- From: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>
- Date: Wed, 13 Jun 2012 10:51:39 +0200
- To: Greg Billock <gbillock@google.com>
- CC: "public-web-intents@w3.org" <public-web-intents@w3.org>
On 13/6/12 07:38 , Greg Billock wrote: > Can you elaborate? The risk the language about intent delivery is > addressed to is not a security concern, but to maintain a specific > model of registration within the UA -- that it not silently register > services and then dispatch to them without user involvement. For > explicit intents, though, the client is specifically directing the > user to a particular service -- there's no registration involved. > > Do you think the same thinking ought to apply here, though? That is, > any dispatch, even explicit, to a particular service ought to be > approved by the user? JCD: The people I work with in the webinos project looked at the registration of the intent as the place in the process where they will insert security/policy checking. They are concerned about the explicit intents and the lack of this registration check. So our first reaction was to try to impose the registration check also for explicit intents. After trying to write a scenario about a pirate page using an explicit intent "transferFunds" provided by a banking site, I realize that the intent registration may not provide for enough checking. If such a sensitive intent existed, then I would not authorize its invocation from just any page, so at the intent registration time, I cannot "approve" it in general. So the intent provider may need to do additional checking, but it has no information on who is the invoker, right ? I believe there is something missing, the possibility of imposing more checks, depending on the sensitivity of the intent. How would you "install" a security policy for intents on top of the current spec ? Best regards JC -- JC Dufourd Directeur d'Etudes/Professor Groupe Multimedia/Multimedia Group Traitement du Signal et Images/Signal and Image Processing Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144
Received on Wednesday, 13 June 2012 08:52:09 UTC