- From: Noah Mendelsohn <nrm@arcanedomain.com>
- Date: Fri, 20 Apr 2012 16:14:27 -0400
- To: "www-tag@w3.org" <www-tag@w3.org>
- CC: Dominique Hazael-Massieux <dom@w3.org>, Chris Lilley <chris@w3.org>, Dan Appelquist <dan@bluevia.com>
Draft minutes of the TAG F2F of 2-4 April 2012 are now ready for review at [1] and in text-only form below. TAG members: please review these during the next few days, and correct as necessary, so we can take a formal vote to approve them on Thursday. Thank you. Noah [1] http://www.w3.org/2001/tag/2012/04/02-agenda ============2 April 2012 ============= [1]W3C [1] http://www.w3.org/ - DRAFT - Technical Architecture Group Teleconference 02 Apr 2012 [2]Agenda [2] http://www.w3.org/2001/tag/2012/04/02-agenda See also: [3]IRC log [3] http://www.w3.org/2012/04/02-tagmem-irc Attendees Present Ashok_Malhotra, Dan_Appelquist, Jeni_Tennison, Larry_Masinter, Noah_Mendelsohn, Robin_Berjon, Tim_Berners-Lee, Yves_Lafon, Henry_Thompson, Jonathan_Rees Regrets Chair Noah Mendelsohn Scribe Larry Contents * [4]Topics 1. [5]Convene 2. [6]httpRange14 - URI Documentation Discovery 3. [7]part 1, use cases 4. [8]Report on Paris IETF Meeting 5. [9]Can publication of hyperlinks constitute copyright infringment? 6. [10]Web Applications: Privacy by Design in APIs for Web Applications * [11]Summary of Action Items __________________________________________________________ <trackbot> Date: 02 April 2012 <noah> [12]http://www.w3.org/2001/tag/2012/04/02-agenda [12] http://www.w3.org/2001/tag/2012/04/02-agenda Convene noah: agenda review ... couple of logistical announcements ... DanA will be joining us after lunch <scribe> scribe: Larry <scribe> scribenick: Larry noah: (reviewing agenda, visitor schedules) httpRange14 - URI Documentation Discovery [13]http://www.w3.org/2001/tag/2012/04/02-agenda#httpRange14 [13] http://www.w3.org/2001/tag/2012/04/02-agenda#httpRange14 <scribe> chair: henry ht: I'll have a go at chairing, see how that goes ... plan: 45 minutes, trying to get a state of play review, want to hear what jar thinks we need to know. then spend 11-12 slot seeing if we can identify a way forward ... my inclination is to not try to get to the resolution right away jar: Jeni and I spent two hours yesterday talking about the plan for this session, and came up with an outline for a sequence of events ... roughly 5 parts (maybe 6) ... part 1: use cases, of which there are 2-3 ... part 2: two architectures ... part 3: categorization of approaches ... part 4: visualizing the two roads to go down.... "what would it be like to go in that direction" ... part 5: criteria for making decision ... part 6: actually making a decision part 1, use cases jar: RDF spec from 1997, section 5, Examples ... http:/www.w3.org/TR/WD-rdf-syntax-971002/ ... "RDF is a foundation for processing metadadta" ... this is the first of 2.5 use cases. What's going on here is you're making a database about bibliographic information, using sparkle or some other results ... RDF was motivated by PICS whichc was about rating, before powder ht: (want a sense of how jonathan is using the terminology) jar: this is the way i see this use case, as formulated, which i translated into a form that makes sense now ... "If I do a get, I will get something which has the properties) ... second use case: [14]http://www.w3.org/TR/WD-rdf-syntax-971002/ [14] http://www.w3.org/TR/WD-rdf-syntax-971002/ <noah> I'm very surprised the assertion in the example is claimed to be about the representation. I had assumed the assertions were about the resource. e.g. If the assertion is "created-on-date", then I assume that's the resource, not the representation that was created. If I really need to talk about representations, then I should find a way to get URI for the (various) representation(s) jar points to <?namespace href="[15]http://docs.r.us.com/bibliography-info" as="bib"?> [15] http://docs.r.us.com/bibliography-info <?namespace href="[16]http://www.w3.org/schemas/rdf-schema" as="RDF"?> [16] http://www.w3.org/schemas/rdf-schema <RDF:serialization> <RDF:assertions href="[17]http://www.bar.com/some.doc"> [17] http://www.bar.com/some.doc <bib:author href="#John_Smith"/> </RDF:assertions> </RDF:serialization> <RDF:resource id="John_Smith"> <bib:name>John Smith</bib:name> <bib:email>john@smith.com</bib:email> <bib:phone>+1 (555) 123-4567</bib:phone> </RDF:resource> jar: the RDF:resource id="John_Smith" in the second use, is really about the person ... "URI-based structured data" ... expand on this: netflix use case, we have actors, films, separate files in some format, in each entity, there might be some application ... 3rd case is one i will talk about an demand, the use of a URL from Amazon to talk about a book ht: press on ... jar: I've been trying not to make this RDF specific ... About "two architectures": where we are now, for whatever we are, people are wanting to use hashless URIs for both use cases ... the relationship between the retrieval results ... that's my analysis ...? "the other one is description. The content you get back is different ..." ... I'm saying a fact about the two ways these fragments are meant to be used ... in the one case, the URIs are being used as forming a document web. In the other case, the content you get back is more of a "REST"... ... Tim's vision and Roy's vision are different ht: please be more specific jar: Roy's latest formulation is "the representation is a record of the state of the resource" noah: if a "hashless http refers to me" ? jar: in Tim's version, people don't have hashless URIs? <ht> "Relationship between the representation and the resource is arbitrary and application-dependent" Roy Fielding, as channelled by Jonathan Rees jar: "If we need to" ... i