FYI: chartering discussion re security policy for APIs

FYI, the message below just went to the public-device-apis@w3.org  
list.  Please follow up there.

   http://lists.w3.org/Archives/Public/public-device-apis/2009Apr/

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>
Begin forwarded message:

> From: Thomas Roessler <tlr@w3.org>
> Date: 14 April 2009 13:34:12 GMT+02:00
> To: public-device-apis@w3.org
> Subject: Starting the chartering discussion -- security policy for APIs
>
> Hello,
>
> it's about time that we start a chartering discussion.  Fundamentals  
> that we need to sort out in order to get from here to there:
>
> - general scope of the work (and things that are out of scope)
> - basic principles for the work
> - deliverables and milestones
> - resources
> - input documents
>
> Based on the outcomes from the workshop [1] and the notes from the  
> mobile web breakout session at the AC meeting [2], I'd propose the  
> following in terms of a (rough) mission and scope, and would  
> appreciate your feedback on this mailing list:
>
> 1. The group would be chartered to produce a framework for the  
> expression of security policies that govern access of Web  
> applications and widgets to security-critical APIs.  To achieve this  
> goal, the group will need to deal with the following items:
>
> - policy expression proper
> - identification of APIs
> - identification of web applications and widgets
>
> 2. Out of scope:
>
> - concrete APIs
> - policy management and discovery
> - fundamental changes to JavaScript
>
> 3. Principles:
>
> - before inventing a new policy expression language, existing  
> languages (such as XACML) should be reviewed for suitability
> - the resulting policy model must be compatible with the existing  
> same origin policy (as documented in the HTML5 specification)
> - the work should not be specific to either mobile or desktop  
> environments, but may take differences between the environments into  
> account
>
> 4. Liaisons:
>
> - PLING (W3C Policy Languages Interest Group)
> - HTML WG
> - WebApps WG
> - geolocation WG
> - Mobile Web Best Practices WG
> - BONDI
> - OpenAjaxAlliance
>
> Note that this would be a good time for interested members to  
> indicate *privately* whether they're willing to make chairing or  
> editing resources available.
>
> This would also be a good time for those members who presented  
> concrete technical proposals at the workshop to indicate whether  
> they'll be interested in putting these proposals on the table as a  
> basis for the work proposed here.
>
> [1] http://www.w3.org/2008/security-ws/report
> [2] http://lists.w3.org/Archives/Member/w3c-archive/2009Apr/0094.html
>
> Note: [2] is member-only; I'll circulate a publicly visible summary  
> some time soon.
>
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>

Received on Tuesday, 14 April 2009 11:40:05 UTC