Device APIs and Policy Working Group Charter
The mission of the Device APIs and Policy Working Group is to create client-side APIs that enable the development of Web Applications and Web Widgets that interact with devices services such as Calendar, Contacts, Camera, etc. Additionally, the group will produce a framework for the expression of security policies that govern access to security-critical APIs (such as the APIs listed previously).
| End date | 31 July 2011 |
|---|---|
| Confidentiality | Proceedings are Public |
| Chairs | Robin Berjon, Frederick Hirsch |
| Team Contact (FTE %: 30) |
Dominique Hazaël-Massieux, Thomas Roessler |
| Usual Meeting Schedule | Teleconferences: 1 per week Face-to-face: 3-4 per year (only as needed) |
Goals
In December 2008, the W3C held a workshop on Security for Access to Device APIs from the Web. The goal of this workshop was to gather information and experiences in the device API space, to start building community consensus about possible standardization work within W3C, and to gather requirements to guide such work.
Workshop participants discussed the need for standardization of technologies that would be required to provide access to security sensitive APIs from a web developer's perspective, the form these technologies should take, and the viability and practicalities of standardizing this work within W3C. At the end of this workshop, the participants discussed several potential topics for new standardization work (see the Workshop Report for more details).
The following high priority topics identified in this workshop are addressed in this charter:
- Declaration of APIs such as Contacts - The mechanisms by which a widget or Web Application can declare a dependency (with possible security consequences) on an API
- API Patterns - What should be similar across many APIs, e.g. API design, error handling etc.
- Concrete APIs - Specific APIs that should be standardized
- Policy Description - An XML (or other) formalism describing a security policy for concrete APIs.
Scope
The scope of this Working Group is this creation of API specifications for a device's services that can be exposed to Widgets and Web Applications. Devices in this context include desktop computers, laptop computers, mobile internet devices (MIDs), cellular phones, etc.
The scope also includes defining a framework for the expression of security policies that govern access of Web Applications and Widgets to security-critical APIs. To achieve this goal, the group will need to deal with the following items: policy expression proper, identification of APIs and identification of Web Applications and Widgets. Among the principles that guide the policy framework are:
- Before developing a new policy expression language, existing languages (such as XACML) should be reviewed for suitability;
- The resulting policy model must be consistent with the existing same origin policies (as documented in the HTML5 specification), in the sense that a deployment of the policy model in Web browsers must be possible;
- The work should not be specific to either mobile or desktop environments, but may take differences between the environments into account
Where practical, the API specifications should use the Web IDL formalism.
Priority will be given to developing simple and consensual APIs, leaving more complex features to future versions.
This Working Group's deliverables must address issues of accessibility, internationalization, mobility, and security.
Additionally, comprehensive test suites will be developed for each specification to ensure interoperability, and the group will create interoperability reports. The group will also maintain errata as required for the continued relevance and usefulness of the specifications it produces.
Success Criteria
To advance to Proposed Recommendation, each specification is expected to have two independent implementations of each feature defined in the specification.
Out of Scope
The management of security policies (e.g. by remote entities) is out of scope of this group.
Deliverables
Recommendation-Track Deliverables
The working group will deliver at least the following specifications:
- a set of Personal Information Management (PIM) APIs that
includes:
- Calendar API
- an API to access a calendar service (e.g. to add an entry, to edit an entry, to delete an entry, etc.)
- Tasks API
- an API to access a personal task management / organizer service (e.g. to add, edit, delete a task, etc.)
- Contacts API
- an API to access a contacts or address book service (e.g. to add an entry, to edit an entry, to delete an entry, etc.)
- Camera API
- an API to manage a device's camera e.g. to take a picture
- Messaging API
- an API to access a message service (e.g. to create a message, to send a message, to delete a message, etc.). The API is agnostic to the underlying messaging service (e.g. e-mail, SMS, MMS, etc.).
- System Information and Events API
- an API to access various system services e.g. battery level, network status, etc.
- FileSystem API, an API to access the file system and perform basic operations (Create, Read, Update, Delete) and more complex operations (e.g. mount, unmount) - this API should be developed in coordination with the Web Applications Working Group File Upload specification
- Application Launcher API, an API to discover, identify and launch the platform's native applications
- Application Configuration API, an API to manage application settings and user preferences
- User Interaction API, a set of APIs that gives a widget or website far better control of how it manifests itself on different platforms. This would include minimise/maximise functions, window size, alerting mechanisms etc.
- Communication Log API, an API to access information about past communication events, such as sent emails, SMS, MMS, call events.
- Gallery API, an API to manage the local media file storage
- Security Policy Framework, to express security
policies that govern access of Web Applications and widgets to
security-critical APIs, including work on
- Identification of APIs
- Identification of Web Applications and Widgets
- Definition of a policy description language for security policies
- Expression of security policies that govern access of Web Applications and Widgets to security-critical APIs
The Working Group may also enter into joint Task Forces with other groups (in particular with the Web Applications Working Group), to collaborate on specifications that cross group boundaries.
Other Deliverables
A comprehensive test suite for all features of a specification is necessary to ensure the specification's robustness, consistency, and implementability, and to promote interoperability between User Agents. Therefore, each specification must have a companion test suite, which should be completed by the end of the Last Call phase, and must be completed, with an implementation report, before transition from Candidate Recommendation to Proposed Recommendation. Additional tests may be added to the test suite at any stage of the Recommendation track, and the maintenance of a implementation report is encouraged.
The Working Group will also document in a Working Group Note the useful design patterns shared by the APIs it is developing.
Other non-normative documents may be created such as:
- Primers
- Requirements and use case document for specifications - these documents should also address non-mobile scenarios.
