- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Wed, 30 Jan 2008 16:40:56 -0500
- To: public-appformats@w3.org
All - The minutes from the WAF WG's 30 January VoiceConf on Access Control are available at the following and copied below: <http://www.w3.org/2008/01/30-waf-minutes.html> WG Members - if you have any comments, corrections, etc., please send them to the public-appformats mail list before February 6; otherwise the minutes will be considered approved. Regards, Art Barstow --- [1]W3C [1] http://www.w3.org/ - DRAFT - Web Application Formats Working Group Teleconference 30 Jan 2008 [2]Agenda [2] http://lists.w3.org/Archives/Public/public-appformats/ 2008Jan/0305.html See also: [3]IRC log [3] http://www.w3.org/2008/01/30-waf-irc Attendees Present Art, Anne, Dave, Thomas, Jonas, Hixie_(IRC) Regrets Chair Art Scribe Art Contents * [4]Topics 1. [5]Review Agenda 2. [6]Requirements and UCs 3. [7]Requirement #1 4. [8]Requirement 3 5. [9]Requirement #4 6. [10]Requirement #6 7. [11]Requirement #9 8. [12]Requirement #10 9. [13]Requirement #12 10. [14]Requirement #13 11. [15]AOB * [16]Summary of Action Items _________________________________________________________ <trackbot-ng> Date: 30 January 2008 <scribe> Scribe: Art <scribe> ScribeNick: ArtB Review Agenda AB: reserve 5 mins for AOB Requirements and UCs <tlr> argh <tlr> sorry AB: no comments on 2, 5, 7, 8, 11 ... comments on 1, 3, 4, 6, 9, 10, 12 ... not sure about #13 JS: I made comments on #13 AvK: I've addressed those comments AB: propose we record agreement on 2, 5, 7, 8, 11 and 13 ... OK? DO: not sure everyone has reviewed them AB: we've had two weeks now and in this agenda and the last I asked people to submit comments in advance of the meeting JS: I didn't receive many replies, mostly from Art <dorchard> DO: I'm worried that people have reviewed some of the requirements and their conversations are focused on those, not on all. AB: propose we recored agreement on 2, 5, 7, 8, 11 and 13 <dorchard> DO: so the concern is that the absence of discussion isn't consensus. AB: any objections? TR: I want to remove #13 since it has been changed DO: wonder about #5; think it was bundled in other conversations JS: Jon may have had a counter-proposal for #5 DO: I don't object to the others but not #5 TR: I have some concenrs about #5 too but mostly editorial <sicking> [17]http://lists.w3.org/Archives/Public/public-appformats/2008Jan/02 50.html [17] http://lists.w3.org/Archives/Public/public-appformats/ 2008Jan/0250.html AB: propose we record agreement on 2, 7, 8, 11 <sicking> contains feedback to 5 <Hixie> could i ask a quick process question? what happens if we can't get consensus on these requirements? <tlr> I *think* number 5 means "mechanism MUST apply to any media type". If that's the case, that's great, but I'd like the text to read that way AB: any objections to that proposal? [No objections] RESOLUTION: requirements 2, 7, 8, 11 have agreement AB: then we keep trying to get consensus Requirement #1 <anne> "then we keep trying to get consensus" was a reply from Art to Hixie's question <Hixie> so i could block progress indefinitely by simply never allowing consensus to form? TR: I'm looking at a Jan 22 version AvK: I don't want to revise requirements text; I don't want to do this ... now but via e-mail AB: I don't think we are getting closure via e-mail TR: re 1.1., authentication isn't the issue but Authorization is <tlr> Some servers authorize any requests that can reach the server. TR: also have a problem with the last paragraph in 1.1 but I can take that to e-mail <tlr> "Although anyone..." includes somewhat inaccurate diagnosis of current state; happy to take that to e-mail <scribe> ACTION: Thomas submit an input for requirement 1.1 [recorded in [18]http://www.w3.org/2008/01/30-waf-minutes.html#action01] <trackbot-ng> Created ACTION-158 - Submit an input for requirement 1.1 [on Thomas Roessler - due 2008-02-06]. <tlr> "Should not be possible to issue..." -- motivate with UPNP TR: I can supply an input for 1.2 <Hixie> due feb 6th? <Hixie> that's a week from now! <scribe> ACTION: Thomas submit an input for requirement 1.2 [recorded in [19]http://www.w3.org/2008/01/30-waf-minutes.html#action02] <trackbot-ng> Created ACTION-159 - Submit an input for requirement 1.2 [on Thomas Roessler - due 2008-02-06]. DO: re 1.2, I thought the Atom people had objected to that requirement <tlr> DO: atom folks objected against that one? <tlr> hixie, that's the default due date <tlr> this one needs to say "should not be possible to issue unauthorized cross-site POST"... JS: I think we need to qualify 1.2 [missed JS' explicit proposal to append a qualification to 1.2] <Hixie> wait now we're arguing about the precise _wording_ of these requirements?! <Hixie> good lord <anne> What was minuted above about me is not true. I said that I don't want to be the author of the requirements. I'm fine with editing. I also objected to discussing the requirement