W3C home > Mailing lists > Public > www-tag@w3.org > January 2010

Draft minutes of TAG teleconference of 21 January 2010

From: <noah_mendelsohn@us.ibm.com>
Date: Fri, 22 Jan 2010 14:36:34 -0500
To: www-tag@w3.org
Message-ID: <OF061B65BA.5C559E68-ON852576B3.006B9A0F-852576B3.006BB932@lotus.com>
Draft minutes of the TAG teleconference of 21 January are available at [1] 
and in text-only form below.  Thanks to scribe Ashok Malhotra for wrapping 
these up at a busy time.

Noah

[1]  http://www.w3.org/2001/tag/2010/01/21-minutes.html

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                           TAG Weekly Telcon

21 Jan 2010

   See also: [2]IRC log

      [2] http://www.w3.org/2010/01/21-tagmem-irc

Attendees

   Present
          T_V_Raman, Ashok_Malhotra, Noah_Mendelsohn, Dan_Applequist,
          Larry_Masinter, Jonathan_Rees, Dan_Connolly

   Regrets
          TimBL, John_Kemp, Henry_Thompson

   Chair
          Noah_Mendelsohn

   Scribe
          Ashok

Contents

     * [3]Topics
         1. [4]Opening
         2. [5]Approval of Minutes 14 January 2009
         3. [6]ACTION-278: Draft changes to 2.7 of Metadata in URIs to
            cover the "Google Calendar" case
         4. [7]ACTION-372: Redrafting of HTML for resource vs.
            representation
         5. [8]Review Pending Actions
     * [9]Summary of Action Items
     _________________________________________________________

   <raman> on and muted.

   <scribe> scribe: Ashok

   <scribe> scribenick: Ashok

   <DKA> FYI I will have to leave the call at 19:20 GMT today.

   <raman> will need to bail in 25 mins

Opening

   Noah: 5 of us present
   ... Regrets from TimBL for 5 weeks or so
   ... There will be a call next week

Approval of Minutes 14 January 2009

   RESOLUTION: Minutes of Jan 14 meeting are approved

ACTION-278: Draft changes to 2.7 of Metadata in URIs to cover the
"Google Calendar" case

   Noah explains action

   <jar> The finding:
   [10]http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity

     [10] http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity

   <jar> ACTION-278?

   <trackbot> ACTION-278 -- Jonathan Rees to draft changes to 2.7 of
   Metadata in URIs to cover the "Google Calendar" case -- due
   2010-01-20 -- PENDINGREVIEW

   <trackbot> [11]http://www.w3.org/2001/tag/group/track/actions/278

     [11] http://www.w3.org/2001/tag/group/track/actions/278

   <noah> Jonathan's email:
   [12]http://lists.w3.org/Archives/Public/www-tag/2009Dec/0121.html

     [12] http://lists.w3.org/Archives/Public/www-tag/2009Dec/0121.html

   Jar: This is a draft not a proposal
   ... came out of our discussion of capabilities

   <noah> Could you say a bit more about the Google Calender use case
   in particular? What are they doing?

   Jar: URIs to carry secrets are used all over the web. Finding should
   talk about this
   ... Scope of finding is not limited to public URIs
   ... There is a web interface and you can say "share this
   calendar"... it mints a URI and says send this URI to your friend
   ... If you send URI to friend and he clicks on it, the calendars are
   shared

   Noah: Does it carry authority as well as allow sharing?

   <noah> Crucial case is that the URI carries not just the
   identification, but also the authorization.

   JAR: Yes, carries authority

   <noah> Speaking for myself, I don't like that, and don't want to
   encourage it.

   <masinter> "click here to unsubscribe" also

   <noah> I think AWWW is right to make identity and authorization
   orthogonal

   JAR: Tyler Close says this is used and it is good

   <DKA> Is it a one-time use URI?

   JAR: the person getting URI could publish it and then everyone has
   access

   <noah> DKA, I don't think so. Sounds like you can explicitly kill
   it.

   JAR: but capability can be retracted

   <jar> Google docs is another example

   DKA: Is this a one time use? It is a pattern they use.

   <noah> One time use seems break GET/safe

   JAR: For calendar it is one time use
   ... in Google docs you can send to many people

   Raman: URL works only if you are in the ACL for document
   ... you can manage access control

   <masinter> Adobe Buzzword (acrobat.com) has similar options: "open
   to anyone who has the URL" is an access control option

   Noah: Is this also true of Calendar?

   Raman: Calendar has different model. Events have URLs
   ... if private no one can see it
   ... there is a single sign-in mechanism
   ... access to URL does not give access

   <jar> code.google.com/apis

   Noah: Crucial question: Should a URI ever give access control?

