Minutes: WAF WG 2008-02-27

Minutes from the call on 2008-02-27 are available online here:

   http://www.w3.org/2008/02/27-waf-minutes.html

A text version is included below the .signature.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

   [1]W3C

                                   - DRAFT -

                        WAF WG Access Control Voice Conf

27 Feb 2008

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          Art, tlr, jonas
   Regrets
   Chair
          Art

   Scribe
          Art, tlr

Contents

     * [4]Topics
         1. [5]cookies
     * [6]Summary of Action Items
     __________________________________________________________________



   <ArtB> Hi TLR!

   <ArtB> Jonas said he would invite some Moz people to our call

   <ArtB> Does MikeSmith still work for the W3C :-)? Haven't seen him very
   much but Boston and Tokyo time zones are not very favorable :-(.

   <tlr> He was on a conf call yesterday.

   <ArtB> k

   <tlr> I suspect it might be time to adjust the call time to accommodate
   him, though.

   <ArtB> he agreed to this time, IIRC

   <tlr> oh well

   <ArtB> Date: 27 Feb 2008

   <ArtB> Scribe: Art

   <tlr> Scribe: tlr

   art: jonas, anybody else coming?

   sicking: nope

   art: let's go ahead

cookies

   art: think everybody understands positions of various people
   ... take as opportunity to talk about what the problem is ...
   ... next steps ...
   ... let me try to summon Hixie ...

   tlr: expecting anne?

   art: he has a personal conflict
   ... let's talk a bit

   jonas: need to hear from sec people at other browser vendors
   ... mozilla won't move alone ...
   ... if we're the only ones who have the concerns, maybe others can move
   ahead without us ...

   art: can follow up with maciej and see if willing to provide input
   ... about what safari team thinks ...
   ... had ms participation at some point ..

   <scribe> ... dropped off ...

   UNKNOWN_SPEAKER: making note to contact them ...

   tlr: would be curious to understand more precisely what the landscape
   looks like
   ... i.e., shipping plans?

   jonas: if we can't send cookies for now, but still follow spec, we'll
   ship that ...

   <ArtB> ACTION: Barstow contact IE and Safari teams about their plans
   for AC4CSR [recorded in
   [7]http://www.w3.org/2008/02/27-waf-minutes.html#action01]

   <trackbot-ng> Created ACTION-172 - Contact IE and Safari teams about
   their plans for AC4CSR [on Arthur Barstow - due 2008-03-05].

   <Hixie> i am not near a phone

   <Hixie> wassup?

   tlr: I think if not sending cookies and auth headers, we need a
   handover protocol
   ... and that's a larger design space ..
   ... talk to OAuth people e.g.
   ... skeptical that that could happen within FF3 time frame

   jonas: we're out of time for FF3

   art: identity server sounds like one of the main use cases, basically
   IDP

   jonas: want to look into oauth
   ... maybe look into openid ...

   tlr: I'm skeptical about openid for this use case
   ... that's a different discussion ...

   jonas: the bouncing around design is the point

   tlr: yes

   jonas: we had security concerns about openid
   ... haven't looked into oauth ...
   ... they could suffer similar worries as access-control ...

   tlr: sounds like a workshop situation

   art: sounds like a good idea
   ... if I can help, by all means ...
   ... sounds like center of gravity are probably US West Coast ...

   jonas: would want to hear from security folks at other UAs
   ... don't personally agree with the concerns here ...
   ... if other vendors think the spec is sound, then don't necessarily
   need to change ...

   art: along those lines, was wondering about original architecture, as
   applied to VB world
   ... obviously, have made fairly substantial changes to the model ...
   ... but part borrowed from them ...

   jonas: same concerns there
   ... concern is with normal GET ...

   tlr: ambient authorization was where this once started, indeed

   jonas: would have the same concerns with the plain VB spec

   art: millions of pages served that way?

   tlr: think VoiceXML is *the* industry standard for voice stuff
   ... operations in a more constrained environment ...

   art: our model more open
   ... btw, my IRC connection is dead ...
   ... anyway, where do we go from here?

   jonas: solution I'd be happy with & be able to implement ...
   ... for ff3 - don't want the no-cookies way ...
   ... other option is to do what normal HTTP auth does, to ask the user
   ...
   ... I think that that would be a doable solution ...

