Security Review of Network Service Discovery

The Device APIs WG (DAP) is currently working on a specification called "Network Security Discovery"; working drafts have been published, and since the last we have incorporated use of CORS into the editor's draft. We anticipate publishing an updated WD in the next month unless there are reasons for delay (my preference is to publish WDs frequently as needed).

We are seeking security review both early in the process to help us work in the right direction as well as later once we are in LC. We are also requesting Privacy review from PING and have scheduled an overview session on the PING call 30 January, so you may wish to attend that for an overview [1].

This is a request for the Security Interest Group to review this specification when and how you think appropriate, to make sure we aren't missing any good ideas or concerns.

Editor's draft: https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html

Issues: http://www.w3.org/2009/dap/track/products/31

Extract from non-normative introduction text:

[[


This specification defines the NavigatorNetworkService<https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html#navigatornetworkservice> interface to enable Web pages to connect and communicate with Local-networked Services provided over HTTP. This enables access to services and content provided by home network devices, including the discovery and playback of content available to those devices, both from services such as traditional broadcast media and internet based services as well as local services. Initial design goals and requirements provided by the W3C Web & TV interest group<http://www.w3.org/2011/webtv/> are documented in [hnreq<https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html#bib-hnreq>].

Using this API consists of requesting a well-known service type, known by developers and advertised by Local-networked Devices. User authorization, where the user connects the web page to discovered services, is expected before the web page is able to interact with any Local-networked Services.

A web page creates a request to obtain connectivity to services running in the network by specifying a well-known discovery service type that it wishes to interact with.

...

]]

Rich, Dom, if you have more to add, please feel free.

Thanks

regards, Frederick

Frederick Hirsch, Nokia
Chair, W3C DAP Working Group

[1] http://www.w3.org/Privacy/

On Jan 16, 2014, at 7:47 AM, ext GALINDO Virginie wrote:

Hi all,

As one of the tasks of the Web Security IG relates to reviewing the specifications, I have drafted a light process for reviewing the specifications (either from W3C or from other standardization bodies or consortia). This proposal is based on a discussion I had with Dom.
It is available here: http://www.w3.org/Security/wiki/IG/W3C_spec_review#Process_Proposal_for_Reviewing_Specification
This will help the potential people asking for review to know what they can expect from this IG.

Do not hesitate to comment for improving it.

Regards,
Virginie
Co-chair of the web security IG



Received on Friday, 17 January 2014 22:53:03 UTC