think it might be useful to go over the three definitions of the word 'representation' <ht> "The way I interpret Roy, a server could validly return a JPG image of [Noah] with a 200 in return for a GET of a URI alleged to identify Noah" <ht> [Above quote from JAR, I think] larry: *munch* (eating another spoon) ... I think "alleged" is a problem jar: I've found 15-20 definitions of 'representation', 3 of which are interesting ... Rep #1: TBL, 2616? email, the word representation, comes from content negotiation, "Encoding-format-desensitized methods and means for interchanging electronic document appearances." Patent no., 5,210,824, 1993 May 11 (filed Mar., 1989). (JAR reviews matrix on board) jar: Rep #2: REST, by Roy fielding, in thesis, 3 publications, and in HTTPbis ... the type of indentified resource is unconstrained ... this is similar to ordinary language use of the word 'representation', "is a picture of noah a representation of noah, yes". Is a picture of jonathan a representation of jonathan ... "Definition of Reputation #3" by 'fiat' -- if the URI identifies something and you do a GET and you get some bits, then by definition, the represenation of the resource ... Yves is correct that Roy is working to correct the terminology to be consistent with Rep #2 <JeniT> Definition in HTTPbis: [18]http://tools.ietf.org/html/draft-ietf-httpbis-p3-payload-19 #section-4 [18] http://tools.ietf.org/html/draft-ietf-httpbis-p3-payload-19#section-4 <JeniT> "A resource representation is information that reflects the state of that resource, as observed at some point in the past (e.g., in a response to GET) or to be desired at some point in the future (e.g., in a PUT request)." jar: does "Information Resource" belong here. I don't understand, in roy's view, ways that we should not use the term "Information Resource" in this discussion <Zakim> noah, you wanted to ask about assertions about resources vs. assertions about representations noah: let's say the triple says "was created on" ... and it's my thesis, does the assertion apply to the representation or the resource jar: my theory of resources in sense 1 ... if you say "if you do a get, you'll come up with something that satisfies the metadata" ... it is my belief that there is an operational behavior ... the operational behavior is predictive <Zakim> Larry, you wanted to note that I think representation vs. resource is irrlevant <noah> ScribeNick: noah Larry: I am interested in a view where the distinction between representation is not interesting, therefore the definitions of the terms are unimportant. We don't need the words. jar: Right, we just need to talk about the relationship between the two. Larry: No, we don't want to use the words at all, therefore there's no issue of the relationship. ... I think it's possible to not talk about resources, representations, HTTP status codes, or what happens when you do a GET. I like that story. jar: Everything I'm talking about is empirical. I'm talking about these two framings, and related them to the use cases. Larry: I don't think the use cases are different. jar: Consider the Flickr use case: you have two things... a description, and what it describes...and they have different properties. Thus, you NEED to say which one you're talking about. Larry: No you don't. timbl: Why not. Larry: We're having a conversation. In the old days, using English or French. You had languages you both understood, with dictionaries like OED to refer to. ... We communicate because we use the same language, not the same dictionary. ... Then we invented the Web, on which we can not only exchange text, we can annotate text, and hyperlink it. We can now say this Moby Dick was written by Melville, and can hyperlink, and can give representaitons e.g. in different natural languages. <ht> "This book I read, it's called 'Moby Dick', it was written by Hermann Melville, it has a green cover" LM Larry: Then we can reference things like Wikipedia we kind of understand how to share and retrieve. ... But then we wanted more...to make it more formal with triples... e.g. to formally say things about a book, using URIs to make formal the objects being discussed, who wrote it, etc. ... That is more precise, yet ambiguity remains. Maybe you can't tell if I'm talking about the book or the Web page about the book. ... Maybe the triples weren't good enough, in not allowing us to distinguish things we care about. jar: In 1998, it was very clear in the RDF draft (some mumbling in the room as to whether everyone agrees) Larry: We invented RDF, rev'd it, and still have ambiguities, some of which make us uncomfortable. That's just the way it is. We can't, in my view, retrofit now. We have to live with the ambiguities. Specifically, we can't do it by now more precisely stating what a URI means. ht: Jumping in...Jonathan has said repeatedly that 1998 draft was clear, but I don't think it addresses Larry's concern. I think the example in the spec is clear. <Larry> we can't retrofit the definition of what a URI means in order to fix this possible ambiguity in RDF. ht: It's unclear whether the example in the 1998 draft is about Moby Dick or the Web page about MD Larry: Even if you think RDF has got metadata...the library of congress has Abraham Lincoln's glasses, the glasses themselves, in the catalog. jar: The description is in the catalog. Larry: Right, but the catalog entry is for the actual glasses. <Larry> ScribeNick: Larry jar: the RDF draft itself does not resolve this question, in that sense that Larry is right. It is my belief that certain people had this view #1 in mind, that if you do a GET you will get something that has the property ... one example is "automatic mashups", you do a query of