- From: <noah_mendelsohn@us.ibm.com>
- Date: Fri, 22 Jan 2010 14:36:34 -0500
- To: www-tag@w3.org
Draft minutes of the TAG teleconference of 21 January are available at [1]
and in text-only form below. Thanks to scribe Ashok Malhotra for wrapping
these up at a busy time.
Noah
[1] http://www.w3.org/2001/tag/2010/01/21-minutes.html
--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
[1]W3C
[1] http://www.w3.org/
- DRAFT -
TAG Weekly Telcon
21 Jan 2010
See also: [2]IRC log
[2] http://www.w3.org/2010/01/21-tagmem-irc
Attendees
Present
T_V_Raman, Ashok_Malhotra, Noah_Mendelsohn, Dan_Applequist,
Larry_Masinter, Jonathan_Rees, Dan_Connolly
Regrets
TimBL, John_Kemp, Henry_Thompson
Chair
Noah_Mendelsohn
Scribe
Ashok
Contents
* [3]Topics
1. [4]Opening
2. [5]Approval of Minutes 14 January 2009
3. [6]ACTION-278: Draft changes to 2.7 of Metadata in URIs to
cover the "Google Calendar" case
4. [7]ACTION-372: Redrafting of HTML for resource vs.
representation
5. [8]Review Pending Actions
* [9]Summary of Action Items
_________________________________________________________
<raman> on and muted.
<scribe> scribe: Ashok
<scribe> scribenick: Ashok
<DKA> FYI I will have to leave the call at 19:20 GMT today.
<raman> will need to bail in 25 mins
Opening
Noah: 5 of us present
... Regrets from TimBL for 5 weeks or so
... There will be a call next week
Approval of Minutes 14 January 2009
RESOLUTION: Minutes of Jan 14 meeting are approved
ACTION-278: Draft changes to 2.7 of Metadata in URIs to cover the
"Google Calendar" case
Noah explains action
<jar> The finding:
[10]http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity
[10] http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity
<jar> ACTION-278?
<trackbot> ACTION-278 -- Jonathan Rees to draft changes to 2.7 of
Metadata in URIs to cover the "Google Calendar" case -- due
2010-01-20 -- PENDINGREVIEW
<trackbot> [11]http://www.w3.org/2001/tag/group/track/actions/278
[11] http://www.w3.org/2001/tag/group/track/actions/278
<noah> Jonathan's email:
[12]http://lists.w3.org/Archives/Public/www-tag/2009Dec/0121.html
[12] http://lists.w3.org/Archives/Public/www-tag/2009Dec/0121.html
Jar: This is a draft not a proposal
... came out of our discussion of capabilities
<noah> Could you say a bit more about the Google Calender use case
in particular? What are they doing?
Jar: URIs to carry secrets are used all over the web. Finding should
talk about this
... Scope of finding is not limited to public URIs
... There is a web interface and you can say "share this
calendar"... it mints a URI and says send this URI to your friend
... If you send URI to friend and he clicks on it, the calendars are
shared
Noah: Does it carry authority as well as allow sharing?
<noah> Crucial case is that the URI carries not just the
identification, but also the authorization.
JAR: Yes, carries authority
<noah> Speaking for myself, I don't like that, and don't want to
encourage it.
<masinter> "click here to unsubscribe" also
<noah> I think AWWW is right to make identity and authorization
orthogonal
JAR: Tyler Close says this is used and it is good
<DKA> Is it a one-time use URI?
JAR: the person getting URI could publish it and then everyone has
access
<noah> DKA, I don't think so. Sounds like you can explicitly kill
it.
JAR: but capability can be retracted
<jar> Google docs is another example
DKA: Is this a one time use? It is a pattern they use.
<noah> One time use seems break GET/safe
JAR: For calendar it is one time use
... in Google docs you can send to many people
Raman: URL works only if you are in the ACL for document
... you can manage access control
<masinter> Adobe Buzzword (acrobat.com) has similar options: "open
to anyone who has the URL" is an access control option
Noah: Is this also true of Calendar?
Raman: Calendar has different model. Events have URLs
... if private no one can see it
... there is a single sign-in mechanism
... access to URL does not give access
<jar> code.google.com/apis
Noah: Crucial question: Should a URI ever give access control?
