ACTION-48: Propose a definition for API access control, and a possible model for policy enforcement

Hi all,

In response to the above action, please find below the proposed
definition for Access Control. The group is recommended to add the
following definition under the definitions section of [1].

 

--------BEGIN--------------

Access Control

It refers to the management of controlling access to a device API and
its underlying resources, i.e. whether to allow or disallow the
application in subject to gain access to a particular device capability.
Access Control is a function of two methods that may or may not be
mutually exclusive:

1) Access Control by declaration - refers to a method wherein the
author of the application seeks access to specific device APIs, i.e. by
declaring the application author's intent. For example, by declaring the
Feature which the application intends to access and the domain or
network resources that may need to access that particular Feature during
the lifecycle of the application.

2) Runtime Policy Enforcement - refers to a method wherein a
security policy is applied at runtime based on the underlying
implementation of the Device API, which may be based on several factors,
e.g. the context in which the device API is accessed, terms of
deployment, etc.

--------END--------------

We acknowledge that the above definition only satisfies part of the
action, and does not make a proposal on the model for policy
enforcement. However, considering the ongoing discussions related to the
overall security framework and the fact that the policy enforcement
model definition is not appropriate for a requirements document but is part
of the solution, we would like to close this action at this point, and
create a new one if necessary.

[1] http://dev.w3.org/2009/dap/policy-reqs/#definitions

Thanks,
Suresh

Received on Tuesday, 23 February 2010 17:49:02 UTC