08:29:58 <RRSAgent> RRSAgent has joined #devices
08:29:58 <RRSAgent> logging to http://www.w3.org/2008/12/10-devices-irc
08:30:04 <dom> RRSAgent, make log public
08:30:13 <dom> Meeting: Workshop on Security of access to device APIs from the Web
08:30:24 <dom> Chair: Nick Allot, Thomas Roessler
08:32:36 <adrian_hb> adrian_hb has joined #devices
08:34:07 <ArtB> ArtB has joined #devices
08:35:16 <ArtB> ArtB has changed the topic to: Workshop on Security of Access to device APIs from the Web http://www.w3.org/2008/security-ws/agenda.html
08:38:01 <dom> [tlr introduces the workshop, reviews the agenda]
08:44:22 <matt> matt has joined #devices
08:46:50 <matt> scribe: Matt
08:51:55 <matt> Topic: Security for Access to Device APIs from the Web, Art Barstow, Nokia
08:52:06 <fjh> fjh has joined #devices
08:54:13 <DKA> DKA has joined #devices
08:56:15 <Anil> Anil has joined #devices
08:57:40 <smb> smb has joined #devices
09:00:49 <matt> Anders: What about OSS?  The mobile industry with a few exceptions is going open source.
09:01:17 <matt> ArtB: A few ways: the w3c can't get specs to the Recommendatino phase until there are two interoperable implementations, so OSS makes a lot of sense.
09:01:28 <matt> ArtB: WRT Widgets, there are already some OSS things there.
09:01:52 <matt> ArtB: OTOH there are some movements to not do specs until there's an OSS implementation in existance.
09:02:15 <matt> Topic: Security Challenges for Internet Technologies on Mobile Devices, Anil Dhawan, Microsoft
09:03:42 <hendry> hendry has joined #devices
09:08:03 <MikeSmith> MikeSmith has joined #devices
09:10:02 <matt> Ben_Lowrie: Verifiable disclosure, what is that?
09:10:24 <matt> Anil: That is making sure the manifest is secure, that no one has tampered with the privileged manifest document.
09:10:42 <matt> Frederick: Declarative vs Run-Time, why are those alternatives?  Why not have both?
09:10:45 <marcos> marcos has joined #devices
09:11:19 <matt> Anil: Those are things to consider from the user perspective.  A bunch of checkboxes before running an app,it's not obvious what is going to be done with that.
09:11:27 <PHB> PHB has joined #devices
09:11:46 <matt> ArtB: The six items on the last slide (Opps for Standards), are any of those good for being worked on within the w3c?
09:12:00 <matt> Anil: Those are some things we think belong in standards bodies, and if we can do that fantastic.
09:12:06 <dom> s/Lowrie/Laurie/
09:12:15 <matt> ??: What if the widget downloaded does not meet the risk requiremenets, but the user still wants to run it?
09:12:21 <dom> s/??/Fabio/
09:12:38 <matt> Anil: That falls back to policy, Operators know what they want there obviously, but to us it's a policy decision.
09:12:40 <PHB> We really need to start with a risk analysis and then look at where standards can help
09:13:13 <matt> Topic: Security Assurance for Web Device APIs, Steven M. Bellovin, Columbia University
09:14:19 <PHB> I can't work out what the security requirements are before implementation, so how could a solution be complete?
09:16:07 <PHB> [Actually the users will do the wrong thing when they do understand the circumstances!]
09:18:41 <fjh> users want to get something done and view security as a barrier
09:22:16 <PHB> Accounting needs greater consideration
09:24:05 <matt> Fabio: Are you sure it's a good idea to attach the category to the device and not the application?
09:24:33 <matt> smb: This may be semantics  When I talk about a device, like a smartphone browsing the Web, it might be microphone input... so I'm not talking about the device as the phone, but the device on the phone, such as the microphone.
09:24:59 <matt> PHB: It might be useful to think about the difference between mobile and stationary devices.
09:25:59 <matt> PHB: Old computers had accounting.
09:26:13 <matt> smb: Where is the high assurance way to turn off data roaming for instance, without malware being able to turn it back on
09:26:20 <matt> PHB: <missed>
09:27:39 <matt> smb: There are a lot of concerns there.  Vendors of say, smartphones that have controlled what apps can be downloaded and installed, they also may use that security to make sure that applications don't compete with their own applications.
09:28:03 <fjh> q+
09:28:10 <Zakim> Zakim has joined #devices
09:28:13 <dom> q+ fjh
09:28:44 <matt> Nick: What SDOs?  What about OSS?  Patent land mines?  <missed> Installable applications over the Web <?>  Trust and code identity?
09:29:12 <matt> Nick: Risks and mitigation, how do we value these things?  How are we aware of what an application claims it wants to do vs what it does?
09:29:24 <matt> Nick: Device discovery and capabilities discovery...
09:29:44 <matt> Nick: The user is a major element in this, what have they been trained to do, what role do they play?
09:30:19 <fjh> q-
09:30:21 <matt> Nick: "Fragility", you can design the best theoretical system that you'd like, but we know the problems aren't usually the theoretical systems, but the bad implementations.  They should fail gently.
09:30:29 <matt> Topic: Open Discussion
09:30:37 <fjh> Can view SDO cooperation as well as competition
09:30:41 <PHB> q=
09:30:45 <PHB> q+
09:30:59 <dougt> dougt has joined #devices
09:31:13 <pauld> pauld has joined #devices
09:31:14 <matt> Nick: Cooperation between SDOs can be difficult, differences in IPR, etc, slows things down.
09:31:20 <matt> fjh: Depends on the organizations being considered...
09:31:26 <dom> ack PHB
09:31:45 <matt> PHB: there are too many people involved to get them all together in one place that you can trust.
09:31:57 <fjh> some number of SDOs form an ecosystem
09:32:02 <matt> PHB: Once SDOs get beyond 1000 or so it's hard to know everyone.
09:32:29 <matt> PHB: The mobile Web is different in some ways, but not all that different.  We don't want to create a whole new platform for mobile devices.
09:32:57 <matt> PHB: The Web Consortium needs to serve the Web platform, but once you get to applications there isn't enough bandwidth.
09:33:28 <matt> ??: What is an application then?
09:33:36 <matt> PHB: <missed response>
09:33:42 <matt> Nick: Role of Open Source in this area?
09:34:02 <maxf> maxf has joined #devices
09:34:24 <dom> s/??/Nick/
09:34:26 <matt> Nick: Are the Open Source initiatives going to have a role to play with early prototypes, etc?
09:34:39 <matt> Kai: I'd argue that the best software should win, whether it's Open Source or not.
09:34:49 <matt> Kai: There should be competition.
09:35:22 <matt> pauld: We see great value in open source for requirements gathering.  In proprietary world, there's lots of stuff out there that claims to be backed by research, etc, but there's no better research than getting it out there.
09:35:54 <matt> ??: I think this relates to Art's question: if we don't get the major players involved, why bother?
09:36:11 <matt> ??: Many of the OS projects are driven by commercial entities.
09:36:30 <matt> dougt: How is this different than a commercial company then?
09:37:02 <dom> s/??/PaddyByers/
09:37:03 <dom> s/??/PaddyByers/
09:37:05 <matt> ??: No different, except open source is a vehicle to get things proliferated as a de facto standard in a way that commercial projects aren't?
09:37:08 <matt> s/aren't?/aren't./
09:37:09 <dom> s/??/PaddyByers/
09:37:19 <PHB> q+
09:37:19 <matt> dougt: Doesn't matter then if you're closed or open source, it's how many users you have.  Commercial vs open source is somewhat orthogonal to security in general.