<masinter> "Allow anyone with a link to view this document" is a
access control option that the user can set
<Zakim> Noah, you wanted to question the appropriateness of the use
case
Noah: or is just an identifier
<raman> Calendar API:[13]http://code.google.com/apis/calendar/
[13] http://code.google.com/apis/calendar/
<raman> All Google APIs: [14]http://code.google.com/apis/
[14] http://code.google.com/apis/
Larry: I can create a doc from acrobat.com and I can create a doc
and share it
... describes sharing options
<noah> I think the question is: how much do you bend what you would
otherwise do with Web architecture to enable Larry's case, which he
acknowledges as "weak"
<Zakim> Masinter, you wanted to propose drafting a document and
getting review of it in the security community
<Zakim> Noah, you wanted to say, I take Larry's point
Noah: Seems like passwords in clear discussion
... its a weak security mechanism. URIs are widely shared. Not like
private key.
<masinter> +1 that this is like password in the clear
Noah: but people use it because it's convenient
... people use it and understand the risks
JAR: Why do they give 64-bit URIs if it is not a protection scheme?
<masinter> obfuscation is a useful technique. I don't think anything
about "protected channels" doesn't really help much
JAR: Key word is "trade-offs". Finding should describe trade-offs
Noah: Finding says access control should be done orthogonally. I
think this is right.
<masinter> obfuscation isn't "access control"
Noah: We should not be vague about that.
<DKA> After just trying to share a Google calendar I can confirm
that that seems to be how it works. The URI does not allow automatic
access to the calendar. It seems to encode expected access
credentials but still requires a credentials check (authentication).
JAR: If finding says do not do the Google Calendar case we lose
ccredibility.
<masinter> [15]https://acrobat.com/#d=Y5W06lRXkILNhbfV1yUjsw
[15] https://acrobat.com/#d=Y5W06lRXkILNhbfV1yUjsw
Larry: I made a doc, and service creates a URL and anyone who has
URL can read document
... not so unreasonable
Noah: I'm not conviced there is anything in the finding that's
wrong.
<noah> Pertinent section of finding:
[16]http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecu
rity
[16]
http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecurity
<masinter> maybe expand the finding to cover the obfuscated URI
being used as weak access control.
<noah> A bank establishes a URI assignment policy in which account
numbers
<noah> are encoded directly in the URI. For example, the URI
<noah> [17]http://example.org/customeraccounts/456123 accesses
information for
[17] http://example.org/customeraccounts/456123
<noah> account number 456123. A malicious worker at an Internet
Service
<noah> Provider notices these URIs in his traffic logs, and
determines the
<noah> bank account numbers for his Internet customers. Furthermore,
if
<noah> access controls are not properly in place, he might be able
to guess
<noah> the URIs for other accounts, and to attempt to access them.
<noah> Good Practice: URI assignment authorities SHOULD NOT put into
URIs
<noah> metadata that is to be kept confidential.
<noah> """
<masinter> Yes, so the use case I gave above would be a violation of
the finding.
Noah: Says only a little about access control.
Larry: The finding is too strong.
<noah> Unconvinced
JAR: Finding rules out common usecase.
Ashok: Noah and JAR disagree on what finding says and should say
<jar> https
<Zakim> masinter, you wanted to say I would rather findings be
couched in terms of making people aware of the consequences, rather
than telling them what to do
Larry: Try and write findings based on consequences of doing things
one way instead of another
... so finding should say use this mechanism if risks a acceptareble
... Some of these exposures are over the long run instead of short
run
Noah: A similar example is abt GET being safe
... I'm happy we said GET is unsafe
<Zakim> Masinter, you wanted to suggest review on
public-web-security
Noah: Just because it is widespread we should not condone the
practice
Larry: Need more discussion of public-web-security
Noah: I would feel better if we had better framing of the issue
<noah> q
<Zakim> DKA, you wanted to note that there seem to be a number of
use cases here that look similar but are actually different - maybe
the WSC group has already enumerated these?
DKA: We need a list of usecases and need to categorize them
Noah: How is Web Securiry Context connected with public-web-security
Larry: JAR could send note to public-web-security and see if we can
get discussion started
Noah: We should try and get some shared terminology
Larry: Next step?
JAR: Spell out use cases more clearly?
Noah: Some disagreement. Some feel just because it is a commen
usecase it should be condoned.
