In-Reply-To: <512C7F66.5040600@samsung.com>
References: <CAGwV++cAWnCtJogpJvDGPsJ2i30uDUi8ch0k9u6L65u-YhHAUg@mail.gmail.com>
 <511E8005.4040900@lamouri.fr> <035d01ce0dd9$7bafb4a0$730f1de0$@samsung.com>
 <51223A26.6020504@cs.ox.ac.uk> <512258BD.2060503@lamouri.fr>
 <512266FD.80202@cs.ox.ac.uk> <5123A0A3.2010703@lamouri.fr>
 <5125FE43.20107@samsung.com> <CA+c2ei-huoB4K-5_tmWdvSqGe5gKYQwzy4XDG2-7x6QxTgsppg@mail.gmail.com>
 <512BA344.9030806@lamouri.fr> <512C7F66.5040600@samsung.com>
From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 26 Feb 2013 15:11:18 -0800
Message-ID: <CA+c2ei9dMnTy=5_8L-zrgK2LqyZV1=nQd=tZpiy_VOG34h9R3w@mail.gmail.com>
To: Janusz Majnert <j.majnert@samsung.com>
CC: <public-sysapps@w3.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [Execution and Security Model] Proposal from Samsung Electronics
Archived-At: <http://www.w3.org/mid/CA+c2ei9dMnTy=5_8L-zrgK2LqyZV1=nQd=tZpiy_VOG34h9R3w@mail.gmail.com>

On Tue, Feb 26, 2013 at 1:24 AM, Janusz Majnert <j.majnert@samsung.com> wrote:
>>> But I definitely think that our ultimate goal should be to move as
>>> many of the APIs to as low level as possible. Or at least as much as
>>> possible for the various APIs to as low level as possible. So for
>>> example the SMS API might have a subset which is only exposed to
>>> certified apps, whereas the ability to be notified of incoming
>>> messages is exposed to privileged apps, and the ability to read the
>>> database of stored messages is exposed to normal apps. (Just to pull
>>> an example out of thin air).
>>
>> Why would the SMS API be limited to certified applications? A privileged
>> application is an application that has been marked as privileged by a
>> store that has been marked as privileged by the runtime. Why should we
>> expect such an application to not behave correctly? If Firefox OS or
>> Tizen or Webinos trusts a store and that store trusts an application
>> whether because the code has been reviewed or the author is trusted.
>
> On Android, would you trust all applications available via the Play Store?
> Or in other words - would you trust all of them the same? Or do you also
> look at user ratings, download numbers, who the author is, etc?
> You gave a good example in your other email, where you wrote about SMS API
> being abused by an app that was trusted enough to use it...

The goal of the security model used by Firefox OS is that users can
always safely install any application from anywhere. Installing an app
doesn't need any security or privacy decisions on the user's part.

I strongly feel that we should design the security model defined in
this group with the same goal.

The user will have to make some runtime decisions though. Like if
sharing pictures or sharing GPS location with an application is ok.
These are more like privacy decisions than security decisions though.
For these types of decisions I would expect the user to take into
account who the author is, where the application came from etc.

/ Jonas