09:37:39 <matt> PaddyByers: An OS implementation that you can use is not enough.
09:37:46 <tlr> q?
09:38:06 <pauld> rrsagent, where am i?
09:38:06 <RRSAgent> See http://www.w3.org/2008/12/10-devices-irc#T09-38-06
09:38:06 <tlr> I suggest not using Zakim for queue management
09:38:10 <smb> smb has joined #devices
09:38:18 <dom> zakim, bye
09:38:18 <Zakim> Zakim has left #devices
09:38:19 <tlr> instead, wave your hands -- the session chair isn't looking at IRC
09:38:37 <matt> Nick: Getting the right people involved... because we're talking about accessing device APIs the number of people involved has increased many fold.
09:39:17 <matt> Nick: Ooperating System implementors, application developers, and middleware players...  this makes collaboration more complicated.
09:39:18 <matt> PHB: Are we asking about Open Source because we are afraid there won't be any?
09:39:37 <matt> PHB: If the devices are open, regardless of what we decide, then OS will grow.
09:39:47 <matt> dougt: What does an open device mean?
09:40:00 <AndreaT> AndreaT has joined #devices
09:40:20 <matt> PHB: I can write an app and put it on my device, without worrying about it competing with the vendor.
09:40:24 <AndreaT> Greetings. Andrea Trasatti, dotMobi. I hope it's OK, if I quitely read....
09:41:23 <matt> David: In the case where there are contractual obligations you have to follow them...  <??>
09:41:35 <matt> Nick: For instance who has your credit card, or debit card numbers, etc...??
09:42:28 <matt> dougt: For instance my cable provider has my credit card number and charges me for bandwidth, but has no control over the applications I use.
09:42:29 <matt> dougt: The mobile phone case is slightly different due to subsidies, etc, but...
09:43:19 <matt> PHB: Discussing whether open source is going to play a role in developing device APIs etc, doesn't strike me as useful, regardless of the opinion of the people at this table, it's going to happen.  So really, this discussion is just a proxy for the openness discussion.
09:43:46 <matt> ??: Open source and openness those two subjects are fundamentally, simply, don't have anything to do with each other..
09:43:53 <dom> s/??/Arve/
09:44:20 <matt> Arve: You can deliver the greatest open source device in the world and you could still have the device locked down for signed applications.
09:45:08 <matt> Nick: Irrespective of whether OSS has a role, there could be a role in testing, etc. ??
09:45:16 <matt> pauld: Are you suggesting a reference implementation?
09:45:25 <matt> Nick: Well, I've got a particular feeling about it...
09:45:37 <matt> Nick: Who are the core players here?
09:45:45 <LucasAdamski> LucasAdamski has joined #devices
09:45:54 <matt> dougt: Geolocation is going to be one of the first implementations of device APIs within browsers.
09:46:08 <matt> dougt: It'll be deployed in fennec and fx desktop client.
09:46:22 <matt> dougt: In fact, in fx 3.1 the draft spec implementation is there, but with no location provider provided.
09:46:31 <matt> dougt: WebKit/Apple will follow.
09:46:51 <matt> dougt: If you want to model it, and it's development, then you'll want to follow it.
09:47:10 <matt> Nick: You're talking about the companies in that WG then?
09:47:32 <matt> dougt: The UAs in that group, sure, not saying they should be the only ones involved, but that's a good thread to watch.
09:48:05 <matt> Anil: We've got a great representation across the board, but who is going to build the scenarios we're actually talking about?  Where is the developer that we're talking about?  Who is representing the next killer app?
09:48:15 <matt> Anil: What can we do to bring that voice here?
09:48:27 <matt> Nick: I think those people are identifiable.
09:48:43 <matt> Nick: They are usually companies who run into the brick wall of being tied to the platform...
09:49:18 <matt> Nick: They're identifiable, and should be engaged.
09:49:33 <matt> Anil: Build it and they will come vs build it and make sure they come.
09:49:38 <matt> Nick: They've hit these problems before really...
09:50:07 <matt> tlr: The environment we're talking about, JavaScript and DOM.  There's a hell of a lot of rope for developers to hang themselves.  There are lots of moving parts for these things to be secure..
09:51:32 <matt> tlr: We've got things that resemble device APIs, things like the widget platforms.  e.g. Google Mail widget, it had to write the subject header of a message.. so it over wrote document.innerhtml... so you could embed HTML and script in there.  You could easily write a mail that could take over your computer.  It's basically getting access to system(3)
09:52:30 <matt> tlr: Anything that displays HTML, most apps don't use their own parser, but the HTML parser given to them by the system.  Same problem, slight variant.  If there is a cross site scripting problem in a page seen by a widget then it turns into a vulnerability on the computer...
09:52:46 <matt> tlr: We need to keep these things in mind, in addition to just API design.
09:53:37 <matt> tlr: People have been talking about least privilege capabilities...  a widget declares only the capabilities that you need.  In  the cases that I've just listed, the widget declares that it's going to want system access...
09:54:08 <matt> tlr: When talking about least privilege, think about how it will be used, what causes users to escalate privileges?
09:54:14 <smb> smb has joined #devices
09:54:18 <marcos> pauld, sounds good. 
09:54:32 <matt> tlr: One of the reasons people use widget.system they just want to display a growl notification. 
09:54:50 <matt> tlr: There's a lot of rope being given to people.  Conservative design of the APIs will be a very important piece.
09:55:01 <pauld> suggests tag for workshop of #w3cdevices
09:55:04 <matt> tlr: A design that lets app developers do what they need to do without shooting themselves.
09:55:26 <matt> tlr: I hope the work that goes on in this room will help close the box on these issues.
09:56:10 <matt> Lucas: People coding the rich internet applications isn't their problem, but that we are using this stuff to work in a way that it wasn't designed to in the first place.
09:56:39 <matt> Lucas: The solution is to have the developer declare their intent.  But those will fail at the same way, if the pace of the underlying implementation is not keeping up.
09:57:01 <matt> Lucas: These models have to be flexible enough to keep pace.
09:57:13 <matt> Lucas: New design patterns have to be supported explicitly.
09:57:25 <matt> Lucas: Right now we give the developer a grenade and pull the pin.
09:57:37 <matt> Lucas: You have to write your own parser or do complex escaping, etc.
09:57:58 <matt> Lucas: Right now the bar is so low that no one bothers going 'up here', when 'down here' there's enough.
09:58:32 <matt> Arve: We shot ourself in the foot in 1995 or so, with the introduction of <img>, which allowed off-site content.  We can't really fix that.
09:58:47 <matt> Arve: We have to work with the broken security model of the Web.
09:59:03 <matt> Arve: We've been giving them enough to shoot themselves in the foot, but we have to make sure they don't shoot their legs off in the process.
09:59:17 <matt> Arve: So, anything we do has to work with least privileges.
09:59:34 <matt> Lucas: We can change the sandboxes...
10:00:05 <matt> Lucas: Every time you think about giving folks access to things, either new APIs or new sandboxes, then you have a chance to get them to subsribe to a new security model.
10:00:21 <matt> Lucas: We're looking at this in content security policy... 
10:01:26 <matt> fjh: I think tlr made a good point: if you want to use say, growl or someone elses work, people will want to do that, but there's no API for it.  You can't predict what it would be.  You need a way to do this without using a system call.
10:01:54 <matt> Lucas: Think of it in services, like here's a notificatin service, tell them what services are available, etc.
10:02:12 <matt> Lucas: The more generic those APIs... ??
10:02:28 <matt> Paddy: On JS sandboxing and eval, my project, supports those compatibly.
10:03:11 <matt> Nick: This WS is about device APIs, W3C and secure access.  The question we need to keep in mind as we have these discussions: within this domain, what is it we need to standardize?
