Security for Access to Device APIs from the Web - W3C Workshop 10-11 December 2008, London

• About W3C
• Call for Participation
• Venue
• Papers
• Report
• Agenda

10-11 December 2008
Hosted by
Vodafone

Agenda

We will start at 8:30am and finish at 5pm.

Day 1 (Dec 10)

See also: minutes 2009-12-10

• 8:30-9:00 Welcome, logistics, agenda review
• 9:00-9:15 Introduction
• 9:15-10:15 Challenges:
  • W3C WebApps WG (Position Paper for W3C's Security for Access to Device APIs from the Web Workshop by Art Barstow (Nokia)) [slides]
  • Security challenges for internet technologies on mobile devices by Geir Olsen (Microsoft Corp.), Anil Dhawan (Microsoft Corp.) [slides]
  • Design Principles: Security Assurance for Web Device APIs by Maritza Johnson (Columbia University), Steven M. Bellovin (Columbia University) [slides]
• 10:15-10:45 Coffee break
• 10:45-12:30 Requirements:
  • Identity/Policy/Trust: Secure access for widgets to resources and privileged APIs by Arve Bersvendsen (Opera Software ASA)
  • Geolocation fall-out I: Privacy policies and device APIs (John Morris, CDT) [slides]
  • UI considerations: APIs, Safety, and User Notifications on The Web by Arun Ranganathan (Mozilla), presented by Lucas Adamski (Mozilla) [slides]
  • Geolocation fall-out II: Device APIs in the browser context, by Doug Turner (Mozilla)
• 12:30-1:45 Lunch break
• 1:45-3:45 Landscape
  • Usability: Lotus Rich Client Experience and Security Related Device API Requirementsby Lee Griffin (IBM), Mary Ellen Zurko (IBM) [no slides]
  • Network impact of Web access to device APIs by Matthew Ford (Internet Society), Phil Roberts (Internet Society) [slides]
  • Position Paper from ANT Software [issues arising from trying to implement a security model in a context where various parties need to be able to make contributions, and prefereably without pre-agreement] [slides]
  • Widgets vs Browser issues: ACCESS NetFront Browser Widgets [slides]
• 3:45-4:15 Coffee break
• 4:15-5:30 Security Mechanisms:
  • TiddlyWiki - a reusable non-linear personal web notebook, Paul Downey (Osmosoft/BT) [presentation content]
  • Caja: Defending Against Untrusted Javascript by Ben Laurie (Google)
  • Position Paper from Verisign by Phillip Hallam-Baker (Verisign Inc.) [slides]
  • The Case for Bi-Lateral End-To-End Strong Authentication by C. Chandersekaran (Institute for Defense Analyses), William R Simpson (Institute for Defense Analyses) [slides]
  • Federated Trust Policy Enforcement by Delegated SAML Assertion Pruning by C. Chandersekaran (Institute for Defense Analyses), William R Simpson (Institute for Defense Analyses) [slides]

Day 2 (Dec 11)

See also: minutes 2009-12-11

• 8:30-9:00 Summary of day 1, agenda review
• 9:00-10:15 Policy Mechanisms:
  • Towards a community-controlled security policy for Widgets by Marcos Caceres (W3C Invited Expert) [slides]
  • Web Runtime Policy Based Security by Steve Lewontin (Nokia) [slides]
  • Security Model for browsing and widgets by Olli Immonen (Nokia) [slides]
  • BONDI: A Web based security model fit for purpose by Nick Allott (OMTP Office), David Rogers (OMTP Office), Geoff Preston (OMTP Office) [slides]
  • WebVM - Security policy for device API access by Paddy Byers (Aplix), Kai Hendry (Aplix) [slides]
• 10:15-10:45 Coffee break
• 10:45-12:30
  • Security model for widgets based on the MIDP security model, and a securtiy model for web applications based on TLS/SSL and XMLDsig - Sony Ericsson Position Paper (Marcus Liwell, Claes Nilsson, Sony Ericsson) [slides]
  • Software Components for Secure Mobile Web Application Platforms by Patrik Persson (Ericsson Reseach), Björn Johansson (Ericsson Reseach) [slides]
  • Security-By-Contract (S×C) for Mobile Systems by N. Dragoni (University of Trento), F. Massacci (University of Trento) [slides]
• 12:30-1:30 Lunch break
• 1:30-3:15 Conclusions
• 3:15-3:45 Coffee break
• 3:45-5:00 Conclusion: next steps