webinos security privacy
DESCRIPTION
An introduction to the security and privacy principles of webinos and the core security architectural principles. Presented by John Lyle of the University of Oxford.
TRANSCRIPT
Security and privacy
Background
webinos creates networks of personal devices and exposes them to web applications.
– Potential attack vector for malware
– Potential for a loss of privacy
webinos must be designed to protect stakeholders (primarily users) and be implemented securely
This presentation
1. Goals for security and privacy in webinos
2. Focus on:
   1. One device
   2. The personal zone
   3. Inter-user security and privacy
3. Conclusions and future directions
Goals
1. Protect user data, devices and services
2. Balance security mechanisms against control and freedom
3. Provide a consistent user experience
4. Allow for management of applications, data and devices
5. Take into consideration other stakeholders
Security and privacy on one device
API access mediated by an XACML-based security policy architecture
– Based on WAC and BONDI
– Extended for multi-device scenarios
– Extended with privacy controls (TBD)
Application signing
– Widgets – based on WAC and W3C drafts/standards
– Websites – SSL certificates
Local authentication
Personal zones
Device authentication
– Public key infrastructure for every device
– PZH acts as a certificate authority
– Enrolment of new devices
Secure communication
OpenID authentication of users
Policy synchronisation
PZH interface to manage zones
Communication between users
Personal zones can be bridged for inter-user communication
Authentication
– User identity expressed through OpenID / WebFinger / social network
– Enables certificate exchange
Authorisation
– Policies mediate access to APIs and services
Conclusion
Consistent, straightforward security framework
Building on existing work, introducing personal zones
In the future:
– Interfaces
– Better privacy management, expression
– Integration of secure hardware?
– More tools for users and developers