10:03:25 <matt> Nick: There are plenty of companies here that already do these things, all in different ways.
10:03:42 <matt> Nick: There are lots of big issues here, we can't do it all in one go, so what needs to be prioritized for standardization in this area?
10:04:08 <matt> Nick: So at the end of these two days, we should have figured some of this out.
10:04:24 <matt> Nick: So, what are the priorities so far?
10:05:22 <matt> ??: A lot of the things going on already, specifically widget systems.  Widget packages have access to device APIs, with some declaration of their security policy.  Some people are talking about Web sites accessing these APIs.  What are the priorities of each of these two things?
10:05:33 <matt> Nick: Widget vs Web contexts...
10:05:59 <matt> Steve: We've had to address this quite a bit, we started with the idea that only device access would come from widgets, but we had problems with that from our content providers.
10:06:49 <matt> tlr: If you take the widget examples I just took, most of them fail at the point where they are ??special . 
10:07:34 <smb> smb has joined #devices
10:08:14 <matt> tlr: The two contexts share the environment...  it's probably important to look at both at the same time, otherwise you're probably looking at more vulnerabilities.  I think it's important that we don't end up diverging, but consider both together.
10:09:07 <matt> tlr: If we look 5 years ahead, most interesting things will be on the Web.  Making the device APIs different between the two will make it worse.
10:09:32 <matt> ??: We should look at Widgets and Web Applications at the same time?  Does that mean you should find the same security solutions?
10:09:59 <matt> tlr: I think we should aim to find the same solutions.  There's a large cost to separating these things.  The cost might be worth it.
10:10:29 <matt> tlr: The cost is high and we shouldn't make the tradeoff just in passing.  It needs to be a concious discussion where the two space should converge and it might make sense to separate them, if anywhere at all.
10:10:54 <matt> Lucas: They're already convering, right?  Why would we want them to be different?  You may have to reconcile the differences between the two models.  How do you do that?
10:11:17 <matt> ??: The distinction, if you have WebKit on the iPhone, the user doesn't know if it's a widget or a web page.
10:11:48 <matt> ??: You want the user at least aware, if not in control of what happens.  The issues you're presenting the user with in those cases aren'[t that different.  Maybe one is a widget install, the other is maybe a bookmark..
10:12:07 <matt> ??: In the widget space, we... <lost>
10:12:25 <matt> ??: Keeping focus on the Web site use cases is important.  We're going to have the same issues.
10:12:38 <matt> ??: You may have to do these things different in the two cases, but there's no reason for the APIs to be different.
10:12:44 <hendry> s/??/Paddy Byers
10:13:15 <tlr> ?? in the previous few points is Paddy Byers
10:13:31 <tlr> (putting it on the record for the moment since the s// will only apply to the last point)
10:13:32 <matt> maxf: I think all of the points made thus far have been in favor of treating them the same, perhaps we all agree?
10:14:17 <matt> Nick: We might have to implement them in a different manner, but the intent, I think is a good one.  If we could get consensus on that, it'd be good.
10:14:41 <matt> Arve; I do not think the same solutions will apply.
10:14:48 <matt> s/Arve;/Arve:/
10:15:15 <matt> Lucas: Ideally, theoretically, the user always makes a trust decision.
10:16:24 <matt> Lucas: I don't think there will be any difference.  i think the user will be making a decision based on a trust model based on origin.
10:16:33 <arve> arve has joined #devices
10:16:39 <matt> Lucas: In the WebApps case it's ssl, in widgets it's ??
10:16:54 <matt> PHB: Whenever trust is said, the next thing mentioned is identity.  With trust we're really interested in accountability.
10:17:05 <matt> PHB: I don't care who I get my code from, I want the to be accountable.
10:17:16 <matt> PHB: That's the only reason you have identity there.
10:17:37 <matt> Nick: resume at 10:45
10:29:09 <StewartB> StewartB has joined #devices
10:38:57 <Dowan> Dowan has joined #devices
10:41:28 <arve> arve has joined #devices
10:47:52 <matt> rrsagent, draft minutes
10:47:52 <RRSAgent> I have made the request to generate http://www.w3.org/2008/12/10-devices-minutes.html matt
10:48:24 <maxfroumentin> maxfroumentin has joined #devices
10:49:26 <hendry> heh
10:50:05 <hendry> im on a g1 device. cant scribe :)
10:50:21 <matt> i/particular feeling about it.../Topic: Open Discussion/
10:50:28 <matt> rrsagent, draft minutes
10:50:28 <RRSAgent> I have made the request to generate http://www.w3.org/2008/12/10-devices-minutes.html matt
10:50:39 <dom> ScribeNick: maxfroumentin
10:51:01 <dom> Topic: A New Approach to Online Location Privacy, John Morris, CDT
10:51:19 <pauld> pauld has joined #devices
10:52:02 <matt> matt has left #devices
10:52:02 <maxf> scribe: maxf
10:52:24 <maxf> John: proposing a new model for location privacy
10:52:31 <matt> matt has joined #devices
10:52:57 <maxf> user needs to be able to set privacy rules, not the web site
10:53:15 <maxf> work going on in IETF [geopriv working group]
10:55:15 <Anil> Anil has joined #devices
10:56:17 <mahemoff> mahemoff has joined #devices
10:56:52 <amachin> amachin has joined #devices
10:59:39 <amachin> amachin has joined #devices
11:03:30 <maxf> ??: there's some work at Liberty Alliance related to that
11:03:39 <dom> s/??/Friedrich/
11:03:56 <ArtB> q+
11:04:21 <dom> s/Friedrich/Frederick/
11:04:23 <matt> [ the group has listed the Liberty Alliance amongst the groups it will liaise with, we'll probably be pursing that once the first draft is published ]
11:04:30 <DKA> DKA has joined #devices
11:04:39 <maxf> John: generally familiar with it. Location is a particular area that has a particular sensitivity with people
11:04:50 <madofo> madofo has joined #devices
11:04:58 <maxf> I think that the idea of transmitting rules is tremedous
11:05:40 <maxf> ??: how do you bind the restriction to the information
11:05:55 <maxf> John: you send the information as xml along with the data, but there's no techincal binding
11:06:07 <dom> s/??/Randy/
11:06:10 <smb> smb has joined #devices
11:06:17 <maxf> ??: but you have legal issues, tying the data with its source
11:06:25 <pauld> wonders if FireEagle are involved with / aware of this work
11:06:26 <fjh> Liberty Alliance has work in this area, Identity Governance Framework
11:06:53 <fjh> Application can specify data used and conditions, CARML and service provider can specify how data should be used, profile of XACML
11:06:58 <maxf> John: true, but the legal enforcement machanism is going to be on the 10000th case when a particular provides has a pattern of violating the rules. Data commisionners will take action
11:07:17 <fjh> This offers potentialy usefl generic approach that leverages some existing standards like XACML
11:07:23 <maxf> so these rules could be split off, but whoever does it could face legal action
11:07:39 <fjh> Related open source work exists, including some work in Higgins
11:08:16 <maxf> PHB: on Exif. Cameras are getting GPSs. We could have whatever privacy we like. If the raw data contains wrong geo information, we have a problem
11:08:58 <maxf> John: the photo can be retransmitted, but it's not necessarily tied to who took it
11:08:58 <maxf> Art: ??
11:09:09 <fjh> URI for identity governance framework - http://www.projectliberty.org/liberty/strategic_initiatives/identity_governance
11:09:50 <maxf> s/??/IPR declarations?/
11:11:06 <ArtB> John, if  any IPR declarations regarding Geopriv have been made, where can I find those declarations?
