Draft minutes for TAG telecon of 2009-10-22

at
http://www.w3.org/2001/tag/2009/10/22-minutes.html
and below.

-Jonathan

---------------------------

W3C
- DRAFT -
TAG Weekly
22 Oct 2009

Agenda

See also: IRC log
Attendees

Present
    Jonathan_Rees, T_V_Raman, Ashok_Malhotra, Noah_Mendelsohn,
Dan_Connolly, Henry_Thompson, John_Kemp
Regrets
Chair
    Noah Mendelsohn
Scribe
    Jonathan Rees

Contents

    * Topics
         1. Convene
         2. Approve minutes of prior meeting(s)
         3. Administrative items
         4. Privacy policy
         5. CORS Security
         6. Forbidding hyperlinks
    * Summary of Action Items

<scribe> scribe: Jonathan Rees

<scribe> scribenick: jar
Convene
Approve minutes of prior meeting(s)

Minutes of 23-25 Sept F2F - table approval until next time

(discussion of 2 week minutes submission rule)

Resolved: approve minutes of 1 October 2009 (
http://www.w3.org/2001/tag/2009/10/01-minutes )

John K will read minutes of Oct 8; we'll take up approval next time
Administrative items

who will be at TPAC?

<ht> me

ashok, raman, noah, henry,

<DanC> I plan to be at TPAC

Noah has worked out meeting time with HTML WG

(well, the exact time depends)

danc: What shall we talk about?

noah: Thanks to those who responded to the issue summary request

<DanC> (re shepherd... here I was thinking I wasn't shepherding any
issues, but when I checked, I found the site-data thing was in my
court)

noah: Reminder about call for exclusions; period ends today.
... What HTML-related things might we want to discuss at TPAC?
... (re session planning)

danc: How about a poll.

<raman> level of enthusiasm on call is depressing

jar: Won't be at TPAC, no particular desires around TAG/TPAC discussions.

raman: Individual [one on one, not large group] discussions will be
the important thing

ashok: I would like to ask whether there has been any progress since
last meeting - is anyone listening to the TAG?
... authoring guidelines, extensibility, URIs, ...
... not that there hasn't been any; just would like to track progress ...

danc: Could you (Ashok) go over last time's notes?

noah: Ian did prepare an authoring draft and wants us to review it

<DanC> (I spent some time looking at the authoring draft, as did masinter)

noah: (continuing poll) I would like to go over our minutes in prep for TPAC

<noah> ACTION-319 on Noah: Consider HTML media type issue for TPAC
agenda(s) Due: 2009-10-29

<noah> I was supposed to get input from Larry as input to my ACTION
319 on media types. Was hoping Larry would be here today to clarify
status.

ht: we could get some benefit from discussing RDFa.

noah: consider the HTML media type issue

ht: yes, remember Tim's desire to have XHTML handled properly when
served as text/html

<noah> ACTION: Noah to respond to HTML WG chairs with suggested TPAC
topics -- see minutes of 22 Oct [recorded in
http://www.w3.org/2009/10/22-tagmem-irc]

<trackbot> Created ACTION-320 - Respond to HTML WG chairs with
suggested TPAC topics -- see minutes of 22 Oct [on Noah Mendelsohn -
due 2009-10-29].

danc: (continuing poll) about URIs, what is the time scale? sequencing
of the two specs (IRI / HTML5)

johnk: RDFa / microdata is worth discussing. also distributed extensibility

noah: Call for agenda for TAG meeting at TPAC

<Zakim> DanC, you wanted to note progress on spec modularity
Privacy policy

<DanC> action-318?

<trackbot> ACTION-318 -- Noah Mendelsohn to send note to Device APIs
and Policy (DAP) Working Group on behalf of the TAG -- due 2009-10-15
-- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/318

<noah> * From minutes of 8 Oct 2009: RESOLVED that that LMM edit
2009Sep/0073 lightly as discussed 8 Oct and Noah send to Device APIs
and Policy Working Group on behalf of the TAG

<noah> * ACTION-318 Send note to Device APIs and Policy (DAP) Working
Group on behalf of the TAG - on Noah Due: 15 Oct 2009

<noah> Continued

action-318 due october 25

<trackbot> ACTION-318 Send note to Device APIs and Policy (DAP)
Working Group on behalf of the TAG due date now october 25

