Steven Pemberton, CWI/W3C
Charlie Wiecha, IBM
Leigh Klotz, Xerox
John Boyer, IBM
Steven Pemberton: I have gotten OK for two invited experts and will do my part of the action now.
Steven Pemberton: This looks like the last week of holiday regrets.
Steven Pemberton: Please look at
it.
Leigh Klotz: I'm getting
exceptions.
Steven Pemberton: I'll look at it.
I'll try to get a Ubiquity version as well, as I've been talking to
Mark.
John Boyer: We'd like to get the
stable version up soon. There's a lot of work going on. For IE
it uses HTC files for behaviors, but there's a way to do it without
those files, and that eliminates XSS issues.
Steven Pemberton: Please let me know.
We do have to have models in the body, right?
John Boyer: We're doing DOM walking
instead of HTC, so possibly that limitation can be removed.
Steven Pemberton: I thought it had
something to do with Firefox.
John Boyer: It has to do with when
certain things can happen.
Steven Pemberton: So please skim
through the tutorial.
Leigh Klotz: Our new experts would be
good to review this as they've been involved in advocacy.
Leigh Klotz: We might want to consider some sort of liaison with XQuery and possibly either an XQuery action as we have planned for XSLT, or an expression version (as Nick van den Bleeken proposed) for using XQuery. I think Nick, Erik Bruchez, Dan McCreary, and Alain would be interested in watching this space.
John Boyer: Do we have any?
Leigh Klotz: I think there was a Dutch
company.
Steven Pemberton: Let me look...it was
sent to www-forms. http://www.seneca.nl. I'll add that.
"SmartSite iXperion".
John Boyer: I started this and did
two other action items.
Steven Pemberton: Should our actual
errata document point to this?
John Boyer: The spec itself points to
a specific location. We can snapshot this.
John Boyer: In the final rec pub
process, someone changed the link. They only changed it in the
link, not the diff-marked version (which has no diffs), so the
diff-marked version pointed to one and the formal rec pointed to
another. It looked like "help" but Ian fixed it immediately. I
provide previous version links in errata documents and the
previous-link trail takes us to the now empty one. We decided we
would use the wiki to collect errata.
John Boyer: The second erratum is the
schema change for select and select1 elements to allow UI common
(help|hint|alert|action) to appear after item|itemset. I did not
change the schema yet.
Leigh Klotz: Right, because it's a
prose change as well.
John Boyer: Actually, because I
forgot. The schema we can change right now.
John Boyer: I've done three. It's
been a couple of months since the list has been updated. Was Nick
supposed to be back today?
Steven Pemberton: Next week.
John Boyer: Maybe next week. I know
there are errata and other action items.
John Boyer: There are people who
say that your web services work in XForms is good, but what about
secure services? I think they mean digital signature on the SOAP
envelope. I don't have a lot of experience with secure web
services, but that's my suspicion. I think it's just a piece of XML
in the SOAP envelope. I had kind of thought that secure web
services were secured with digital signatures that used HMAC, and
you were securing server-to-server communications, but they're
asking for end-user private keys. I'm not so sure that it makes a
lot of sense, and wonder if anyone else thinks it makes sense. What
I tell people to do now is to use XForms HTTP and HTTPS
submissions; we send SOAP envelope submissions over that call, and
if you want to use secure server-to-server communications, use a
proxy service that is access-controlled to the users and use XForms
submission to submit to that service; that service can then do
server-side secure service with digital signatures and using the
server-side HMAC password or server-side private key, and then
return the result to the client.
Steven Pemberton: So we don't have to
make the XForms mechanism more complicated because you can handle
it on the server.
John Boyer: Yes, but the downside is
that the server is authenticating on behalf of the user and has to
be trusted. That proxy service gets the userid from the servlet
application context that the end user has authenticated to in the
first place. I don't think there's anything weird about it. The
secure service trusts only certain servers (which have
the HMAC password or trusted public key). It should only trust
those that server should trust, and trust them to authenticate
users. That seems to work, but on the other hand, that does seem to
work. They want end-users to be trusted to use the service and end
up using the direct digital signatures of those end users. So far
we don't do this.
Steven Pemberton: It's a whole area
not properly addressed in the web as a whole. I often wonder why,
when we fill in our credit card number, that doesn't get encoded
with a public key of the bank so it's passed on to the bank.
John Boyer: Somehow users aren't
supposed to use anything but HTTPS.
Steven Pemberton: No, the vendor (the
shop) gets your credit card number.
John Boyer: So why can't they just
pass it on?
Steven Pemberton: The bank can check
it and the vendor call.
Leigh Klotz: I think they do the
absolute cheapest thing that works. In France they all have SIM
cards.
Steven Pemberton: I dream of a
mechanism where the form contains a field for you to contain secret
information that also contains the link to the public key so that,
on submission, it gets encrypted so that you, as the buyer (or
voter) can be sure that nobody knows.
John Boyer: That's not so much the
end-user authenticating, but the encryption.
Steven Pemberton: That's the nice
thing; it goes both ways.
John Boyer: That requires the vendor
to write the intermediate JavaScript.
Steven Pemberton: If XForms supports
it, that's not necessary.
John Boyer: You'd have to configure it
as a credit card, or a secure field, and here's where you get that
credential from.
Steven Pemberton: And that's the
dream.
Leigh Klotz: You can't trust a
downloaded implementation from the vendor.
John Boyer: And also the encryption
can't be done on submission; it has to be done before it hits the
instance.
Steven Pemberton: Right
Leigh Klotz: It's like the lexical
conversion.
John Boyer: Except it doesn't go
backward.
Steven Pemberton: Michael
Sperberg-McQueen is back at W3C and he's doing a workshop on
XForms.
Steven Pemberton: He has some
questions:
how do I supply an attribute value? (Easy: bind it to a widget)
Steven Pemberton: He's approaching
XForms as a generalized editor for XML.
Leigh Klotz: Like Sebastian.
John Boyer:
http://www.w3.org/TR/xforms11/#data-mutation-patterns-move-element
Steven Pemberton: Primitive actions
for manipulating an XML document.
John Boyer: The rename is a little
difficult without element creation. We can copy, but unless you can
make a new node and copy content...For rename, we need the new
"create" capability that Nick has been designing.
Steven Pemberton: It would be good to
keep the conversation going.
Charlie Wiecha: I was wondering about distributed extensibility. Did anything happen with HTML5? It will probably come up at TPAC again.
Leigh Klotz: We need to get into
it.
Steven Pemberton: I need to look at
modularization.
Charlie Wiecha: And I need to look at
the wiki syntax.
Leigh Klotz: John's provided a bit of
a start for you.
Charlie Wiecha: This is our first
example of pure-Dojo MVC with single-node binding. We got back some
good responses that they want to do MVC.
Steven Pemberton: It's sort of got a
model.
Charlie Wiecha: It definitely has a
model. The repeat template is temporarily in a comment. Binding
expressions aren't queries; we need a query language and dependency
graph, but that's understood as an interesting direction to
go.
Steven Pemberton: Very good.
Charlie Wiecha: We're trying to get
this onto the Dojo-2.0 agenda for 2011.