Fix [DAP-ISSUE-135]: Add security and privacy considerations section [Network Service Discovery]
authorRich Tibbett <richt@opera.com>
Mon, 12 Aug 2013 16:20:17 +1000
changeset 440 fcbaadc4fd54
parent 439 630eb296aaf9
child 441 b4b2569b4e9b
Fix [DAP-ISSUE-135]: Add security and privacy considerations section [Network Service Discovery]
discovery-api/Overview.html
discovery-api/Overview.src.html
--- a/discovery-api/Overview.html	Thu Aug 08 14:41:34 2013 -0400
+++ b/discovery-api/Overview.html	Mon Aug 12 16:20:17 2013 +1000
@@ -222,10 +222,10 @@
       </h1>
       <h2 property="dcterms:issued"
           datatype="xsd:dateTime"
-          content="2013-07-22T22:39:30.000Z"
-          id="w3c-editor-s-draft-23-july-2013">
+          content="2013-08-11T20:17:25.000Z"
+          id="w3c-editor-s-draft-12-august-2013">
         <abbr title="World Wide Web Consortium">W3C</abbr> Editor's Draft <time class="dt-published"
-            datetime="2013-07-23">23 July 2013</time>
+            datetime="2013-08-12">12 August 2013</time>
       </h2>
       <dl>
         <dt>
@@ -362,91 +362,107 @@
               class="tocxref"><span class="secno">3.</span> Terminology</a>
         </li>
         <li class="tocline">
+          <a href="#security-and-privacy-considerations"
+              class="tocxref"><span class="secno">4.</span> Security and privacy considerations</a>
+          <ul class="toc">
+            <li class="tocline">
+              <a href="#privacy-considerations-for-api-implementations"
+                  class="tocxref"><span class="secno">4.1</span> Privacy considerations for <abbr title=
+                  "Application Programming Interface">API</abbr> implementations</a>
+            </li>
+            <li class="tocline">
+              <a href="#additional-api-implementation-considerations"
+                  class="tocxref"><span class="secno">4.2</span> Additional <abbr title=
+                  "Application Programming Interface">API</abbr> implementation considerations</a>
+            </li>
+          </ul>
+        </li>
+        <li class="tocline">
           <a href="#requesting-networked-services"
-              class="tocxref"><span class="secno">4.</span> Requesting networked services</a>
+              class="tocxref"><span class="secno">5.</span> Requesting networked services</a>
           <ul class="toc">
             <li class="tocline">
               <a href="#methods"
-                  class="tocxref"><span class="secno">4.1</span> Methods</a>
+                  class="tocxref"><span class="secno">5.1</span> Methods</a>
             </li>
             <li class="tocline">
               <a href="#error-handling"
-                  class="tocxref"><span class="secno">4.2</span> Error Handling</a>
+                  class="tocxref"><span class="secno">5.2</span> Error Handling</a>
             </li>
           </ul>
         </li>
         <li class="tocline">
           <a href="#obtaining-networked-services"
-              class="tocxref"><span class="secno">5.</span> Obtaining networked services</a>
+              class="tocxref"><span class="secno">6.</span> Obtaining networked services</a>
           <ul class="toc">
             <li class="tocline">
               <a href="#attributes"
-                  class="tocxref"><span class="secno">5.1</span> Attributes</a>
+                  class="tocxref"><span class="secno">6.1</span> Attributes</a>
             </li>
             <li class="tocline">
               <a href="#methods-1"
-                  class="tocxref"><span class="secno">5.2</span> Methods</a>
+                  class="tocxref"><span class="secno">6.2</span> Methods</a>
             </li>
             <li class="tocline">
               <a href="#events"
-                  class="tocxref"><span class="secno">5.3</span> Events</a>
+                  class="tocxref"><span class="secno">6.3</span> Events</a>
             </li>
           </ul>
         </li>
         <li class="tocline">
           <a href="#communicating-with-a-networked-service"
-              class="tocxref"><span class="secno">6.</span> Communicating with a networked service</a>
+              class="tocxref"><span class="secno">7.</span> Communicating with a networked service</a>
           <ul class="toc">
             <li class="tocline">
               <a href="#attributes-1"
-                  class="tocxref"><span class="secno">6.1</span> Attributes</a>
+                  class="tocxref"><span class="secno">7.1</span> Attributes</a>
             </li>
             <li class="tocline">
               <a href="#states"