documents... and you produce something that has one paragraph from each document ... second example: text mining, what do you point your database on? ht: i think you're right, they wanted (Guha and Tim Bray) to give web docs metadata <Zakim> timbl, you wanted to say that JAR's way of defining 'content of' is very good and to timbl: You (LM) said RDF had an ambiguity; there is no ambiguity, the triples aren't ambiguous ... RDF constrained the ways in which .... <JeniT> ScribeNick: JeniT timbl: RDF was completely clear: under my view, it's clear what the URIs refer to ... which is documents ... This constrained how you could use URIs, but it is not ambiguous <timbl> The RDF system had no inhereent ambiguity om the trips. It did decide to use URIs and HTTP, and in designing them into the system, it constrained them, so URIs adn HTTP were interpreted in a more cconstrined manner which produced a very nice very clean system, whcih was very useful. But it involved imiteing the way one talks about URIs and HTTP <timbl> compared to what was in REST. jar: there are applications where you need to know whether the bits are content rather than description ... for example, showing the first paragraph of all the documents that can be found ... and it needs to make sure that the paragraphs are content from the documents, not from descriptions of the documents ht: if I want the train schedule, to display the numbers, you have to pay attention to the response code... ... if it comes back as 404 then you know you don't want to display those numbers ... you need to know whether the bits are the document or about the document jar: you need to know whether the bits are the content timbl: the concept of a document is crucial ... it's like the content of a string <ht> jar: It's like 'quote' in LISP larry: this is a distinction that I think is impossible to make timbl: the URI of the content of Moby Dick and the URI of a review of Moby Dick are different larry: can we describe this in terms of communication, asserting things in English, then in markup, then in triples noah: maybe we are tripping over what may be distinguished and what's worth distinguishing ... a document rendered with different backgrounds on different ways ... these are two artefacts, roughly different representations larry: I'm not happy with "I have a document and I give it a URI" noah: I minted a URI by leasing a domain name etc etc larry: I'm not happy about 'minting' and 'owner' noah: two operations were done, two sets of bits came back ... there were two artefacts, and we can't say they're the same ... one had a blue background, one not ... whether we care about that is something else ... perhaps you're saying we don't care about that larry: RDF doesn't let me express things that I want to express timbl: I think originally said that the difference between description and content was not one we could make <Larry> not one we could make reliably ht: clarification of relationship between resource and representation under Roy's view jar: it cannot be predicted what the relationship is ... there are applications where the content/description relationship is essential for the application to work ... you need to be able to identify whether something is content or description larry: there may be applications that you want to build, that depend on that distinction, but I do not think you can make that distinction reliably ht: there are people who are building these applications, because they assume a uniform answer to the question ... if they own both ends, they can satisfy the uniform definition <Larry> so the applications are unreliable. maybe they're reliable enough for the applications to be useful anyway ht: own the server and the client ... so there's no possibility of disagreement <Larry> the web is unreliable -- we get 404 not found all the time, but the web is sitll useful timbl: the RDF folks have built systems where they own both ends, but they include things outside that space, and that's the problem <Larry> i think this really leads into persistence, that we want <A> <R> <B> to be mean the same thing for all time, but it's unreliable jar: we should be able to ground this in a discussion where there's an application that do want to be able to make that distinction larry: we have a system where all URIs are not cool, in 10,000 years they will stop working jar: we can scope to something within the next 5 minutes ... so you're right, but we're willing to make bets larry: there are applications that want to make distinctions reliably, and can't, but that doesn't mean they can't be useful ... the web is not completely reliable, but it's still useful ... getting the first paragraph of the review of Moby Dick is still useful ht: let's move on to 'proposal's <Larry> ScribeNick: Larry ht: let's spend 15 minutes on the third item of the agenda jar: supposing that we want to make distinctions, let's look at the proposals ... what are the possible sources ... in this case, let's suppose you can determine one bit of information, "content" vs. "description", where can this come from? ... (1) it could be in the specification ht: that's the state we could have been in, if Dan & Tim could have enforced the hash convention jar: (2) it could be in the status code, headers, content ... it could be in the response ... or the information could come from the exchange in http ... (3) 3rd source: "the message", the use of the URI, the document in which the URI occurs ... (we're not talking about the merits of these) ... information could come from any of these places, or a combination of them ht: this story is situated in a context where you sent me a message that contains a URI noah: there are other contexts? ht: