- From: Tyler Close <tyler.close@gmail.com>
- Date: Sat, 23 Jan 2010 02:24:11 -0800
- To: noah_mendelsohn@us.ibm.com
- Cc: www-tag@w3.org
I understand that sometimes meaning is lost in email and especially in meeting transcripts, so I just want to check that I understand the current status of the discussion on ACTION-278.

1. The TAG does not dispute any of the arguments made in my web-key paper <http://waterken.sf.net/web-key>.

2. The TAG understands that unguessable URLs are used for access-control by many of the most popular sites on the Web. For example, this email contains a Google Docs URL [1] for a document I have chosen to make readable by all readers of this mailing list, even those who have never used Google Docs. Had I not so chosen, these readers would not have access and I could have shared access with a smaller group of people, or no one at all.

3. Some members of the TAG believe that an unguessable https URL is a "password in the clear", but that sending someone a URL and a separate password to type into the web page is not a "password in the clear".

4. The TAG is currently sticking to its finding that prohibits use of the web-key technique because Noah Mendelsohn says: "I don't like that". There are no other substantive arguments that I could attempt to refute.

5. The TAG does not dispute my argument that the current finding is self-contradictory.

I'm hoping there is some significant nuance I have missed. If so, please point out which of the above statements is false and exactly why, so that I can engage with that part of the discussion.

--Tyler

[1] https://docs.google.com/Doc?docid=0AYOd4-51pI6HZGc0d2Q3N2RfMGYyZmZ0cGdt&hl=en

On Fri, Jan 22, 2010 at 11:36 AM, <noah_mendelsohn@us.ibm.com> wrote:
> Draft minutes of the TAG teleconference of 21 January are available at [1]
> and in text-only form below. Thanks to scribe Ashok Malhotra for wrapping
> these up at a busy time.
>
> Noah
>
> [1] http://www.w3.org/2001/tag/2010/01/21-minutes.html
>
> --------------------------------------
> Noah Mendelsohn
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
>
> [1]W3C
>
> [1] http://www.w3.org/
>
> - DRAFT -
>
> TAG Weekly Telcon
>
> 21 Jan 2010
>
> See also: [2]IRC log
>
> [2] http://www.w3.org/2010/01/21-tagmem-irc
>
> Attendees
>
> Present
> T_V_Raman, Ashok_Malhotra, Noah_Mendelsohn, Dan_Applequist,
> Larry_Masinter, Jonathan_Rees, Dan_Connolly
>
> Regrets
> TimBL, John_Kemp, Henry_Thompson
>
> Chair
> Noah_Mendelsohn
>
> Scribe
> Ashok
>
> Contents
>
> * [3]Topics
> 1. [4]Opening
> 2. [5]Approval of Minutes 14 January 2009
> 3. [6]ACTION-278: Draft changes to 2.7 of Metadata in URIs to
> cover the "Google Calendar" case
> 4. [7]ACTION-372: Redrafting of HTML for resource vs.
> representation
> 5. [8]Review Pending Actions
> * [9]Summary of Action Items
> _________________________________________________________
>
> <raman> on and muted.
>
> <scribe> scribe: Ashok
>
> <scribe> scribenick: Ashok
>
> <DKA> FYI I will have to leave the call at 19:20 GMT today.
>
> <raman> will need to bail in 25 mins
>
> Opening
>
> Noah: 5 of us present
> ... Regrets from TimBL for 5 weeks or so
> ... There will be a call next week
>
> Approval of Minutes 14 January 2009
>
> RESOLUTION: Minutes of Jan 14 meeting are approved
>
> ACTION-278: Draft changes to 2.7 of Metadata in URIs to cover the
> "Google Calendar" case
>
> Noah explains action
>
> <jar> The finding:
> [10]http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity
>
> [10] http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity
>
> <jar> ACTION-278?
>
> <trackbot> ACTION-278 -- Jonathan Rees to draft changes to 2.7 of
> Metadata in URIs to cover the "Google Calendar" case -- due
> 2010-01-20 -- PENDINGREVIEW
>
> <trackbot> [11]http://www.w3.org/2001/tag/group/track/actions/278
>
> [11] http://www.w3.org/2001/tag/group/track/actions/278
>
> <noah> Jonathan's email:
> [12]http://lists.w3.org/Archives/Public/www-tag/2009Dec/0121.html
>
> [12] http://lists.w3.org/Archives/Public/www-tag/2009Dec/0121.html
>
> Jar: This is a draft not a proposal
> ... came out of our discussion of capabilities
>
> <noah> Could you say a bit more about the Google Calendar use case
> in particular? What are they doing?