-                  class="tocxref"><span class="secno">6.2</span> States</a>
+                  class="tocxref"><span class="secno">7.2</span> States</a>
             </li>
             <li class="tocline">
               <a href="#events-1"
-                  class="tocxref"><span class="secno">6.3</span> Events</a>
+                  class="tocxref"><span class="secno">7.3</span> Events</a>
             </li>
           </ul>
         </li>
         <li class="tocline">
           <a href="#service-discovery"
-              class="tocxref"><span class="secno">7.</span> Service Discovery</a>
+              class="tocxref"><span class="secno">8.</span> Service Discovery</a>
           <ul class="toc">
             <li class="tocline">
               <a href="#zeroconf-mdns-dns-sd"
-                  class="tocxref"><span class="secno">7.1</span> Zeroconf (<abbr title="Multicast DNS">mDNS</abbr> +
+                  class="tocxref"><span class="secno">8.1</span> Zeroconf (<abbr title="Multicast DNS">mDNS</abbr> +
                   <abbr title="Domain Name System">DNS</abbr>-<abbr title="Service Discovery">SD</abbr>)</a>
             </li>
             <li class="tocline">
               <a href="#simple-service-discovery-protocol-ssdp"
-                  class="tocxref"><span class="secno">7.2</span> Simple Service Discovery Protocol (<abbr title=
+                  class="tocxref"><span class="secno">8.2</span> Simple Service Discovery Protocol (<abbr title=
                   "Simple Service Discovery Protocol">SSDP</abbr>)</a>
             </li>
             <li class="tocline">
               <a href="#discovery-and-launch-protocol-dial"
-                  class="tocxref"><span class="secno">7.3</span> Discovery and Launch Protocol (<abbr title=
+                  class="tocxref"><span class="secno">8.3</span> Discovery and Launch Protocol (<abbr title=
                   "Discovery and Launch Protocol">DIAL</abbr>)</a>
             </li>
             <li class="tocline">
               <a href="#network-topology-monitoring"
-                  class="tocxref"><span class="secno">7.4</span> Network Topology Monitoring</a>
+                  class="tocxref"><span class="secno">8.4</span> Network Topology Monitoring</a>
             </li>
           </ul>
         </li>
         <li class="tocline">
           <a href="#events-summary"
-              class="tocxref"><span class="secno">8.</span> Events Summary</a>
+              class="tocxref"><span class="secno">9.</span> Events Summary</a>
         </li>
         <li class="tocline">
           <a href="#garbage-collection"
-              class="tocxref"><span class="secno">9.</span> Garbage collection</a>
+              class="tocxref"><span class="secno">10.</span> Garbage collection</a>
         </li>
         <li class="tocline">
           <a href="#use-cases-and-requirements"
-              class="tocxref"><span class="secno">10.</span> Use Cases and Requirements</a>
+              class="tocxref"><span class="secno">11.</span> Use Cases and Requirements</a>
         </li>
         <li class="tocline">
           <a href="#examples"
@@ -610,7 +626,8 @@
 </pre>
       </div>
       <p>
-        For more detailed examples see the <a href="#examples">Examples</a> section.
+        For more detailed examples, including examples of communicating with obtained networked services, see the
+        <a href="#examples">Examples</a> section.
       </p>
     </section>
     <section id="conformance"
@@ -758,9 +775,90 @@
         </li>
       </ul>
     </section>
+    <section id="security-and-privacy-considerations">
+      <h2>
+        <span class="secno">4.</span> Security and privacy considerations
+      </h2>
+      <p>
+        The <abbr title="Application Programming Interface">API</abbr> defined in this specification can be used to
+        find and connect to devices and services within a user's current network. This discloses information related to
+        a user's network: devices available on their network and the publicly-accessible services ("networked
+        services") currently running and available on those devices. The distribution of this information could
+        potentially compromise the user's privacy. A conforming implementation of this specification <em class=
+        "rfc2119"
+           title="MUST">MUST</em> provide a mechanism that protects the user's privacy. This mechanism <em class=
+           "rfc2119"
+           title="MUST">MUST</em> ensure that no networked service information is retrievable without the user's
+           express permission.
