RE: ISSUE-11: Gathering requirements [FileSystem API] from Nilsson, Claes1 on 2009-10-06 (public-device-apis@w3.org from October 2009)

From: Nilsson, Claes1 <Claes1.Nilsson@sonyericsson.com>
Date: Tue, 6 Oct 2009 11:41:23 +0200
To: 'Robin Berjon' <robin@robineko.com>
CC: "'public-device-apis@w3.org'" <public-device-apis@w3.org>
Message-ID: <6DFA1B20D858A14488A66D6EEDF26AA3208923CDE1@seldmbx03.corpusers.net>

Hi,

I am thinking of general secrets for authentication towards a server. This can be API keys but also login credentials.

It should be implementation dependent how the keys, credentials etc are stored. What's important is that the secret information shall be protected from access by applications for which the secret information is not indented. Access to the information should be granted based on the identity of the application. 

An example of an application needing this kind of API is a Facebook web widget where certain API keys are needed to get access to a set of extra APIs that are not accessible by the normal Facebook web page executed in the browser.

Maybe the requirement should be rephrased to:

"SHOULD provide secure storage and management of secret information, e.g. server login credentials or API keys."

Regards
  Claes 

-----Original Message-----
From: Robin Berjon [mailto:robin@robineko.com] 
Sent: måndag den 5 oktober 2009 18:05
To: Nilsson, Claes1
Cc: 'public-device-apis@w3.org'
Subject: Re: ISSUE-11: Gathering requirements [FileSystem API]

Hi,

On Oct 5, 2009, at 14:34 , Nilsson, Claes1 wrote:
> I am considering the following: Web applications, for example social  
> network services,  often require secrets, "credentials" to get  
> access to service APIs.  If these credentials are stored in the  
> application html or JavaScript code then they are easily accessible  
> and can be misused.  To protect these credentials it would be useful  
> if the FileSystem API provides a secure storage and management of  
> credentials.

Are you thinking about API keys, like for Twitter or Flickr, or about  
a different sort of credential?

> What about adding a requirement that says:
>
> "SHOULD provide secure storage and management of credentials."

Is that expected to be, say, an encrypted volume? I'm not sure I fully  
understand the level of security you are looking for here, could you  
provide a concrete case of an application using this functionality,  
and how it contrasts with one that doesn't (it doesn't need to be very  
complex)?

--
Robin Berjon
   robineko - setting new standards
   http://robineko.com/

Received on Tuesday, 6 October 2009 09:41:57 UTC