Minutes of the W3C/IETF Coordination Call, 2012-02-28

Participants:

Stephen Farrell (SF)
John Klensin (JCK)
Philippe Le Hegaret (PLH)
Mark Nottingham (MNOT)
Pete Resnick (PR)
Peter Saint-Andre (PSA)
Robert Sparks (RJS)
Thomas Roessler (TLR)

Agenda:

1. HTTP/2.0 / recharter of IETF HTTPBIS WG
2. Web authentication (see lively discussion triggered by #1)
3. Concerns about the "CA system"
4. IETF IRI WG / W3C i18n Core WG / URL processing spec
5. WebSocket extensions / HYBI WG recharter
6. Update on work in IETF WebSec WG and W3C WebAppSec WG
7. SIP provider identity - does it matter for WebRTC?
8. Crypto API chartering, Identity meetings in Paris
9. Paris IETF / IAB plenary
10. Next meeting
11. Any Other Business

Notes:

1. HTTP Recharter

MNOT: SPDY came out ~1 year ago, gained significant momentum in late
2011. Mark reached out to implementer community. Lots of interest and
positive feedback. Mark worked on strawman charter and socialized it
with Mike Belshe / SPDY folks, IETF ADs, W3C TAG, etc. Implementation is
accelerating. Concern that input is needed sooner rather than later. Has
been put before the IESG. Idea is to solicit proposals for HTTP/2.0 in
the next few months. Open process to ensure that we're not just taking
on SPDY, other approaches are welcome.

PSA: Any coordination issues with W3C/IETF here?

MNOT: Should make sure that HTML and HTTP/2.0 are well-coordinated.

PLH: Are there specific people we need to get involved or specific
issues related to HTML5 and HTTP/2.0?

MNOT: No specific concerns here, probably involve Yves.

TLR: Concur about involving Yves.

2. Web Authentication

PSA: Lots of discussion over time, not clear that we have all the right
people at the table yet.

SF: I think it's gotten better. Might be useful to develop some
experimental approaches / new auth schemes.

TLR: Could you provide a summary of the discussion?

SF: During external review of the proposed recharter, I raised the issue
of perhaps developing new / better HTTP authentication approaches. This
gives people an opportunity to introduce proposals to work on that
during the work on HTTP/2.0. If so, the work would happen in HTTPBIS;
for non-adopted, interesting proposals, we might decide to form an
initiative in the IETF Security Area to work on experimental proposals
(so they are not critical path for HTTP/2.0.)

TLR: Are there any implementers strongly interested here?

SF: We won't know until we see concrete proposals.

3. CA Concerns

PSA: Could TLR/PLH fill us in?

TLR: No obvious venue for a productive conversation. Some ideas for the
W3C to form an initiative, also discussions at IETF (therightkey mailing
list). One additional piece: notion among some in the W3C community that
the DNS is more brittle than others think it is.

PR: What parts do people think are brittle?

TLR: Concerns not as well-defined as I'd like them to be.  But heads-up,
that discussion is going on.

PR: My slightly snarky response to the CA problem is the existence of
the DANE WG effort at the IETF. I personally feel like it could solve
the problem.

SF: DANE can change/improve stuff, but might not fix it.

TLR: Personally I think we need to start thinking about / working on
things like JavaScript APIs for some of this.

SF: One wrinkle is that there are more unreliable registrars than
unreliable CAs.

JCK: If you look at it in terms of percentages, it's ugly all around.

TLR: DANE appears to perhaps limit the attack surface. Also, this is a
much longer discussion.

TLR: Changing topics, the CA/Browser Forum is discussing whether to form
a more open venue for work on this topic and is soliciting proposals:
http://cabforum.org/index.html

SF: Is there concrete W3C planning here?

TLR: Not yet. Counter-question: is there concrete planning at the IETF?

SF: Not yet, other than therightkey@ietf.org discussion list, but the
proposals there are not yet stable and need more work before they can be
reviewed more widely. Perhaps a W3C community group?

TLR: Might be worth discussing the possibility of a workshop or, yes, a
community group.

4. IRI

PSA: i18n Core WG has agreed to review the IRI WG documents starting
around the time of IETF83.

JCK: ICANN IDN work important in this context. Note that, if ICANN
declares that some sets of names are to be considered/treated as
"equal", anything based on comparisons of URIs or IRIs moves from "hard
and not necessarily reliable" into "surreal".

ACTION: PSA to pull together IRI / IDN folks for discussion around IETF
83, additional discussion later.

Useful participants: folks on this call, Thomas Narten, Suzanne Woolf,
Dave Thaler, Andrew Sullivan, Gervase Markham, Klensin, Faltstrom.
Maybe Vint, maybe Steve Crocker.

TLR: Where do we stand on the HTML5 / IRI front?

PSA: See http://dvcs.w3.org/hg/url/raw-file/tip/Overview.html - based on
conversation with Mike Smith the other day, it is a bit early to provide
detailed feedback on that spec now.

5. WebSocket Extensions

PSA: HYBI WG has been rechartered, we might want to make sure that we
continue coordination between HYBI WG and WebApps WG.

PLH: Main blocker now is tests, but progress is ongoing there.

6. WebSec / WebAppSec

PSA: New version of Strict Transport Security.

TLR: Discussion of clickjacking and Content Security Policy, trying to
get CORS done, reasonable intensity of work. Reasonably confident that
things are going well.

7. SIP Provider Identity and WebRTC

TLR: There was discussion about having an IANA registry for SIP
providers. Do we have a sense of the use case?

RJS: I don't think you need to worry about it. The proponents for the
SPID idea itself are continuing to pursue the idea, and I'll point you
to the messages where they have been making their motivating arguments. I
have not seen any desire to bring this up in the WebRTC.

JCK: Please loop me in on this.

8. W3C Crypto API

TLR: WG is under review by Advisory Community, still working to find an
additional co-chair. Expect approved charter in relatively near future.
Other issue is relationship to OAuth, OpenID Connect, possibility for
additional and broader work. Side meeting at IETF 83 in Paris.

SF: Scheduled on the Thursday lunch break (1130-1300) in room 252A, just
before the OAuth WG session.

PSA: Stephen, do you see any coordination issues from the IETF side?

SF: Definitely interest in seeing crypto in the browsers. Existence of
such an API could have an impact in the future on OAuth design etc.

TLR: Also note OpenID Connect meeting Sunday, overlapping with training
sessions.

9. IETF 83 / IAB Plenary

TLR: Do we have insights into the agenda for the IAB Plenary? I've heard
it's related to web security.

SF: We don't have details yet.

PSA: Who will be there?

TLR: Me part of the time, Philippe, Dominique for RTCWeb, Harry Halpin
is local, Wendy Seltzer for a few days, Yves might be there too. I also
expect a number of TAG members to be there since they are meeting in
Europe the next week. Might be good to have a separate discussion about
that with Yves and Larry.

ACTION: Thomas to check in with Yves on TAG activities at IETF.

10. Next Meeting

~4-5 weeks after IETF 83? Week of April 23rd or 16th might work. To
coordinate on the list.

11. Any Other Business

PLH: Possibility of HTML meeting in May/June timeframe.

TLR: There's been some discussion about impact of application work such
as WebRTC on lower layers of the network, best practices for network
usage, etc. Is this a general topic that comes up on the IETF side of
the discussion or should there be some coordination here? There is a
community group at http://www.w3.org/community/networkfriendly/

PR: Move to hallway discussion in Paris.

END

Received on Friday, 2 March 2012 04:07:17 UTC