Minutes from 30 January 2008 Voice Conference on Access Control

All - The minutes from the WAF WG's 30 January VoiceConf on Access  
Control are available at the following and copied below:

    <http://www.w3.org/2008/01/30-waf-minutes.html>

WG Members - if you have any comments, corrections, etc., please send  
them to the public-appformats mail list before February 6; otherwise  
the minutes will be considered approved.

Regards, Art Barstow
---

    [1]W3C

       [1] http://www.w3.org/

                                - DRAFT -

          Web Application Formats Working Group Teleconference
                               30 Jan 2008

    [2]Agenda

       [2] http://lists.w3.org/Archives/Public/public-appformats/ 
2008Jan/0305.html

    See also: [3]IRC log

       [3] http://www.w3.org/2008/01/30-waf-irc

Attendees

    Present
           Art, Anne, Dave, Thomas, Jonas, Hixie_(IRC)

    Regrets
    Chair
           Art

    Scribe
           Art

Contents

      * [4]Topics
          1. [5]Review Agenda
          2. [6]Requirements and UCs
          3. [7]Requirement #1
          4. [8]Requirement 3
          5. [9]Requirement #4
          6. [10]Requirement #6
          7. [11]Requirement #9
          8. [12]Requirement #10
          9. [13]Requirement #12
         10. [14]Requirement #13
         11. [15]AOB
      * [16]Summary of Action Items
      _________________________________________________________



    <trackbot-ng> Date: 30 January 2008

    <scribe> Scribe: Art

    <scribe> ScribeNick: ArtB

Review Agenda

    AB: reserve 5 mins for AOB

Requirements and UCs

    <tlr> argh

    <tlr> sorry

    AB: no comments on 2, 5, 7, 8, 11
    ... comments on 1, 3, 4, 6, 9, 10, 12
    ... not sure about #13

    JS: I made comments on #13

    AvK: I've addressed those comments

    AB: propose we record agreement on 2, 5, 7, 8, 11 and 13
    ... OK?

    DO: not sure everyone has reviewed them

    AB: we've had two weeks now and in this agenda and the last I asked
    people to submit comments in advance of the meeting

    JS: I didn't receive many replies, mostly from Art

    <dorchard> DO: I'm worried that people have reviewed some of the
    requirements and their conversations are focused on those, not on
    all.

    AB: propose we recored agreement on 2, 5, 7, 8, 11 and 13

    <dorchard> DO: so the concern is that the absence of discussion
    isn't consensus.

    AB: any objections?

    TR: I want to remove #13 since it has been changed

    DO: wonder about #5; think it was bundled in other conversations

    JS: Jon may have had a counter-proposal for #5

    DO: I don't object to the others but not #5

    TR: I have some concenrs about #5 too but mostly editorial

    <sicking>
    [17]http://lists.w3.org/Archives/Public/public-appformats/2008Jan/02
    50.html

      [17] http://lists.w3.org/Archives/Public/public-appformats/ 
2008Jan/0250.html

    AB: propose we record agreement on 2, 7, 8, 11

    <sicking> contains feedback to 5

    <Hixie> could i ask a quick process question? what happens if we
    can't get consensus on these requirements?

    <tlr> I *think* number 5 means "mechanism MUST apply to any media
    type". If that's the case, that's great, but I'd like the text to
    read that way

    AB: any objections to that proposal?

    [No objections]

    RESOLUTION: requirements 2, 7, 8, 11 have agreement

    AB: then we keep trying to get consensus

Requirement #1

    <anne> "then we keep trying to get consensus" was a reply from Art
    to Hixie's question

    <Hixie> so i could block progress indefinitely by simply never
    allowing consensus to form?

    TR: I'm looking at a Jan 22 version

    AvK: I don't want to revise requirements text; I don't want to do
    this
    ... now but via e-mail

    AB: I don't think we are getting closure via e-mail

    TR: re 1.1., authentication isn't the issue but Authorization is

    <tlr> Some servers authorize any requests that can reach the server.