   <masinter> "Allow anyone with a link to view this document" is a
   access control option that the user can set

   <Zakim> Noah, you wanted to question the appropriateness of the use
   case

   Noah: or is just an identifier

   <raman> Calendar API:[13]http://code.google.com/apis/calendar/

     [13] http://code.google.com/apis/calendar/

   <raman> All Google APIs: [14]http://code.google.com/apis/

     [14] http://code.google.com/apis/

   Larry: I can create a doc from acrobat.com and I can create a doc
   and share it
   ... describes sharing options

   <noah> I think the question is: how much do you bend what you would
   otherwise do with Web architecture to enable Larry's case, which he
   acknowledges as "weak"

   <Zakim> Masinter, you wanted to propose drafting a document and
   getting review of it in the security community

   <Zakim> Noah, you wanted to say, I take Larry's point

   Noah: Seems like passwords in clear discussion
   ... its a weak security mechanism. URIs are widely shared. Not like
   private key.

   <masinter> +1 that this is like password in the clear

   Noah: but people use it because it's convenient
   ... people use it and understand the risks

   JAR: Why do they give 64-bit URIs if it is not a protection scheme?

   <masinter> obfuscation is a useful technique. I don't think anything
   about "protected channels" doesn't really help much

   JAR: Key word is "trade-offs". Finding should describe trade-offs

   Noah: Finding says access control should be done orthogonally. I
   think this is right.

   <masinter> obfuscation isn't "access control"

   Noah: We should not be vague about that.

   <DKA> After just trying to share a Google calendar I can confirm
   that that seems to be how it works. The URI does not allow automatic
   access to the calendar. It seems to encode expected access
   credentials but still requires a credentials check (authentication).

   JAR: If finding says do not do the Google Calendar case we lose
   ccredibility.

   <masinter> [15]https://acrobat.com/#d=Y5W06lRXkILNhbfV1yUjsw

     [15] https://acrobat.com/#d=Y5W06lRXkILNhbfV1yUjsw

   Larry: I made a doc, and service creates a URL and anyone who has
   URL can read document
   ... not so unreasonable

   Noah: I'm not conviced there is anything in the finding that's
   wrong.

   <noah> Pertinent section of finding:
   [16]http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecu
   rity

     [16] 
http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecurity

   <masinter> maybe expand the finding to cover the obfuscated URI
   being used as weak access control.

   <noah> A bank establishes a URI assignment policy in which account
   numbers

   <noah> are encoded directly in the URI. For example, the URI

   <noah> [17]http://example.org/customeraccounts/456123 accesses
   information for

     [17] http://example.org/customeraccounts/456123

   <noah> account number 456123. A malicious worker at an Internet
   Service

   <noah> Provider notices these URIs in his traffic logs, and
   determines the

   <noah> bank account numbers for his Internet customers. Furthermore,
   if

   <noah> access controls are not properly in place, he might be able
   to guess

   <noah> the URIs for other accounts, and to attempt to access them.

   <noah> Good Practice: URI assignment authorities SHOULD NOT put into
   URIs

   <noah> metadata that is to be kept confidential.

   <noah> """

   <masinter> Yes, so the use case I gave above would be a violation of
   the finding.

   Noah: Says only a little about access control.

   Larry: The finding is too strong.

   <noah> Unconvinced

   JAR: Finding rules out common usecase.

   Ashok: Noah and JAR disagree on what finding says and should say

   <jar> https

   <Zakim> masinter, you wanted to say I would rather findings be
   couched in terms of making people aware of the consequences, rather
   than telling them what to do

   Larry: Try and write findings based on consequences of doing things
   one way instead of another
   ... so finding should say use this mechanism if risks a acceptareble
   ... Some of these exposures are over the long run instead of short
   run

   Noah: A similar example is abt GET being safe
   ... I'm happy we said GET is unsafe

   <Zakim> Masinter, you wanted to suggest review on
   public-web-security

   Noah: Just because it is widespread we should not condone the
   practice

   Larry: Need more discussion of public-web-security

   Noah: I would feel better if we had better framing of the issue

   <noah> q

   <Zakim> DKA, you wanted to note that there seem to be a number of
   use cases here that look similar but are actually different - maybe
   the WSC group has already enumerated these?

   DKA: We need a list of usecases and need to categorize them

   Noah: How is Web Securiry Context connected with public-web-security

   Larry: JAR could send note to public-web-security and see if we can
   get discussion started

   Noah: We should try and get some shared terminology

   Larry: Next step?

   JAR: Spell out use cases more clearly?