<DanC> (does it matter when we send our thingy to the DAP WG? ht?
(picking on you somewhat arbitrarily))

ashok: There's a similar note on policy [...] to media annotations WG
-- should we make a more general statement? [Scribe didn't get this,
sorry]

danc: Not my style. The anybody/nobody/somebody problem

<noah> ACTION Noah to bug Larry about his input to ACTION-318

<trackbot> Created ACTION-321 - Bug Larry about his input to
ACTION-318 [on Noah Mendelsohn - due 2009-10-29].
CORS Security

The following is what wants an answer:
http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0095.html
[re server-side deployment]

<noah> NM: I'm not sure whether the link in the agenda
http://lists.w3.org/Archives/Public/www-tag/2009Oct/0042.html [re
confused deputy, Oct 19] is also pertinent [scribe: it is, but it's a
different issue]

<noah> [quoting 0095 from Anne, re server-side deployment:]

<noah> On Wed, 24 Jun 2009 19:22:35 +0200, Henry S. Thompson <ht@inf.ed.ac.uk>

<noah> wrote:

<noah> > One point of clarification: my (admittedly imperfect) understanding

<noah> > was that the most important parts of CORS have to be implemented

<noah> > _server_-side for the proposal to achieve its goals. If that's true,

<noah> > browser deployment alone is insufficient. Is that a misunderstanding

<noah> > on my part?

<noah> As was pointed out elsewhere in this thread it was.

<noah> I was wondering if the TAG considers this item closed or wishes to know

<noah> something more, in which case I'd like to hear about it! I'm trying to

<noah> wrap up email threads and this is one of them. Thanks!

<noah> Kind regards,

<noah> Anne van Kesteren

<DanC> ("this" = the confused deputy stuff or the server/client-side stuff?)

raman: I'm not a security expert, but have heard individuals I respect
question it

<DanC> [Raman's "it" = ] (a) the confused deputy problem in 0042 or
(b) the server/client-stuff in 0095? [scribe believes (a)]

noah: It's appropriate for the TAG to become a focal point.

ht: I'm looking to see the current state of the thread that my email
kicked off. [scribe: the thread mixes Dan's (a) and (b)]

noah: Does CORS go to LC on its own, or with the other webapps documents?

jar: On its own, I believe

raman: If we have things to say, we should do so now, not wait for their LC.

<noah> Dan, I'm curious whether
http://lists.w3.org/Archives/Public/www-tag/2009Oct/0042.html is about
CORS at all. [scribe: it is]

danc: Regarding 0042 [confused deputy] - there is a distinction
between "Anne and others" don't see a problem and "the WG" doesn't see
a problem.

<ht> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0104.html
[re core criticism about CORS / confused deputy]

danc: But confused deputy is not in their issues list ...
... If Mark Miller has a problem with this it needs to get onto their
issues list

ht: The thread peters out into unresolved disagreement.
... we could say: It doesn't look like you're done, but I see that
there is no open issue
... what is their process?

danc: I think Mark M has raised an issue, and I'm inclined to ask the
chair to add it to their list

<DanC> (ask the chair because: their chair might clarify the way they
handle issues)

noah: Propose ht to send a request on behalf of the TAG, that the WG
open an issue [re confused deputy]
... alternative: ht to send a request (not directly on behalf of TAG) etc

<DanC> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0095.html
[scribe: changing topic back to (b) = server-side deployment]

<noah> DC: I am [now] talking about the message of 8 Oct. [webapps
0095], not 19th [www-tag 0042]

danc: There are two parts of this agendum on today's meeting.

ht: Thought this _was_ about 19 October [0095].

danc: Let's put aside confused deputy for now.
... It's OK with me to let 8 Oct (0095) drop.

ht: I'm not competent to judge this...

<raman> need to leave --- bye all!

<noah> NM: Seems to me that the need for interoperable server side
implementations might be an important CR exit criterion.

(Discussion of CR exit critieria. Can criteria be added after LC?)

danc: Usually some of these decisions wait until discussion with the director.

<ht> [How about:] "Sorry for the delay -- the discussion has clarified
the current relevance of client-side implementations, and as far as
that goes the TAG is happy.

<ht> We do assume that demonstrating interoperable server-side
implementation will be a necessary part of your CR exit criteria --
could you please confirm that?"

<DanC> +1

<noah> should that be s/could/would/ ?

(Agreement that HT should send that)

<noah> JAR: The original one that Henry sent on behalf of the TAG,
http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1215.html,
is on confused deputy.

