W3C home > Mailing lists > Public > public-ietf-w3c@w3.org > January 2009

minutes W3C/IETF liaison teleconference 10 Jun 2008

From: Dan Connolly <connolly@w3.org>
Date: Mon, 05 Jan 2009 10:53:20 -0600
To: public-ietf-w3c <public-ietf-w3c@w3.org>
Message-Id: <1231174400.2513.2287.camel@pav.lan>

apologies for the delay...

IETF teleconference
                               10 Jun 2008

    See also: http://www.w3.org/2008/06/10-ietf-irc


           Plh, Mark Nottingham, Tim BL, Thomas, Dan C, Lisa_Dusseault

           Jon Klensin



      * Topics
          1. Agenda bashing
          2. XHR
          3. Media Fragments
          4. XML Sig
          5. XML Security WG
          6. OpenID + OAuth
          7. next call
      * Summary of Action Items

Agenda bashing

    XHR Object LC

    Media Fragments

    XML Sig

    XML Security WG

    anything else?

    Tim: anything in the IETF about OpenID?


    Mark: the HTTP looked into it in the past
    ... not sure if anyone looked at it recently
    ... looked at it 4 or 5 months
    ... kind of confusing as well since they're working on new stuff as
    ... has the WG closed the LC?

    Philippe: dunno

    Dan: as long as they don't reach the next steps, you might be fine

    Mark: the document is documenting current practices so can't do much

    Dan: it's not documenting current practices. tried an example and
    didn't work.

    Mark: I was aware that they were places where they weren't able to
    document current practices

    Dan: Hello World example doesn't work

    Mark: I'll talk to Yves.

    Thomas: web applications WG has been officially chartered yesterday
    ... Web application formats and webapps. new mailing list!
    ... new group, chaired by Art Barstow and Charles

    <tlr> public-webapps, member-webapps

    Mark: is the public list like the HTML public list? ie you have to
    be a member of the group?

    Thomas: dunno, check with Doug or Mike

    Mark: so XHR work is now taken place there?

    Thomas: yes

Media Fragments


    <DanC> (mnot, re
    ]http://lists.w3.org/Archives/Public/public-webapps/ , MikeSmith
    says "I believe that anybody can subscribe to that list" )

    Philippe: introduces the topic

    Mark: when will the Group start?

    Philippe: mid-July in the best case
    ... any special IETF group to be listed?

    Lisa: for media, RAI Groups are doing more in this area nowadays.
    Maybe MMusic. Drop to John Peterson?

    <scribe> ACTION: Mark to contact the RAI Groups about the Media
    Fragment charter


    Thomas: XML Security Maintenance Group has been working on a second
    edition of XML Signature, to include c14n 1.1 as mandatory
    ... Proposed Recommendation was successful and will be published as
    a REC today.
    ... include c14n 1.1, most of known errata
    ... some edge cases in tests
    ... tests included 5 implementations
    ... originally planned to have IETF LC at the same time as the PR,
    but did not happen
    ... will need an update of the RFC (?)
    ... RFC 3275

    <tlr> ... Don Eastlake will submit internet-draft soon-ish ...

    <tlr> ... expect Tim Polk to be sponsoring AD ....

    Thomas: Don will have a draft ready soonish, before next week

XML Security WG

    Thomas: we have chartered a new WG to re open Signature and
    Encryption. Aim to look into the pain points identified during
    workshop. streaming, performance, etc.
    ... expectation is the Group won't make breaking changes unless
    absolutely necessary
    ... charter is for 2 years
    ... will start at requirements, gathered at the workshop
    ... group will have initial f2f in July in Barcelona
    ... the security area should know about it

    Mark: how about apps folks as well?

    Thomas: could do it as well

OpenID + OAuth

    Tim: OpenID looked like a nifty solution for sign-on issues but
    instead of using HTTP URIs, it's using XRI URIs.
    ... the TAG has been very critical of XRIs, because they end up
    recreating functionalities of HTTP
    ... you have to duplicate the protocol
    ... and duplicate social aspects (naming space)
    ... XRIs don't use URI syntax natively, but could be converted.
    ... so we have fragmentation
    ... TAG suggested that it should not become OASIS standard
    ... as we know it's important to have liaison between orgs
    ... so, OpenID calls out XRIs
    ... when we tried to implement, there is a lot of round trips
    ... lots of HTTP connections for reason like it's too painful to
    distribute public keys or because of legacy
    ... could save some round trips with a better code base
    ... so what's the story of IETF and OpenID?

