- From: Janusz Majnert <j.majnert@samsung.com>
- Date: Thu, 21 Feb 2013 12:00:19 +0100
- To: public-sysapps@w3.org
Hi, On 2013-02-19 16:56, Mounir Lamouri wrote: > On 18/02/13 17:38, John Lyle wrote: >> I guess the main value in standardising a 'certified' level is that it >> would allow a manufacturer with this requirement to implement an API on >> multiple web app platforms with similar access control and security >> expectations. However, I agree that this is a fairly small aspect of >> the security model, and the benefit of standardisation is minimal. But >> as it is common to webinos, Tizen and Firefox OS (sorry, I'll stop >> calling it B2G soon) perhaps it would be harmless to make it an optional >> part of the specification? > > Your usage of the third level seems to be very close to ours then. I > wouldn't mind specifying that third level but I'm not sure all our > implementations give access to that third level the same way. Also, I'm > not sure any standardized API will ever request to be limited to that > third level. But I guess adding the level wouldn't hurt and we could > simply remove it if it appears to be useless. I think there is no reason to specify the third level if we already assume it's going to be just for platform-specific or proprietary APIs. We should however make sure that the spec doesn't prohibit implementations adding it on their own. Another issue I wanted to bring up here is the number of "trust levels" in the specification. Do you think 2 is enough? With 2 levels, we would have to put all security and privacy sensitive APIs in the second (trusted) level. It's an all-or-nothing situation. Wouldn't it be better to separate this level into two and allow implementations to configure how the APIs are distributed among them? /Janusz Majnert Samsung Electronics Poland
Received on Thursday, 21 February 2013 11:00:56 UTC