we're trying to reduce the uncertanty of a message noah: "There are situations where i might just find a URI" ? ... there might "I just saw a URI?" jar: categorization of approaches (1), (2) and (3), the architecture i attributed to tim that is very heavy on (1) that does also involve (3) in the language spec .... ... ... in the GET + 200 case of (2), 'retrieval', the way that i make this distinction, i'll look at "httpRange-14a" and then I've answered the question ... we could have another answer, "httpRange-14b" ... Roy believes HTTPbis can't answer this question ... "He cares not to discuss this" ... New taxonomy of change proposals ... "Fixed mode" proposals: 'the answer comes from source (1)" ... proposal httpRange-14Strengthened ... AlwaysDescription ... these are the two fixed answer ones ... "Variable Answer" proposal: <JeniT> ScribeNick: JeniT jar: 1. 'no agreement' / 'nuclear' option -- no statement about relationship between resource and representation ... 2. Mode determined from server response ... 2a. new header that always answer the question, which has to always be present in order to tell ... 2b. Mode sometimes implicit ... 2bi. by default content, header means that it's not content but description (TimBL proposal for Document: header) ... 2bii. by default not content, header/message says it's content ... 2c. Mode determined at point of use ... you can't tell from the HTTP exchange at all ... only from the use of the URI ht: these could fall into two categories in the same way as 2b, different defaults jar: 2d. Mode determined from the request (eg MGET, Want-Other) timbl: I don't see how 2c works ... how does the server know what to give back? jar: the application will interpret whatever response the server provides back in the way indicated by the context in which it got the URI ht: handing chair back to noah noah: we have some unscheduled time <ht> [My 'want-other' proposal about a request header is here: [19]http://www.ltg.ed.ac.uk/~ht/wantOther.html] [19] http://www.ltg.ed.ac.uk/~ht/wantOther.html ht: I would like 1-1.5 hours <scribe> ScribeNick: Larry Larry: would like to minimize the amount of time on this subject <ht> The want-other document has a potentially useful input to the role-playing discussion timbl: this has taken up a huge amount of mailing list... would like to make progress in f2f JeniT: I think we can make some progress at this F2F ht: I think the "role-playing", the next step wants to be "What life would be like in the major categories" ? henry put a pointer that has an analysis by cases <ht> I.e. an analysis by cases of what happens wrt server vs. client uptake noah: we'll spend a significant amount of time on this... jeni made the case... we pay a lot to swap in and out <JeniT> ScribeNick: JeniT <Larry> my criteria: (1) persistence... meaning should persist independent of what happens in DNS <Larry> (2) URI equivalence ... how to decide on whether URIs are the same <Larry> (3) reading on registries, registered values, vs. using URIs in protocols <Larry> (4) play without using 'owner', 'mint',... <Larry> (5) read on MIME, ... <Larry> (6) doesn't rely on 'resource/representation', 'defining what a resource is or whether two resources are the same', larry: A story without talking about owners ... it should work for all URIs, not just HTTP ... without a distinction between information resource or non-information resource ... RDF has to be taken as a context, and there are other languages that might have different answers ... like to talk about persistence, which is part of not talking about HTTP ... something where there's no timeout ... something that someone can put in a book jar: a story in which timeout is not implicit timbl: I suggest that's out of scope larry: I'm saying what's important to me ... it's important that it works in archives ... I'd like it to talk about equivalence of URIs, but not equivalence of resource ... we don't have a language for naming resources aside from URIs ... we can compare code points in URIs ... but not resources ... We had some other related findings around URIs and registeries jar: what's the criterion that comes from registeries? larry: the discussion about URIs is more appropriate around URNs ... where there is an owner ... URNs have a story where there are naming things, and documentation and owners ... but that's the only naming scheme that has that property ... no one gets to say what HTTP URIs mean other than the implicit meaning jar: so the criterion is that it should touch on the relationship to registeries? larry: touch on the relationship between these things ... I laid out a story around talking in English, then markup languages, then triples <noah> Whiteboard photos for inclusion in agenda: <noah> [20]http://www.w3.org/2001/tag/2012/04/httpRange14Board2_1000px .jpg [20] http://www.w3.org/2001/tag/2012/04/httpRange14Board2_1000px.jpg larry: whatever proposal we accept should be cast into why we care about this as a way of enhancing communication <noah> Closeup of small print on upper right: [21]http://www.w3.org/2001/tag/2012/04/httpRange14Board2Closeup .jpg [21] http://www.w3.org/2001/tag/2012/04/httpRange14Board2Closeup.jpg larry: with the communication being enhanced, so that it's not just talking about philosophy ... I'm looking for a use case where adopting a solution helps ... persistence is the one that's hardest, because no one is talking about it and I think it's important noah: I have a couple of evaluation criteria too ... there are constraints and good practices in Architecture of the WWW and in our findings ... eg don't use one URI to identify two different things ... that interactions in HTTP should be self-describing ... if we have a solution