- From: <noah_mendelsohn@us.ibm.com>
- Date: Fri, 22 Jan 2010 14:36:34 -0500
- To: www-tag@w3.org
Draft minutes of the TAG teleconference of 21 January are available at [1] and in text-only form below. Thanks to scribe Ashok Malhotra for wrapping these up at a busy time. Noah [1] http://www.w3.org/2001/tag/2010/01/21-minutes.html -------------------------------------- Noah Mendelsohn IBM Corporation One Rogers Street Cambridge, MA 02142 1-617-693-4036 -------------------------------------- [1]W3C [1] http://www.w3.org/ - DRAFT - TAG Weekly Telcon 21 Jan 2010 See also: [2]IRC log [2] http://www.w3.org/2010/01/21-tagmem-irc Attendees Present T_V_Raman, Ashok_Malhotra, Noah_Mendelsohn, Dan_Applequist, Larry_Masinter, Jonathan_Rees, Dan_Connolly Regrets TimBL, John_Kemp, Henry_Thompson Chair Noah_Mendelsohn Scribe Ashok Contents * [3]Topics 1. [4]Opening 2. [5]Approval of Minutes 14 January 2009 3. [6]ACTION-278: Draft changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case 4. [7]ACTION-372: Redrafting of HTML for resource vs. representation 5. [8]Review Pending Actions * [9]Summary of Action Items _________________________________________________________ <raman> on and muted. <scribe> scribe: Ashok <scribe> scribenick: Ashok <DKA> FYI I will have to leave the call at 19:20 GMT today. <raman> will need to bail in 25 mins Opening Noah: 5 of us present ... Regrets from TimBL for 5 weeks or so ... There will be a call next week Approval of Minutes 14 January 2009 RESOLUTION: Minutes of Jan 14 meeting are approved ACTION-278: Draft changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case Noah explains action <jar> The finding: [10]http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity [10] http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity <jar> ACTION-278? <trackbot> ACTION-278 -- Jonathan Rees to draft changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case -- due 2010-01-20 -- PENDINGREVIEW <trackbot> [11]http://www.w3.org/2001/tag/group/track/actions/278 [11] http://www.w3.org/2001/tag/group/track/actions/278 <noah> Jonathan's email: [12]http://lists.w3.org/Archives/Public/www-tag/2009Dec/0121.html [12] http://lists.w3.org/Archives/Public/www-tag/2009Dec/0121.html Jar: This is a draft not a proposal ... came out of our discussion of capabilities <noah> Could you say a bit more about the Google Calender use case in particular? What are they doing? Jar: URIs to carry secrets are used all over the web. Finding should talk about this ... Scope of finding is not limited to public URIs ... There is a web interface and you can say "share this calendar"... it mints a URI and says send this URI to your friend ... If you send URI to friend and he clicks on it, the calendars are shared Noah: Does it carry authority as well as allow sharing? <noah> Crucial case is that the URI carries not just the identification, but also the authorization. JAR: Yes, carries authority <noah> Speaking for myself, I don't like that, and don't want to encourage it. <masinter> "click here to unsubscribe" also <noah> I think AWWW is right to make identity and authorization orthogonal JAR: Tyler Close says this is used and it is good <DKA> Is it a one-time use URI? JAR: the person getting URI could publish it and then everyone has access <noah> DKA, I don't think so. Sounds like you can explicitly kill it. JAR: but capability can be retracted <jar> Google docs is another example DKA: Is this a one time use? It is a pattern they use. <noah> One time use seems break GET/safe JAR: For calendar it is one time use ... in Google docs you can send to many people Raman: URL works only if you are in the ACL for document ... you can manage access control <masinter> Adobe Buzzword (acrobat.com) has similar options: "open to anyone who has the URL" is an access control option Noah: Is this also true of Calendar? Raman: Calendar has different model. Events have URLs ... if private no one can see it ... there is a single sign-in mechanism ... access to URL does not give access <jar> code.google.com/apis Noah: Crucial question: Should a URI ever give access control? <masinter> "Allow anyone with a link to view this document" is a access control option that the user can set <Zakim> Noah, you wanted to question the appropriateness of the use case Noah: or is just an identifier <raman> Calendar API:[13]http://code.google.com/apis/calendar/ [13] http://code.google.com/apis/calendar/ <raman> All Google APIs: [14]http://code.google.com/apis/ [14] http://code.google.com/apis/ Larry: I can create a doc from acrobat.com and I can create a doc and share it ... describes sharing options <noah> I think the question is: how much do you bend what you would otherwise do with Web architecture to enable Larry's case, which he acknowledges as "weak" <Zakim> Masinter, you wanted to propose drafting a document and getting review of it in the security community <Zakim> Noah, you wanted to say, I take Larry's point Noah: Seems like passwords in clear discussion ... its a weak security mechanism. URIs are widely shared. Not like private key. <masinter> +1 that this is like password in the clear Noah: but people use it because it's convenient ... people use it and understand the risks JAR: Why do they give 64-bit URIs if it is not a protection scheme? <masinter> obfuscation is a useful technique. I don't think anything about "protected channels" doesn't really help much JAR: Key word is "trade-offs". Finding should describe trade-offs Noah: Finding says access control should be done orthogonally. I think this is right. <masinter> obfuscation isn't "access control" Noah: We should not be vague about that. <DKA> After just trying to share a Google calendar I can confirm that that seems to be how it works. The URI does not allow automatic access to the calendar. It seems to encode expected access credentials but still requires a credentials check (authentication). JAR: If finding says do not do the Google Calendar case we lose ccredibility. <masinter> [15]https://acrobat.com/#d=Y5W06lRXkILNhbfV1yUjsw [15] https://acrobat.com/#d=Y5W06lRXkILNhbfV1yUjsw Larry: I made a doc, and service creates a URL and anyone who has URL can read document ... not so unreasonable Noah: I'm not conviced there is anything in the finding that's wrong. <noah> Pertinent section of finding: [16]http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecu rity [16] http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecurity <masinter> maybe expand the finding to cover the obfuscated URI being used as weak access control. <noah> A bank establishes a URI assignment policy in which account numbers <noah> are encoded directly in the URI. For example, the URI <noah> [17]http://example.org/customeraccounts/456123 accesses information for [17] http://example.org/customeraccounts/456123 <noah> account number 456123. A malicious worker at an Internet Service <noah> Provider notices these URIs in his traffic logs, and determines the <noah> bank account numbers for his Internet customers. Furthermore, if <noah> access controls are not properly in place, he might be able to guess <noah> the URIs for other accounts, and to attempt to access them. <noah> Good Practice: URI assignment authorities SHOULD NOT put into URIs <noah> metadata that is to be kept confidential. <noah> """ <masinter> Yes, so the use case I gave above would be a violation of the finding. Noah: Says only a little about access control. Larry: The finding is too strong. <noah> Unconvinced JAR: Finding rules out common usecase. Ashok: Noah and JAR disagree on what finding says and should say <jar> https <Zakim> masinter, you wanted to say I would rather findings be couched in terms of making people aware of the consequences, rather than telling them what to do Larry: Try and write findings based on consequences of doing things one way instead of another ... so finding should say use this mechanism if risks a acceptareble ... Some of these exposures are over the long run instead of short run Noah: A similar example is abt GET being safe ... I'm happy we said GET is unsafe <Zakim> Masinter, you wanted to suggest review on public-web-security Noah: Just because it is widespread we should not condone the practice Larry: Need more discussion of public-web-security Noah: I would feel better if we had better framing of the issue <noah> q <Zakim> DKA, you wanted to note that there seem to be a number of use cases here that look similar but are actually different - maybe the WSC group has already enumerated these? DKA: We need a list of usecases and need to categorize them Noah: How is Web Securiry Context connected with public-web-security