    TR: also have a problem with the last paragraph in 1.1 but I can
    take that to e-mail

    <tlr> "Although anyone..." includes somewhat inaccurate diagnosis of
    current state; happy to take that to e-mail

    <scribe> ACTION: Thomas submit an input for requirement 1.1
    [recorded in
    [18]http://www.w3.org/2008/01/30-waf-minutes.html#action01]

    <trackbot-ng> Created ACTION-158 - Submit an input for requirement
    1.1 [on Thomas Roessler - due 2008-02-06].

    <tlr> "Should not be possible to issue..." -- motivate with UPNP

    TR: I can supply an input for 1.2

    <Hixie> due feb 6th?

    <Hixie> that's a week from now!

    <scribe> ACTION: Thomas submit an input for requirement 1.2
    [recorded in
    [19]http://www.w3.org/2008/01/30-waf-minutes.html#action02]

    <trackbot-ng> Created ACTION-159 - Submit an input for requirement
    1.2 [on Thomas Roessler - due 2008-02-06].

    DO: re 1.2, I thought the Atom people had objected to that
    requirement

    <tlr> DO: atom folks objected against that one?

    <tlr> hixie, that's the default due date

    <tlr> this one needs to say "should not be possible to issue
    unauthorized cross-site POST"...

    JS: I think we need to qualify 1.2

    [missed JS' explicit proposal to append a qualification to 1.2]

    <Hixie> wait now we're arguing about the precise _wording_ of these
    requirements?!

    <Hixie> good lord

    <anne> What was minuted above about me is not true. I said that I
    don't want to be the author of the requirements. I'm fine with
    editing. I also objected to discussing the requirement text and
    discussing comments on requirements already posted to the mailing
    list.

    <Hixie> i also object to discussing the requirements at this point

    <Hixie> it's months past the time to discuss requirements

    <dorchard> It should not be possible to cross site non-safe
    operations priort to an authorization check performed.

    <Hixie> all we're doing is delaying the specs that depend on this

    <anne> I'd also like to point out that I can't actually edit the
    document while being on the call and that all detailed sugestions
    have not at all been minuted! It would be much better if people
    actually e-mail the list.

    <anne> So all tlr's comments are lost.

    AB: we can delete 1.2; we could assign someone to "champion it"

    <dorchard> Proposal: It should not be possible to perform cross-site
    non-safe (in HTTP, POST/PUT/DELETE) operations prior to an
    authorization check being performed

    DO: I made a proposal

    osal #2

    <anne> (I'm not trying to attack the minutetaker fwiw, just saying
    that this doesn't really work.)

    DO: I made proposal #2

    <tlr> tlr: let's go with DO's rpoposal, modulo minor wordsmithing on
    list

    TR: I can live with David's #2 proposal modulo some word smitthing

    <tlr> close ACTION-159

    <trackbot-ng> ACTION-159 Submit an input for requirement 1.2 closed

    JS: I'm OK with David's #2 proposal

    <Hixie> i do not agree with that proposal

    <Hixie> because i do not believe we should be discussing this in the
    first place

    Hixie, if you want to participate in this meeting please join the
    voice conference

    <Hixie> i do not have access to a phone here

    <Hixie> (literally the closest phone to here is about 35 minutes
    away)

    AB: can you make the sub-bullet's numbered?

    AvK: if you send me an e-mail requesting so

    <scribe> ACTION: barstow submit a request to get the subbullets
    numbered [recorded in
    [20]http://www.w3.org/2008/01/30-waf-minutes.html#action03]

    <trackbot-ng> Created ACTION-160 - Submit a request to get the
    subbullets numbered [on Arthur Barstow - due 2008-02-06].

Requirement 3

    TR: I think there are typical configs that require root privs
    ... should be worded in a positive way rather than negative
    ... We need to know the capabilities that are needed for the policy
    deployer
    ... As worded, it doesn't help us at all.
    ... Also wonder if this is for XML only content or other content too

    <sicking> sorry on, phone

    AB: Jonas, any comments I think you are the author

    JS: I can come up with a proposal; hope we don't get a bunch of
    additional feedback

    DO: yes, "typical" here is too open

    <scribe> ACTION: Jonas submit a proposal for req #3 [recorded in
    [21]http://www.w3.org/2008/01/30-waf-minutes.html#action04]

    <trackbot-ng> Created ACTION-161 - Submit a proposal for req #3 [on
    Jonas Sicking - due 2008-02-06].