JAR: We should say what the finding is about
Noah: We have differeing assumptions about what people can put in
URIs
JAR: Notion of URI is much broader than these public URIs
... URIs used in all sorts of situations. Web is just one use.
<masinter> I think the point that putting the secret in the FragID
rather than in the main URI itself is interesting.
Noah: Way private keys are managed is fundamental to their use
JAR: You are saying URIs have a connotation to a public space on the
web
... I don't agree with this.
<masinter> maybe this is also a justification for Origin vs.
Referer? because Origin doesn't include private keys
JAR: Noah, this is your opinion
<masinter> Use cases & discussions of them would be really great
JAR: I'll take an action to drill down on the usecases
Noah: Shall we add that to Action-278 and change the due date
<noah> ACTION-278: Due 2010-02-04
<trackbot> ACTION-278 Draft changes to 2.7 of Metadata in URIs to
cover the "Google Calendar" case notes added
Larry: I'm not hesitant to ask the Web Security Group to jump in
<masinter> might add the acrobat.com one too while you're at it; let
me know if you need more details
<noah> AM: I hear Noah and Jonathan disagreeing about how URIs are
used? Will doing use cases fix that?
<noah> NM: Not sure it will, but it may clarify the context for the
discussion.
<masinter> Ashok: I think the finding needs to be more nuanced, and
that different kinds of security situations will need different
advice. Having use cases will help us understanding of the
situations and thus what kind of contextual advice to give.
Noah: There is no harm in any of us coming up with new text. This
could spark useful discussion.
ACTION-372: Redrafting of HTML for resource vs. representation
<trackbot> ACTION-372 -- Larry Masinter to tell the HTML WG the TAG
encourages the direction Roy's headed on resource/representation and
endorse his request for more time. -- due 2010-01-20 --
PENDINGREVIEW
<trackbot> [18]http://www.w3.org/2001/tag/group/track/actions/372
[18] http://www.w3.org/2001/tag/group/track/actions/372
<noah> Note error in agenda, should have referred to HTML not HTTP
<noah> LM: I sent the email. Got a response which might be viewed as
to me as HTML WG or to the TAG.
Larry: I sent the mail. I got a response. The staus of the issue is
- Roy is unavailable to work on this issue
<noah> Larry: that's not quite right -- Roy says not available for 4
months, then available.
Larry: actually Roy said "not available for 4 months to work on
issue"
... not sure it was interpreted as a TAG request
... Noah, please, as chair clarify how we communicate.
<scribe> ACTION: Noah to frame discussion about how TAG communicated
with WGs [recorded in
[19]http://www.w3.org/2001/tag/2010/01/21-minutes#action01]
[19] http://www.w3.org/2001/tag/2010/01/21-minutes#action01
<trackbot> Created ACTION-377 - Frame discussion about how TAG
communicated with WGs [on Noah Mendelsohn - due 2010-01-28].
Larry: I would like Noah to talk to HTML WG ...
Noah: Some WGs communicate with other WGs. The WG votes on this and
someone is asked to send the msg.
... the TAG has as part of its charter to help WGs do their work
... in some cases TAG will ask individuals to talk with WGs
Larry: I got a response and I don't think the WGs response is in
line with what was requested
Noah: The process is fine ... we need to decide what to do?
... Larry, what should TAG do?
Larry: If we are happy to give on this that's ok with me
<masinter> i'm not sure they acknowledged hearing our opinion
Dan: I don't understand why Roy cannot do the 2 edits?
<masinter> Roy said: "Honestly, unless you can prove to ME that
there is a substantial ...
<masinter> burden being imposed upon *someone* by reordering the
entirely random order that chairs have decided to call for
consensus, then it should be obvious that *MY* constraints are more
important than whatever you personally think the procedure should
be. Otherwise, you are just railroading a particular conclusion.
Dan: I can understand if they close this; we might say we don't like
it, but unless we have a proposal...
<Zakim> masinter, you wanted to note issue in abarth-mime-sniffing
<jar>
[20]http://www.ietf.org/mail-archive/web/apps-discuss/current/msg012
50.html
[20]
http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html
Larry: John Kemp on authoritative metadata finding cites
abarth-mimesniffing. I did a review of this
... go down to "terminology"
<noah> Quoting:
<noah> TERMINOLOGY "resource"
<noah> This document seems to have the same use of "resource"
<noah> to talk about what is fetched and not just the source
<noah> from which it is fetched, as discussed in HTML-WG
<noah> at length:
<noah> [21]http://www.w3.org/html/wg/tracker/issues/81
[21] http://www.w3.org/html/wg/tracker/issues/81
<noah> For example
<noah> For HTTP resources, only the last Content-Type HTTP header,
<noah> if any, contributes any type information; the official type
<noah> of the resource is then the value of that header,
<noah> interpreted as described by the HTTP specifications.