text and discussing comments on requirements already posted to the mailing list. <Hixie> i also object to discussing the requirements at this point <Hixie> it's months past the time to discuss requirements <dorchard> It should not be possible to cross site non-safe operations priort to an authorization check performed. <Hixie> all we're doing is delaying the specs that depend on this <anne> I'd also like to point out that I can't actually edit the document while being on the call and that all detailed sugestions have not at all been minuted! It would be much better if people actually e-mail the list. <anne> So all tlr's comments are lost. AB: we can delete 1.2; we could assign someone to "champion it" <dorchard> Proposal: It should not be possible to perform cross-site non-safe (in HTTP, POST/PUT/DELETE) operations prior to an authorization check being performed DO: I made a proposal osal #2 <anne> (I'm not trying to attack the minutetaker fwiw, just saying that this doesn't really work.) DO: I made proposal #2 <tlr> tlr: let's go with DO's rpoposal, modulo minor wordsmithing on list TR: I can live with David's #2 proposal modulo some word smitthing <tlr> close ACTION-159 <trackbot-ng> ACTION-159 Submit an input for requirement 1.2 closed JS: I'm OK with David's #2 proposal <Hixie> i do not agree with that proposal <Hixie> because i do not believe we should be discussing this in the first place Hixie, if you want to participate in this meeting please join the voice conference <Hixie> i do not have access to a phone here <Hixie> (literally the closest phone to here is about 35 minutes away) AB: can you make the sub-bullet's numbered? AvK: if you send me an e-mail requesting so <scribe> ACTION: barstow submit a request to get the subbullets numbered [recorded in [20]http://www.w3.org/2008/01/30-waf-minutes.html#action03] <trackbot-ng> Created ACTION-160 - Submit a request to get the subbullets numbered [on Arthur Barstow - due 2008-02-06]. Requirement 3 TR: I think there are typical configs that require root privs ... should be worded in a positive way rather than negative ... We need to know the capabilities that are needed for the policy deployer ... As worded, it doesn't help us at all. ... Also wonder if this is for XML only content or other content too <sicking> sorry on, phone AB: Jonas, any comments I think you are the author JS: I can come up with a proposal; hope we don't get a bunch of additional feedback DO: yes, "typical" here is too open <scribe> ACTION: Jonas submit a proposal for req #3 [recorded in [21]http://www.w3.org/2008/01/30-waf-minutes.html#action04] <trackbot-ng> Created ACTION-161 - Submit a proposal for req #3 [on Jonas Sicking - due 2008-02-06]. <tlr> same applies to 4 Requirement #4 AvK: I made a mistake in my response to TR and I will follow-up on e-mail TR: this also talks about "typical" ... prefer to have it worded in a positive way rather than a list of negative things DO: I tend to agree with TR <tlr> avk: I agree that req 4 is about XML stuff, won't propose new text AB: is anyone willing to champion this requirement? ... we could delete it JS: we could change "typical" to Apache TR: not clear what the real req is DO: agree this req is not clear AvK: why do we need to be so precise? DO: we will continue to have ambiguity if the reqs aren't clear <tlr> as phrased, I think it means "to be able to authorize cross-origin access to the content of an XML file that's served, it should be sufficient to be able to write to that XML file" <tlr> If that's not what it means, I'd like to understand *what* it means. JS: I can propose a rewording I think will be helpful <dorchard> right, tlr, I think that's close.. <sicking> Must able to deploy support for cross-site GET requests without having to use server-side scripting (such as PHP, ASP, or CGI) on IIS and Apache. JS: no, that's not quite right Thomas TR: we need an e-mail discussion on this ... again, think the negative list is a good way to write the requirement AvK: but that would lead to specifying a solution JS: I don't want to force people to have to write programs to use this stuff <dorchard> So, Thomas, you want something like: Must able to deploy support for cross-site GET requests by modifying the content of the resource or HTTP Headers. <tlr> dorchard, right <tlr> maybe the right answer also involves something about these things possibly being static. <scribe> ACTION: Jonas start an e-mail thread about req #4 [recorded in [22]http://www.w3.org/2008/01/30-waf-minutes.html#action05] <trackbot-ng> Created ACTION-162 - Start an e-mail thread about req #4 [on Jonas Sicking - due 2008-02-06]. Requirement #6 <tlr> I'm just very worried about "shouldn't need to program", as I might need to program in certain deployments. <dorchard> I have to drop off for about 5 minutes before lunch disappears. TR: needs clarification of wording ... "on a per-resource basis" can be mis-leading <tlr> "It should be possible to