   Noah: Some disagreement. Some feel just because it is a commen
   usecase it should be condoned.

   JAR: We should say what the finding is about

   Noah: We have differeing assumptions about what people can put in
   URIs

   JAR: Notion of URI is much broader than these public URIs
   ... URIs used in all sorts of situations. Web is just one use.

   <masinter> I think the point that putting the secret in the FragID
   rather than in the main URI itself is interesting.

   Noah: Way private keys are managed is fundamental to their use

   JAR: You are saying URIs have a connotation to a public space on the
   web
   ... I don't agree with this.

   <masinter> maybe this is also a justification for Origin vs.
   Referer? because Origin doesn't include private keys

   JAR: Noah, this is your opinion

   <masinter> Use cases & discussions of them would be really great

   JAR: I'll take an action to drill down on the usecases

   Noah: Shall we add that to Action-278 and change the due date

   <noah> ACTION-278: Due 2010-02-04

   <trackbot> ACTION-278 Draft changes to 2.7 of Metadata in URIs to
   cover the "Google Calendar" case notes added

   Larry: I'm not hesitant to ask the Web Security Group to jump in

   <masinter> might add the acrobat.com one too while you're at it; let
   me know if you need more details

   <noah> AM: I hear Noah and Jonathan disagreeing about how URIs are
   used? Will doing use cases fix that?

   <noah> NM: Not sure it will, but it may clarify the context for the
   discussion.

   <masinter> Ashok: I think the finding needs to be more nuanced, and
   that different kinds of security situations will need different
   advice. Having use cases will help us understanding of the
   situations and thus what kind of contextual advice to give.

   Noah: There is no harm in any of us coming up with new text. This
   could spark useful discussion.

ACTION-372: Redrafting of HTML for resource vs. representation

   <trackbot> ACTION-372 -- Larry Masinter to tell the HTML WG the TAG
   encourages the direction Roy's headed on resource/representation and
   endorse his request for more time. -- due 2010-01-20 --
   PENDINGREVIEW

   <trackbot> [18]http://www.w3.org/2001/tag/group/track/actions/372

     [18] http://www.w3.org/2001/tag/group/track/actions/372

   <noah> Note error in agenda, should have referred to HTML not HTTP

   <noah> LM: I sent the email. Got a response which might be viewed as
   to me as HTML WG or to the TAG.

   Larry: I sent the mail. I got a response. The staus of the issue is
   - Roy is unavailable to work on this issue

   <noah> Larry: that's not quite right -- Roy says not available for 4
   months, then available.

   Larry: actually Roy said "not available for 4 months to work on
   issue"
   ... not sure it was interpreted as a TAG request
   ... Noah, please, as chair clarify how we communicate.

   <scribe> ACTION: Noah to frame discussion about how TAG communicated
   with WGs [recorded in
   [19]http://www.w3.org/2001/tag/2010/01/21-minutes#action01]

     [19] http://www.w3.org/2001/tag/2010/01/21-minutes#action01

   <trackbot> Created ACTION-377 - Frame discussion about how TAG
   communicated with WGs [on Noah Mendelsohn - due 2010-01-28].

   Larry: I would like Noah to talk to HTML WG ...

   Noah: Some WGs communicate with other WGs. The WG votes on this and
   someone is asked to send the msg.
   ... the TAG has as part of its charter to help WGs do their work
   ... in some cases TAG will ask individuals to talk with WGs

   Larry: I got a response and I don't think the WGs response is in
   line with what was requested

   Noah: The process is fine ... we need to decide what to do?
   ... Larry, what should TAG do?

   Larry: If we are happy to give on this that's ok with me

   <masinter> i'm not sure they acknowledged hearing our opinion

   Dan: I don't understand why Roy cannot do the 2 edits?

   <masinter> Roy said: "Honestly, unless you can prove to ME that
   there is a substantial ...

   <masinter> burden being imposed upon *someone* by reordering the
   entirely random order that chairs have decided to call for
   consensus, then it should be obvious that *MY* constraints are more
   important than whatever you personally think the procedure should
   be. Otherwise, you are just railroading a particular conclusion.

   Dan: I can understand if they close this; we might say we don't like
   it, but unless we have a proposal...