that involves HTTP interactions, we should make sure they are consistent <Larry> "should work for all URIs, not just HTTP ones, should work for mailto:, data:, ftp:, file:, ..." jar: the criteria for the story is different from criteria for the solution noah: apply the criteria at the appropriate point ashok: I'm nervous about adding lots of equations ... work on some criteria and then worry about the others ht: I want a solution that we think is going to change behaviour ... there are two outcomes that are plausible ... one is that we figure out that the current state of play is OK ... the other is that we adopt a new position ... if we're going to do that, we had better have a vision about how we get behaviour to change to go there ... we can't just say what the Right Answer is and then say we're done timbl: my criteria is that the specific cases that got us into this discussion should be addressed ... eg 303s, OGP, Flickr should be addressed specifically ... add Dublin Core as a use case ... and an answer where we're confident that if they need to change, we can get them to change ... it must work for Dublin Core and FOAF and RDFS ... ie hash-oriented vocabularies must continue to work noah: at what point is it worth identifying one or two solutions might be promising, based on intuition ... we can ask about whether those hold up ... then at the end we can look at the other proposals Report on Paris IETF Meeting [22]http://www.w3.org/2001/tag/2012/04/02-agenda#IETFParis [22] http://www.w3.org/2001/tag/2012/04/02-agenda#IETFParis Yves: about HTTP/2.0 <Larry> [23]http://www.mnot.net/blog/2012/03/31/whats_next_for_http [23] http://www.mnot.net/blog/2012/03/31/whats_next_for_http Yves: we had representations about 1. SPDY <Larry> [24]http://tools.ietf.org/agenda/83/slides/slides-83-httpbis-4. pdf [24] http://tools.ietf.org/agenda/83/slides/slides-83-httpbis-4.pdf Yves: 2. from Willy Tarreau, whose view came from an intermediary point of view, so included info from Squid ... 3. Waka from Roy Fielding ... 4. Microsoft S+M ... the goal now is to get more concrete proposals on the mailing list for evaluation before the next IETF meeting in July in Vancouver <Larry> pointers are in mnot's blog Yves: either one document to use as a basis, or two to be compared, one which will fail ... most of the proposals are for multiplexing at the application level noah: SPDY is like that? yves: yes ... layer 7 ... the main discussion about SPDY is about the use of TLS or not ... on the mailing list, though that wasn't so evident in the meeting <noah> noah: right, so not e.g. the Google Maps application, but rather the Application layer of the network stack yves: there was one comment about authentication methods ... the goal would be to completely cover HTTP/1.1 but be able to do extra things jar: is there an example of something you would be able to do in the new protocol? yves: eg a new method of authentication larry: eg Waka includes examples of a single request naming several targets (MGET) ... that would be a new feature or an optimisation ... what I was interested in is that SPDY is slower for some sites ... it requires some optimisation/prioritisation in the client to be used effectively ... eg high priority for the first part of the document, low for the rest, so you get image headers quickly ... it's about performance/reliability/security ... and latency ... so the features are oriented around that ... earlier, I sent out a list of IETF meetings of interest, so I can go through that list <Larry> APPSAWG - "Applications Area Working Group WG", and APPAREA (Applications area) Most things of interest to W3C are in the "applications" area The meeting reviews topics of interest, new BOFs, as well as ongoing documents [25]http://tools.ietf.org/wg/appsawg/ [25] http://tools.ietf.org/wg/appsawg/ larry: I talked with Thomas and Mark about IETF/W3C dependencies and how to reduce them ... normative references in W3C specs to IETF specs in progress ... Apps Area WG meeting ... Ned Freed's document on updating MIME registration guidelines ... new draft just out, soon to be last call ... if we want anything to change about MIME type registration, we need to get it into this document yves: we already said something about fragments larry: yes, but we should make sure that it's saying what we want it to say noah: what are the timing limits? larry: I don't know, but soon yves: I looked at a recent version, and it looked ok noah: it seems like this is something the TAG should look at ... does anyone else want to sign up to double check? ht: I will try to find the time, to see if the mime type to URI conversion is universal and reliable ... it's IANA that manage the registry ... you can get something back for some of them but not all of them larry: I suggest we schedule a phone conference to review this document noah: I need the URI to the document <Larry> [26]http://tools.ietf.org/wg/appsawg/ [26] http://tools.ietf.org/wg/appsawg/ <ht> [27]http://tools.ietf.org/html/draft-ietf-appsawg-media-type-re gs-04 [27] http://tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-04 larry: the media type reg document is the one we need to review ... there is another one we need to talk about which is deprecating X- timbl: is it good? ht: yes ... it does say that using prefixes generally is a mistake, for reasons noah will love <noah> ACTION: Noah to schedule (soon) TAG telcon review of [28]http://tools.ietf.org/html/draft-ietf-appsawg-media-type-re gs-04 - Due 2012-04-17 [recorded in [29]http://www.w3.org/2001/tag/2012/04/02-minutes#action01] [28] http://tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-04 <trackbot> Created ACTION-680 - schedule (soon) TAG telcon review