- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 26 Feb 2013 16:36:03 -0800
- To: Janusz Majnert <j.majnert@samsung.com>
- Cc: public-sysapps@w3.org
On Tue, Feb 26, 2013 at 2:02 AM, Janusz Majnert <j.majnert@samsung.com> wrote:
>>> Wouldn't it be better to separate this level into two and allow
>>> implementations to configure how the APIs are distributed among them?
>>
>> I think that would be worse than an "all or nothing" situation because
>> some runtimes will allow the Foo API to be used by any installed application
>> and some runtimes will not, and in the end APP A, which uses the Foo API, will
>> only be usable on the runtimes allowing it to run without being
>> privileged.
>
> My point exactly. Having the implementations or operators customise which
> APIs are available to which apps could minimise the legal and cultural issues we
> would get if we imposed a single model ourselves.

We absolutely must avoid the trap that the DAP fell into and which ultimately caused a lot of the work that happened there to fail. I.e. we must not defer to vague concepts of "security policies" which are defined by some ominous 3rd party that defines what security policy a particular user uses.

That said, I still agree with what you are saying; we just have to be very explicit about who makes which decisions.

In Firefox OS the runtime trusts a set of stores, and those stores decide which applications should get access to which privileged APIs. Likely we'll expand this so that Firefox OS trusts certain stores to only be able to hand out certain privileges.

/ Jonas
Received on Wednesday, 27 February 2013 00:37:00 UTC