Larry: JAR could send note to public-web-security and see if we can get discussion started Noah: We should try and get some shared terminology Larry: Next step? JAR: Spell out use cases more clearly? Noah: Some disagreement. Some feel just because it is a commen usecase it should be condoned. JAR: We should say what the finding is about Noah: We have differeing assumptions about what people can put in URIs JAR: Notion of URI is much broader than these public URIs ... URIs used in all sorts of situations. Web is just one use. <masinter> I think the point that putting the secret in the FragID rather than in the main URI itself is interesting. Noah: Way private keys are managed is fundamental to their use JAR: You are saying URIs have a connotation to a public space on the web ... I don't agree with this. <masinter> maybe this is also a justification for Origin vs. Referer? because Origin doesn't include private keys JAR: Noah, this is your opinion <masinter> Use cases & discussions of them would be really great JAR: I'll take an action to drill down on the usecases Noah: Shall we add that to Action-278 and change the due date <noah> ACTION-278: Due 2010-02-04 <trackbot> ACTION-278 Draft changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case notes added Larry: I'm not hesitant to ask the Web Security Group to jump in <masinter> might add the acrobat.com one too while you're at it; let me know if you need more details <noah> AM: I hear Noah and Jonathan disagreeing about how URIs are used? Will doing use cases fix that? <noah> NM: Not sure it will, but it may clarify the context for the discussion. <masinter> Ashok: I think the finding needs to be more nuanced, and that different kinds of security situations will need different advice. Having use cases will help us understanding of the situations and thus what kind of contextual advice to give. Noah: There is no harm in any of us coming up with new text. This could spark useful discussion. ACTION-372: Redrafting of HTML for resource vs. representation <trackbot> ACTION-372 -- Larry Masinter to tell the HTML WG the TAG encourages the direction Roy's headed on resource/representation and endorse his request for more time. -- due 2010-01-20 -- PENDINGREVIEW <trackbot> [18]http://www.w3.org/2001/tag/group/track/actions/372 [18] http://www.w3.org/2001/tag/group/track/actions/372 <noah> Note error in agenda, should have referred to HTML not HTTP <noah> LM: I sent the email. Got a response which might be viewed as to me as HTML WG or to the TAG. Larry: I sent the mail. I got a response. The staus of the issue is - Roy is unavailable to work on this issue <noah> Larry: that's not quite right -- Roy says not available for 4 months, then available. Larry: actually Roy said "not available for 4 months to work on issue" ... not sure it was interpreted as a TAG request ... Noah, please, as chair clarify how we communicate. <scribe> ACTION: Noah to frame discussion about how TAG communicated with WGs [recorded in [19]http://www.w3.org/2001/tag/2010/01/21-minutes#action01] [19] http://www.w3.org/2001/tag/2010/01/21-minutes#action01 <trackbot> Created ACTION-377 - Frame discussion about how TAG communicated with WGs [on Noah Mendelsohn - due 2010-01-28]. Larry: I would like Noah to talk to HTML WG ... Noah: Some WGs communicate with other WGs. The WG votes on this and someone is asked to send the msg. ... the TAG has as part of its charter to help WGs do their work ... in some cases TAG will ask individuals to talk with WGs Larry: I got a response and I don't think the WGs response is in line with what was requested Noah: The process is fine ... we need to decide what to do? ... Larry, what should TAG do? Larry: If we are happy to give on this that's ok with me <masinter> i'm not sure they acknowledged hearing our opinion Dan: I don't understand why Roy cannot do the 2 edits? <masinter> Roy said: "Honestly, unless you can prove to ME that there is a substantial ... <masinter> burden being imposed upon *someone* by reordering the entirely random order that chairs have decided to call for consensus, then it should be obvious that *MY* constraints are more important than whatever you personally think the procedure should be. Otherwise, you are just railroading a particular conclusion. Dan: I can understand if they