    <tlr> same applies to 4

Requirement #4

    AvK: I made a mistake in my response to TR and I will follow-up on
    e-mail

    TR: this also talks about "typical"
    ... prefer to have it worded in a positive way rather than a list of
    negative things

    DO: I tend to agree with TR

    <tlr> avk: I agree that req 4 is about XML stuff, won't propose new
    text

    AB: is anyone willing to champion this requirement?
    ... we could delete it

    JS: we could change "typical" to Apache

    TR: not clear what the real req is

    DO: agree this req is not clear

    AvK: why do we need to be so precise?

    DO: we will continue to have ambiguity if the reqs aren't clear

    <tlr> as phrased, I think it means "to be able to authorize
    cross-origin access to the content of an XML file that's served, it
    should be sufficient to be able to write to that XML file"

    <tlr> If that's not what it means, I'd like to understand *what* it
    means.

    JS: I can propose a rewording I think will be helpful

    <dorchard> right, tlr, I think that's close..

    <sicking> Must able to deploy support for cross-site GET requests
    without having to use server-side scripting (such as PHP, ASP, or
    CGI) on IIS and Apache.

    JS: no, that's not quite right Thomas

    TR: we need an e-mail discussion on this
    ... again, think the negative list is a good way to write the
    requirement

    AvK: but that would lead to specifying a solution

    JS: I don't want to force people to have to write programs to use
    this stuff

    <dorchard> So, Thomas, you want something like: Must able to deploy
    support for cross-site GET requests by modifying the content of the
    resource or HTTP Headers.

    <tlr> dorchard, right

    <tlr> maybe the right answer also involves something about these
    things possibly being static.

    <scribe> ACTION: Jonas start an e-mail thread about req #4 [recorded
    in [22]http://www.w3.org/2008/01/30-waf-minutes.html#action05]

    <trackbot-ng> Created ACTION-162 - Start an e-mail thread about req
    #4 [on Jonas Sicking - due 2008-02-06].

Requirement #6

    <tlr> I'm just very worried about "shouldn't need to program", as I
    might need to program in certain deployments.

    <dorchard> I have to drop off for about 5 minutes before lunch
    disappears.

    TR: needs clarification of wording
    ... "on a per-resource basis" can be mis-leading

    <tlr> "It should be possible to configure distinct cross-site
    authorization policies for different target resources that reside
    within the same origin"

    <tlr> sth like that

    AB: Jonas, are you OK with that?

    JS: yes

    AvK: probably

    AB: OK
    ... propose we go with TR's rewording
    ... any objections?

    RESOLUTION: Anne will change the wording as Thomas proposed

Requirement #9

    TR: I'm uneasy talking about the adminstrator
    ... should be able to override auth without changing an entity in an
    HTTP response

    JS: not exactly
    ... there are many solutions to satisfy this
    ... the PI requires a deny clause

    TR: don't want to change the entity body of the HTTP response

    AB: the first sentence seems like the only "normative" part

    JS: second sentence is normative too

    <tlr> Entity Body is the right one

    <sicking> i'd be ok with "Must not require that the server filters
    the entity body of the resource in order to deny cross-site access
    to all resources on the server"

    <sicking> or change "filters" to "modify"

    AB: what do you think of that proposal?

    TR: OK

    DO: looks OK but need to think about it more
    ... e.g. need to factor in the OPTIONs and non-GET discusssions

    AB: propose we accept JS's new wording with the 2 substitutions
    ... any objections?

    DO: don't agree to a formal resolution

    JS: would like a one week on the review on any reqs that have been
    changed

    DO: I agree

    JS: need to get actions done ASAP

    AB: agree!

    <scribe> ACTION: Anne add Jonas proposed change for Req #9 and add
    in the 2 substituions he proposed [recorded in
    [23]http://www.w3.org/2008/01/30-waf-minutes.html#action06]

    <trackbot-ng> Created ACTION-163 - Add Jonas proposed change for Req
    #9 and add in the 2 substituions he proposed [on Anne van Kesteren -
    due 2008-02-06].

