FYI, the message below just went to the public-device-a...@w3.org
list. Please follow up there.
http://lists.w3.org/Archives/Public/public-device-apis/2009Apr/
Regards,
--
Thomas Roessler, W3C <t...@w3.org>
Begin forwarded message:
From: Thomas Roessler <t...@w3.org>
Date: 14 April 2009 13:34:12 GMT+02:00
To: public-device-a...@w3.org
Subject: Starting the chartering discussion -- security policy for
APIs
Hello,
it's about time that we start a chartering discussion. Fundamentals
that we need to sort out in order to get from here to there:
- general scope of the work (and things that are out of scope)
- basic principles for the work
- deliverables and milestones
- resources
- input documents
Based on the outcomes from the workshop [1] and the notes from the
mobile web breakout session at the AC meeting [2], I'd propose the
following in terms of a (rough) mission and scope, and would
appreciate your feedback on this mailing list:
1. The group would be chartered to produce a framework for the
expression of security policies that govern access of Web
applications and widgets to security-critical APIs. To achieve this
goal, the group will need to deal with the following items:
- policy expression proper
- identification of APIs
- identification of web applications and Widgets
2. Out of scope:
- concrete APIs
- policy management and discovery
- fundamental changes to JavaScript
3. Principles:
- before inventing a new policy expression language, existing
languages (such as XACML) should be reviewed for suitability
- the resulting policy model must be compatible with the existing
same origin policy (as documented in the HTML5 specification)
- the work should not be specific to either mobile or desktop
environments, but may take differences between the environments into
account
4. Liaisons:
- PLING (W3C Policy Languages Interest Group)
- HTML WG
- WebApps WG
- geolocation WG
- Mobile Web Best Practices WG
- BONDI
- OpenAjaxAlliance
Note that this would be a good time for interested members to
indicate *privately* whether they're willing to make chairing or
editing resources available.
This would also be a good time for those members who presented
concrete technical proposals at the workshop to indicate whether
they'll be interested in putting these proposals on the table as a
basis for the work proposed here.
[1] http://www.w3.org/2008/security-ws/report
[2] http://lists.w3.org/Archives/Member/w3c-archive/2009Apr/0094.html
Note: [2] is member-only; I'll circulate a publicly visible summary
some time soon.
--
Thomas Roessler, W3C <t...@w3.org>