<noah> Right, the phrase "type of the resource" is highly suspect
Noah: The continuing non-resolution of issue 81 is haveing
deleterious effect on the Web
Larry: Roy is arguably the most qualified person on planet to do
this
<noah> To be clear, I was asking Larry whether the "continuing
non-resolution" was his position, and he said "yes".
Noah: We could send a note as the TAG saying that we feel it is very
important that this gets resolved
... Just say "this remains impt"
<masinter>
[22]http://lists.w3.org/Archives/Public/public-html/2010Jan/0853.htm
l
[22]
http://lists.w3.org/Archives/Public/public-html/2010Jan/0853.html
<masinter> Write clear definitions of all affected terms, possibly
in the form of suggested edits to the terminology section, and
demonstrate correct usage of the terms by suggesting specific edits
to one or two representative sections.
Larry: The above is something the TAG could take on.
<masinter> The definitions of these terms don't belong in HTML, they
belong in Webarch
<masinter> Defining the terms of the web architecture seems like a
fine job for the TAG, and that there is no other group more
authoritative.
Noah: This could take up a lot of resources/time
Larry: I'm willing to work on it and I would like some help
<jar> 799 occurrences of "resource" in Overview.html
<masinter> are the terms not already clearly defined in WebArch?
<jar> no
Noah: You would a great volunteer, Dan!
Larry: Deadline is Jan 23
<masinter>
[23]http://lists.w3.org/Archives/Public/public-html/2010Jan/0930.htm
l
[23]
http://lists.w3.org/Archives/Public/public-html/2010Jan/0930.html
<masinter> "... let the Chairs know if they are interested in
drafting a proposal to resolve Issue-81."
<DanC> ACTION: Connolly to draft suggested text re
resource/representation in HTML 5 for discussion with LMM and JAR
[recorded in
[24]http://www.w3.org/2001/tag/2010/01/21-minutes#action02]
[24] http://www.w3.org/2001/tag/2010/01/21-minutes#action02
<trackbot> Created ACTION-378 - Draft suggested text re
resource/representation in HTML 5 for discussion with LMM and JAR
[on Dan Connolly - due 2010-01-28].
<masinter> [25]http://www.w3.org/TR/webarch/#id-resources defines
"resource"
[25] http://www.w3.org/TR/webarch/#id-resources
<masinter> [26]http://www.w3.org/TR/webarch/#def-representation
defines "representation"
[26] http://www.w3.org/TR/webarch/#def-representation
Review Pending Actions
<noah>
[27]http://www.w3.org/2001/tag/group/track/actions/pendingreview
[27] http://www.w3.org/2001/tag/group/track/actions/pendingreview
<DanC> ACTION-213 due next week
<trackbot> ACTION-213 Prepare 21 Jan weekly teleconference agenda
due date now next week
<DanC> ACTION-213?
<trackbot> ACTION-213 -- Noah Mendelsohn to prepare 21 Jan weekly
teleconference agenda -- due 2010-01-26 -- PENDINGREVIEW
<trackbot> [28]http://www.w3.org/2001/tag/group/track/actions/213
[28] http://www.w3.org/2001/tag/group/track/actions/213
<DKA> I must leave the call now - apologies - Noah please feel free
to put me on the scribe rota for a future call except for Feb 18
where I will have to give my regrets.
<DanC> action-278?
<trackbot> ACTION-278 -- Jonathan Rees to draft changes to 2.7 of
Metadata in URIs to cover the "Google Calendar" case -- due
2010-02-04 -- OPEN
<trackbot> [29]http://www.w3.org/2001/tag/group/track/actions/278
[29] http://www.w3.org/2001/tag/group/track/actions/278
<masinter>
[30]http://www.ietf.org/mail-archive/web/apps-discuss/current/msg012
50.html is linked from ACTION-308
[30]
http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html
<noah> On ACTION-337, Larry wants to punt.
<DanC> ACTION-337: Larry wants to punt.