>
> Jar: URIs to carry secrets are used all over the web. Finding should
> talk about this
> ... Scope of finding is not limited to public URIs
> ... There is a web interface and you can say "share this
> calendar"... it mints a URI and says send this URI to your friend
> ... If you send URI to friend and he clicks on it, the calendars are
> shared
>
> Noah: Does it carry authority as well as allow sharing?
>
> <noah> Crucial case is that the URI carries not just the
> identification, but also the authorization.
>
> JAR: Yes, carries authority
>
> <noah> Speaking for myself, I don't like that, and don't want to
> encourage it.
>
> <masinter> "click here to unsubscribe" also
>
> <noah> I think AWWW is right to make identity and authorization
> orthogonal
>
> JAR: Tyler Close says this is used and it is good
>
> <DKA> Is it a one-time use URI?
>
> JAR: the person getting URI could publish it and then everyone has
> access
>
> <noah> DKA, I don't think so. Sounds like you can explicitly kill
> it.
>
> JAR: but capability can be retracted
>
> <jar> Google docs is another example
>
> DKA: Is this a one time use? It is a pattern they use.
>
> <noah> One time use seems break GET/safe
>
> JAR: For calendar it is one time use
> ... in Google docs you can send to many people
>
> Raman: URL works only if you are in the ACL for document
> ... you can manage access control
>
> <masinter> Adobe Buzzword (acrobat.com) has similar options: "open
> to anyone who has the URL" is an access control option
>
> Noah: Is this also true of Calendar?
>
> Raman: Calendar has different model. Events have URLs
> ... if private no one can see it
> ... there is a single sign-in mechanism
> ... access to URL does not give access
>
> <jar> code.google.com/apis
>
> Noah: Crucial question: Should a URI ever give access control?
>
> <masinter> "Allow anyone with a link to view this document" is an
> access control option that the user can set
>
> <Zakim> Noah, you wanted to question the appropriateness of the use
> case
>
> Noah: or is just an identifier
>
> <raman> Calendar API:[13]http://code.google.com/apis/calendar/
>
> [13] http://code.google.com/apis/calendar/
>
> <raman> All Google APIs: [14]http://code.google.com/apis/
>
> [14] http://code.google.com/apis/
>
> Larry: I can create a doc from acrobat.com and I can create a doc
> and share it
> ... describes sharing options
>
> <noah> I think the question is: how much do you bend what you would
> otherwise do with Web architecture to enable Larry's case, which he
> acknowledges as "weak"
>
> <Zakim> Masinter, you wanted to propose drafting a document and
> getting review of it in the security community
>
> <Zakim> Noah, you wanted to say, I take Larry's point
>
> Noah: Seems like passwords in clear discussion
> ... it's a weak security mechanism. URIs are widely shared. Not like
> private key.
>
> <masinter> +1 that this is like password in the clear
>
> Noah: but people use it because it's convenient
> ... people use it and understand the risks
>
> JAR: Why do they give 64-bit URIs if it is not a protection scheme?
>
> <masinter> obfuscation is a useful technique. I don't think anything
> about "protected channels" doesn't really help much
>
> JAR: Key word is "trade-offs". Finding should describe trade-offs
>
> Noah: Finding says access control should be done orthogonally. I
> think this is right.
>
> <masinter> obfuscation isn't "access control"
>
> Noah: We should not be vague about that.
>
> <DKA> After just trying to share a Google calendar I can confirm
> that that seems to be how it works. The URI does not allow automatic
> access to the calendar. It seems to encode expected access
> credentials but still requires a credentials check (authentication).
>
> JAR: If finding says do not do the Google Calendar case we lose
> credibility.
>
> <masinter> [15]https://acrobat.com/#d=Y5W06lRXkILNhbfV1yUjsw
>
> [15] https://acrobat.com/#d=Y5W06lRXkILNhbfV1yUjsw
>
> Larry: I made a doc, and service creates a URL and anyone who has
> URL can read document
> ... not so unreasonable
>
> Noah: I'm not convinced there is anything in the finding that's
> wrong.