   <Zakim> masinter, you wanted to note issue in abarth-mime-sniffing

   <jar>
   [20]http://www.ietf.org/mail-archive/web/apps-discuss/current/msg012
   50.html

     [20] 
http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html

   Larry: John Kemp on authoritative metadata finding cites
   abarth-mimesniffing. I did a review of this
   ... go down to "terminology"

   <noah> Quoting:

   <noah> TERMINOLOGY "resource"

   <noah> This document seems to have the same use of "resource"

   <noah> to talk about what is fetched and not just the source

   <noah> from which it is fetched, as discussed in HTML-WG

   <noah> at length:

   <noah> [21]http://www.w3.org/html/wg/tracker/issues/81

     [21] http://www.w3.org/html/wg/tracker/issues/81

   <noah> For example

   <noah> For HTTP resources, only the last Content-Type HTTP header,

   <noah> if any, contributes any type information; the official type

   <noah> of the resource is then the value of that header,

   <noah> interpreted as described by the HTTP specifications.

   <noah> Right, the phrase "type of the resource" is highly suspect

   Noah: The continuing non-resolution of issue 81 is haveing
   deleterious effect on the Web

   Larry: Roy is arguably the most qualified person on planet to do
   this

   <noah> To be clear, I was asking Larry whether the "continuing
   non-resolution" was his position, and he said "yes".

   Noah: We could send a note as the TAG saying that we feel it is very
   important that this gets resolved
   ... Just say "this remains impt"

   <masinter>
   [22]http://lists.w3.org/Archives/Public/public-html/2010Jan/0853.htm
   l

     [22] 
http://lists.w3.org/Archives/Public/public-html/2010Jan/0853.html

   <masinter> Write clear definitions of all affected terms, possibly
   in the form of suggested edits to the terminology section, and
   demonstrate correct usage of the terms by suggesting specific edits
   to one or two representative sections.

   Larry: The above is something the TAG could take on.

   <masinter> The definitions of these terms don't belong in HTML, they
   belong in Webarch

   <masinter> Defining the terms of the web architecture seems like a
   fine job for the TAG, and that there is no other group more
   authoritative.

   Noah: This could take up a lot of resources/time

   Larry: I'm willing to work on it and I would like some help

   <jar> 799 occurrences of "resource" in Overview.html

   <masinter> are the terms not already clearly defined in WebArch?

   <jar> no

   Noah: You would a great volunteer, Dan!

   Larry: Deadline is Jan 23

   <masinter>
   [23]http://lists.w3.org/Archives/Public/public-html/2010Jan/0930.htm
   l

     [23] 
http://lists.w3.org/Archives/Public/public-html/2010Jan/0930.html

   <masinter> "... let the Chairs know if they are interested in
   drafting a proposal to resolve Issue-81."

   <DanC> ACTION: Connolly to draft suggested text re
   resource/representation in HTML 5 for discussion with LMM and JAR
   [recorded in
   [24]http://www.w3.org/2001/tag/2010/01/21-minutes#action02]

     [24] http://www.w3.org/2001/tag/2010/01/21-minutes#action02

   <trackbot> Created ACTION-378 - Draft suggested text re
   resource/representation in HTML 5 for discussion with LMM and JAR
   [on Dan Connolly - due 2010-01-28].

   <masinter> [25]http://www.w3.org/TR/webarch/#id-resources defines
   "resource"

     [25] http://www.w3.org/TR/webarch/#id-resources

   <masinter> [26]http://www.w3.org/TR/webarch/#def-representation
   defines "representation"

     [26] http://www.w3.org/TR/webarch/#def-representation

Review Pending Actions

   <noah>
   [27]http://www.w3.org/2001/tag/group/track/actions/pendingreview

     [27] http://www.w3.org/2001/tag/group/track/actions/pendingreview

   <DanC> ACTION-213 due next week

   <trackbot> ACTION-213 Prepare 21 Jan weekly teleconference agenda
   due date now next week

   <DanC> ACTION-213?

   <trackbot> ACTION-213 -- Noah Mendelsohn to prepare 21 Jan weekly
   teleconference agenda -- due 2010-01-26 -- PENDINGREVIEW

   <trackbot> [28]http://www.w3.org/2001/tag/group/track/actions/213

     [28] http://www.w3.org/2001/tag/group/track/actions/213

   <DKA> I must leave the call now - apologies - Noah please feel free
   to put me on the scribe rota for a future call except for Feb 18
   where I will have to give my regrets.

   <DanC> action-278?

   <trackbot> ACTION-278 -- Jonathan Rees to draft changes to 2.7 of
   Metadata in URIs to cover the "Google Calendar" case -- due
   2010-02-04 -- OPEN

   <trackbot> [29]http://www.w3.org/2001/tag/group/track/actions/278

     [29] http://www.w3.org/2001/tag/group/track/actions/278

   <masinter>
   [30]http://www.ietf.org/mail-archive/web/apps-discuss/current/msg012
   50.html is linked from ACTION-308

     [30] 
http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html

   <noah> On ACTION-337, Larry wants to punt.