of [30]http://tools.ietf.org/html/draft-ietf-appsawg-media-type-re gs-04 [on Noah Mendelsohn - due 2012-04-17]. [30] http://tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-04 larry: it's an interesting document that's worth reading <Larry> [31]http://tools.ietf.org/wg/appsawg/draft-ietf-appsawg-xdash/ [31] http://tools.ietf.org/wg/appsawg/draft-ietf-appsawg-xdash/ larry: I like this document, but I think TAG members should read it <ht> ACTION: Henry S to prepare TAG discussion of [32]http://tools.ietf.org/html/draft-ietf-appsawg-media-type-re gs-04 - Due 2012-04-17 [recorded in [33]http://www.w3.org/2001/tag/2012/04/02-minutes#action02] [32] http://tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-04 <trackbot> Created ACTION-681 - S to prepare TAG discussion of [34]http://tools.ietf.org/html/draft-ietf-appsawg-media-type-re gs-04 [on Henry Thompson - due 2012-04-17]. [34] http://tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-04 noah: should these be reviewed together? <timbl> "Deprecating the X- Prefix and Similar Constructs in Application Protocols" larry: they are independent, and the X- document may not require TAG discussion, though I recommend reading it <timbl> and Similar Constructs Larry: Not convinced we need telcon discussion of x-prefix, but TAG should review. noah: OK, I'll only schedule x-dash if asked. robin: should this be brought to general attention within W3C? ... should it be sent to the Chairs list for broader review? larry: yes, that would be good ... there's another document which was discussed <Larry> [35]http://tools.ietf.org/html/draft-nottingham-appsawg-happian a-00 [35] http://tools.ietf.org/html/draft-nottingham-appsawg-happiana-00 <noah> Who's going to send it to chairs' list? I suggest Larry as he has most context, but could do it if that helps for some reason. larry: being prepared to be accepted by the Apps Area WG ... talking about the process around getting things into registeries ... based on the happiana effort ... that document is even more important for Chairs at W3C ... that's it for the AppAreaWG meeting ... on to WebSecWG ... mainly working on strict transport security & TLS ... also an issue around the mime sniffing document, which has expired ... the security problem could be addressed by giving sniff content a different origin ... if you have overridden the mime type, then you have given it a different origin ... this would address the cross-origin problems that arise from sniffing ... and I have not seen counter examples ... it was discussed and dismissed because "browsers won't do it" ... but browsers don't do what's being said anyway ... why not have a different fantasy ... email clients do sniffing all the time ... the Web Security Handbook talks about sniffing ... just like we have URIs in different contexts, does sniffing happen differently in different contexts ... meant to go to URNbis ... WG revising URN document ... the TAG has expressed opinions about URNs, and I wish I had gone ... we should review their documents jar: I think Julian has been paying attention to what they're doing larry: my opinion has changed about them ... it may have been a design goal to have something persistent ... in fact it is not about persistent, but about ownership ... there's no owner of an HTTP URI, but there is one about URNs ... Technical Plenary on browser security ... HTTP 1.1 is reaching closure yves: there's currently discussion about folding back documents together, adding a Part 0 so it's easier to find stuff ... merging Parts 1-3 ... not sure about Part 0 ... currently Part 4-7 are in IETF last call ... everything else should be in last call from the last draft larry: these are core documents, and the TAG should review them yves: most particularly Parts 1-3, the others are extensions jar: Part 2 is pretty important yves: wait for next draft for review noah: we often say we should review things, but we don't get people's attention to review them ... perhaps an email that points to particular things jar: I could point to the parts I've been paying attention to <noah> ACTION: Jonathan to suggest to TAG sections of HTTPbis specification that TAG should review - Due 2012-04-17 [recorded in [36]http://www.w3.org/2001/tag/2012/04/02-minutes#action03] <trackbot> Created ACTION-682 - suggest to TAG sections of HTTPbis specification that TAG should review [on Jonathan Rees - due 2012-04-17]. yves: Dom should be able to report on RTC web <jrees_> Note to minutes editor: Please add link [37]http://lists.w3.org/Archives/Public/www-archive/2012Apr/000 3.html at end of previous topic (that's the emacs buffer that was projected) [37] http://lists.w3.org/Archives/Public/www-archive/2012Apr/0003.html yves: it was also about security larry: security is what makes most protocol design hard ... because you can't just optimise for performance and reliability ... you have to design against hostile players ht: what's HyBi doing? yves: it's WebSockets ... not the API, the protocol larry: the relationship between IETF and W3C work in many of these areas is that W3C focuses on API in JS on how you invoke it, and IETF on what goes on the wire noah: I had missed these were the two sides of the same coin larry: I don't know what the status is ... the TAG should have a review or invite someone to come and talk to us about it ... where we don't have the impetus to review it ourselves, we should get someone in ht: this is close to home because it's getting integrated into HTML ... we have to be sure this isn't going to change the architecture of browsing over the next 5 years larry: I think we should look for someone to come and present to us noah: any suggestions about who? yves: Thomas is watching this larry: