- From: Dan Connolly <connolly@w3.org>
- Date: Mon, 05 Jan 2009 10:53:20 -0600
- To: public-ietf-w3c <public-ietf-w3c@w3.org>
apologies for the delay...
IETF teleconference
10 Jun 2008
See also: http://www.w3.org/2008/06/10-ietf-irc
Attendees
Present
Plh, Mark Nottingham, Tim BL, Thomas, Dan C, Lisa_Dusseault
Regrets
John Klensin
Chair
Mark
Scribe
Plh
Contents
* Topics
1. Agenda bashing
2. XHR
3. Media Fragments
4. XML Sig
5. XML Security WG
6. OpenID + OAuth
7. next call
* Summary of Action Items
_________________________________________________________
Agenda bashing
XHR Object LC
Media Fragments
XML Sig
XML Security WG
anything else?
Tim: anything in the IETF about OpenID?
XHR
Mark: the HTTP looked into it in the past
... not sure if anyone looked at it recently
... looked at it 4 or 5 months
... kind of confusing as well since they're working on new stuff as
well
... has the WG closed the LC?
Philippe: dunno
Dan: as long as they don't reach the next steps, you might be fine
Mark: the document is documenting current practices so can't do much
damage
Dan: it's not documenting current practices. tried an example and
didn't work.
Mark: I was aware that there were places where they weren't able to
document current practices
Dan: Hello World example doesn't work
Mark: I'll talk to Yves.
Thomas: web applications WG has been officially chartered yesterday
... Web application formats and webapps. new mailing list!
... new group, chaired by Art Barstow and Charles
McCathieNevile
<tlr> public-webapps, member-webapps
Mark: is the public list like the HTML public list? ie you have to
be a member of the group?
Thomas: dunno, check with Doug or Mike
Mark: so XHR work is now taking place there?
Thomas: yes
Media Fragments
http://www.w3.org/2008/01/media-fragments-wg.html
<DanC> (mnot, re
http://lists.w3.org/Archives/Public/public-webapps/ , MikeSmith
says "I believe that anybody can subscribe to that list" )
Philippe: introduces the topic
Mark: when will the Group start?
Philippe: mid-July in the best case
... any special IETF group to be listed?
Lisa: for media, RAI Groups are doing more in this area nowadays.
Maybe MMusic. Drop to Jon Peterson?
<scribe> ACTION: Mark to contact the RAI Groups about the Media
Fragment charter
XML Sig
Thomas: XML Security Maintenance Group has been working on a second
edition of XML Signature, to include c14n 1.1 as mandatory
... Proposed Recommendation was successful and will be published as
a REC today.
... include c14n 1.1, most of known errata
... some edge cases in tests
... tests included 5 implementations
... originally planned to have IETF LC at the same time as the PR,
but did not happen
... will need an update of the RFC (?)
... RFC 3275
<tlr> ... Don Eastlake will submit internet-draft soon-ish ...
<tlr> ... expect Tim Polk to be sponsoring AD ....
Thomas: Don will have a draft ready soonish, before next week
XML Security WG
Thomas: we have chartered a new WG to reopen Signature and
Encryption. Aim to look into the pain points identified during
workshop. streaming, performance, etc.
... expectation is the Group won't make breaking changes unless
absolutely necessary
... charter is for 2 years
... will start at requirements, gathered at the workshop
... group will have initial f2f in July in Barcelona
... the security area should know about it
Mark: how about apps folks as well?
Thomas: could do it as well
OpenID + OAuth
Tim: OpenID looked like a nifty solution for sign-on issues but
instead of using HTTP URIs, it's using XRI URIs.
... the TAG has been very critical of XRIs, because they end up
recreating functionalities of HTTP
... you have to duplicate the protocol
... and duplicate social aspects (naming space)
... XRIs don't use URI syntax natively, but could be converted.
... so we have fragmentation
... TAG suggested that it should not become OASIS standard
... as we know it's important to have liaison between orgs
... so, OpenID calls out XRIs
... when we tried to implement, there is a lot of round trips
... lots of HTTP connections for reason like it's too painful to
distribute public keys or because of legacy
... could save some round trips with a better code base
... so what's the story of IETF and OpenID?