11:11:39 <ArtB> s/Art: ??/Art: John, are you aware of any IPR disclosures that have been made for Geopriv?/
11:11:58 <matt> rrsagent, draft minutes
11:11:58 <RRSAgent> I have made the request to generate http://www.w3.org/2008/12/10-devices-minutes.html matt
11:12:47 <matt> s/IPR declarations?/John, are you aware of any IPR disclosures that have been made for Geopriv?/
11:12:49 <matt> rrsagent, draft minutes
11:12:49 <RRSAgent> I have made the request to generate http://www.w3.org/2008/12/10-devices-minutes.html matt
11:13:10 <dom> Topic: APIs, Safety, and User Notifications on The Web, Lucas, Mozilla
11:19:16 <maxf> tlr: if you only let top-level content do these things, then it might be worth it standardasing those messages passed
11:19:55 <DKA> DKA has joined #devices
11:19:57 <maxf> Lucas: suspect that a top-level model won't be enough in the long run
11:20:54 <maxf> ??: we looked at those asynchronous APIs and we ran into problems. In some circumstances they complete synchonously
11:21:04 <matt> s/??/Paddy/
11:21:05 <maxf> and it becomes inconvenient for the programmer to handle both cases
11:21:22 <maxf> and we came to the conclusion that API wouldn't be convenient
11:21:47 <maxf> ??: do you envisage some way for the site to explain why they need your location?
11:22:14 <maxf> dougt: in the geolocation spec, we used to have an attribute to synchornously give you the location. 
11:22:37 <maxf> problem is that most devices take time to start, and also you want to ask the user for permission
11:23:03 <maxf> so we dropped that, and everything is asynchronous, because the user is the decision maker
11:23:24 <matt> s/??/Fabio/
11:23:37 <maxf> Lucas: you don't want to block the app, hence asynchronous
11:25:19 <maxf> psd: asynchronous is good because it empowers the user. Lack of accuracy is a feature. A bit worried about my wife useing a location device, she would just turn it off
11:26:02 <smb> smb has joined #devices
11:26:10 <maxf> Lucas: you can have tons of impormation the device asks you
11:26:17 <Anil> Anil has joined #devices
11:26:26 <maxf> psd: the beauty of fireeagle, for instance, was that I tell the service where I am
11:26:29 <matt> s/impormation/information/
11:26:37 <maxf> a kind of push model.
11:27:25 <maxf> Topic: Geolocation fall-out II: Device APIs in the browser context, by Doug Turner (Mozilla)
11:29:41 <pauld> seems most geolocation use-cases involve alcohol - I'm drunk, need a taxi, pizza, waking up when my train nears the station
11:31:49 <DKA> DKA has joined #devices
11:38:18 <pauld> scribe: pauld
11:38:26 <dougt> dougt has joined #devices
11:39:11 <mahemoff> mahemoff has joined #devices
11:39:25 <pauld> Topic: dentity/Policy/Trust: Secure access for widgets to resources and privileged APIs by Arve Bersvendsen (Opera Software ASA)
11:39:33 <pauld> s/dentit/identity/
11:39:57 <pauld> s/tityy/tity/
11:41:30 <smb> smb has joined #devices
11:41:56 <DKA> ArtB - if a Zakim bridge channel is set up we can dial into it.
11:41:58 <pauld> Arve: widgets I'm talking about aren't OpenSocial/ iGoogle Web based, rather installed desktop/device software
11:45:50 <ben_> ben_ has joined #devices
11:47:05 <jmorris> jmorris has joined #devices
11:48:14 <pauld> ???: Adobe model is based on signatures, not origin based identity
11:48:25 <pauld> .. most widgets based on signatures?
11:49:02 <pauld> Arve: not dashboard, Yahoo! is the only other signed widget platform I'm aware of
11:49:21 <matt> s/???/Lucas/
11:49:48 <pauld> x??: an alternative approach is to use registration
11:50:15 <matt> s/x??/Randy/
11:50:18 <pauld> y??: any thoughts on security around the execution of the script itself?
11:50:23 <matt> s/y??/Anil/
11:51:53 <pauld>  BenLaurie: my project, caja, protects against intermediary attacks
11:53:09 <pauld> Arve: you can base this from a Web of trust, e.g. foaf, when it comes to mobile, preferred approach is the trusted vendor - application, device, network provider
11:53:33 <pauld> .. who do you trust enough to allow an application to run without prompts?
11:54:24 <pauld> q??: do you have a notion of the capabilities a good or bad application may exploit?
11:54:43 <tlr> two houses, each alike in dignity...
11:54:50 <pauld> .. are you "just from a noble family" good enough?
11:55:19 <matt> s/q??/Fabio?/
11:55:52 <pauld> Arve: we're more interested in how to deal with bad applications - making calls to premium rate nos, etc
11:56:06 <pauld> BenLaurie: revoking a signature following an issue
11:57:14 <Zakim> Zakim has joined #devices
11:57:24 <pauld> StevenBellovin: it's a reputation thing, a malicious app may have a delayed impact, so. I don't think you get the accountability you really want
11:57:43 <dom> q+ paddy, steve, Doug, Lukas, PHB
11:58:02 <pauld> Arve: trust comes from assured "identity" - not going to pass on credit card details to someone I don't know
11:58:03 <tlr> ack p
11:58:57 <dom> ack paddy
11:59:08 <pauld> Paddy: we're talking about signatures without understanding what the signatures mean - authenticity, OK, but we shouldn't confuse identity with trust
11:59:29 <pauld> Arve: the web model is built around certificates
11:59:51 <dom> ack steve
11:59:59 <pauld> tlr: interesting discussion, let's not go down that rabbit hole, just yet!
12:00:27 <madofo> madofo has joined #devices
12:01:10 <dom> q- doug
12:01:17 <dom> ack lukas
12:01:19 <dom> q+ PHB
12:01:40 <pauld> Steve: (Nokia) signatures can be used implicitly without having to make them a part of access control - (layered) and a privileged runtime maybe based on where something is installed on the filesystem
12:02:23 <tlr> ack p
12:02:55 <tlr> q+ johnmorris
12:03:06 <pauld> Arve: (in reply to John) geoprivacy is different to, say, payments
12:03:26 <tlr> ack smb
12:03:30 <tlr> q+ smb
12:05:45 <pauld> PHB: bad guys are infinitely capable of generating bad stuff, all data has to be signed - that's cast iron, but how to determine sources of goodness is what we need, and in ways which are compatible with open source. Less interested in "The Web of Trust" than cooperative voting/vouching systems. Web of trust ain't going to defeat the Russian Mafia 
12:05:53 <PHB> Separate the decision of who to trust from enforcement, signatures are about enforcement, we need to move to a default deny mode of security, look for goodness, not badness, Signatures allow you to determine that the code is from your previously determined source of goodness. All code must be signed, some users will decide that code must be signed by trusted sources that meet particular criteria.
12:06:51 <pauld> John: privacy of me isn't critical, privacy of my child might be. I realise geoprivacy not a big a beast as financial security, but can be
12:07:46 <tlr> xkcd.com/501
12:08:39 <Anil> xkcd: classic
12:08:42 <pauld> StevenBellovin: although people maybe appear not to be trustable, or have reputation, I may still trust them in some cases, e.g. EULA attacks for software such as Bazaar  
12:09:13 <pauld> a??: a signature which is not used is useless
12:09:43 <pauld> tlr: want to highlight two dimensions wrt to extent of trust 
12:09:49 <matt> s/Bazaar/Kazaa/
12:09:55 <pauld> s/a??/randy/
12:12:31 <pauld> .. how can you bring in authentication into the flow of an interaction, then there is the distinction of identity, on the Web the best we seem to have is origin, certificates not transparent or available from the URI location, what is the action the party has to take when trusting code - we're in a general discussion
12:13:34 <pauld> David: the example of geolocation in jpegs is a slippery slope, where do we stop here? We should be careful of making Geolocation too much of a special case.