+      </p>
+      <section id="privacy-considerations-for-api-implementations">
+        <h3>
+          <span class="secno">4.1</span> Privacy considerations for <abbr title=
+          "Application Programming Interface">API</abbr> implementations
+        </h3>
+        <p>
+          A <a href="#dfn-user-agent"
+             class="internalDFN">user agent</a> <em class="rfc2119"
+             title="MUST NOT">MUST NOT</em> provide networked service information to web sites without the express
+             permission of the user. A user agent <em class="rfc2119"
+             title="MUST">MUST</em> acquire permission through a user interface, unless they have prearranged trust
+             relationships with users, as described below. The user interface <em class="rfc2119"
+             title="MUST">MUST</em> include the document base <abbr title="Uniform Resource Locator">URL</abbr>. Those
+             permissions that are acquired through the user interface and that are preserved beyond the current
+             browsing session (i.e. beyond the time when the browsing context is navigated to another <abbr title=
+             "Uniform Resource Locator">URL</abbr>) <em class="rfc2119"
+             title="MUST">MUST</em> be revocable and a user agent <em class="rfc2119"
+             title="MUST">MUST</em> respect revoked permissions.
+        </p>
+        <p>
+          Obtaining the user's express permission to access one <abbr title=
+          "Application Programming Interface">API</abbr> method does not imply the user has granted permission for the
+          same web site to access any other methods that may be provided by this <abbr title=
+          "Application Programming Interface">API</abbr>, or to access the same method with a different set of
+          arguments, as part of the same permission context. If a user has expressed permission for an implementation
+          to, e.g. find a set of existing networked services, the implementation <em class="rfc2119"
+             title="MUST">MUST</em> seek the user's express permission if and when any subsequent functions are called
+             on this <abbr title="Application Programming Interface">API</abbr>.
+        </p>
+        <p>
+          A user agent <em class="rfc2119"
+             title="MAY">MAY</em> have prearranged trust relationships that do not require such user interfaces. For
+             example, while a web browser will present a user interface when a web site performs a networked service
+             lookup, a different runtime may have a prearranged, delegated security relationship with the user and, as
+             such, a suitable alternative security and privacy mechanism with which to authorise the retrieval of
+             networked service information.
+        </p>
+      </section>
+      <section class="informative"
+               id="additional-api-implementation-considerations">
+        <h3>
+          <span class="secno">4.2</span> Additional <abbr title="Application Programming Interface">API</abbr>
+          implementation considerations
+        </h3>
+        <p>
+          <em>This section is non-normative.</em>
+        </p>
+        <p>
+          Further to the requirements listed in the previous section, implementors of the Network Service Discovery
+          <abbr title="Application Programming Interface">API</abbr> are also advised to consider the following aspects
+          that can negatively affect the privacy of their users: in certain cases, users can inadvertently grant
+          permission to the user agent to disclose networked services to Web sites. In other cases, the content hosted
+          at a certain <abbr title="Uniform Resource Locator">URL</abbr> changes in such a way that previously granted
+          networked service permissions no longer apply as far as the user is concerned. Or the users might simply
+          change their minds.
+        </p>
+        <p>
+          Predicting or preventing these situations is inherently difficult. Mitigation and in-depth defensive measures
+          are an implementation responsibility and not prescribed by this specification. However, in designing these
+          measures, implementers are advised to enable user awareness of networked service sharing, and to provide easy
+          access to interfaces that enable revocation of permissions that web applications have for accessing networked
+          services via this <abbr title="Application Programming Interface">API</abbr>.
+        </p>
+      </section>
+    </section>
     <section id="requesting-networked-services">
       <h2>
-        <span class="secno">4.</span> Requesting networked services
+        <span class="secno">5.</span> Requesting networked services
       </h2>
       <pre class="widl">
 [Supplemental, NoInterfaceObject]
@@ -783,7 +881,7 @@
 </pre>
       <section id="methods">
         <h3>
-          <span class="secno">4.1</span> Methods
+          <span class="secno">5.1</span> Methods
         </h3>
         <dl class="domintro">
           <dt>
@@ -1059,7 +1157,7 @@
       </section>
       <section id="error-handling">
         <h3>
-          <span class="secno">4.2</span> Error Handling
+          <span class="secno">5.2</span> Error Handling
         </h3>
         <dl class="domintro">
           <dt>
@@ -1106,7 +1204,7 @@
     </section>
     <section id="obtaining-networked-services">
       <h2>
-        <span class="secno">5.</span> Obtaining networked services
+        <span class="secno">6.</span> Obtaining networked services
       </h2>
       <p>
         The <a href="#networkservices"><code>NetworkServices</code></a> interface represents a collection of zero or
@@ -1144,7 +1242,7 @@
