Re: ISSUE-11: Gathering requirements [FileSystem API]

Hi,

I am considering the following: Web applications, for example social network services, often require secrets ("credentials") to get access to service APIs. If these credentials are stored in the application HTML or JavaScript code then they are easily accessible and can be misused. To protect these credentials it would be useful if the FileSystem API provided secure storage and management of credentials.

What about adding a requirement that says:

"SHOULD provide secure storage and management of credentials."

Note: Based on the identity of the web application, access should be granted to its pre-provisioned credential and no other credentials. I currently do not suggest any method of provisioning the credentials to the "credential manager". It might be possible to add an API so the widget can store credentials and use them later, or they could be provisioned by any proprietary out-of-band solution.

Views?

Claes



Claes Nilsson M.Sc.E.E
Senior Staff Engineer
Technology Areas and Standardization - TAG Web Technology

Sony Ericsson Mobile Communications
Phone: +46 10 80 15178
Mobile: +46 705 56 68 78
Switchboard: +46 10 80 00000
E-Mail: claes1.nilsson@sonyericsson.com
Visiting Address: Nya Vattentornet
SE-221 88 LUND,
Sweden

Received on Monday, 5 October 2009 12:34:48 UTC