Subject: Position Paper for W3C's Security for Access to Device APIs
from the Web Workshop
By: Art Barstow (art.barstow@nokia.com)
Date: 31 October 2008
As a Chair of the W3C's Web Applications Working Group [WebApps], I
am pleased the W3C is hosting the Workshop on Security for Access to
Device APIs from the Web [Workshop]. This is an important subject and
one that is related to some of the specifications being developed by
the Web Applications WG, particularly the group's Widgets
specifications [Widgets].
As the scope of the Workshop suggests, there are numerous security-
and privacy-related issues regarding accessing services on a device,
including but not limited to:
* Trust models
* Security policies
* Authentication
* Data integrity
* User interaction models
Besides the W3C, there are several other standards organizations,
industry fora and open communities that have completed, and/or are
actively doing, work related to this workshop's broad scope. This set
of interested parties includes: Trusted Computing Group (TCG), IETF,
OASIS, OpenID, OAuth and OWASP.
Some potential discussion topics for this workshop are:
* Problem statement: within the context of this workshop's scope,
which topics are high priority problem areas for current work in
progress by W3C WGs?
* Landscape: who (see list of organizations above) is doing related
work the W3C can leverage and what are their roadmaps? What are the
specification gaps and overlaps? What, if anything, should the W3C do
to cooperate and coordinate with these organizations?
* W3C's role: which of this workshop's topics are in scope for the
W3C? What, if anything, can the W3C do to provide value by addressing
clear specification gaps both in the short-term and long-term?
* Separation of Concerns: creating models and specifications that
separate policy from mechanisms (e.g. APIs). How do WGs create
modular specifications that maximize reuse of other organizations'
specs yet not create scheduling issues? How does the W3C leverage
other organizations' work yet not build dependencies on time-critical
work?
-Art Barstow
[Workshop]
[WebApps]
[Widgets]