W3C home > Mailing lists > Public > www-tag@w3.org > January 2010

Re: Draft minutes of TAG teleconference of 21 January 2010

From: Jonathan Rees <jar@creativecommons.org>
Date: Sat, 23 Jan 2010 10:55:09 -0500
Message-ID: <760bcb2a1001230755i6cc50080p1c561db5f88ddf22@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: noah_mendelsohn@us.ibm.com, www-tag@w3.org
On Sat, Jan 23, 2010 at 5:24 AM, Tyler Close <tyler.close@gmail.com> wrote:
> I understand that sometimes meaning is lost in email and especially in
> meeting transcripts, so I just want to check that I understand the
> current status of the discussion on ACTION-278.
> 1. The TAG does not dispute any of the arguments made in my web-key
> paper <http://waterken.sf.net/web-key>.

"The TAG" is a bunch of people and as a group they have formed no
consensus. But from Thursday's discussion it seems quite clear that
Noah disagrees with your paper. Whatever the benefits of web-keys, he
doesn't think URIs should *ever* require protection or carry
authority, and given where he starts I'm not sure how your paper could
have much effect.

I think part of the problem is that "sharing" in web architecture
means "sharing with everyone" rather than the more general web-key
notion of "sharing with those who you want to share with". The TAG
findings seem to take an all-or-nothing view to sharing, putting
access control basically outside of the purview of web architecture,
even though it has a very simple solution within it. The roots of this
position are historical (the web was created as a global information
space), political (let's not make it too easy to create secret things
that "divide the web"), and technical (access control is complicated
and if we worried about it the architecture would topple under its own
weight). This is an awful lot of baggage to try to put aside all at

> 2. The TAG understands that unguessable URLs are used for
> access-control by many of the most popular sites on the Web. For
> example, this email contains a Google Docs URL [1] for a document I
> have chosen to make readable by all readers of this mailing list, even
> those who have never used Google Docs. Had I not so chosen, these
> readers would not have access and I could have shared access with a
> smaller group of people, or no one at all.

Noah said that he didn't find popularity to be convincing, so this is
irrelevant to him.

> 3. Some members of the TAG believe that an unguessable https URL is a
> "password in the clear", but that sending someone a URL and a separate
> password to type into the web page is not a "password in the clear".
> 4. The TAG is currently sticking to its finding that prohibits use of
> the web-key technique because Noah Mendelsohn says: "I don't like
> that". There are no other substantive arguments that I could attempt
> to refute.

"The TAG" is just a bunch of people. "Sticking" sounds like an active
thing, but all we have is "has not yet resolved to fix a previous
TAG's consensus statement on the matter" which doesn't imply consensus
in the current group that UMU is OK as it stands. It's very difficult
to get any group to make any kind of consensus statement, especially
when the group contains views as different as the ones Noah and I hold
on this subject.

> 5. The TAG does not dispute my argument that the current finding is
> self-contradictory.

Again, better not to say "The TAG"...

If I can paraphrase Noah's argument, he asserts that URIs, simply by
virtue of being URIs, are so likely to be made public that they
shouldn't ever hold bits that need to be protected. If something needs
to be kept private it shouldn't be in a URI. Somehow the password by
virtue of being called a password is going to be protected, while the
URI by virtue of being called a URI is going to be exposed.

I don't agree with this; like you I think using URIs to designate is a
good idea. While creating public good and "network effects" is a good
thing, and the architecture should strive to make it easy to create
public benefit, the public aspects of web architecture are not the
only important ones - otherwise we wouldn't have https: and access
control at all.

I'm at a bit of a loss how to put the argument on a rational footing.
One attempt to follow in subsequent email.


> I'm hoping there is some significant nuance I have missed. If so,
> please point out which of the above statements is false and exactly
> why, so that I can engage with that part of the discussion.
> --Tyler
> [1] https://docs.google.com/Doc?docid=0AYOd4-51pI6HZGc0d2Q3N2RfMGYyZmZ0cGdt&hl=en
Received on Saturday, 23 January 2010 15:55:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:32 UTC