ISSUE-34: Protecting data versus protecting apis
protectingDataOrApis
- State: CLOSED
- Product: APIs — General
- Raised by: Marcin Hanclik
- Opened on: 2009-10-21
- Description: cf http://lists.w3.org/Archives/Public/public-device-apis/2009Oct/0193.html
"I think it is important to distinguish between protecting APIs and protecting data.
At present we focus mainly on protection of the APIs.
What about the case that the filesystem API is enabled for everyone, but the rights are related to some paths in the filesystem?
If we just concentrate on protecting APIs, we would probably need to define new APIs for the secure storage case.
So I would rephrase:
"SHOULD provide secure storage and management of secret information, e.g. server login credentials or API keys."
to
"SHOULD provide means to protect or restrict access to the parts of a given file system based on some security model, possibly different from the API security model".
(depending on what we will be able to agree on in the future).
This is the area that has been disputed in BONDI for a long time and there is currently no standardized end-2-end (from developer to policy writer) solution to that.
It is in general the area where the APIs meet security, the coupling is quite tight, although it may not be so visible at first sight."
- Related Actions Items: No related actions
- Related emails:
- Privacy related issues - next steps (from Frederick.Hirsch@nokia.com on 2011-01-19)
- corrected draft minutes 2009-10-21 for approval (v2) (from frederick.hirsch@nokia.com on 2009-10-21)
- Draft minutes 2009-10-21 (from frederick.hirsch@nokia.com on 2009-10-21)
Related notes:
[fhirsch]: http://lists.w3.org/Archives/Public/public-device-apis/2009Oct/0193.html
21 Oct 2009, 14:29:37
An exchange based security model has been proposed on the list though it's currently not clear whether any requirements have come out of that:
http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0038.html
[fjh]: focus now is privacy by design, not policy framework
15 Mar 2011, 07:36:33
[dom]: WTF??
15 Mar 2011, 07:37:35