   <DanC> ACTION-337: Larry wants to punt.

   <trackbot> ACTION-337 Prepare material for next phone conf metadata
   formats/representations notes added

   <DanC> close action-337

   <trackbot> ACTION-337 Prepare material for next phone conf metadata
   formats/representations closed

   <DanC> order? is Larry asking for futher discussion of ACTION-367?

   <DanC> it's done to my satisfaction.

   <noah> trying to find out

   <DanC> if there are possible follow-ons, then it should be kept
   pending review. sigh.

   <DanC> (no, I don't see a URL for the bug)

   <masinter> [31]http://www.w3.org/Bugs/Public/show_bug.cgi?id=8220

     [31] http://www.w3.org/Bugs/Public/show_bug.cgi?id=8220

   <DanC> close ACTION-372

   <trackbot> ACTION-372 Tell the HTML WG the TAG encourages the
   direction Roy's headed on resource/representation and endorse his
   request for more time. closed

   <masinter> action-373?

   <trackbot> ACTION-373 -- Noah Mendelsohn to convey, re language
   reference, to encourage the path they've indicated; we can't tell if
   we're satisifed; we'll stay tuned and comment when drafts become
   available -- due 2010-01-28 -- PENDINGREVIEW

   <trackbot> [32]http://www.w3.org/2001/tag/group/track/actions/373

     [32] http://www.w3.org/2001/tag/group/track/actions/373

   <DanC> action-373?

   <trackbot> ACTION-373 -- Noah Mendelsohn to convey, re language
   reference, to encourage the path they've indicated; we can't tell if
   we're satisifed; we'll stay tuned and comment when drafts become
   available -- due 2010-01-28 -- PENDINGREVIEW

   <trackbot> [33]http://www.w3.org/2001/tag/group/track/actions/373

     [33] http://www.w3.org/2001/tag/group/track/actions/373

   <DanC> I'm happy with Maciej's reply.

   <DanC> i.e.
   [34]http://lists.w3.org/Archives/Public/www-tag/2010Jan/0031.html

     [34] http://lists.w3.org/Archives/Public/www-tag/2010Jan/0031.html

   <DanC> ACTION: Larry to check whether HTML language reference has
   been published [recorded in
   [35]http://www.w3.org/2001/tag/2010/01/21-minutes#action03]

     [35] http://www.w3.org/2001/tag/2010/01/21-minutes#action03

   <trackbot> Created ACTION-379 - Check whether HTML language
   reference has been published [on Larry Masinter - due 2010-01-28].

   <DanC> action-379 due in 4 months

   <trackbot> ACTION-379 Check whether HTML language reference has been
   published due date now in 4 months

   <noah> close ACTION-373

   <trackbot> ACTION-373 Convey, re language reference, to encourage
   the path they've indicated; we can't tell if we're satisifed; we'll
   stay tuned and comment when drafts become available closed

   <DanC> action-379 due 21 may

   <trackbot> ACTION-379 Check whether HTML language reference has been
   published due date now 21 may

   <noah> Hmm,10 pending non-trivial actions == approx 5 weeks telcon
   time.

   <DanC> I note there's a list of docs the HTML WG chairs are
   considering putting a publication question on, and the language
   reference isn't one of them.
   [36]http://lists.w3.org/Archives/Public/public-html-wg-announce/2010
   JanMar/0005.html

     [36] 
http://lists.w3.org/Archives/Public/public-html-wg-announce/2010JanMar/0005.html


Summary of Action Items

   [NEW] ACTION: Connolly to draft suggested text re
   resource/representation in HTML 5 for discussion with LMM and JAR
   [recorded in
   [37]http://www.w3.org/2001/tag/2010/01/21-minutes#action02]
   [NEW] ACTION: Larry to check whether HTML language reference has
   been published [recorded in
   [38]http://www.w3.org/2001/tag/2010/01/21-minutes#action03]
   [NEW] ACTION: Noah to frame discussion about how TAG communicated
   with WGs [recorded in
   [39]http://www.w3.org/2001/tag/2010/01/21-minutes#action01]

     [37] http://www.w3.org/2001/tag/2010/01/21-minutes#action02
     [38] http://www.w3.org/2001/tag/2010/01/21-minutes#action03
     [39] http://www.w3.org/2001/tag/2010/01/21-minutes#action01

   [End of minutes]
     _________________________________________________________


    Minutes formatted by David Booth's [40]scribe.perl version 1.133
    ([41]CVS log)
    $Date: 2010/01/22 13:27:39 $

     [40] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [41] http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 22 January 2010 19:37:27 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:05 UTC