12:14:18 <pauld> PHB: there are a number of methods of finding someone's location beyond the location device, e.g. IP address
12:15:50 <tlr> q+ lukas, dom
12:15:55 <tlr> q- john
12:15:56 <tlr> q- smb
12:16:19 <pauld> DougT: we have a tremendous UI responsibility, and much of this is middleware, surfacing it is hard! Also, we're sending information to sites who have unclear privacy policies, for retention, etc. 
12:17:38 <pauld> r??: trusted versus trustworthy (runs in a sandbox) is worth highlighting
12:17:50 <tlr> s/r??/lucas/
12:18:15 <tlr> q?
12:18:15 <pauld> dom: would the privacy concern be bound not just to the device or service but the location?
12:18:18 <tlr> ack lukas
12:18:19 <tlr> ack d
12:20:23 <pauld> John: current location is The most important concern when it comes to privacy
12:20:40 <dom> dom: so problem would be less important if the API was less focused on current location
12:23:27 <pauld> John: many of the ideas discussed sound good - advice in documents on how devices should behave, but I don't see an incompatibility on transmitting rules along with the data. We want APIs to be implemented, and W3C will lead to adoption of *code* without reading the constraints expressed in a spec, which is why we'd advocate sending rules
12:26:11 <fhirsch3> fhirsch3 has joined #devices
12:26:13 <DKA> q+ to ponder whether WIdgets are the Web and whether it matters in this context.
12:26:14 <pauld> .. geopriv in the IETF is a set of requirements to be implemented by other WGs, one binary and one XML based already, you can be compliant so long as you transmit the rules, but we don't define the format. One of the specific documents defining a format doesn't currently have extensibility, but the principle does. Most important questions: who gets the info, how long to retain, who to pass info onto
12:26:25 <pauld> q?
12:27:03 <pauld> tlr: we should look less at a specific solutions, but more generic principles
12:27:40 <pauld> BenLaurie: does retention cover logging?
12:29:46 <pauld> John: obviously there is data which is implicitly providing location, e.g. IP address. We'd say, yes, for privacy you should periodically dump those logs. There is leakage throughout here, and doesn't prevent man in the middle attacks, it's more aimed at the intended recipient
12:30:18 <DKA> q?
12:31:27 <pauld> BenLaurie: an attacker could demand you flush your logs!
12:31:48 <dom> -> http://www.w3.org/2008/12/08-geolocation-minutes Geolocation F2F minutes on Day 1
12:33:45 <pauld> Dan: we should be careful about how we define "widget" - they are potentially a part of the Web, an extension of the Web. A security mechanism which makes sense for the Web. We (Vodafone) don't think it's true there are separate mobile and non-mobile Webs.
12:34:17 <pauld> lunch engineering discussion
12:35:31 <pauld> mechanics of dinner: Spaghetti House - details will be online 7pm reservation 30 people
12:41:26 <tlr> zakim, this will be foo
12:41:27 <Zakim> ok, tlr; I see Team_(foo)13:30Z scheduled to start in 49 minutes
12:42:08 <tlr> zakim, code?
12:42:08 <Zakim> the conference code is 26632 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), tlr
13:00:31 <pauld> pauld has joined #devices
13:07:34 <maxfroumentin> maxfroumentin has joined #devices
13:12:32 <madofo> madofo has joined #devices
13:32:58 <Zakim> Team_(foo)13:30Z has now started
13:33:05 <Zakim> + +1.919.676.aaaa
13:35:47 <tlr> zakim, code?
13:35:47 <Zakim> the conference code is 26632 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), tlr
13:36:49 <Zakim> +[Vodafone]
13:42:42 <DKA> zakim, who is on the phone?
13:42:42 <Zakim> On the phone I see +1.919.676.aaaa, [Vodafone]
13:42:49 <DKA> zakim, who's making noise?
13:42:59 <Zakim> DKA, listening for 10 seconds I could not identify any sounds
13:43:06 <DKA> hmmm...
13:43:27 <DKA> can whoever is on the bridge verify that they can hear anything?
13:43:59 <DKA> zakim, who's making noise?
13:44:09 <Zakim> DKA, listening for 10 seconds I could not identify any sounds
13:45:59 <mahemoff> mahemoff has joined #devices
13:46:16 <ArtB> ArtB has joined #devices
13:46:35 <dom> Topic: TiddlyWiki - a resuable non-linear personal web notebook (Paul Downey, Osmosoft.com)
13:48:22 <amachin> amachin has joined #devices
13:51:10 <arve> arve has joined #devices
13:52:28 <dom> ScribeNick: dom
13:52:41 <dom> MaxF: I really liked TiddlyWiki when I started playing with it after reading the paper
13:53:12 <dom> ... You're talking about specific capabilities of the application - e.g. the fact that a file:// resource can be saved on some browsers
13:53:27 <dom> ... Do you see room for standardization around this?
13:53:38 <dom> PaulD: not around that specifically
13:53:50 <dom> ... what we are interested in is what the user sees
13:53:54 <marcos> marcos has joined #devices
13:54:12 <dom> ... There is a lot of variation across browsers on the way the browsers react to these use cases
13:54:14 <matt> zakim, who is here?
13:54:14 <Zakim> On the phone I see +1.919.676.aaaa, [Vodafone]
13:54:15 <Zakim> On IRC I see marcos, arve, amachin, ArtB, mahemoff, madofo, pauld, Zakim, jmorris, ben_, dougt, DKA, Anil, matt, Dowan, StewartB, LucasAdamski, AndreaT, MikeSmith, hendry,
13:54:17 <Zakim> ... adrian_hb, RRSAgent, dom, tlr
13:54:19 <dom> ... we would like more consistency on this
13:54:38 <dom> ... the Web Security Context WG is working around these topics I believe
13:54:53 <dom> Ben: Have you seen the Tao@@@ version of TiddlyWiki?
