Security and privacy

Background

webinos creates networks of personal devices and exposes them to web applications.– Potential attack vector for malware– Potential for a loss of privacy

webinos must be designed to protect stakeholders (primarily users) and be implemented securely

This presentation

1. Goals for security and privacy in webinos

2. Focus on:1. One device

2. The personal zone

3. Inter-user security and privacy

3. Conclusions and future directions

Goals

1. Protect user data, devices and services

2. Balance security mechanisms against control and freedom

3. Provide a consistent user experience

4. Allow for management of applications, data and devices

5. Take into consideration other stakeholders

Security and privacy on one device

API access mediated by an XACML-based security policy architecture– Based on WAC and BONDI– Extended for multi-device scenarios– Extended with privacy controls (TBD)

Application signing– Widgets – based on WAC and W3C

drafts/standards– Websites – SSL certificates

Local authentication

Personal zones

Device authentication– Public key infrastructure for every device– PZH acts as a certificate authority– Enrolment of new devices

Secure communication OpenID authentication of users Policy synchronisation PZH interface to manage zones

Communication between users

Personal zones can be bridged for inter-user communication

Authentication– User identity expressed through OpenID /

WebFinger / social network– Enables certificate exchange

Authorisation– Policies mediate access to APIs and services

Conclusion

Consistent, straightforward security framework

Building on existing work, introducing personal zones

In the future:– Interfaces– Better privacy management, expression– Integration of secure hardware?– More tools for users and developers