>
> <noah> Pertinent section of finding:
> [16]http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecurity
>
> [16] http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecurity
>
> <masinter> maybe expand the finding to cover the obfuscated URI
> being used as weak access control.
>
> <noah> A bank establishes a URI assignment policy in which account
> numbers
>
> <noah> are encoded directly in the URI. For example, the URI
>
> <noah> [17]http://example.org/customeraccounts/456123 accesses
> information for
>
> [17] http://example.org/customeraccounts/456123
>
> <noah> account number 456123. A malicious worker at an Internet
> Service
>
> <noah> Provider notices these URIs in his traffic logs, and
> determines the
>
> <noah> bank account numbers for his Internet customers. Furthermore,
> if
>
> <noah> access controls are not properly in place, he might be able
> to guess
>
> <noah> the URIs for other accounts, and to attempt to access them.
>
> <noah> Good Practice: URI assignment authorities SHOULD NOT put into
> URIs
>
> <noah> metadata that is to be kept confidential.
>
> <noah> """
>
> <masinter> Yes, so the use case I gave above would be a violation of
> the finding.
>
> Noah: Says only a little about access control.
>
> Larry: The finding is too strong.
>
> <noah> Unconvinced
>
> JAR: Finding rules out common usecase.
>
> Ashok: Noah and JAR disagree on what finding says and should say
>
> <jar> https
>
> <Zakim> masinter, you wanted to say I would rather findings be
> couched in terms of making people aware of the consequences, rather
> than telling them what to do
>
> Larry: Try and write findings based on consequences of doing things
> one way instead of another
> ... so finding should say use this mechanism if risks are acceptable
> ... Some of these exposures are over the long run instead of short
> run
>
> Noah: A similar example is abt GET being safe
> ... I'm happy we said GET is unsafe
>
> <Zakim> Masinter, you wanted to suggest review on
> public-web-security
>
> Noah: Just because it is widespread we should not condone the
> practice
>
> Larry: Need more discussion of public-web-security
>
> Noah: I would feel better if we had better framing of the issue
>
> <noah> q
>
> <Zakim> DKA, you wanted to note that there seem to be a number of
> use cases here that look similar but are actually different - maybe
> the WSC group has already enumerated these?
>
> DKA: We need a list of usecases and need to categorize them
>
> Noah: How is Web Security Context connected with public-web-security
>
> Larry: JAR could send note to public-web-security and see if we can
> get discussion started
>
> Noah: We should try and get some shared terminology
>
> Larry: Next step?
>
> JAR: Spell out use cases more clearly?
>
> Noah: Some disagreement. Some feel just because it is a common
> usecase it should be condoned.
>
> JAR: We should say what the finding is about
>
> Noah: We have differing assumptions about what people can put in
> URIs
>
> JAR: Notion of URI is much broader than these public URIs
> ... URIs used in all sorts of situations. Web is just one use.
>
> <masinter> I think the point that putting the secret in the FragID
> rather than in the main URI itself is interesting.
>
> Noah: Way private keys are managed is fundamental to their use
>
> JAR: You are saying URIs have a connotation to a public space on the
> web
> ... I don't agree with this.
>
> <masinter> maybe this is also a justification for Origin vs.
> Referer? because Origin doesn't include private keys
>
> JAR: Noah, this is your opinion
>
> <masinter> Use cases & discussions of them would be really great
>
> JAR: I'll take an action to drill down on the usecases
>
> Noah: Shall we add that to Action-278 and change the due date
>
> <noah> ACTION-278: Due 2010-02-04
>
> <trackbot> ACTION-278 Draft changes to 2.7 of Metadata in URIs to
> cover the "Google Calendar" case notes added
>
> Larry: I'm not hesitant to ask the Web Security Group to jump in
>
> <masinter> might add the acrobat.com one too while you're at it; let
> me know if you need more details
>
> <noah> AM: I hear Noah and Jonathan disagreeing about how URIs are
> used? Will doing use cases fix that?
>
> <noah> NM: Not sure it will, but it may clarify the context for the
> discussion.
>
> <masinter> Ashok: I think the finding needs to be more nuanced, and
> that different kinds of security situations will need different
> advice. Having use cases will help us understanding of the
> situations and thus what kind of contextual advice to give.