- Non-normative group notes
Given sufficient resources, this Working Group should review other working groups' deliverables that are identified as being relevant to the Working Group's mission.
Milestones
Note: The actual production of some of the deliverables may follow a different timeline. The group will document any schedule changes on the group home page.
- 2009Q3
- The Working Group reviews and compares existing starting points for the various deliverables, and establishes a detailed roadmap.
- 2009Q4-2010Q1
- Deliverables with assigned editors progress along Recommendation track.
- 2010Q2-2010Q3
- All deliverables are on Recommendation track.
- 2011Q2
- All deliverables have reached Proposed Recommendation.
Dependencies
W3C Groups
This Working Group's specifications will depend upon some specifications being developed by other Working Groups for example the Web Applications Working Group's Web IDL specification.
This Working Group is not aware of any dependencies other Working Groups' specifications have on this Working Group's specifications.
Liaisons
This Working Group expects to maintain contacts with at least the following groups and Activities within W3C (in alphabetical order):
- Geolocation Working Group
- The Geolocation Working Group is chartered to develop the Geolocation API Specification. During Workshop discussions, this specification was frequently cited as a prototypical example for the kinds of security and privacy considerations that are expected in future device APIs.
- HTML Working Group
- The HTML Working Group's deliverables cover the security model implemented in Web Browsers; this security model imposes limitations on what an extended model for Web Applications and widgets can achieve.
- Mobile Web Initiative
- To help identify use cases and requirements for Web Applications on mobile devices and to help ensure that this Working Group's deliverables address those use cases and requirements
- Policy Languages Interest Group (PLING)
- PLING is chartered as a forum for community building around policy languages, and might be able to provide useful expertise. This Interest Group might be a useful forum for further discussion of policy management strategies.
- Web Accessibility Initiative Protocols and Formats Working Group
- To ensure this Working Group's deliverables support accessibility requirements, particularly with regard to interoperability with assistive technologies, and inclusion in deliverables of guidance for implementing the group's deliverables in ways that support accessibility requirements.
- Web Applications Working Group
- This group defines relevant specifications including Web IDL, and File Upload.
- Ubiquitous Web Applications Working Group
- This group defines relevant specifications, including the Delivery Context Client Interfaces (DCCI).
Furthermore, this Working Group expects to follow the following W3C Recommendations, Guidelines and Notes and, if necessary, to liaise with the communities behind the following documents:
External Groups
The following is a tentative list of external bodies the Working Group should collaborate with:
- ECMA Technical Committee 39 (TC39)
- This is the group responsible for ECMAScript standardization, and related ECMAScript features like E4X. As this Working Group will be developing ECMAScript APIs, it should collaborate with TC39.
- JCP
- The Java Community Process has developed comparable APIs for the Java runtime.
- IETF
- The IETF has created specifications that are related to some of the APIs in this WG's scope.
- OASIS
- OASIS' Extensible Access Control Markup Language (XACML) is a likely starting point for work on policy description. If the language is used, relevant requirements and experiences should be fed back to the XACML technical committee.
- OMTP
- OMTP's BONDI initiative aims to define key interfaces that enable the mobile web platform to access sensitive functions on the mobile, within a security framework that protects the user from malicious actions. OMTP can provide input to requirements and technologies for this Working Group, as well as review and endorse deliverables.
- OpenAjax Alliance
- The OpenAjax Alliance has done initial work to identify guidelines for the design of mobile device APIs.
Participation
To be successful, this Working Group is expected to have 10 or more active participants for its duration, and to have the participation of the industry leaders in fields relevant to the specifications it produces.
The Chair(s) and specification Editors are expected to contribute one to two days per week towards the Working Group. There is no minimum requirement for other participants. However, it should be noted that as defined by the Process Document, group participants need to attend most meetings, be familiar with documents and minutes of past meeting, and follow the relevant mailing lists to be considered in good standing; this is likely to require at least half a day a week.
This Working Group will also allocate the necessary resources for building Test Suites for each specification.
This Working Group welcomes participation from non-Members. The group encourages questions and comments on its public mailing list, public-device-apis@w3.org, which is publicly archived and for which there is no formal requirement for participation. The group also welcomes non-Members to contribute technical submissions for consideration, with the agreement from each participant to Royalty-Free licensing of those submissions under the W3C Patent Policy.
Communication
The Working Group's Teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis. At least one teleconference per week is expected.
Most of the technical work of the group will be done through discussions on the public-device-apis@w3.org, the group's public mailing list. Editors' drafts and their editing history will be available from a public W3C web site. The group's action and issue tracking data will also be public, as will the Member-approved minutes from all teleconferences and meetings.
The group will use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a particular member requests such a discussion.
Information about the group (for example, details about deliverables, issues, actions, status, participants) will be available from the Device APIs and Policy Working Group home page.
Decision Policy
As explained in the Process Document (section 3.3), this group will seek to make decisions when there is consensus. When the Chair puts a question and observes dissent, after due consideration of different opinions, the Chair should record a decision (possibly after a formal vote) and any objections, and move on.
This charter is written in accordance with Section 3.4, Votes of the W3C Process Document and includes no voting procedures beyond what the Process Document requires.
Patent Policy
This Working Group operates under the W3C Patent Policy (5 February 2004 Version). To promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented, according to this policy, on a Royalty-Free basis.
For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.
About this Charter
This charter for this Working Group has been created according to section 6.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Dominique Hazael-Massieux, <dom@w3.org>, Thomas Roessler, <tlr@w3.org>, Team Contacts, based on a draft by Art Barstow, Nokia
Copyright© 2009 W3C® (MIT, ERCIM, Keio), All Rights Reserved.