ISSUE-34: Protecting data versus protecting apis

protectingDataOrApis

Protecting data versus protecting apis

State:

CLOSED

Product:

APIs — General

Raised by:

Marcin Hanclik

Opened on:

2009-10-21

Description:

cf http://lists.w3.org/Archives/Public/public-device-apis/2009Oct/0193.html
“I think it is important to distinguish between protecting APIs and protecting data.
At present we focus mainly on protection of the APIs.
What about the case that the filesystem API is enabled for everyone, but the rights are related to some paths in the filesystem?
If we just concentrate on protecting APIs, we would probably need to define new APIs for the secure storage case.
So I would rephrase:
"SHOULD provide secure storage and management of secret information, e.g. server login credentials or API keys."
to
"SHOULD provide means to protect or restrict access to the parts of a given file system based on some security model, possibly different from the API security model".
(depending on what we will be able to agree on in the future).

This is the area that has been disputed in BONDI for a long time and there is currently no standardized end-2-end (from developer to policy writer) solution to that.
It is in general the area where the APIs meet security, the coupling is quite tight, although may not be so visible at first sight.”

Related Actions Items:

No related actions

Related emails:

1. Privacy related issues - next steps (from Frederick.Hirsch@nokia.com on 2011-01-19)
2. corrected draft minutes 2009-10-21 for approval (v2) (from frederick.hirsch@nokia.com on 2009-10-21)
3. Draft minutes 2009-10-21 (from frederick.hirsch@nokia.com on 2009-10-21)

Related notes:

Display change log