 </pre>
       <section id="attributes">
         <h3>
-          <span class="secno">5.1</span> Attributes
+          <span class="secno">6.1</span> Attributes
         </h3>
         <dl class="domintro">
           <dt>
@@ -1189,7 +1287,7 @@
       </section>
       <section id="methods-1">
         <h3>
-          <span class="secno">5.2</span> Methods
+          <span class="secno">6.2</span> Methods
         </h3>
         <dl class="domintro">
           <dt>
@@ -1265,7 +1363,7 @@
       </section>
       <section id="events">
         <h3>
-          <span class="secno">5.3</span> Events
+          <span class="secno">6.3</span> Events
         </h3>
         <p>
           The following are the event handlers (and their corresponding event handler event types) that <em class=
@@ -1309,7 +1407,7 @@
     </section>
     <section id="communicating-with-a-networked-service">
       <h2>
-        <span class="secno">6.</span> Communicating with a networked service
+        <span class="secno">7.</span> Communicating with a networked service
       </h2>
       <p>
         The <a href="#networkservice"><code>NetworkService</code></a> interface is used to provide a set of connection
@@ -1343,7 +1441,7 @@
 </pre>
       <section id="attributes-1">
         <h3>
-          <span class="secno">6.1</span> Attributes
+          <span class="secno">7.1</span> Attributes
         </h3>
         <dl class="domintro">
           <dt>
@@ -1428,7 +1526,7 @@
       </section>
       <section id="states">
         <h3>
-          <span class="secno">6.2</span> States
+          <span class="secno">7.2</span> States
         </h3>
         <dl class="domintro">
           <dt>
@@ -1454,7 +1552,7 @@
       </section>
       <section id="events-1">
         <h3>
-          <span class="secno">6.3</span> Events
+          <span class="secno">7.3</span> Events
         </h3>
         <p>
           The following are the event handlers (and their corresponding event handler event types) that <em class=
@@ -1507,7 +1605,7 @@
     </section>
     <section id="service-discovery">
       <h2>
-        <span class="secno">7.</span> Service Discovery
+        <span class="secno">8.</span> Service Discovery
       </h2>
       <p>
         A <a href="#dfn-user-agent"
@@ -1547,7 +1645,7 @@
       <p>
         The <dfn id="dfn-list-of-available-service-records">list of available service records</dfn> is a single dynamic
         internal lookup table within user agents that is used to track all the services that have been discovered and
-        are available in the current network at the current time. At any point during the running of either of the two
+        are available in the current network at the current time. At any point during the running of any of the
         <a href="#dfn-service-discovery-mechanisms"
            class="internalDFN">service discovery mechanisms</a> then existing entries within this table can be updated,
            entries can be added and entries can be removed as the status of networked services changes according to the
@@ -1733,7 +1831,7 @@
       </p>
       <section id="zeroconf-mdns-dns-sd">
         <h3>
-          <span class="secno">7.1</span> Zeroconf (<abbr title="Multicast DNS">mDNS</abbr> + <abbr title=
+          <span class="secno">8.1</span> Zeroconf (<abbr title="Multicast DNS">mDNS</abbr> + <abbr title=
           "Domain Name System">DNS</abbr>-<abbr title="Service Discovery">SD</abbr>)
         </h3>
         <p>
@@ -1798,7 +1896,7 @@
       </section>
       <section id="simple-service-discovery-protocol-ssdp">
         <h3>
-          <span class="secno">7.2</span> Simple Service Discovery Protocol (<abbr title=
+          <span class="secno">8.2</span> Simple Service Discovery Protocol (<abbr title=
           "Simple Service Discovery Protocol">SSDP</abbr>)
         </h3>
         <p>
@@ -2191,7 +2289,7 @@
       </section>
       <section id="discovery-and-launch-protocol-dial">
         <h3>
-          <span class="secno">7.3</span> Discovery and Launch Protocol (<abbr title=
+          <span class="secno">8.3</span> Discovery and Launch Protocol (<abbr title=
           "Discovery and Launch Protocol">DIAL</abbr>)
         </h3>
         <p>
@@ -2346,7 +2444,7 @@
       </section>
       <section id="network-topology-monitoring">
         <h3>
-          <span class="secno">7.4</span> Network Topology Monitoring
+          <span class="secno">8.4</span> Network Topology Monitoring
         </h3>
         <div>
           <p>
@@ -2374,7 +2472,7 @@
     </section>
     <section id="events-summary">
       <h2>
-        <span class="secno">8.</span> Events Summary
+        <span class="secno">9.</span> Events Summary
       </h2>
       <p>
         The following events are dispatched on the <a href="#networkservices"><code>NetworkServices</code></a> and/or
@@ -2470,7 +2568,7 @@
     </section>
     <section id="garbage-collection">
       <h2>
-        <span class="secno">9.</span> Garbage collection
+        <span class="secno">10.</span> Garbage collection
       </h2>
       <p>
         A user agent <em class="rfc2119"
@@ -2503,7 +2601,7 @@
     </section>
     <section id="use-cases-and-requirements">
       <h2>
-        <span class="secno">10.</span> Use Cases and Requirements
+        <span class="secno">11.</span> Use Cases and Requirements
       </h2>
       <p>
         This section covers what the requirements are for this <abbr title=
--- a/discovery-api/Overview.src.html	Thu Aug 08 14:41:34 2013 -0400
+++ b/discovery-api/Overview.src.html	Mon Aug 12 16:20:17 2013 +1000
@@ -217,7 +217,8 @@
 </pre>
       </div>
       <p>
-        For more detailed examples see the <a href="#examples">Examples</a> section.