we might ask Thomas to recommend someone ... there was a BOF, where I gave a presentation, to consider the document format of RFCs <noah> ACTION: Yves to figure out who might be a good choice to present Hybi (and as appropriate WebSocket protocols) to the TAG [recorded in [38]http://www.w3.org/2001/tag/2012/04/02-minutes#action04] <trackbot> Created ACTION-683 - Figure out who might be a good choice to present Hybi (and as appropriate WebSocket protocols) to the TAG [on Yves Lafon - due 2012-04-09]. larry: the driving use case is documents that need non-ASCII characters ... to show encoding ... IETF does allow alternative presentations in PostScript and PDF ... Martin Durst submitted a document on internationalisation of mailto URIs ... where the PDF version has examples that are in Unicode ... running a pre-processor on the XML so that you can have an HTML version with Unicode, and a text version in ASCII ... the IRI WG ... again, planning on last calling IRI documents before next IETF meeting ht: please could you tell me when the XML Core WG should look at those larry: there are four documents: ... guidelines & process for registering schemes ... takes 3987 which used to be one document, and split out section on comparison and bi-directional IRIs ... the comparison document needs work, because it's a security document to avoid spoofing ... it can't be a ladder ... my take is IRI everywhere is not the right answer ... that there are some contexts where you will want URIs Adjourn for lunch <robin> ScribeNick: robin Can publication of hyperlinks constitute copyright infringment? <ht> [39]http://www.guardian.co.uk/world/2012/apr/02/email-web-monit oring-powers-privacy [39] http://www.guardian.co.uk/world/2012/apr/02/email-web-monitoring-powers-privacy noah: worth reviewing the goals of this work <JeniT> [40]http://www.w3.org/2001/tag/products/PublishingLinking-2011- 12-27.html [40] http://www.w3.org/2001/tag/products/PublishingLinking-2011-12-27.html [NM reads from the product page] jar: who wrote that, it's really good? noah: we did it together ... we can always change these goals, but we should do so consciously <JeniT> [41]http://www.w3.org/2001/tag/products/PublishingLinking.html [41] http://www.w3.org/2001/tag/products/PublishingLinking.html noah: we claimed PR in 2012-06, that seems tight <JeniT> dated version: [42]http://www.w3.org/2001/tag/products/PublishingLinking-2012- 01-08.html [42] http://www.w3.org/2001/tag/products/PublishingLinking-2012-01-08.html noah: DKA, are you avaialble for more work on this? DKA: not in an official capacity, but I will help ashok: how do we make sure it is valuable to policymakers noah: I don't know, trying to get us in a mindset where we try to make it useful to them ... we can try, and if it fails learn from our errors ashok: how about asking them earlier if it helps noah: not sure we want to debate this now Larry: I think it would be useful after reviewing the draft to look into administrative next steps ... e.g. forming a CG around this <JeniT> [43]http://www.w3.org/2001/tag/doc/publishingAndLinkingOnTheWeb -2012-01-04.html [43] http://www.w3.org/2001/tag/doc/publishingAndLinkingOnTheWeb-2012-01-04.html noah: review the draft ... aiming for FPWD JeniT: my aim for this session is to get agreement on publication ... what I'd really like to do is focus on points that people feel strongly should prevent it from FPWD ... rather than editorials <Zakim> timbl, you wanted to say that JAR's way of defining 'content of' is very good and to JeniT: editorials should be sent by email ... is there anything that people want to say fisrt off? Larry: this is a marvellous piece of hard work, my only concerns are about positioning and how we move forward with this ashok: me too Larry: no matter how much we polish it, we will get feedback and divergent comments JeniT: but the only way to get those is to put this out there Larry: yes, but I would like to encourage their participation actively ... (in SotD) [JT goes through section by section] JeniT: Abstract timbl: this isn't an abstract at all jar: matching with goals, does more than set definitions for terms ... try to match the abstract with the goals from the product page which were really good Larry: the product page could be the abstract noah: extract some of it at least Larry: not an academic abstract, treat it like an ad for why people should read it ashok: it mentions issues that were raised to the TAG - were they really raised to the TAG? Larry: I'd get rid of the bit about legal issues JeniT: OK ... we'll rephrase that last paragraph DKA: pull it out, highlight that in introduction noah: can be very picky, but don't want to drag the group down ... but since we're writing for a community of lawyers we should be ruthless about drawing clear distinctions ... do people agree that that level of care is required? <Larry> I think we should indicate that we need to be ruthless, but not before we publish FPWD noah: concerned that this could be used in court jar: there's a tension between explaining words used in our community versus words defined by this document <Larry> explain words used in the community, as well as defining specific terms which could be used more precisely jar: if the goal is former, then entries need citations (though probably good as a FPWD) ... different goals: being clear, and explaining usage noah: users versus user agent, not clear <Larry> I think we have to do both jar: careful definition of UA in document, different from usage in some places JeniT: different places that define these things are conflicting jar: agree, but hard to resolve to tension Larry: the document may have to do both ... explain how terms are used in the community, and