Requirement #10

    <anne> why didn't we discuss open issues?

    <anne> they were also on the agenda

    TR: I think we're pretty close on this

    <DaveO> Anne, I don't think we are done agenda item #3: Requirements

    <anne> ArtB?

    <scribe> ACTION: Thomas submit a proposed edit for Req #10 [recorded
    in [24]http://www.w3.org/2008/01/30-waf-minutes.html#action07]

    <trackbot-ng> Created ACTION-164 - Submit a proposed edit for Req
    #10 [on Thomas Roessler - due 2008-02-06].

Requirement #12

    TR: issue with requests coming from other servers
    ... also issue with IIS
    ... think we need to say less actually

    JS: agree but informative example could be useful

    <tlr> req 12: Should be compatible with commonly used HTTP
    authentication and session management mechanisms

    <tlr> (i.e., HTTP authentication and cookies)

    <scribe> ACTION: Jonas submit a new proposal for req #12 reflecting
    Thomas' proposal [recorded in
    [25]http://www.w3.org/2008/01/30-waf-minutes.html#action08]

    <trackbot-ng> Created ACTION-165 - Submit a new proposal for req #12
    reflecting Thomas' proposal [on Jonas Sicking - due 2008-02-06].

    <sicking> I.e. on an IIS server where authentication and session
    management is generally done by the server before ASP pages execute
    this should be doable also for requests coming from cross-site
    requests. Same thing applies to PHP on Apache.

Requirement #13

    TR: this needs more review
    ... it is totally different than it was one week ago

AOB

    AB: call next week

    TR: I cannot attend next week

    <DaveO> I can make next week

    AB: meet anyhow?

    DO: what about Hixie?

    AB: let's plan to have a call next week

    TR: make sure Mike can be on the call

    AB: good point

    <scribe> ACTION: barstow make sure Mike Smith can attend next week's
    call [recorded in
    [26]http://www.w3.org/2008/01/30-waf-minutes.html#action09]

    <trackbot-ng> Created ACTION-166 - Make sure Mike Smith can attend
    next week's call [on Arthur Barstow - due 2008-02-06].

    <Hixie> DaveO: my opinion is that these telecons are a waste of
    time.

    AB: meeting adjourned

Summary of Action Items

    [NEW] ACTION: Anne add Jonas proposed change for Req #9 and add in
    the 2 substituions he proposed [recorded in
    [27]http://www.w3.org/2008/01/30-waf-minutes.html#action06]
    [NEW] ACTION: barstow make sure Mike Smith can attend next week's
    call [recorded in
    [28]http://www.w3.org/2008/01/30-waf-minutes.html#action09]
    [NEW] ACTION: barstow submit a request to get the subbullets
    numbered [recorded in
    [29]http://www.w3.org/2008/01/30-waf-minutes.html#action03]
    [NEW] ACTION: Jonas start an e-mail thread about req #4 [recorded in
    [30]http://www.w3.org/2008/01/30-waf-minutes.html#action05]
    [NEW] ACTION: Jonas submit a new proposal for req #12 reflecting
    Thomas' proposal [recorded in
    [31]http://www.w3.org/2008/01/30-waf-minutes.html#action08]
    [NEW] ACTION: Jonas submit a proposal for req #3 [recorded in
    [32]http://www.w3.org/2008/01/30-waf-minutes.html#action04]
    [NEW] ACTION: Thomas submit a proposed edit for Req #10 [recorded in
    [33]http://www.w3.org/2008/01/30-waf-minutes.html#action07]
    [NEW] ACTION: Thomas submit an input for requirement 1.1 [recorded
    in [34]http://www.w3.org/2008/01/30-waf-minutes.html#action01]
    [NEW] ACTION: Thomas submit an input for requirement 1.2 [recorded
    in [35]http://www.w3.org/2008/01/30-waf-minutes.html#action02]

    [End of minutes]

Received on Wednesday, 30 January 2008 21:41:15 UTC