W3C Forms teleconference August 25, 2010

* Present

Steven Pemberton, CWI/W3C
Charlie Wiecha, IBM
Leigh Klotz, Xerox
John Boyer, IBM

* Agenda


* Invited Experts

Steven Pemberton: I have gotten OK for two invited experts and will do my part of the action now.

* Summer Vacation Schedule


Steven Pemberton: This looks like the last week of holiday regrets.

* New Draft Tutorial


Steven Pemberton: Please look at it.
Leigh Klotz: I'm getting exceptions.
Steven Pemberton: I'll look at it. I'll try to get a Ubiquity version as well, as I've been talking to Mark.
John Boyer: We'd like to get the stable version up soon. There's a lot of working going on. For IE it uses HTC files for behaviors, but there's a way to do it without those files, and that eliminates XSS issues.
Steven Pemberton: Please let me know. We do have to have models in the body, right?
John Boyer: We're doing DOM walking instead of HTC, so possibly that limitation can be removed.
Steven Pemberton: I thought it had something to do with Firefox.
John Boyer: It has to do with when certain things can happen.

Steven Pemberton: So please skim through the tutorial.
Leigh Klotz: Our new experts would be good to review this as they've been involved in advocacy.

* XQuery in Browser

http://sourceforge.net/projects/edib/ https://addons.mozilla.org/en-US/firefox/addon/199900/

Leigh Klotz: We might want to consider some sort of liaison with XQuery and possibly either an XQuery action as we have planned for XSLT, or an expression version (as Nick van den Bleeken proposed) for using XQuery. I think Nick, Erik Bruchez, Dan McCreary, and Alain would be interested in watching this space.

* News Items


John Boyer: Do we have any?
Leigh Klotz: I think there was a Dutch company.
Steven Pemberton: Let me look...it was sent to www-forms. http://www.seneca.nl. I'll add that. "SmartSite iXperion".

* XForms 1.1 Errata

http://www.w3.org/MarkUp/Forms/wiki/XForms_1.1_First_Edition_Errata http://www.w3.org/2009/10/REC-xforms-20091020-errata-20091020.html

John Boyer: I started this and did two other action items.
Steven Pemberton: Should our actual errata document point to this?
John Boyer: The spec itself points to a specific location. We can snapshot this.
John Boyer: In the final rec pub process, someone changed the link. They only changed it in the link, not the diff-marked version (which has no diffs), so the diff-marked version pointed to one and the formal rec pointed to another. It looked like "help" but Ian fixed it immediately. I provide previous version links in errata documents and the previous-link trail takes us to the now empty one. We decided we would use the wiki to collect errata.
John Boyer: The second erratum is the schema change for select and select1 elements to allow UI common (help|hint|alert|action) to appear after item|itemset. I did not change the schema yet.
Leigh Klotz: Right, because it's a prose change as well.
John Boyer: Actually, because I forgot. The schema we can change right now.

* Action Items

John Boyer: I've done three. It's been a couple of months since the list has been updated. Was Nick supposed to be back today?
Steven Pemberton: Next week.
John Boyer: Maybe next week. I know there are errata and other action items.

* Web Service Security

John Boyer: There are people who say that your web services work in XForms is good, but what about secure services? I think they mean digital signature on the SOAP envelope. I don't have a lot of experience with secure web services, but that's my suspicion. I think it's just a piece of XML in the SOAP envelope. I had kind of thought that secure web services were secured with digital signatures that used HMAC, and you were securing server-to-server communications, but they're asking for end-user private keys. I'm not so sure that it makes a lot of sense, and wonder if anyone else thinks it makes sense. What I tell people to do now is to use XForms HTTP and HTTPS submissions; we send SOAP envelope submissions over that call, and if you want to use secure server-to-server communications, use a proxy service that is access-controlled to the users and use XForms submission to submit to that service; that service can then do server-side secure service with digital signatures and using the server-side HMAC password or server-side private key, and then return the result to the client.
Steven Pemberton: So we don't have to make the XForms mechanism more complicated because you can handle it on the server.
John Boyer: Yes, but the downside is that the server is authenticating on behalf of the user and has to be trusted. That proxy service gets the userid from the servlet application context that the end user has authenticated to in the first place. I don't think there's anything weird about it. The secure service trusts only certain servers (which have which have the HMAC password or trusted public key). It should only trust those that server should trust, and trust them to authenticate users. That seems to work, but on the other hand, that does seem to work. They want end-users to be trusted to use the service and end up using the direct digital signatures of those end users. So far we don't do this.
Steven Pemberton: It's a whole area not properly addressed in the web as a whole. I often wonder why, when we fill in our credit card number, that doesn't get encoded with a public key of the bank so it's passed on to the bank.
John Boyer: Somehow users aren't supposed to use anything but HTTPS.
Steven Pemberton: No, the vendor (the shop) gets your credit card number.
John Boyer: So why can't they just pass it on?
Steven Pemberton: The bank can check it and the vendor call.
Leigh Klotz: I think they do the absolute cheapest thing that works. In France they all have SIM cards.
Steven Pemberton: I dream of a mechanism where the form contains a field for you to contain secret information that also contains the link to the public key so that, on submission, it gets encrypted so that you, as the buyer (or voter) can be sure that nobody knows.
John Boyer: That's not so much the end-user authenticating, but the encryption.
Steven Pemberton: That's the nice thing; it goes both ways.
John Boyer: That requires the vendor to write the intermediate JavaScript.
Steven Pemberton: If XForms supports it, that's not necessary.
John Boyer: You'd have to configure it as a credit card, or a secure field, and here's where you get that credential from.
Steven Pemberton: And that's the dream.
Leigh Klotz: You can't trust a downloaded implementation from the vendor.
John Boyer: And also the encryption can't be done on submission; it has to be done before it hits the instance.
Steven Pemberton: Right
Leigh Klotz: It's like the lexical conversion.
John Boyer: Except it doesn't go backward.

* Text Encoding Initiative workshop on XForms by Michael Sperberg-McQueen


Steven Pemberton: Michael Sperberg-McQueen is back at W3C and he's doing a workshop on XFOrms.
Steven Pemberton: He has some questions:

Steven Pemberton: He's approach XForms as a generalized editor for XML.
Leigh Klotz: Like Sebastian.
John Boyer: http://www.w3.org/TR/xforms11/#data-mutation-patterns-move-element
Steven Pemberton: Primitive actions for manipulating an XML document.

John Boyer: The rename is a little difficult without element creation. We can copy, but unless you can make a new node and copy content...For rename, we need the new "create" capability that Nick has been designing.
Steven Pemberton: It would be good to keep the conversation going.

* Distributed Extensibility

Charlie Wiecha: I was wondering about distributed extensibility. Did anything happen with HTML5? It will probably come up at TPAC again.

* Next week, Modules

Leigh Klotz: We need to get into it.
Steven Pemberton: I need to look at modularization.
Charlie Wiecha: And I need to look at the wiki syntax.
Leigh Klotz: John's provided a bit of a start for you.

* Dojo Single-Node Binding


Charlie Wiecha: This is our first example of pure-Dojo MVC with single-node binding. We got back some good responses that they want to do MVC.
Steven Pemberton: It's sort of got a model.
Charlie Wiecha: It definitely has a model. The repeat template is temporarily in a comment. Binding expressions aren't queries; we need a query language and dependency graph, but that's understood as an interesting direction to go.
Steven Pemberton: Very good.
Charlie Wiecha: We're trying to get this onto the Dojo-2.0 agenda for 2011.

* IRC Minutes


* Meeting Ends