    Lisa: Dirk ? brought the OpenID BOF at the IETF
    ... told OpenID improved security but since it's using redirects for
    ... so platform for fishing
    ... I went around saying it's a platform to make fishers happy
    ... if you can get pass the requirement of running on existing
    browsers, you can do things that are a lot more security
    ... there are issues with redirect, ie you could be redirected to
    somewhere unknown instead of your entity

    Tim: yes, unless you have client that can check the sig

    Lisa: relaxing the backward compatibility was primordial
    ... so didn't find a crowd in IETF

    <DanC> (the verisign openid seatbelt extension intercepts the
    redirect... but again, that's not the "no changes to browsers"

    Tim: we have old timers at W3C and IETF in those fields, so we're
    not as friendly to them as we used to be

    Lisa: without the OpenID coming to IETF, I'm not sure we have
    critical mass
    ... we could document it
    ... but can't be published as an RFc until we have a better system
    to replace it
    ... it's a people mngt thing
    ... not enough consensus around anyone approach. some folks still
    want kerberos

    Thomas: several competitors

    Tim: OpenID.org, isn't there consensus there?

    Thomas: there is a community that thinks that OpenID is a really
    good idea but don't know if that extend outside this community
    ... liberty is not part of it
    ... kerberos coomunity either
    ... something around delegation would be worth doing but lots of
    existing investments and no consensus to move forward

    Tim: OpenID is the new kid on the block

    Philippe: several companies, like Yahoo!, deployed an OpenID entity
    but still not accepting OpenID from outside

    Thomas: don't think that OpenID solves single sign-on
    ... and in lots of cases, it's authorizing something specific
    ... OAuth addresses that
    ... I don't need to prove who I am to authorize a web site to access
    some data
    ... so solving a different problem but it's more relevant for

    Tim: two different models: give access to web sites or do the
    processing on your computer.

    Thomas: that last part is being addressed by WebApps (AccessControl)

    Tim: thanks for the update

    Mark: wearing my HTTP hat, I have issues with Oauth
    ... Yahoo! just hired the author of oauth, trying to engage in IETF
    ... I'll publish something at some point
    ... they define an HTTP authentification scheme without any
    ... so interop issues

    Thomas: so it's about being underspecified?

    Mark: yes
    ... it's going to be defined by the implementations, whoever comes

    Lisa: read Oauth a while ago, enough to conclude that it wasn't
    ready. but don't remember details

    Mark: yes, needs a lot of work

    Lisa: I'm not against a new HTTP auth mechanism
    ... some people would disagree
    ... would rather build it on top of HTTP

    Tim: issues with building it on top of HTTP, especially with
    redirects. No standard way to engage an auth dialog with the browser

    <tlr> 402 Payment Required ;-)

    Dan: how about 4xx?

    Tim: you want poop-ups, different colors, etc, creating a little
    sandbox environment
    ... the calendar could delegate that to the browser
    ... but folks want to work with existing browsers

    Lisa: if the application is not in the browser, it may be
    inappropriate to go an HTML page.

    Tim: yes, would need to connect it through the browser, taking care
    of offline/online mode, etc.

    Lisa: at the P2p workshop, topic came up about network conditions.
    might result in new work at IETF.
    ... bittorrent guys could certainly use more information about the
    ... they tried to be responsible, but no standard for it

    <DanC> New Status Code -- 2xx Greedy Hotel? Mark Nottingham 15 Mar

    Tim: yes, that would be useful indeed
    ... wifi should be made easier to use, as easy as dhcp
    ... including taken care of payment

    Lisa: will certainly push for something simple.

    Lisa: dhcp has a new option for HTTP URI
    ... we can talk about recommended information but can't force

    <DanC> (hmm... if it's XML or RDF, how do you sell the user a new
    boingo subscription?)

    Tim: obviously, if it's rdf, you can throw more data.

next call

    DanC will chair

    and take the ball

Summary of Action Items

    [NEW] ACTION: Mark to contact the RAI Groups about the Media
    Fragment charter

Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
Received on Monday, 5 January 2009 16:56:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:09:47 UTC