<ht> [quoting from 1215] "the new functionality

<ht> > provided would, on the one hand, be insufficiently secure while, on

<ht> > the

<ht> > other, discouraging the provision of something more satisfactory.

ht: [speaking to why this discussion has gotten mixed up] There are
two parts to the paragraph in (1215).
... Anne responded to the part about server side deployment, asking if
that was still an issue for us...
... but that's not the deeper question posed at the end of the same
message (1215), about how secure it will be.

<ht> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0104.html

The 2nd part of 1215 is the "even if it did" part, which gave rise to
"unaddressed security concerns" thread (0104 see above)

<ht> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0102.html

ht: 0102 is from Mark Miller. He says: You never addressed confused
deputy vulnerabilities; that's what matters.
... That thread has not been reflected as an issue, or been brought to
a resolution

danc: And Anne is the editor, and says "I and others don't see an issue"...

noah: We agreed to say something right? So we're done?
... Henry will send a note to Art.
Forbidding hyperlinks

<DanC> URIs, deep linking, framing, adapting and related concerns
Rotan Hanrahan (Friday, 16 October)
http://lists.w3.org/Archives/Public/www-tag/2009Oct/0031.html

danc: Rotan H brought this to the TAG

noah: As you recall... TAG worked on "deep linking" way back when

<noah> TAG Finding on Deep Linking:
http://www.w3.org/2001/tag/doc/deeplinking-20030911

noah: and now some sites are saying "don't link to me *at all*"

<noah> From the finding's conclusion:

<noah> Attempts at the public-policy level to limit the usage,
transmission and publication of URIs at the policy level are
inappropriate and based on a misunderstanding of the Web's
architecture. Attempts to control access to the resources identified
by URIs are entirely appropriate and well-supported by the Web
technology.

<noah> JAR: I think people are looking for legal advice

<noah> NM: Finding is anappropriate?

<noah> JAR: No, but now we need a legal reading.

danc: But web architecture is also social, it's the whole thing.

<noah> +1

danc: There's no other body that can take a stand here.
... (than the TAG)

noah: Maybe take deep linking finding and turn it inside out?
... linking generally, with deep linking as a special case.

<noah> I think that's covered in metadata in URI finding, no?

<noah> Still could fix this one.

<ht> Oh bother, /me is late -- bye!

danc: Problem, it says don't use security by obscurity. But long
random numbers are used to good effect... so that needs revision

noah: So it seems we could do better.

<noah> Dan and I both seem intrigued about doing better, anyone else?

ashok: On a conversation about mobile devices, there was a question
that a URI couldn't be made public for security reasons.

noah: URI for a device - such as a phone?
... Web server associated with it?

ashok: Yes

noah: URIs move through the network in the clear a lot, yes?

johnk: Often there's a proxy, which might not be talking http on the
far side (to the device)

noah: Is this really the web, between proxy and the phone?

<DanC> (indeed, it's using web technologies, but it's not "The Web".
or something... I've never found a good way to write this up... it's
somewhat like http://my.yahoo.com/ too. and intranets.)

<Zakim> DanC, you wanted to note that our deep linking finding (and
webarch) goes to far in saying "the long-random-number /capability URI
pattern is bad"

johnk: Not sure that mobile phone URIs are relevant to this discussion...

<DanC> issue-25?

<trackbot> ISSUE-25 -- What to say in defense of principle that deep
linking is not an illegal act? -- CLOSED

<trackbot> http://www.w3.org/2001/tag/group/track/issues/25

jar: Will a revised finding serve the present need?

<Zakim> noah, you wanted to say, speaking for myself, I don't want to
hang up on the legal issues

noah: What needs to be said: You should understand the value of
network effects. That understanding needs to influence your legal
decisions. This affects what the web will be like.
... If we can say something about legal precedent in addition, that's good too

<DanC> ACTION: DanC to ask W3C management for writing resources re
hyperlinking [recorded in http://www.w3.org/2009/10/22-tagmem-irc]

<trackbot> Created ACTION-322 - Ask W3C management for writing
resources re hyperlinking [on Dan Connolly - due 2009-10-29].

jar: When you're deciding whether to publish a URI, you're not going
to ask what web architecture is, you're going to ask whether you're
likely to be sued

ADJOURNED.
Summary of Action Items
[NEW] ACTION: DanC to ask W3C management for writing resources re
hyperlinking [recorded in http://www.w3.org/2009/10/22-tagmem-irc]
[NEW] ACTION: Noah to respond to HTML WG chairs with suggested TPAC
topics -- see minutes of 22 Oct [recorded in
http://www.w3.org/2009/10/22-tagmem-irc]

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2009/10/24 02:54:54 $

Received on Saturday, 24 October 2009 13:02:06 UTC