>
> Noah: There is no harm in any of us coming up with new text. This
> could spark useful discussion.
>
> ACTION-372: Redrafting of HTML for resource vs. representation
>
> <trackbot> ACTION-372 -- Larry Masinter to tell the HTML WG the TAG
> encourages the direction Roy's headed on resource/representation and
> endorse his request for more time. -- due 2010-01-20 --
> PENDINGREVIEW
>
> <trackbot> [18]http://www.w3.org/2001/tag/group/track/actions/372
>
> [18] http://www.w3.org/2001/tag/group/track/actions/372
>
> <noah> Note error in agenda, should have referred to HTML not HTTP
>
> <noah> LM: I sent the email. Got a response which might be viewed as
> to me as HTML WG or to the TAG.
>
> Larry: I sent the mail. I got a response. The status of the issue is
> - Roy is unavailable to work on this issue
>
> <noah> Larry: that's not quite right -- Roy says not available for 4
> months, then available.
>
> Larry: actually Roy said "not available for 4 months to work on
> issue"
> ... not sure it was interpreted as a TAG request
> ... Noah, please, as chair clarify how we communicate.
>
> <scribe> ACTION: Noah to frame discussion about how TAG communicated
> with WGs [recorded in
> [19]http://www.w3.org/2001/tag/2010/01/21-minutes#action01]
>
> [19] http://www.w3.org/2001/tag/2010/01/21-minutes#action01
>
> <trackbot> Created ACTION-377 - Frame discussion about how TAG
> communicated with WGs [on Noah Mendelsohn - due 2010-01-28].
>
> Larry: I would like Noah to talk to HTML WG ...
>
> Noah: Some WGs communicate with other WGs. The WG votes on this and
> someone is asked to send the msg.
> ... the TAG has as part of its charter to help WGs do their work
> ... in some cases TAG will ask individuals to talk with WGs
>
> Larry: I got a response and I don't think the WGs response is in
> line with what was requested
>
> Noah: The process is fine ... we need to decide what to do?
> ... Larry, what should TAG do?
>
> Larry: If we are happy to give on this that's ok with me
>
> <masinter> i'm not sure they acknowledged hearing our opinion
>
> Dan: I don't understand why Roy cannot do the 2 edits?
>
> <masinter> Roy said: "Honestly, unless you can prove to ME that
> there is a substantial ...
>
> <masinter> burden being imposed upon *someone* by reordering the
> entirely random order that chairs have decided to call for
> consensus, then it should be obvious that *MY* constraints are more
> important than whatever you personally think the procedure should
> be. Otherwise, you are just railroading a particular conclusion.
>
> Dan: I can understand if they close this; we might say we don't like
> it, but unless we have a proposal...
>
> <Zakim> masinter, you wanted to note issue in abarth-mime-sniffing
>
> <jar> [20]http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html
>
> [20] http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html
>
> Larry: John Kemp on authoritative metadata finding cites
> abarth-mimesniffing. I did a review of this
> ... go down to "terminology"
>
> <noah> Quoting:
>
> <noah> TERMINOLOGY "resource"
>
> <noah> This document seems to have the same use of "resource"
>
> <noah> to talk about what is fetched and not just the source
>
> <noah> from which it is fetched, as discussed in HTML-WG
>
> <noah> at length:
>
> <noah> [21]http://www.w3.org/html/wg/tracker/issues/81
>
> [21] http://www.w3.org/html/wg/tracker/issues/81
>
> <noah> For example
>
> <noah> For HTTP resources, only the last Content-Type HTTP header,
>
> <noah> if any, contributes any type information; the official type
>
> <noah> of the resource is then the value of that header,
>
> <noah> interpreted as described by the HTTP specifications.
>
> <noah> Right, the phrase "type of the resource" is highly suspect
>
> Noah: The continuing non-resolution of issue 81 is having
> deleterious effect on the Web
>
> Larry: Roy is arguably the most qualified person on planet to do
> this
>
> <noah> To be clear, I was asking Larry whether the "continuing
> non-resolution" was his position, and he said "yes".