13:55:03 <dom> ... Tao@@@ is a distributed file system
13:55:18 <dom> ... and they've integrated tiddlywiki on top of it
13:55:48 <dom> Paul: I hadn't heard about it - I'm seeing usage of tiddlywiki in surprising places given how convenient it proves
13:56:01 <matt> s/Tao@@@/Tahoe/
13:56:28 <dom> Lee: I'm from IBM - presenting the paper wrote by myself and Mary Ellen Zurko
13:56:44 <dom> ... we couldn't join the workshop physically
13:56:58 <dom> ... we're seeing areas where standardization could help us
13:57:15 <dom> ... Mez and I work on the Lotus division; in particular, its mobile version
13:57:24 <matt> zakim, aaaa is Lee_Griffin
13:57:24 <Zakim> +Lee_Griffin; got it
13:57:52 <dom> ... various areas where device APIs could be useful
13:58:11 <dom> ... integrity for the software itself - e.g. to defend against virus
13:58:33 <dom> ... relatively easy on windows mobile, by requiring signature of software
13:59:01 <dom> ... at the other end of that, Symbian requires that the software provider gets its software signed off by @@@
13:59:51 <dom> ... we need write access to the filesystem (e.g. to keep logs), but the operations we're trying to do are on the safe-side - nothing that would incapacitate the phone
14:00:30 <dom> ... Another complex area is identifying the user
14:00:42 <dom> ... done today mostly by username/password
14:01:04 <dom> ... devices with biometrics are becoming more popular
14:01:10 <dom> ... and provide another way for authentication
14:02:43 <dom> ... We also need the ability for an administrator to look into a device and see various capabilities / settings
14:03:02 <dom> ... we also need to be able to do things to device - e.g. in case it is lost or stolen
14:03:04 <fjh> fjh has joined #devices
14:03:09 <dom> ... Carriers face the same pb today
14:03:26 <dom> ... currently it is specific to the manufacturer / OS
14:04:00 <dom> ... Finally, we're also very constrained on these devices: there is a trade off between everything and the battery
14:04:22 <dom> ... the battery life is the focus of the manufacturers
14:04:53 <dom> ... everything needs to be subset as much as possible so that it works even on 1MB phones where no more than 32K of memory can be allocated
14:06:03 <PHB> PHB has joined #devices
14:10:08 <dom> Toipc: Network impact of Web access to device APIs
14:10:14 <dom> s/Toipc/Topic/
14:10:22 <dom> s/APIs/APIs (ISOC, Mat Ford)
14:12:32 <dom> zakim, pick a victim
14:12:32 <Zakim> Not knowing who is chairing or who scribed recently, I propose [Vodafone]
14:12:44 <dom> zakim, this is not useful
14:12:44 <Zakim> sorry, dom, I do not see a conference named 'not useful' in progress or scheduled at this time
14:15:12 <matt> scribe: Matt
14:15:24 <dom> Scribe: dom
14:20:51 <EMScamking> EMScamking has joined #devices
14:21:10 <dom> Ben: you talked about sharing IP addresses potentially breaking some apps
14:21:33 <dom> ... we have had a recent good example with wikipedia banning
14:22:29 <dom> tlr: you mentioned "further" damages - anything damage you had in mind?
14:22:37 <dom> mat: NAT? many other examples
14:22:47 <dom> PHB: I want to question the @@@ principle
14:23:01 <dom> s/@@@/end-to-end/
14:23:20 <dom> ... the end of applications are not in the network - they are people, organizations
14:23:40 <dom> ... the end to end principle has led to not putting the security in the right places
14:24:04 <dom> Mat: I don't think I disagree with what you said - I mentioned the end-to-end principle as a background information
14:24:14 <pauld> pauld has left #devices
14:24:23 <pauld> pauld has joined #devices
14:30:48 <maxfroumentin> maxfroumentin has joined #devices
14:31:13 <madofo> madofo has joined #devices
14:31:35 <PHB> luxury, when I were a lad we didn;t have 300MHz, we had 1MHz, and 8-bits too
14:31:44 <PHB> and 16K RAM
14:31:58 <PHB> Tell kids today that, they won't believe you
14:32:46 <dom> tlr: it wasn't clear to me of divergence between your system and native apps on PC
14:32:50 <amachin> amachin has joined #devices
14:33:21 <dom> stewart: we would like youtube to be able to use a setup box decompression hardware
14:33:36 <dom> ... we would need to grant specific right to youtube for this
14:33:43 <PHB> well we used to call it RAM, it was really just a big process register, but we called it RAM because it was RAM to us
14:33:55 <dom> tlr: have you looked at the <video> tag? this could be answer to that specific question
14:34:15 <dom> ... it's interesting that you describe the codec as an asset that you would need to grant specific access to
14:34:36 <dom> steward: I'm also thinking to things like access to your PVR
14:35:01 <dom> ... you probably wouldn't want YouTube to upload videos from your PVR
14:35:21 <dom> art: do you have concrete solutions to signal security violations?
14:35:32 <dom> stewart: two options: simply terminate, or raise an exception
14:35:57 <dom> doug: I've never used one of your systems - I imagine it is sort of like TiVo?
14:36:09 <dom> stewart: it's more of a platform
14:36:22 <dom> doug: it sounds cool to have widgets on a PVR
14:36:40 <dom> ... why wouldn't you want to allow these widgets to prompt the user for permissions to do some things?
14:36:59 <dom> ... e.g. it would be great to have ESPN populating my scheduler based on the best sports program
14:37:20 <dom> ... or go to someone's personal web page and import playlist from that page?
14:37:52 <dom> stewart: there are things that the user wants to control, others that the tV operator wants to control
14:38:03 <dom> ... it comes down to commercial agreements
14:38:26 <dom> ... in many cases, the operator will answer the questions on behalf of the user
14:38:55 <dom> nick: given how complex pvr already are, I can't image adding security-prompt making them more user-friendly :)
14:39:24 <dom> stewart: [example of prompt asking for 35% for bandwidth to watch a program]
14:39:58 <dom> PHB: this all goes down to the model of the technology provider: are the consumers citizens or subjects?
14:41:11 <dom> Lucas: but isn't that similar to administrators on desktops? or DRM on music?
14:42:05 <pauld> along with "trusted platforms" and other ideas guaranteed to die in the marketplace
14:42:18 <dom> Arve: we should probably leave the political discussions on DRM to the pub :)
14:42:49 <dom> nick: still, the two questions of "who's in control" or usability are key to these discussions
14:43:05 <dom> PHB: also, in some cases the user can make the choice to delegate his control to another entity
14:43:55 <dom> nick: interesting discussion about user prompting - I'm the only user of my phone, but my children use the TV box and could give different answers than I would to security prompts
14:45:03 <dom> Topic: NetFront Widgets Security Model (Marcin Hanclik, ACCESS)
14:47:15 <tlr> zakim, who is on the phone?
14:47:15 <Zakim> On the phone I see Lee_Griffin, [Vodafone]
14:47:21 <tlr> zakim, code
14:47:21 <Zakim> I don't understand 'code', tlr
14:47:23 <tlr> zakim, code?
14:47:24 <Zakim> the conference code is 26632 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), tlr
14:48:09 <StewartB> StewartB has joined #devices
14:50:09 <StewartB> hmm, the wifi is cutting me off from time to time - is that happening to others too?
14:52:03 <StewartB> must be just my laptop then :-(
14:53:02 <DKA> DKA has joined #devices
14:54:57 <jmorris> wifi is also dropping me at random times...
14:57:56 <dom> Fabio: why do you need authenticated widgets? This is just a wrapper - you could only monitor unauthenticated widgets
14:58:21 <dom> MH: this relates to our business relationships with widgets providers
14:59:19 <dom> ... we assume that any widgets can be malicious
14:59:25 <dom> ... we give access to very sensitive APIs
15:00:12 <dom> Arve: take for instance an RSS reader widget - we could sign it as coming from Opera
15:00:37 <dom> ... but given that it reads content from external sources, it could be victim of attacks by injection of malicious content
15:00:54 <dom> ... this makes the identification of the vendor fairly useless in this context
15:01:46 <dom> MH: in our model, it is possible to set  the default permissions for non-authenticated widgets includes geolocation
15:01:51 <ArtB> q+
15:02:00 <dom> ... but in practice, the actors in the chains are unlikely to allow that
15:02:21 <dom> ... also, our post-installation process allows to control this after installation
15:02:24 <amachin> amachin has joined #devices
15:03:07 <dom> SteveL: One approach to work around the problems of loading external content is to downgrade the permissions if e.g. the widget modifies itself
15:03:13 <dom> ... have you looked in this?
15:03:38 <dom> MH: we haven't dealt with this yet - lacking a good model based on use cases
15:04:09 <tlr> q?
15:04:20 <dom> SteveL: would be worth looking into this - each time the widget modifies what gets rendered, it loses  its priviledged status
15:04:46 <dom> art: I heard you say you've been working on BONDI on this
15:05:02 <dom> ... what part of this security model do you see in BONDI vs what might be applicable in the scope of W3C?
