|| ||Ryan Ware <ware-VuQAYsv1563Yd54FQh9/CA-AT-public.gmane.org> |
|| ||meego-security-discussion-VVXm0OgCXj10cC2WI2GV6A-AT-public.gmane.org |
|| ||Re: Arbitrary 3rd Party Code |
|| ||Fri, 08 Apr 2011 10:26:29 -0700|
|| ||Article, Thread
On 04/07/2011 04:32 PM, Praveen Gupta wrote:
> URL is not usable.. Please re-send..
> Again, separation of local-access only data is, just, one usecase..
> There are several other usecases.. For example -
> * Separation of "enterprise", "Carrier" and "application-sensitive" data
> * Restriction of data cross-over from one domain to another
> Mobile platforms has "unique" security requirements.
> Implementation of these requirements is *necessary* for adoption of mobile
> platforms by "sensitive" enterprise applications (for example).. Several
> other such scenarios / use-cases exists.
> We need *requirements* which we can map to different Meego releases..
> After requirements are frozen, we need to propose "architecture" with
> release plan.
Please don't top-post.
This might be the case if we were following a waterfall development
model. We are not in any way following that type of model.
Additionally, we already have security requirements that have previously
been defined and published. There are others that have been defined and
will be published in the near future.
As for the specific requirement that you've proposed, I do not see it as
a requirement for MeeGo. Even if it was, I don't see a viable technical
solution that could be put in place. Content providers have been trying
to do this exact thing with various digital rights management systems
since the dawn of digitally distributed, consumer oriented products. As
we all know, their efforts with all of their resources have not yet
created a solution that would meet the intent of your requirement. If
they've never been able to do it, we have no hope of doing that with the
small number of resources we have working on MeeGo.
I believe I have a good understanding of what you would like to see and
we can't do it. We can't have a requirement saying we need to govern
what an application does with data after it's received it. What we
*can* have though (and do, but not published yet) is a requirement
stating that the end-user can control which applications are allowed
which type of personal data. That is reasonable and implementable and
we already have things in flight to get there.
to post comments)