>
> Noah: We could send a note as the TAG saying that we feel it is very
> important that this gets resolved
> ... Just say "this remains impt"
>
> <masinter> [22]http://lists.w3.org/Archives/Public/public-html/2010Jan/0853.html
>
> [22] http://lists.w3.org/Archives/Public/public-html/2010Jan/0853.html
>
> <masinter> Write clear definitions of all affected terms, possibly
> in the form of suggested edits to the terminology section, and
> demonstrate correct usage of the terms by suggesting specific edits
> to one or two representative sections.
>
> Larry: The above is something the TAG could take on.
>
> <masinter> The definitions of these terms don't belong in HTML, they
> belong in Webarch
>
> <masinter> Defining the terms of the web architecture seems like a
> fine job for the TAG, and that there is no other group more
> authoritative.
>
> Noah: This could take up a lot of resources/time
>
> Larry: I'm willing to work on it and I would like some help
>
> <jar> 799 occurrences of "resource" in Overview.html
>
> <masinter> are the terms not already clearly defined in WebArch?
>
> <jar> no
>
> Noah: You would be a great volunteer, Dan!
>
> Larry: Deadline is Jan 23
>
> <masinter> [23]http://lists.w3.org/Archives/Public/public-html/2010Jan/0930.html
>
> [23] http://lists.w3.org/Archives/Public/public-html/2010Jan/0930.html
>
> <masinter> "... let the Chairs know if they are interested in
> drafting a proposal to resolve Issue-81."
>
> <DanC> ACTION: Connolly to draft suggested text re
> resource/representation in HTML 5 for discussion with LMM and JAR
> [recorded in
> [24]http://www.w3.org/2001/tag/2010/01/21-minutes#action02]
>
> [24] http://www.w3.org/2001/tag/2010/01/21-minutes#action02
>
> <trackbot> Created ACTION-378 - Draft suggested text re
> resource/representation in HTML 5 for discussion with LMM and JAR
> [on Dan Connolly - due 2010-01-28].
>
> <masinter> [25]http://www.w3.org/TR/webarch/#id-resources defines
> "resource"
>
> [25] http://www.w3.org/TR/webarch/#id-resources
>
> <masinter> [26]http://www.w3.org/TR/webarch/#def-representation
> defines "representation"
>
> [26] http://www.w3.org/TR/webarch/#def-representation
>
> Review Pending Actions
>
> <noah> [27]http://www.w3.org/2001/tag/group/track/actions/pendingreview
>
> [27] http://www.w3.org/2001/tag/group/track/actions/pendingreview
>
> <DanC> ACTION-213 due next week
>
> <trackbot> ACTION-213 Prepare 21 Jan weekly teleconference agenda
> due date now next week
>
> <DanC> ACTION-213?
>
> <trackbot> ACTION-213 -- Noah Mendelsohn to prepare 21 Jan weekly
> teleconference agenda -- due 2010-01-26 -- PENDINGREVIEW
>
> <trackbot> [28]http://www.w3.org/2001/tag/group/track/actions/213
>
> [28] http://www.w3.org/2001/tag/group/track/actions/213
>
> <DKA> I must leave the call now - apologies - Noah please feel free
> to put me on the scribe rota for a future call except for Feb 18
> where I will have to give my regrets.
>
> <DanC> action-278?
>
> <trackbot> ACTION-278 -- Jonathan Rees to draft changes to 2.7 of
> Metadata in URIs to cover the "Google Calendar" case -- due
> 2010-02-04 -- OPEN
>
> <trackbot> [29]http://www.w3.org/2001/tag/group/track/actions/278
>
> [29] http://www.w3.org/2001/tag/group/track/actions/278
>
> <masinter> [30]http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html
> is linked from ACTION-308
>
> [30] http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01250.html
>
> <noah> On ACTION-337, Larry wants to punt.
>
> <DanC> ACTION-337: Larry wants to punt.
>
> <trackbot> ACTION-337 Prepare material for next phone conf metadata
> formats/representations notes added
>
> <DanC> close action-337
>
> <trackbot> ACTION-337 Prepare material for next phone conf metadata
> formats/representations closed
>
> <DanC> order? is Larry asking for further discussion of ACTION-367?
>
> <DanC> it's done to my satisfaction.
>
> <noah> trying to find out
>
> <DanC> if there are possible follow-ons, then it should be kept
> pending review. sigh.