Lisa: Dirk ? brought the OpenID BOF at the IETF
... told OpenID improved security but since it's using redirects for
legacy
... so platform for phishing
... I went around saying it's a platform to make phishers happy
... if you can get past the requirement of running on existing
browsers, you can do things that are a lot more secure
... there are issues with redirect, ie you could be redirected to
somewhere unknown instead of your entity
Tim: yes, unless you have client that can check the sig
Lisa: relaxing the backward compatibility was primordial
... so didn't find a crowd in IETF
<DanC> (the verisign openid seatbelt extension intercepts the
redirect... but again, that's not the "no changes to browsers"
approach.)
Tim: we have old timers at W3C and IETF in those fields, so we're
not as friendly to them as we used to be
Lisa: without the OpenID coming to IETF, I'm not sure we have
critical mass
... we could document it
... but can't be published as an RFC until we have a better system
to replace it
... it's a people mngt thing
... not enough consensus around any one approach. some folks still
want kerberos
Thomas: several competitors
Tim: OpenID.org, isn't there consensus there?
Thomas: there is a community that thinks that OpenID is a really
good idea but don't know if that extends outside this community
... liberty is not part of it
... kerberos community either
... something around delegation would be worth doing but lots of
existing investments and no consensus to move forward
Tim: OpenID is the new kid on the block
Philippe: several companies, like Yahoo!, deployed an OpenID entity
but still not accepting OpenID from outside
Thomas: don't think that OpenID solves single sign-on
... and in lots of cases, it's authorizing something specific
... OAuth addresses that
... I don't need to prove who I am to authorize a web site to access
some data
... so solving a different problem but it's more relevant for
mash-ups
Tim: two different models: give access to web sites or do the
processing on your computer.
Thomas: that last part is being addressed by WebApps (AccessControl)
Tim: thanks for the update
Mark: wearing my HTTP hat, I have issues with OAuth
... Yahoo! just hired the author of OAuth, trying to engage in IETF
work
... I'll publish something at some point
... they define an HTTP authentication scheme without any
constraint
... so interop issues
Thomas: so it's about being underspecified?
Mark: yes
... it's going to be defined by the implementations, whoever comes
first
Lisa: read OAuth a while ago, enough to conclude that it wasn't
ready. but don't remember details
Mark: yes, needs a lot of work
Lisa: I'm not against a new HTTP auth mechanism
... some people would disagree
... would rather build it on top of HTTP
Tim: issues with building it on top of HTTP, especially with
redirects. No standard way to engage an auth dialog with the browser
<tlr> 402 Payment Required ;-)
Dan: how about 4xx?
Tim: you want pop-ups, different colors, etc, creating a little
sandbox environment
... the calendar could delegate that to the browser
... but folks want to work with existing browsers
Lisa: if the application is not in the browser, it may be
inappropriate to go to an HTML page.
Tim: yes, would need to connect it through the browser, taking care
of offline/online mode, etc.
Lisa: at the P2P workshop, topic came up about network conditions.
might result in new work at IETF.
... bittorrent guys could certainly use more information about the
network
... they tried to be responsible, but no standard for it
<DanC> New Status Code -- 2xx Greedy Hotel? Mark Nottingham 15 Mar
2007
http://lists.w3.org/Archives/Public/ietf-http-wg/2007JanMar/0277.html
Tim: yes, that would be useful indeed
... wifi should be made easier to use, as easy as dhcp
... including taking care of payment
Lisa: will certainly push for something simple.
Lisa: dhcp has a new option for HTTP URI
... we can talk about recommended information but can't force
anything
<DanC> (hmm... if it's XML or RDF, how do you sell the user a new
boingo subscription?)
Tim: obviously, if it's rdf, you can throw more data.
next call
DanC will chair
and take the ball
Summary of Action Items
[NEW] ACTION: Mark to contact the RAI Groups about the Media
Fragment charter
--
Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541 0875 0F91 96DE 6E52 C29E
Received on Monday, 5 January 2009 16:56:40 UTC