15:05:14 <dom> MH: my understanding is that the BONDI group is to contribute it to W3C
15:05:21 <dom> s/is to/wants to/
15:05:50 <dom> ... we're open to support changes in the format - we could provide transcoders
15:06:04 <dom> ... but we want a unique standards
15:06:07 <matt> q?
15:06:08 <dom> s/ds/d/
15:06:11 <dom> q- artb
15:06:13 <dom> q- dka
15:06:15 <tlr> q- dka
15:06:27 <dom> art: would be good to see you involved in the w3c groups
15:06:37 <dom> nick: the last two presentations called the case  for fine-grained permissions
15:06:50 <dom> ... they also opened the complex / political issues of policy management
15:07:03 <dom> ... would like to open the floor on these points
15:07:27 <dom> ... also, discussions on upfront policy management vs blacklist as highlighted by marcin
15:07:52 <dom> Lucas: I think it is good to separate the mechanisms of policy management and @@@
15:08:06 <dom> ... e.g. an IT department could impose other policies than the ones defined by the operators
15:08:38 <dom> PHB: one of my fear is that at the end we don't discuss the concerns around the layer of policy management
15:09:08 <dom> ... and then the business folks ignore the security questions because the policy layer doesn't match their views
15:09:18 <dom> ... due to possible "abuse of consumers"
15:09:39 <dom> Nick: assuming you have strong permissioning, strong identity, strong policy management
15:09:56 <dom> ... what to do when the application abuses its rights?
15:10:43 <dom> PHB: what do you call abuses? depending on the type of abuses, it might be bound to law enforcement
15:11:03 <dom> SMB: hard to decide when to revoke
15:11:29 <dom> ... find it hard to trust all the police departments on the planet to decide whether or not to ban a given widget / applications
15:11:38 <dom> ... I could trust some of them, clearly not all of them
15:11:59 <dom> ... can we revoke the ability to revoke? there is very strong potential for abuse here too
15:12:12 <dom> Randy: that's why you would have a strong attribution mechanism
15:12:26 <dom> ... so that problems that occur can be bound to the persons/devices/softwares responsible
15:12:39 <dom> ... this leads to needs for tracking information
15:12:52 <dom> ... but then the question is how to track abuse of this tracking
15:13:27 <dom> Lucas: I don't agree that the distinction between malicious and non-malicious is purely academic
15:13:36 <dom> ... revoking an application doesn't revoke the damages
15:13:56 <dom> ... I think the options for malicious applications are simple (delete / disable / @@@)
15:14:03 <dom> ... it's different for a flawed application
15:14:10 <dom> s/non-malicious/flawed/
15:15:05 <dom> tlr: 3 weeks ago, a German politician got a court in Germany to issue an injonction against wikipedia.de
15:15:24 <dom> ... made it difficult to access for a couple of days - this was revoked soon after
15:16:00 <dom> ... If we look into 5 years ahead - we're talking about widgets, expandable applications
15:16:19 <dom> ... it's likely some of these will become critical parts of business operations
15:16:55 <dom> ... we need to be extremely careful about granting anyone access to supervise and trigger kill-switch for these applications
15:17:07 <dom> ... we can't take this lightly
15:17:43 <tlr> http://www.techcrunch.com/2008/11/16/german-politician-blocks-local-wikipedia/
15:17:58 <dom> Arve: +1 to thomas
15:18:11 <dom> ... who watches the watchers? how can the user override the watcher?
15:18:24 <dom> ... we know that there are devices are on the market with remote kill switch
15:19:04 <dom> PHB: one of the reasons we set the CA@@@ browser forum
15:19:07 <maxfroumentin> maxfroumentin has joined #devices
15:19:09 <dom> s/set/set up/
15:19:30 <tlr> we might not be getting away without *some* sort of kill switch. But we need to think about mitigating the impact of error cases for this beast.
15:19:31 <dom> ... to increase the level of accountability of certificates
15:19:52 <dom> ... we have started looking at accountability of the  revokation process
15:20:28 <dom> ... in particular, we need to be able to give much more details on the reasons for revokation in our protocols
15:21:44 <dom> Nick: the differences in juridictions makes it extremely difficult to find a legal framework for these revokation systems
15:21:56 <tlr> phb: 'why don't you hire me to deal with that problem'
15:22:35 <dom> Lucas: if the service provider controls the platform, no matter what you may decide e.g. as a browser vendor, the platform provider can always override that at the systems level
15:23:11 <Zakim> -Lee_Griffin
15:23:21 <maxfroumentin> maxfroumentin has joined #devices
15:31:40 <amachin> amachin has joined #devices
15:32:24 <maxfroumentin> maxfroumentin has joined #devices
15:35:01 <Zakim> disconnecting the lone participant, [Vodafone], in Team_(foo)13:30Z
15:35:04 <Zakim> Team_(foo)13:30Z has ended
15:35:05 <Zakim> Attendees were +1.919.676.aaaa, [Vodafone], Lee_Griffin
15:47:48 <madofo> madofo has joined #devices
15:56:48 <matt> rrsagent, draft minutes
15:56:48 <RRSAgent> I have made the request to generate http://www.w3.org/2008/12/10-devices-minutes.html matt
16:03:32 <dom> ScribeNick: fjh
16:03:46 <fjh> zakim, who is here?
16:03:46 <Zakim> apparently Team_(foo)13:30Z has ended, fjh
16:03:47 <Zakim> On IRC I see madofo, maxfroumentin, amachin, DKA, StewartB, pauld, PHB, fjh, arve, Zakim, jmorris, ben_, dougt, Anil, matt, Dowan, LucasAdamski, AndreaT, MikeSmith, hendry,
16:03:49 <Zakim> ... adrian_hb, RRSAgent, dom, tlr
16:03:57 <dom> Topic: Caja (Ben Laurie, Google)
16:04:34 <fjh> Javascript compiler in and out of standard javascript with output controlled by containing page
16:05:52 <fjh> ben_: aimed at gadget scenerio, have trusted page, but want to add gadgets to that page
16:06:17 <fjh> ... compilation enforces policy
16:06:21 <dom> http://www.cajadores.com/demos/testbed
16:07:04 <fjh> ... example of visiting document.location to get possibly evil content
16:07:49 <fjh> ... red line in slides shows what was shown
16:09:07 <fjh> ... doug demoned geolocation api, caja compiler can modify what javascript receives allows a transformation as security mechanism
16:09:17 <fjh> ... can be also used for experimentation
16:09:59 <fjh> lucas: eval is function that executes arbitrary javascript - caja is tool for building own security model
16:10:17 <fjh> s/caa/caja
16:10:20 <fjh> ben_: offer default material in caa
16:10:31 <fjh> s/caa/caja
16:11:03 <fjh> ben_: compile java string at server then eval it
16:11:19 <fjh> ... could do client side by writing compiler in javascript
16:11:54 <fjh> lucas: access to dom is needed
16:12:06 <fjh> ben_: get access to wrapped dom,  no static analysis, run time
16:13:14 <fjh> lucas: how can good code get needed access when bad code should not
16:13:25 <fjh> ben_: eval safe from point of view of container
16:14:03 <fjh> steve b: how does this change javascript
16:14:10 <fjh> ben_: effectively  a whitelist
16:14:46 <fjh> michael: cajita is smaller subset - is a larger subset possible for static validation
16:14:57 <fjh> ben_: hard with languages that are not strongly typed
16:15:22 <fjh> claudio: is this transparent to developer, can you guarantee code will work?
