webinos Security privacy



An introduction to the security and privacy principles of webinos and the core security architectural principles

Presented by John Lyle of The University of Oxford

Published in: Technology, News & Politics
  • Notes:
    Primarily protecting against malware and malicious users. We don’t want to put users at risk of malware, but we don’t want to create a closed system like Apple.
    Usability: An advantage webinos has is that it can present the same controls and interfaces across different devices. We’re still working on what these will be, but having a common policy model will be essential. Furthermore, the common policy model means users only need to define things once in some cases.
    We’ve implemented various design techniques to elicit misuse cases and misusability cases, which we hope will help us align user goals and security and privacy issues.
    Inter-user, inter-device and inter-application communication can be managed. Management can be done on the most suitable device. Remote management of settings is planned.
    It would be easy to say ‘no’ to things like analytics, payment, etc. However, we’re trying to make a pragmatic system which provides a sensible trade-off.
  • OpenID Authentication – users authenticate by logging into their PZH through an OpenID provider. This avoids the need for any new passwords or identities for those users (we hope). It also provides a means for users to authenticate outside of the personal zone.

    1. Security and privacy
    2. Background
         • webinos creates networks of personal devices and exposes them to web applications.
             – Potential attack vector for malware
             – Potential for a loss of privacy
         • webinos must be designed to protect stakeholders (primarily users) and be implemented securely
    3. This presentation
         1. Goals for security and privacy in webinos
         2. Focus on:
              1. One device
              2. The personal zone
              3. Inter-user security and privacy
         3. Conclusions and future directions
    4. Goals
         1. Protect user data, devices and services
         2. Balance security mechanisms against control and freedom
         3. Provide a consistent user experience
         4. Allow for management of applications, data and devices
         5. Take into consideration other stakeholders
    5. Security and privacy on one device
         • API access mediated by an XACML-based security policy architecture
             – Based on WAC and BONDI
             – Extended for multi-device scenarios
             – Extended with privacy controls (TBD)
         • Application signing
             – Widgets – based on WAC and W3C drafts/standards
             – Websites – SSL certificates
         • Local authentication
    6. Personal zones
         • Device authentication
             – Public key infrastructure for every device
             – PZH acts as a certificate authority
             – Enrolment of new devices
         • Secure communication
         • OpenID authentication of users
         • Policy synchronisation
         • PZH interface to manage zones
    7. Communication between users
         • Personal zones can be bridged for inter-user communication
         • Authentication
             – User identity expressed through OpenID / WebFinger / social network
             – Enables certificate exchange
         • Authorisation
             – Policies mediate access to APIs and services
    8. Conclusion
         • Consistent, straightforward security framework
         • Building on existing work, introducing personal zones
         • In the future:
             – Interfaces
             – Better privacy management, expression
             – Integration of secure hardware?
             – More tools for users and developers