- From: Peter Saint-Andre <stpeter@stpeter.im>
- Date: Thu, 01 Mar 2012 21:06:47 -0700
- To: public-ietf-w3c@w3.org
Minutes of the W3C/IETF Coordination Call 2012-02-28

Participants:

Stephen Farrell (SF)
John Klensin (JCK)
Philippe Le Hegaret (PLH)
Mark Nottingham (MNOT)
Pete Resnick (PR)
Peter Saint-Andre (PSA)
Robert Sparks (RJS)
Thomas Roessler (TLR)

Agenda:

1. HTTP/2.0 / recharter of IETF HTTPBIS WG
2. Web authentication (see lively discussion triggered by #1)
3. Concerns about the "CA system"
4. IETF IRI WG / W3C i18n Core WG / URL processing spec
5. WebSocket extensions / HYBI WG recharter
6. Update on work in IETF WebSec WG and W3C WebAppSec WG
7. SIP provider identity - does it matter for WebRTC?
8. Crypto API chartering, Identity meetings in Paris
9. Paris IETF / IAB plenary
10. Next meeting
11. Any Other Business

Notes:

1. HTTP Recharter

MNOT: SPDY came out ~1 year ago, gained significant momentum in late 2011. Mark reached out to implementer community. Lots of interest and positive feedback. Mark worked on strawman charter and socialized it with Mike Belshe / SPDY folks, IETF ADs, W3C TAG, etc. Implementation is accelerating. Concern that input is needed sooner rather than later. Has been put before the IESG. Idea is to solicit proposals for HTTP/2.0 in the next few months. Open process to ensure that we're not just taking on SPDY, other approaches are welcome.

PSA: Any coordination issues with W3C/IETF here?

MNOT: Should make sure that HTML and HTTP/2.0 are well-coordinated.

PLH: Are there specific people we need to get involved or specific issues related to HTML5 and HTTP/2.0?

MNOT: No specific concerns here, probably involve Yves.

TLR: Concur about involving Yves.

2. Web Authentication

PSA: Lots of discussion over time, not clear that we have all the right people at the table yet.

SF: I think it's gotten better. Might be useful to develop some experimental approaches / new auth schemes.

TLR: Could you provide a summary of the discussion?
SF: During external review of the proposed recharter, I raised the issue of perhaps developing new / better HTTP authentication approaches. This gives people an opportunity to introduce proposals to work on that during the work on HTTP/2.0. If so, the work would happen in HTTPBIS; for non-adopted, interesting proposals, we might decide to form an initiative in the IETF Security Area to work on experimental proposals (so they are not critical path for HTTP/2.0.)

TLR: Are there any implementers strongly interested here?

SF: We won't know until we see concrete proposals.

3. CA Concerns

PSA: Could TLR/PLH fill us in?

TLR: No obvious venue for a productive conversation. Some ideas for the W3C to form an initiative, also discussions at IETF (therightkey mailing list). One additional piece: notion among some in the W3C community that the DNS is more brittle than others think it is.

PR: What parts do people think are brittle?

TLR: Concerns not as well-defined as I'd like them to be. But heads-up, that discussion is going on.

PR: My slightly snarky response to the CA problem is the existence of the DANE WG effort at the IETF. I personally feel like it could solve the problem.

SF: DANE can change/improve stuff, but might not fix it.

TLR: Personally I think we need to start thinking about / working on things like JavaScript APIs for some of this.

SF: One wrinkle is that there are more unreliable registrars than unreliable CAs.

JCK: If you look at it in terms of percentages, it's ugly all around.

TLR: DANE appears to perhaps limit the attack surface. Also, this is a much longer discussion.

TLR: Changing topics, the CA/Browser Forum is discussing whether to form a more open venue for work on this topic and is soliciting proposals: http://cabforum.org/index.html

SF: Is there concrete W3C planning here?

TLR: Not yet. Counter-question: is there concrete planning at the IETF?
SF: Not yet, other than therightkey@ietf.org discussion list, but the proposals there are not yet stable and need more work before they can be reviewed more widely. Perhaps a W3C community group?

TLR: Might be worth discussing the possibility of a workshop or, yes, a community group.

4. IRI

PSA: i18n Core WG has agreed to review the IRI WG documents starting around the time of IETF83.

JCK: ICANN IDN work important in this context. Note that, if ICANN declares that some sets of names are to be considered/treated as "equal", anything based on comparisons of URIs or IRIs moves from "hard and not necessarily reliable" into "surreal".

ACTION: PSA to pull together IRI / IDN folks for discussion around IETF 83, additional discussion later. Useful participants: folks on this call, Thomas Narten, Suzanne Woolf, Dave Thaler, Andrew Sullivan, Gervase Markham, Klensin, Faltstrom. Maybe Vint, maybe Steve Crocker.

TLR: Where do we stand on the HTML5 / IRI front?

PSA: See http://dvcs.w3.org/hg/url/raw-file/tip/Overview.html - based on conversation with Mike Smith the other day, it is a bit early to provide detailed feedback on that spec now.

5. WebSocket Extensions

PSA: HYBI WG has been rechartered, we might want to make sure that we continue coordination between HYBI WG and WebApps WG.

PLH: Main blocker now is tests, but progress is ongoing there.

6. WebSec / WebAppSec

PSA: New version of Strict Transport Security.

TLR: Discussion of clickjacking and Content Security Policy, trying to get CORS done, reasonable intensity of work. Reasonably confident that things are going well.

7. SIP Provider Identity and WebRTC

TLR: There was discussion about having an IANA registry for SIP providers. Do we have a sense of the use case?

RJS: I don't think you need to worry about it. The proponents for the SPID idea itself are continuing to pursue the idea, and I'll point you to the messages where they have been making their motivating arguments.
I have not seen any desire to bring this up in the WebRTC.

JCK: Please loop me in on this.

8. W3C Crypto API

TLR: WG is under review by Advisory Community, still working to find an additional co-chair. Expect approved charter in relatively near future. Other issue is relationship to OAuth, OpenID Connect, possibility for additional and broader work. Side meeting at IETF 83 in Paris.

SF: Scheduled on the Thursday lunch break (1130-1300) in room 252A, just before the OAuth WG session.

PSA: Stephen, do you see any coordination issues from the IETF side?

SF: Definitely interest in seeing crypto in the browsers. Existence of such an API could have an impact in the future on OAuth design etc.

TLR: Also note OpenID Connect meeting Sunday, overlapping with training sessions.

9. IETF 83 / IAB Plenary

TLR: Do we have insights into the agenda for the IAB Plenary? I've heard it's related to web security.

SF: We don't have details yet.

PSA: Who will be there?

TLR: Me part of the time, Philippe, Dominique for RTCWeb, Harry Halpin is local, Wendy Seltzer for a few days, Yves might be there too. I also expect a number of TAG members to be there since they are meeting in Europe the next week. Might be good to have a separate discussion about that with Yves and Larry.

ACTION: Thomas to check in with Yves on TAG activities at IETF.

10. Next Meeting

~4-5 weeks after IETF 83? Week of April 23rd or 16th might work. To coordinate on the list.

11. Any Other Business

PLH: Possibility of HTML meeting in May/June timeframe.

TLR: There's been some discussion about impact of application work such as WebRTC on lower layers of the network, best practices for network usage, etc. Is this a general topic that comes up on the IETF side of the discussion or should there be some coordination here? There is a community group at http://www.w3.org/community/networkfriendly/

PR: Move to hallway discussion in Paris.

END
Received on Friday, 2 March 2012 04:07:17 UTC