
RE: Meeting Mintes for: Agenda for WebID Teleconf, Monday 11 April 2011

From: peter williams <home_pw@msn.com>
Date: Tue, 12 Apr 2011 05:57:28 -0700
Message-ID: <SNT143-ds49CF42EB9C2BAF901CCBE92AB0@phx.gbl>
To: "'Henry Story'" <henry.story@bblfish.net>, "'WebID XG'" <public-xg-webid@w3.org>
Think about what happens in the bar, afterwards, when the browser guys meet
and consider the presentations they heard. From what Harry H briefed, they
come with prejudice against us (based on years of religious wars, and their
aftermath). Remember, at least 50% of the committee are associated with the
US national id program (who are behind the scenes paying real money, to
"lead opinion").

 

We can imagine the conversation

 

1. Yup. We heard the usual RDF/semantic web story. It's toned down a bit
(phew!), but at the end of the day it's the same old story of if only we
change how we think about browser making and the web in general, we can
address *their* goals. What do they do for us? Well we get the semantic web!
The half-stated big picture of webid is to eliminate the CA vendors
(billion dollar companies), and we need to first upgrade our use of DNSsec in
the SSL libraries. If we don't include RDF parsing engines in the browser
(re-igniting a VERY CONTENTIOUS issue to all browser makers), it really
doesn't hold. We need to spend considerable amounts of money, on core
platform issues that will force million-dollar+ re-certifications by govt
security agencies doing crypto/security evals (directly relevant to our govt
and Fortune 100 sales). This is going to require considerable budgeting
effort, and multi-year planning since it affects a billion PCs. Issues of
service packs for older operating systems all rear their heads. Hmm ($$$).

 

Or,

 

2. We need to upgrade the APIs, to allow third parties to play with cert and
SSL state changes, at the browser UI. There are several views on how to do
this, some looking novel and interesting. It's time to let third parties
experiment. There are new markets here, it seems.

 

We also need to upgrade the cert validation classes, so the platform can
sensibly make n outstanding connections to each of the SAN URIs mentioned in
the cert. This probably means taking another look at how we handle all URI,
already in certs, for the parallelism issue, and consider the use of async
APIs. We have to consider the impact on HSMs, when they are involved too!

 

We could ensure that when a kernel or user process initiates a profile
connection, it can push the content through the malware scanner,
particularly in the case of RDFa. There may be reputation sources to consult
too, to even consider handling the content. Webid assumes the open web, and
we don't want crappy content (e.g. porn) pushed into our corporate
customer's kernel-based web caches.

 

(In Windows) browsers and servers use kernel based process to do https and
that will not change now, just because webid exists. After all, it works
fine with ldap and ADSI calls - similar to webid. Thought is required on
whether to perform https on URIs within certs as we do today (for CRLDP and
OCSP and certPolicy https URIs) or else consider whether we need a more
refined kernel/userspace delegate handoff. If there are n of these handoffs
to allow different URI SANs to be evaluated in parallel for relevance (per
validation spec), one needs to consider the impact on performance in a
server operating at 100 logins a second...  Hmm. Sounds like a good
challenge, relevant to the https and SSL future generically.

 

 

 

 

My advice is pitch at the platform library level, if you want some
fundamental change that enables. Don't pitch the revolution, or the killer
app. What I heard in the abstract was tone down religion. Semantic web
light. To be fair, folks were advised to take that position. My argument
is, perhaps, to do away with the entire religion element, altogether. Just
pitch what we need from https libraries (in browsers and OS platforms like
Windows and OSX).

 

I don't expect anyone here to agree. But, I've added my valueless comment,
per the process.

 

 

 

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Monday, April 11, 2011 11:16 PM
To: WebID XG
Cc: Peter Williams
Subject: Re: Meeting Mintes for: Agenda for WebID Teleconf, Monday 11 April
2011

 

 

On 12 Apr 2011, at 01:31, Peter Williams wrote:

 

> Does this mean that non-browser clients (eg word, excel) cannot use
> webids?

 

No of course not. The topic of the talk is "W3C Workshop on Identity in the
Browser"

http://www.w3.org/2011/identity-ws/

If it were a talk on Web and Tools we'd have a different introduction.

 

> Today, excel posts an HTML rendering of its reports up to websites.
> Presumably, this is not in scope, now. It's not a use case this group is
> interested in standardizing.

 

You do jump to conclusions don't you?

 

In a later e-mail you posted

> One has been able to saveAS to a webDAV server since windows XP! One used
> to map a drive letter to the remote site, and windows took care of using SMB
> or WebDAV. This went out of fashion, when WebDAV went out of fashion. Web
> standards come and go... SOAP is in SOAP is out. WebDav is in; tomorrow it's
> out. RDF comes in and out. RSS for site maps didn't really make it.

 

 

I think WebDav is pretty good and would be a very good use case for WebID
integration. So would Atom pub.

We could mention those as a use case, given that Microsoft will be in the
crowd.

 

 

> 

> Presumably, FTP clients doing ftps with certs with San Uris are also out
> of scope, as is the irc client (in opera) doing ssl client auth against
> commercial irc servers.

 

Nothing is stopping people here from going to a big conference on ftp and giving an
ftp specific presentation :-)

 

> 

> Since folk want 1 cert to be multiapp, validators can do a head operation
> on the uri, to see if it is webid capable ( looking at the mime type). If
> it's not, pass by that uri in the San uri list (for webid purposes). If it
> is, then consult the rdf for even finer grain metadata on the uri.

> 

> Similarly, an ftps/irc server - without webid querying capabilities - can
> figure which https Uris in the San it can use (using non rdf-based
> de-referencing).

> 

> 

> On Apr 11, 2011, at 2:12 PM, Henry Story <henry.story@bblfish.net> wrote:

> 

>> Minutes are here:

>> 

>> The meeting started off with us getting even more lost than usual in 

>> IRC magic. But I have now written down the main magic spells. After 

>> that we covered the test cases, and spent a lot of time writing the first
>> part of the abstract for identity in the browser.

>> 

>> Jeff Even wrote a Haiku for it

>> 

>> WebID helps me

>> identity, privacy

>> Secure, simple, free

>> 

>> Here is the first part for the talk: 

>>  http://www.w3.org/2011/identity-ws/

>> 

>> 1. Position Statement

>> 

>> The browser is the interface to the web and should also serve as the
>> interface to a user's identity. Identity selection and deselection should be
>> a one-click gesture to secure authentication across the entire web. It
>> should put the user in control of the information he shares with each site.
>> And it should be available now.

>> 

>> The WebID protocol achieves all of the above. It works in all browsers
>> now using the widely-deployed TLS protocol and client-side certificates--but
>> with a twist. It ties those certificates into the web in a RESTful manner
>> allowing identities to be linked together in a secure social web of trust.

>> 

>> After explaining how the WebID protocol works, we will suggest a roadmap
>> for future improvements in the browser, starting from minimal changes that
>> can be done right now, to longer term ones that can be deployed
>> incrementally.

>> 

>> 

>> We will be working on that this week and continue reviewing it next week.

>> 

>> Henry

>> 

>> 

>> 

>> On 7 Apr 2011, at 22:53, Henry Story wrote:

>> 

>>> 

>>> Meeting Time/Location:

>>> Mondays, Weekly, from April 11th 2011

>>> Time: 1600 UTC

>>> W3C Zakim bridge, telecon code: WEBID (93243)

>>>  SIP: zakim@voip.w3.org

>>>  Phone US: +1.617.761.6200

>>>  Phone UK: +44.203.318.0479

>>>  Phone FR: +33.4.26.46.79.03

>>> irc://irc.w3.org:6665/#webid

>>> Duration: 60 minutes

>>> 

>>> 

>>> Meeting Agenda:

>>> 1. Accept minutes from previous meeting

>>> 2a. Action Item Review

>>>  http://www.w3.org/2005/Incubator/webid/track/actions/open

>>>  http://www.w3.org/2005/Incubator/webid/track/actions/pendingreview

>>> 2b. Issue Closing

>>>  (more below)

>>> 3. Anything else we need to discuss in the telecon?

>>> (a time to raise any important news, updates etc)

>>> 4. A List of 1-4 predetermined ISSUEs or Topics, tbd weekly by the Chair in advance.

>>> 

>>> - ISSUE-9: Develop WebID Test Suite

>>>    http://www.w3.org/2005/Incubator/webid/track/issues/9

>>> - ACTION-23: Start a position paper for Identity in the browser workshop
>>>   http://www.w3.org/2011/identity-ws/

>>>   This will take some time, and could continue for half an hour after
>>>   the conf I guess.

>>> 

>>> 

>>> On 4 Apr 2011, at 19:14, Nathan wrote:

>>> 

>>>> Hi All,

>>>> 

>>>> I'd like to propose that we have weekly meetings every Monday at 16:00
>>>> UTC from April 11th onwards.

>>>> 

>>>> If anybody has any objections or is otherwise engaged every Monday at
>>>> this time, then please do say before Friday the 8th April.

>>>> 

>>>> Meeting Time/Location:

>>>> Mondays, Weekly, from April 11th 2011

>>>> Time: 1600 UTC

>>>> W3C Zakim bridge, telecon code: WEBID (93243)

>>>>  SIP: zakim@voip.w3.org

>>>>  Phone US: +1.617.761.6200

>>>>  Phone UK: +44.203.318.0479

>>>>  Phone FR: +33.4.26.46.79.03

>>>> irc://irc.w3.org:6665/#webid

>>>> Duration: 60 minutes

>>>> 

>>>> Scribes:

>>>> - We'll generate a (random) scribe list and match them up to 

>>>> related dates, for an example see: 

>>>>  http://www.w3.org/2011/rdf-wg/wiki/Scribes

>>>> - If for any reason you can't scribe (ever) then do say so we can
>>>> remove you from the rotation.

>>>> - If for any reason you won't be able to attend a meeting which you are
>>>> due to be scribing, please let us know via the mailing list so an
>>>> alternative can be arranged.

>>>> - To save any unwanted surprises, I'll scribe the first weekly meeting
>>>> on the 11th.

>>>> 

>>>> Generic Meeting Agenda:

>>>> 1. Accept minutes from previous meeting

>>>> 2a. Action Item Review

>>>>  http://www.w3.org/2005/Incubator/webid/track/actions/open

>>>>  http://www.w3.org/2005/Incubator/webid/track/actions/pendingreview

>>>> 2b. Issue Closing

>>>>  (more below)

>>>> 3. Anything else we need to discuss in the telecon?

>>>> (a time to raise any important news, updates etc)

>>>> 4. A List of 1-4 predetermined ISSUEs or Topics, tbd weekly by the Chair in advance.

>>>> 

>>>> Generally:

>>>> - I'd like us to try and get working through the open/raised issues:

>>>>  http://www.w3.org/2005/Incubator/webid/track/issues/raised

>>>>  http://www.w3.org/2005/Incubator/webid/track/issues/open

>>>> .. and advance the products:

>>>>  http://www.w3.org/2005/Incubator/webid/track/products

>>>> .. so that we all feel that the time we commit to the meetings is well
>>>> spent, and typically is centred towards making progress on the issues and
>>>> products, pre discuss on the list, then come to final resolutions on the
>>>> calls.

>>>> 

>>>> Quorum and resolving issues:

>>>> - to close an issue, Quorum is usually 1/3 of the active members in a
>>>> group (in our case that would be 12). However I'd suggest that we specify 6
>>>> plus-ones to move an issue to preliminarily close an issue, at which point
>>>> the ISSUE will be moved to a "Pending Review" status.

>>>> - For any issue we propose to close, the resolution must be sent to the
>>>> mailing list and left on "Pending Review" for one week so that others get a
>>>> chance to comment on any proposed solution, or raise any last minute
>>>> objections/points/clarifications.

>>>> - After one week of "Pending Review", all issues requiring no further
>>>> discussion will be closed at the subsequent meeting, and any issues
>>>> requiring further telecon time / another vote will be placed on the Agenda
>>>> by the Chair.

>>>> 

>>>> Does that all sound okay?

>>>> 

>>>> Best,

>>>> 

>>>> Nathan

>>> 

>>> Social Web Architect

>>>  http://bblfish.net/

>>> 

>> 

>> Social Web Architect

>>  http://bblfish.net/

>> 

>> 

>> 

 

Social Web Architect

 http://bblfish.net/

 

 
Received on Tuesday, 12 April 2011 12:58:04 UTC
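
The thread describes a validator that issues a HEAD request to each SAN URI in a certificate, skips those whose MIME type is not WebID capable, and does so in parallel so a busy server is not stalled. The sketch below is an added example, not part of the original message or of any WebID implementation; the media-type set, the `sample_head` stand-in for an HTTPS HEAD call, the timeout and concurrency limit, and all sample URIs are assumptions constructed for illustration.

```python
import asyncio
from urllib.parse import urldefrag, urlsplit

# Assumption: media types that mark a URI as WebID capable (RDF/XML, Turtle, RDFa hosts).
WEBID_TYPES = {"application/rdf+xml", "text/turtle", "text/html", "application/xhtml+xml"}

# Constructed sample data standing in for HEAD responses: URI -> (delay in s, Content-Type).
SAMPLE_HEAD = {
    "https://alice.example/card": (0.01, "text/turtle; charset=utf-8"),
    "https://alice.example/photo.png": (0.01, "image/png"),
    "https://slow.example/profile": (5.0, "application/rdf+xml"),
    "https://bob.example/foaf": (0.02, "Application/RDF+XML"),
}

async def sample_head(doc_uri):
    """Hypothetical stand-in for an HTTPS HEAD request; returns the Content-Type header."""
    delay, ctype = SAMPLE_HEAD[doc_uri]
    await asyncio.sleep(delay)
    return ctype

async def probe(uri, head, timeout):
    """Classify one SAN URI without ever fetching the profile body."""
    if urlsplit(uri).scheme != "https":
        return uri, "skipped: not https"
    doc_uri, _fragment = urldefrag(uri)  # HEAD targets the document, not the #fragment
    try:
        ctype = await asyncio.wait_for(head(doc_uri), timeout)
    except asyncio.TimeoutError:
        return uri, "skipped: timeout"  # a slow host must not stall the login
    except Exception as exc:
        return uri, f"skipped: {type(exc).__name__}"
    media = ctype.split(";")[0].strip().lower()
    return uri, "webid" if media in WEBID_TYPES else f"skipped: {media}"

async def classify_async(san_uris, head=sample_head, timeout=0.5, limit=4):
    """Probe all SAN URIs concurrently, at most `limit` connections at a time."""
    gate = asyncio.Semaphore(limit)
    async def bounded(uri):
        async with gate:
            return await probe(uri, head, timeout)
    return dict(await asyncio.gather(*(bounded(u) for u in san_uris)))

def classify(san_uris, **kw):
    return asyncio.run(classify_async(san_uris, **kw))

def webid_candidates(san_uris, **kw):
    verdicts = classify(san_uris, **kw)
    return [u for u in san_uris if verdicts[u] == "webid"]
```

Only the URIs returned by `webid_candidates` would go on to profile retrieval and RDF parsing; the per-URI verdicts from `classify` are suitable for logging why a SAN entry was passed over.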