<trackbot> ACTION-337 Prepare material for next phone conf metadata
formats/representations notes added
<DanC> close action-337
<trackbot> ACTION-337 Prepare material for next phone conf metadata
formats/representations closed
<DanC> order? is Larry asking for futher discussion of ACTION-367?
<DanC> it's done to my satisfaction.
<noah> trying to find out
<DanC> if there are possible follow-ons, then it should be kept
pending review. sigh.
<DanC> (no, I don't see a URL for the bug)
<masinter> [31]http://www.w3.org/Bugs/Public/show_bug.cgi?id=8220
[31] http://www.w3.org/Bugs/Public/show_bug.cgi?id=8220
<DanC> close ACTION-372
<trackbot> ACTION-372 Tell the HTML WG the TAG encourages the
direction Roy's headed on resource/representation and endorse his
request for more time. closed
<masinter> action-373?
<trackbot> ACTION-373 -- Noah Mendelsohn to convey, re language
reference, to encourage the path they've indicated; we can't tell if
we're satisifed; we'll stay tuned and comment when drafts become
available -- due 2010-01-28 -- PENDINGREVIEW
<trackbot> [32]http://www.w3.org/2001/tag/group/track/actions/373
[32] http://www.w3.org/2001/tag/group/track/actions/373
<DanC> action-373?
<trackbot> ACTION-373 -- Noah Mendelsohn to convey, re language
reference, to encourage the path they've indicated; we can't tell if
we're satisifed; we'll stay tuned and comment when drafts become
available -- due 2010-01-28 -- PENDINGREVIEW
<trackbot> [33]http://www.w3.org/2001/tag/group/track/actions/373
[33] http://www.w3.org/2001/tag/group/track/actions/373
<DanC> I'm happy with Maciej's reply.
<DanC> i.e.
[34]http://lists.w3.org/Archives/Public/www-tag/2010Jan/0031.html
[34] http://lists.w3.org/Archives/Public/www-tag/2010Jan/0031.html
<DanC> ACTION: Larry to check whether HTML language reference has
been published [recorded in
[35]http://www.w3.org/2001/tag/2010/01/21-minutes#action03]
[35] http://www.w3.org/2001/tag/2010/01/21-minutes#action03
<trackbot> Created ACTION-379 - Check whether HTML language
reference has been published [on Larry Masinter - due 2010-01-28].
<DanC> action-379 due in 4 months
<trackbot> ACTION-379 Check whether HTML language reference has been
published due date now in 4 months
<noah> close ACTION-373
<trackbot> ACTION-373 Convey, re language reference, to encourage
the path they've indicated; we can't tell if we're satisifed; we'll
stay tuned and comment when drafts become available closed
<DanC> action-379 due 21 may
<trackbot> ACTION-379 Check whether HTML language reference has been
published due date now 21 may
<noah> Hmm,10 pending non-trivial actions == approx 5 weeks telcon
time.
<DanC> I note there's a list of docs the HTML WG chairs are
considering putting a publication question on, and the language
reference isn't one of them.
[36]http://lists.w3.org/Archives/Public/public-html-wg-announce/2010
JanMar/0005.html
[36]
http://lists.w3.org/Archives/Public/public-html-wg-announce/2010JanMar/0005.html
Summary of Action Items
[NEW] ACTION: Connolly to draft suggested text re
resource/representation in HTML 5 for discussion with LMM and JAR
[recorded in
[37]http://www.w3.org/2001/tag/2010/01/21-minutes#action02]
[NEW] ACTION: Larry to check whether HTML language reference has
been published [recorded in
[38]http://www.w3.org/2001/tag/2010/01/21-minutes#action03]
[NEW] ACTION: Noah to frame discussion about how TAG communicated
with WGs [recorded in
[39]http://www.w3.org/2001/tag/2010/01/21-minutes#action01]
[37] http://www.w3.org/2001/tag/2010/01/21-minutes#action02
[38] http://www.w3.org/2001/tag/2010/01/21-minutes#action03
[39] http://www.w3.org/2001/tag/2010/01/21-minutes#action01
[End of minutes]
_________________________________________________________
Minutes formatted by David Booth's [40]scribe.perl version 1.133
([41]CVS log)
$Date: 2010/01/22 13:27:39 $
[40] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[41] http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 22 January 2010 19:37:27 UTC