configure distinct cross-site authorization policies for different target resources that reside within the same origin" <tlr> sth like that AB: Jonas, are you OK with that? JS: yes AvK: probably AB: OK ... propose we go with TR's rewording ... any objections? RESOLUTION: Anne will change the wording as Thomas proposed Requirement #9 TR: I'm uneasy talking about the adminstrator ... should be able to override auth without changing an entity in an HTTP response JS: not exactly ... there are many solutions to satisfy this ... the PI requires a deny clause TR: don't want to change the entity body of the HTTP response AB: the first sentence seems like the only "normative" part JS: second sentence is normative too <tlr> Entity Body is the right one <sicking> i'd be ok with "Must not require that the server filters the entity body of the resource in order to deny cross-site access to all resources on the server" <sicking> or change "filters" to "modify" AB: what do you think of that proposal? TR: OK DO: looks OK but need to think about it more ... e.g. need to factor in the OPTIONs and non-GET discusssions AB: propose we accept JS's new wording with the 2 substitutions ... any objections? DO: don't agree to a formal resolution JS: would like a one week on the review on any reqs that have been changed DO: I agree JS: need to get actions done ASAP AB: agree! <scribe> ACTION: Anne add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [recorded in [23]http://www.w3.org/2008/01/30-waf-minutes.html#action06] <trackbot-ng> Created ACTION-163 - Add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [on Anne van Kesteren - due 2008-02-06]. Requirement #10 <anne> why didn't we discuss open issues? <anne> they were also on the agenda TR: I think we're pretty close on this <DaveO> Anne, I don't think we are done agenda item #3: Requirements <anne> ArtB? <scribe> ACTION: Thomas submit a proposed edit for Req #10 [recorded in [24]http://www.w3.org/2008/01/30-waf-minutes.html#action07] <trackbot-ng> Created ACTION-164 - Submit a proposed edit for Req #10 [on Thomas Roessler - due 2008-02-06]. Requirement #12 TR: issue with requests coming from other servers ... also issue with IIS ... think we need to say less actually JS: agree but informative example could be useful <tlr> req 12: Should be compatible with commonly used HTTP authentication and session management mechanisms <tlr> (i.e., HTTP authentication and cookies) <scribe> ACTION: Jonas submit a new proposal for req #12 reflecting Thomas' proposal [recorded in [25]http://www.w3.org/2008/01/30-waf-minutes.html#action08] <trackbot-ng> Created ACTION-165 - Submit a new proposal for req #12 reflecting Thomas' proposal [on Jonas Sicking - due 2008-02-06]. <sicking> I.e. on an IIS server where authentication and session management is generally done by the server before ASP pages execute this should be doable also for requests coming from cross-site requests. Same thing applies to PHP on Apache. Requirement #13 TR: this needs more review ... it is totally different than it was one week ago AOB AB: call next week TR: I cannot attend next week <DaveO> I can make next week AB: meet anyhow? DO: what about Hixie? AB: let's plan to have a call next week TR: make sure Mike can be on the call AB: good point <scribe> ACTION: barstow make sure Mike Smith can attend next week's call [recorded in [26]http://www.w3.org/2008/01/30-waf-minutes.html#action09] <trackbot-ng> Created ACTION-166 - Make sure Mike Smith can attend next week's call [on Arthur Barstow - due 2008-02-06]. <Hixie> DaveO: my opinion is that these telecons are a waste of time. AB: meeting adjourned Summary of Action Items [NEW] ACTION: Anne add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [recorded in [27]http://www.w3.org/2008/01/30-waf-minutes.html#action06] [NEW] ACTION: barstow make sure Mike Smith can attend next week's call [recorded in [28]http://www.w3.org/2008/01/30-waf-minutes.html#action09] [NEW] ACTION: barstow submit a request to get the subbullets numbered [recorded in [29]http://www.w3.org/2008/01/30-waf-minutes.html#action03] [NEW] ACTION: Jonas start an e-mail thread about req #4 [recorded in [30]http://www.w3.org/2008/01/30-waf-minutes.html#action05] [NEW] ACTION: Jonas submit a new proposal for req #12 reflecting Thomas' proposal [recorded in [31]http://www.w3.org/2008/01/30-waf-minutes.html#action08] [NEW] ACTION: Jonas submit a proposal for req #3 [recorded in [32]http://www.w3.org/2008/01/30-waf-minutes.html#action04] [NEW] ACTION: Thomas submit a proposed edit for Req #10 [recorded in [33]http://www.w3.org/2008/01/30-waf-minutes.html#action07] [NEW] ACTION: Thomas submit an input for requirement 1.1 [recorded in [34]http://www.w3.org/2008/01/30-waf-minutes.html#action01] [NEW] ACTION: Thomas submit an input for requirement 1.2 [recorded in [35]http://www.w3.org/2008/01/30-waf-minutes.html#action02] [End of minutes]
Received on Wednesday, 30 January 2008 21:41:15 UTC