   tlr: *very* skeptic about the ask user approach for this

   jonas: requirement was "user needs to approve request"
   ... not necessarily a pop-up ...
   ... if browser needs to ask the user ...
   ... we're stuck there ...
   ... but yes, I want to hear from Johnath ...

   tlr: if you want a useful user interaction, explain in terms that
   people understand
   ... and that gets you very close to flickr authorization style
   experiences ...
   ... where effectively you want the collaboration of both sites to do
   the authorization step ...
   ... and that in turn suggests looking at the various bounce people
   around protocols ...

   jonas: would argue that current protocol bounces user around
   ... just haven't standardized how bouncing should happen ...
   ... that might be our problem ...
   ... should probably design a protocol around that ...
   ... target site should be the one that's responsible ...
   ... shouldn't include site in allow list unless previously asked user
   ...

   tlr: I think we're edging more and more toward a server-side decision
   model
   ... which means the current model doesn't really fit ...

   jonas: probably don't need whitelist language we have
   ... probably just yes/no answer ...

   tlr: in a way, like what Tyler and Mark were describing
   ... my advice (and it's nothing more) would be to drop from FF3 ...

   jonas: unless we do something about asking the user
   ... don't think we can get everybody to agree to that
   ... want to keep working on the thread that I started
   ... try to explain better what people think of it
   ... expecting a no, if that's what I get, pull implementation

   tlr: assuming you need to pull, who would need to be involved from
   Mozo?
   ... in a workshop, e.g. ...

   Jonas: xx Snyder
   ... Brendan ?? ...
   ... basically the folks cced on my e-mail

   art: seeing how to move work forward
   ... whatever way makes sense ...
   ... think concern that Jonas raised is legitimate ...
   ... and understandable ...
   ... will go ahead and contact Apple and MS and see if they're willing
   ... to provide input ...
   ... maybe can get somebody from opera in addition to AvK to
   ... provide input

   tlr: Yngve; he was having misgivings i think

   art: going to try to get review from MS and other security folks

   tlr: note that most useful discussion might be to look at models

   art: news on charter, also re access-control?

   tlr: not in the loop on chartering discussions
   ... I think one question we hear here is what scope access-control work
   ... should have, and whether webapps charter should block on that
   ... I don't know answer to the first question, but would speculate
   second one is "no"

   art: yeah, we seem to have lost the FF3 driver
   ... let's pull people together
   ... disadvantage is that things could drag on for longer than we like
   ... consequence of bringing things into committee before
   ... implemented

   tlr: there could be existing things or mixtures of these that could be
   ... quicker to specify

   art: mash-ups running into this

   jonas: use own server as proxy

   tlr: yeah... lots ask for user name and password now
   ... flickr api is the other way ...

   jonas: that's why I liked the with-cookie approach
   ... better in some ways, but not good enough
   ... think whatever we do should integrate with whatever is out there
   today
   ... current spec doesn't cover authorization
   ... use latest greatest -- which is good

   art: one last question for jonas -- seems like moz position not likely
   to change?

   jonas: yep

   art: thanks for taking the time
   ... will follow up with other vendors ...
   ... hope to get some useful information ...
   ... if there's anything I can do to help workshopping things, please
   say
   ... let's suspend phone conferences till we need one

   tlr: I'll stick around on IRC

   jonas: agree

Summary of Action Items

   [NEW] ACTION: Barstow contact IE and Safari teams about their plans for
   AC4CSR [recorded in
   [8]http://www.w3.org/2008/02/27-waf-minutes.html#action01]

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [9]scribe.perl version 1.133
    ([10]CVS log)
    $Date: 2008/02/27 20:43:57 $
     __________________________________________________________________

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0276.html
   3. http://www.w3.org/2008/02/27-waf-irc
   4. http://www.w3.org/2008/02/27-waf-minutes.html#agenda
   5. http://www.w3.org/2008/02/27-waf-minutes.html#item01
   6. http://www.w3.org/2008/02/27-waf-minutes.html#ActionSummary
   7. http://www.w3.org/2008/02/27-waf-minutes.html#action01
   8. http://www.w3.org/2008/02/27-waf-minutes.html#action01
   9. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  10. http://dev.w3.org/cvsweb/2002/scribe/
  11. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/
  12. http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0276.html
  13. http://www.w3.org/2008/02/27-waf-minutes.html
  14. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm

Received on Wednesday, 27 February 2008 20:46:03 UTC