16:15:36 <fjh> ben_: should be limited to areas that are not safe, can test it
16:16:00 <marcos> marcos has joined #devices
16:17:02 <fjh> max: how can application use api that user does not want to allow, can have fallback
16:17:12 <fjh> ben_: yes, with if method available etc
16:17:58 <fjh> ... container can specify accuracy of location to wrap real location api, gadget unaware using wrapped version
16:18:22 <fjh> dan: what about performance
16:18:30 <fjh> ben_: less secure version is more expensive
16:19:04 <fjh> ... 100x slower than cajita, 3-5x slower than without wrapper
16:19:47 <fjh>  ?: can I use on android phone
16:19:57 <fjh> ben_: not yet
16:20:06 <dom> s/ ?/Kai/
16:20:11 <fjh> ... should be possible, looking into it
16:20:28 <fjh> tlr: looked at other cases than gadgets?
16:20:51 <fjh> ben_: other case is clients giving javascript you want to run on server, will look at this
16:21:20 <fjh> tlr: how about restricting access to device APIs to top-level document, could this work here
16:21:34 <fjh> ben_: yes, can get rid of iframes, better approach
16:22:03 <fjh> anil: how different from web sandbox
16:22:51 <tlr> fjh: availability?
16:23:00 <fjh> ben_: similar, but not as extensive as cajita, have had this out for a year
16:23:09 <maxfroumentin> http://code.google.com/p/google-caja/
16:23:20 <fjh> ben_: available as open source under apache license, readily available, see url
16:24:07 <ArtB> ArtB has joined #devices
16:24:07 <fjh> TOPIC: - Blended  Crypto -Phill Hallam-Baker, Verisign
16:24:34 <fjh> phb: small is not beautiful when writing code
16:24:52 <fjh> ... look at device controllers, which are really small etc
16:25:18 <fjh> ... no tcp/ip since no memory
16:25:32 <fjh> s/no memory/memory on order of 368 bytes ram
16:25:54 <fjh> ... in cars for example, tires with pressure sensors
16:26:43 <fjh> .. rfid devices 
16:26:49 <fjh> s/../...
16:27:14 <fjh> ... anyone can listen and determine id, so can track car 
16:27:36 <fjh> ... device costs less than $1, so cannot do public key
16:28:08 <fjh> ... cannot use bigger chip since smaller will get cheaper
16:28:33 <fjh> ... some say we will have rfid on every can of baked beans!
16:28:41 <fjh> ... but can do PKI
16:29:57 <fjh> ... PKI simplifies administration
16:30:32 <fjh> ... SCADA. industrial process system controllers - need security of electricity distribution grid, chemical plants etc
16:30:51 <fjh> ... do public key on device that does not do public key - delegation
16:32:52 <fjh> ... device and control system share secret, yet control system has public key, service does not know symmetric key 
16:33:13 <fjh> ... device - control - servcie
16:33:29 <fjh> s/servcie/service
16:35:17 <RRSAgent> I have made the request to generate http://www.w3.org/2008/12/10-devices-minutes.html ArtB
16:35:17 <fjh> phb: security context often via cookies, too many, but device authentication different than user
16:36:50 <fjh> phb asks why not only use device authentication for accessing bank balance , i ask what if your device is stolen and it isn't you holding device?
16:37:51 <fjh> ohb: describes transparent tls crypto, see slides
16:39:39 <fjh> s/ohb/phb
16:40:19 <fjh> phb: can achieve benefits of strong crypto by using hash appropriately to generate shared secret based on appropriate info based on server cert
16:41:35 <maxfroumentin> maxfroumentin has joined #devices
16:42:43 <fjh> phb: regarding need for user authentication relates to relative risk. Making it easier allows more frequent checking of balance, reducing some risks. Weighed against risk of misuse
16:43:36 <fjh> phb: have IPR on this, for defensive purposes
16:46:05 <fjh> TOPIC: need for bilateral end to end strong authentication,William Simpson, IDA
16:46:56 <fjh> ws: web services, using security token service
16:50:25 <fjh> see slides for details
16:55:29 <fjh> ws: need ws enabled browser for this to work
16:56:09 <fjh> ws: sp needs appropriate sofware
16:57:07 <fjh> ws: notes issue of dealing with multiple CAs and jurisdictions
16:58:24 <matt> scribe:Matt
16:58:50 <matt> tlr: Question, particular to geolocation...  What does this mean for a Geolocation JavaScript API that uses in-network location?
16:59:10 <matt> Randy: We'll be on the user side, and it'd be controlled from a white listing.
16:59:34 <matt> Randy: The monitoring software will give us alerts...
16:59:44 <matt> Randy: All software on mobile units will be registered and signed.
16:59:56 <matt> Randy: it should be easy to find code that's not part of the process.  That's in progress.
17:07:59 <matt> Fabio: Since this is on the device... We tried with Docomo to try to do Web services security on the device.  Do you think this could end up on the mobile?
17:08:13 <matt> Randy: We have a much more closed system and a much lower threshold for loses.
17:08:25 <matt> Randy: We are going to take more cycles. 
17:08:42 <matt> Randy: I have applications like two airplanes talking to one another, the cycles are dear.
17:09:14 <matt> pauld: It seems like an interesting domain.  Difficult constraints and problems to solve.  I'm worried that this would be seen as a generic solution, the fat browser bits make me a bit alarmed.  Have you seen the MS work on this area?
17:09:41 <matt> Randy: One of our solutions is not a fat browser but an appliance
17:10:04 <matt> Randy: Trying to fit these things into the commercial space... we realize the closer we move to the commercial space the cheaper it will be.
17:10:16 <matt> pauld: In the commercial space I work hard in avoiding central points of control
17:10:33 <matt> pauld: there's a mismatch though, I'm concerned that I know the bank is the bank, and not so much worried about the bank knowing I am me.
17:10:54 <matt> pauld: MS did a lot of work in the way devices are hooked up to Vista.  You should look into it.
17:11:16 <matt> Randy: We've got two solution spaces, J2EE and .NET.  Also going to have to look at Solaris and Linux.
17:11:23 <matt> Topic: Wrap Up
17:12:29 <matt> tlr: Looking at tomorrow's agenda...
17:13:30 <matt> tlr: At the moment there are things about Widgets security policy.  We'll here from fjh about security models... BONDI will be presented... WebVM security policy.
17:13:51 <matt> tlr: After that, Sony Ericsson about MIDP based security model for widgets.
17:14:04 <matt> tlr: Then Fabio will talk about security by contract.
17:14:31 <matt> tlr: Tomorrow afternoon is an open agenda, we'll be working out something and trying to figure out what to do next, what useful things we got out of this .etc
17:14:50 <matt> tlr: Dinner tonight, not before 7.
17:15:05 <matt> DKA: Going to Porter House Pub leaving immediately after.
17:15:29 <matt> DKA: it's a five minute walk and Porterhouse is in between.
17:15:53 <matt> DKA: About the Web... I hope we focus on that concept somehow during the discussion.
17:16:10 <matt> DKA: In terms of what W3C can do, what needs to happen to make it become part of the Web as we know it.
17:16:20 <maxfroumentin> +1
17:16:24 <matt> tlr: We're done.  Thank you!
17:17:09 <matt> rrsagent, draft minutes
17:17:09 <RRSAgent> I have made the request to generate http://www.w3.org/2008/12/10-devices-minutes.html matt
17:17:15 <Dowan> Dowan has left #devices
17:41:31 <dougt> dougt has joined #devices
17:46:03 <Anil> Anil has joined #devices
17:51:20 <LucasAdamski> LucasAdamski has joined #devices
18:03:55 <adrian_hb> adrian_hb has joined #devices
18:19:53 <pauld> pauld has joined #devices
18:30:09 <Zakim> Zakim has left #devices
19:46:12 <pauld> pauld has joined #devices
21:08:53 <adrian_hb> adrian_hb has joined #devices