+        For more detailed examples, including examples of communicating with obtained networked services, see the
+        <a href="#examples">Examples</a> section.
       </p>
     </section>
     <section id='conformance'>
@@ -329,6 +330,67 @@
     </section>
     <section>
       <h2>
+        Security and privacy considerations
+      </h2>
+      <p>
+        The API defined in this specification can be used to find and connect to devices and services within a user's
+        current network. This discloses information related to a user's network: devices available on their network and
+        the publicly-accessible services ("networked services") currently running and available on those devices. The
+        distribution of this information could potentially compromise the user's privacy. A conforming implementation
+        of this specification MUST provide a mechanism that protects the user's privacy. This mechanism MUST ensure
+        that no networked service information is retrievable without the user's express permission.
+      </p>
+      <section>
+        <h3>
+          Privacy considerations for API implementations
+        </h3>
+        <p>
+          A <a>user agent</a> MUST NOT provide networked service information to web sites without the express
+          permission of the user. A user agent MUST acquire permission through a user interface, unless they have
+          prearranged trust relationships with users, as described below. The user interface MUST include the document
+          base URL. Those permissions that are acquired through the user interface and that are preserved beyond the
+          current browsing session (i.e. beyond the time when the browsing context is navigated to another URL) MUST be
+          revocable and a user agent MUST respect revoked permissions.
+        </p>
+        <p>
+          Obtaining the user's express permission to access one API method does not imply the user has granted
+          permission for the same web site to access any other methods that may be provided by this API, or to access
+          the same method with a different set of arguments, as part of the same permission context. If a user has
+          expressed permission for an implementation to, e.g. find a set of existing networked services, the
+          implementation MUST seek the user's express permission if and when any subsequent functions are called on
+          this API.
+        </p>
+        <p>
+          A user agent MAY have prearranged trust relationships that do not require such user interfaces. For example,
+          while a web browser will present a user interface when a web site performs a networked service lookup, a
+          different runtime may have a prearranged, delegated security relationship with the user and, as such, a
+          suitable alternative security and privacy mechanism with which to authorise the retrieval of networked
+          service information.
+        </p>
+      </section>
+      <section class="informative">
+        <h3>
+          Additional API implementation considerations
+        </h3>
+        <p>
+          Further to the requirements listed in the previous section, implementors of the Network Service Discovery API
+          are also advised to consider the following aspects that can negatively affect the privacy of their users: in
+          certain cases, users can inadvertently grant permission to the user agent to disclose networked services to
+          Web sites. In other cases, the content hosted at a certain URL changes in such a way that previously granted
+          networked service permissions no longer apply as far as the user is concerned. Or the users might simply
+          change their minds.
+        </p>
+        <p>
+          Predicting or preventing these situations is inherently difficult. Mitigation and in-depth defensive measures
+          are an implementation responsibility and not prescribed by this specification. However, in designing these
+          measures, implementers are advised to enable user awareness of networked service sharing, and to provide easy
+          access to interfaces that enable revocation of permissions that web applications have for accessing networked
+          services via this API.
+        </p>
+      </section>
+    </section>
+    <section>
+      <h2>
         Requesting networked services
       </h2>
       <pre class="widl">
@@ -1029,7 +1091,7 @@
       <p>
         The <dfn>list of available service records</dfn> is a single dynamic internal lookup table within user agents
         that is used to track all the services that have been discovered and are available in the current network at
-        the current time. At any point during the running of either of the two <a>service discovery mechanisms</a> then
+        the current time. At any point during the running of any of the <a>service discovery mechanisms</a> then
         existing entries within this table can be updated, entries can be added and entries can be removed as the
         status of networked services changes according to the rules defined in this specification.
       </p>