close this; we might say we don't like it, but unless we have a proposal... <Zakim> masinter, you wanted to note issue in abarth-mime-sniffing <jar> [20]http://www.ietf.org/mail-archive/web/apps-discuss/current/msg012 50.html [20] http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html Larry: John Kemp on authoritative metadata finding cites abarth-mimesniffing. I did a review of this ... go down to "terminology" <noah> Quoting: <noah> TERMINOLOGY "resource" <noah> This document seems to have the same use of "resource" <noah> to talk about what is fetched and not just the source <noah> from which it is fetched, as discussed in HTML-WG <noah> at length: <noah> [21]http://www.w3.org/html/wg/tracker/issues/81 [21] http://www.w3.org/html/wg/tracker/issues/81 <noah> For example <noah> For HTTP resources, only the last Content-Type HTTP header, <noah> if any, contributes any type information; the official type <noah> of the resource is then the value of that header, <noah> interpreted as described by the HTTP specifications. <noah> Right, the phrase "type of the resource" is highly suspect Noah: The continuing non-resolution of issue 81 is haveing deleterious effect on the Web Larry: Roy is arguably the most qualified person on planet to do this <noah> To be clear, I was asking Larry whether the "continuing non-resolution" was his position, and he said "yes". Noah: We could send a note as the TAG saying that we feel it is very important that this gets resolved ... Just say "this remains impt" <masinter> [22]http://lists.w3.org/Archives/Public/public-html/2010Jan/0853.htm l [22] http://lists.w3.org/Archives/Public/public-html/2010Jan/0853.html <masinter> Write clear definitions of all affected terms, possibly in the form of suggested edits to the terminology section, and demonstrate correct usage of the terms by suggesting specific edits to one or two representative sections. Larry: The above is something the TAG could take on. <masinter> The definitions of these terms don't belong in HTML, they belong in Webarch <masinter> Defining the terms of the web architecture seems like a fine job for the TAG, and that there is no other group more authoritative. Noah: This could take up a lot of resources/time Larry: I'm willing to work on it and I would like some help <jar> 799 occurrences of "resource" in Overview.html <masinter> are the terms not already clearly defined in WebArch? <jar> no Noah: You would a great volunteer, Dan! Larry: Deadline is Jan 23 <masinter> [23]http://lists.w3.org/Archives/Public/public-html/2010Jan/0930.htm l [23] http://lists.w3.org/Archives/Public/public-html/2010Jan/0930.html <masinter> "... let the Chairs know if they are interested in drafting a proposal to resolve Issue-81." <DanC> ACTION: Connolly to draft suggested text re resource/representation in HTML 5 for discussion with LMM and JAR [recorded in [24]http://www.w3.org/2001/tag/2010/01/21-minutes#action02] [24] http://www.w3.org/2001/tag/2010/01/21-minutes#action02 <trackbot> Created ACTION-378 - Draft suggested text re resource/representation in HTML 5 for discussion with LMM and JAR [on Dan Connolly - due 2010-01-28]. <masinter> [25]http://www.w3.org/TR/webarch/#id-resources defines "resource" [25] http://www.w3.org/TR/webarch/#id-resources <masinter> [26]http://www.w3.org/TR/webarch/#def-representation defines "representation" [26] http://www.w3.org/TR/webarch/#def-representation Review Pending Actions <noah> [27]http://www.w3.org/2001/tag/group/track/actions/pendingreview [27] http://www.w3.org/2001/tag/group/track/actions/pendingreview <DanC> ACTION-213 due next week <trackbot> ACTION-213 Prepare 21 Jan weekly teleconference agenda due date now next week <DanC> ACTION-213? <trackbot> ACTION-213 -- Noah Mendelsohn to prepare 21 Jan weekly teleconference agenda -- due 2010-01-26 -- PENDINGREVIEW <trackbot> [28]http://www.w3.org/2001/tag/group/track/actions/213 [28] http://www.w3.org/2001/tag/group/track/actions/213 <DKA> I must leave the call now - apologies - Noah please feel free to put me on the scribe rota for a future call except for Feb 18 where I will have to give my regrets. <DanC> action-278? <trackbot> ACTION-278 -- Jonathan Rees to draft changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case -- due 2010-02-04 -- OPEN <trackbot> [29]http://www.w3.org/2001/tag/group/track/actions/278 [29] http://www.w3.org/2001/tag/group/track/actions/278 <masinter> [30]http://www.ietf.org/mail-archive/web/apps-discuss/current/msg012 50.html is linked from ACTION-308 [30] http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html <noah> On ACTION-337, Larry wants to punt. <DanC> ACTION-337: Larry wants to punt. <trackbot> ACTION-337 Prepare material for next phone conf metadata formats/representations notes added <DanC> close action-337 <trackbot> ACTION-337 Prepare material for next phone conf metadata formats/representations closed <DanC> order? is Larry asking for futher discussion of ACTION-367? <DanC> it's done to my satisfaction. <noah> trying to find out <DanC> if there are possible follow-ons, then it should be kept pending review. sigh. <DanC> (no, I don't see a URL for the bug) <masinter> [31]http://www.w3.org/Bugs/Public/show_bug.cgi?id=8220 [31] http://www.w3.org/Bugs/Public/show_bug.cgi?id=8220 <DanC> close ACTION-372 <trackbot> ACTION-372 Tell the HTML WG the TAG encourages the direction Roy's headed on resource/representation and endorse his request for more time. closed <masinter> action-373? <trackbot> ACTION-373 -- Noah Mendelsohn to convey, re language reference, to encourage the path they've indicated; we can't tell if we're satisifed; we'll stay tuned and comment when drafts become available -- due 2010-01-28 -- PENDINGREVIEW <trackbot> [32]http://www.w3.org/2001/tag/group/track/actions/373 [32] http://www.w3.org/2001/tag/group/track/actions/373 <DanC> action-373? <trackbot> ACTION-373 -- Noah Mendelsohn to convey, re language reference, to encourage the path they've indicated; we can't tell if we're satisifed; we'll stay tuned and comment when drafts become available -- due 2010-01-28 -- PENDINGREVIEW <trackbot> [33]http://www.w3.org/2001/tag/group/track/actions/373 [33] http://www.w3.org/2001/tag/group/track/actions/373 <DanC> I'm happy with Maciej's reply. <DanC> i.e. [34]http://lists.w3.org/Archives/Public/www-tag/2010Jan/0031.html [34] http://lists.w3.org/Archives/Public/www-tag/2010Jan/0031.html <DanC> ACTION: Larry to check whether HTML language reference has been published [recorded in [35]http://www.w3.org/2001/tag/2010/01/21-minutes#action03] [35] http://www.w3.org/2001/tag/2010/01/21-minutes#action03 <trackbot> Created ACTION-379 - Check whether HTML language reference has been published [on Larry Masinter - due 2010-01-28]. <DanC> action-379 due in 4 months <trackbot> ACTION-379 Check whether HTML language reference has been published due date now in 4 months <noah> close ACTION-373 <trackbot> ACTION-373 Convey, re language reference, to encourage the path they've indicated; we can't tell if we're satisifed; we'll stay tuned and comment when drafts become available closed <DanC> action-379 due 21 may <trackbot> ACTION-379 Check whether HTML language reference has been published due date now 21 may <noah> Hmm,10 pending non-trivial actions == approx 5 weeks telcon time. <DanC> I note there's a list of docs the HTML WG chairs are considering putting a publication question on, and the language reference isn't one of them. [36]http://lists.w3.org/Archives/Public/public-html-wg-announce/2010 JanMar/0005.html [36] http://lists.w3.org/Archives/Public/public-html-wg-announce/2010JanMar/0005.html Summary of Action Items [NEW] ACTION: Connolly to draft suggested text re resource/representation in HTML 5 for discussion with LMM and JAR [recorded in [37]http://www.w3.org/2001/tag/2010/01/21-minutes#action02] [NEW] ACTION: Larry to check whether HTML language reference has been published [recorded in [38]http://www.w3.org/2001/tag/2010/01/21-minutes#action03] [NEW] ACTION: Noah to frame discussion about how TAG communicated with WGs [recorded in [39]http://www.w3.org/2001/tag/2010/01/21-minutes#action01] [37] http://www.w3.org/2001/tag/2010/01/21-minutes#action02 [38] http://www.w3.org/2001/tag/2010/01/21-minutes#action03 [39] http://www.w3.org/2001/tag/2010/01/21-minutes#action01 [End of minutes] _________________________________________________________ Minutes formatted by David Booth's [40]scribe.perl version 1.133 ([41]CVS log) $Date: 2010/01/22 13:27:39 $ [40] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [41] http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 22 January 2010 19:37:27 UTC