>
> <DanC> (no, I don't see a URL for the bug)
>
> <masinter> [31]http://www.w3.org/Bugs/Public/show_bug.cgi?id=8220
>
> [31] http://www.w3.org/Bugs/Public/show_bug.cgi?id=8220
>
> <DanC> close ACTION-372
>
> <trackbot> ACTION-372 Tell the HTML WG the TAG encourages the
> direction Roy's headed on resource/representation and endorse his
> request for more time. closed
>
> <masinter> action-373?
>
> <trackbot> ACTION-373 -- Noah Mendelsohn to convey, re language
> reference, to encourage the path they've indicated; we can't tell if
> we're satisfied; we'll stay tuned and comment when drafts become
> available -- due 2010-01-28 -- PENDINGREVIEW
>
> <trackbot> [32]http://www.w3.org/2001/tag/group/track/actions/373
>
> [32] http://www.w3.org/2001/tag/group/track/actions/373
>
> <DanC> action-373?
>
> <trackbot> ACTION-373 -- Noah Mendelsohn to convey, re language
> reference, to encourage the path they've indicated; we can't tell if
> we're satisfied; we'll stay tuned and comment when drafts become
> available -- due 2010-01-28 -- PENDINGREVIEW
>
> <trackbot> [33]http://www.w3.org/2001/tag/group/track/actions/373
>
> [33] http://www.w3.org/2001/tag/group/track/actions/373
>
> <DanC> I'm happy with Maciej's reply.
>
> <DanC> i.e.
> [34]http://lists.w3.org/Archives/Public/www-tag/2010Jan/0031.html
>
> [34] http://lists.w3.org/Archives/Public/www-tag/2010Jan/0031.html
>
> <DanC> ACTION: Larry to check whether HTML language reference has
> been published [recorded in
> [35]http://www.w3.org/2001/tag/2010/01/21-minutes#action03]
>
> [35] http://www.w3.org/2001/tag/2010/01/21-minutes#action03
>
> <trackbot> Created ACTION-379 - Check whether HTML language
> reference has been published [on Larry Masinter - due 2010-01-28].
>
> <DanC> action-379 due in 4 months
>
> <trackbot> ACTION-379 Check whether HTML language reference has been
> published due date now in 4 months
>
> <noah> close ACTION-373
>
> <trackbot> ACTION-373 Convey, re language reference, to encourage
> the path they've indicated; we can't tell if we're satisfied; we'll
> stay tuned and comment when drafts become available closed
>
> <DanC> action-379 due 21 may
>
> <trackbot> ACTION-379 Check whether HTML language reference has been
> published due date now 21 may
>
> <noah> Hmm,10 pending non-trivial actions == approx 5 weeks telcon
> time.
>
> <DanC> I note there's a list of docs the HTML WG chairs are
> considering putting a publication question on, and the language
> reference isn't one of them.
> [36]http://lists.w3.org/Archives/Public/public-html-wg-announce/2010JanMar/0005.html
>
> [36] http://lists.w3.org/Archives/Public/public-html-wg-announce/2010JanMar/0005.html
>
> Summary of Action Items
>
> [NEW] ACTION: Connolly to draft suggested text re
> resource/representation in HTML 5 for discussion with LMM and JAR
> [recorded in
> [37]http://www.w3.org/2001/tag/2010/01/21-minutes#action02]
> [NEW] ACTION: Larry to check whether HTML language reference has
> been published [recorded in
> [38]http://www.w3.org/2001/tag/2010/01/21-minutes#action03]
> [NEW] ACTION: Noah to frame discussion about how TAG communicated
> with WGs [recorded in
> [39]http://www.w3.org/2001/tag/2010/01/21-minutes#action01]
>
> [37] http://www.w3.org/2001/tag/2010/01/21-minutes#action02
> [38] http://www.w3.org/2001/tag/2010/01/21-minutes#action03
> [39] http://www.w3.org/2001/tag/2010/01/21-minutes#action01
>
> [End of minutes]
> _________________________________________________________
>
> Minutes formatted by David Booth's [40]scribe.perl version 1.133
> ([41]CVS log)
> $Date: 2010/01/22 13:27:39 $
>
> [40] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
> [41] http://dev.w3.org/cvsweb/2002/scribe/
>

--
"Waterken News: Capability security on the Web" http://waterken.sourceforge.net/recent.html
Received on Saturday, 23 January 2010 10:24:49 UTC