; Mike
> West
> Subject: Re: Requiring Authenticated Origins for Geolocation API's:
> Open Call for Comments (deadline - February 1, 2015)
> 
> On Fri, Nov 7, 2014 at 10:50 AM, Nilsson, Claes1
> <Claes1.Nilsson@sonymobile.com> wrote:
> > So is it easy for any evil guy to get a valid certificate.
> 
> It should be easy for anyone to get a certificate.
> Authenticated/secure origins is not about that. It's about protecting
> the end user against the network. The user will still have to decide
> whether to trust the domain name. (It's far from trivial for any evil
> guy to get a certificate for a domain of his choosing.)
> 
> 
> > How much can we then rely on certificate revocation systems?
> 
> Not much, yet, but I'm not sure that matters much for this discussion.
> 
> 
> > If it is so that the added security of requiring https for sites
> using the Geolocation API is just "imaginary" then we may defer this
> issue and rely on more general solutions for giving web apps permission
> to use APIs. There was a workshop in Paris in September on trust and
> permissions http://www.w3.org/2014/07/permissions/minutes.html, and it
> is proposed that a W3C Community Group should be formed.
> 
> 1) It's not imaginary. 2) I don't subscribe to the "let's form a task
> force" (non-)way of dealing with problems.
> 
> 
> --
> https://annevankesteren.nl/

Received on Friday, 7 November 2014 10:41:26 UTC
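The "Trusted Hosted Web Applications" gating sketched in the reply above (a signed descriptor carrying CSP definitions and a permission list, secure transport, certificate pinning), worked through as an added Go example; it is not code from this thread or from FFOS. The manifest shape, the Ed25519 signing key standing in for the signing certificate, the CertPin helper and the origin, pin and permission names are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical shape for the signed descriptor: the app origin,
// its CSP, the granted permissions and the SHA-256 pin (hex) of the host cert.
type Manifest struct {
	Origin, CSP   string
	Permissions   []string
	CertPinSHA256 string
}
// Sign serializes m and signs it; an Ed25519 key stands in for the real signing certificate.
func Sign(priv ed25519.PrivateKey, m Manifest) (payload, sig []byte) {
	payload, _ = json.Marshal(m)
	return payload, ed25519.Sign(priv, payload)
}

// CertPin returns the hex SHA-256 of a certificate's DER bytes, the value pinned in the manifest.
func CertPin(certDER []byte) string { return fmt.Sprintf("%x", sha256.Sum256(certDER)) }
// Authorize grants perm only if every gate passes: signature by the trusted key,
// https origin equal to the manifest's, matching certificate pin, listed permission.
func Authorize(trusted ed25519.PublicKey, payload, sig []byte, origin string, certDER []byte, perm string) error {
	if !ed25519.Verify(trusted, payload, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(payload, &m); err != nil {
		return err
	}
	if !strings.HasPrefix(origin, "https://") || origin != m.Origin {
		return errors.New("origin must be https and match the manifest")
	}
	if CertPin(certDER) != m.CertPinSHA256 {
		return errors.New("certificate pin mismatch")
	}
	for _, p := range m.Permissions {
		if p == perm {
			return nil // signed policy covers this API for this origin
		}
	}
	return errors.New("permission not granted: " + perm)
}
```

The pin check is what makes "secure transport" more than a scheme check: a valid-but-different certificate for the same host name, the case the reply says revocation cannot yet be relied on to catch, is rejected before the permission list is even consulted.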