where there are contradictions come up with a new definition and recommend caution in future <Zakim> Larry, you wanted to argue for doing both noah: usually in the community UA == browser ... but here the definition is different because it's anything that accesses web content JeniT: what I'm taking away is to go through that set of terms, find citations/existing uses, and discuss the multiple existing/confliction terms then make sure the document is consistent noah: be precise where we can be, and if it's inappropriate signal it ... UA is an example of this timbl: for the TAG in general, the idea of UA is really important ... for me, a UA is a piece of software that represents me ... when you put User-Agent, you're representing someone else <Larry> unfortunately, "User Agent" is also used for identification of the HTTP client, even when it isn't working on behalf of any particular user.... a spider or web crawler has a "User-Agent" string. It was an error to name this "User Agent" in HTTP Larry: the problem is that User-Agent header is used to identify the web client rather than a UA noah: explain the different uses in technical community, and say which one is used here Larry: in most cases there isn't a problem, but for legal cases it may matter JeniT: arguably spiders are acting on behalf of someone Larry: but there's no identifiable user <timbl> Many subsystems with thin the web, like proxies and archives, are automated and incapable of exercising moral judgement, and requiring them to would be impossibly onerous. JeniT: moving on to Introduction <timbl> ^ attemtp to capture the best practuces in a scentence for the abstract <Larry> well, or at least for identification of whether there is a single responsible person for whose benefit the agent is operating timbl: Abstract is very good compared to most abstracts out there <noah> 1.0 Introduction: <noah> I suggest chg/The page itself may cause/logic encoded with the page may cause/ noah: reason is, we in the community understand what it means when we say "the page cause a retrieval", but that notion would seem bizarre to people outside ... hence the use of "logic", which is easier to explain jar: the notion of agency is central, because this is legal - who causes something to happen? <noah> Well, it's really that, in the real world, pages don ashok: yes <noah> don't caus things to happen. ashok: have you looked at the legal interpretation of agency, there's a whole bunch of stuff there <noah> 2nd paragraph. jar: not sure it's relevant here, might be useful in writing the document, but not necessary to capture it directly ... good thing to put on the TODO list, but no need to prevent FPWD ashok: yeah <noah> Suggest chg/Proxy servers and services that combine and repackage data from other sources may also retain copies of this material, due to the user's original request for the page./Proxy servers and services that combine and repackage data from other sources may also retain copies of this material/ (I.e. delete phrase at end) <noah> Reason: proxy servers wind up holding onto things for lots of reasons. timbl: agency makes my rant stronger about UAs acting on behalf of users <noah> 3rd para: <noah> Still other services on the web, such as search engines and archives, make copies of content as a matter of course jar: "intents and conditions...." don't use passive -- this is not editorial because agency matter <noah> Suggest after "matter of course": in part to facilitate the indexing necessary to their operation, and in part to enable presentation of search results" <noah> Suggest delete: (as it enables the content to be found more easily) DKA: the problem is that if you load these paragraphs with contextual clarification then it starts to get quite heavy jar: use your judgement noah: legal community have an extraordinary capability for this, clarity is important JeniT: already talked about tightening up terminology -- so we can skip over that section <timbl> "For instance, one standard set of terms and conditions includes" -- reference? noah: "not taking into account this complexity" -- is this a bad thing? JeniT: yes, this is an example of trouble ... with "distribute", the problem is transfer of ownership because there is no transfer noah: would be useful to clarify this below the box ht: the Guardian has this profile thing where they put footnotes ... you could use little anchors to highlight or signal problems in the text ... this is a great way to show where the problems are, to make people realise that standard boilerplate is full of gotchas noah: might be worth picking the problem apart JeniT: would you say that throughout the entire background, it would expand it ht: I was thinking mostly about the box examples jar: might be nice to have a couple sentences after each example to explain what is an example about it Larry: can you use a different style for examples? RB: you can use class=example noah: this is fine, we can refine style JeniT: used blockquote to indicate them timbl: when you quote gsip.com, is it possible to use a copy of their T&C since it may not be stable <noah> Propose after box on scraping: "Yet, the automated agents on which the Web depends are incapable of reliably understanding such written licenses." jar: you can't even mention aa.com, so you couldn't cite the source properly noah: paragraph that says "limits placed on use of a website"... suggest that after that, you put [pasted above in IRC] ... you don't want to fix this, NLP is not an option ... explain why deep link paragraph is a problem JeniT: similar to previous comment noah: happy to skip if you feel you've got that for all instances ... the SHOULD not be misleading part รข something about the different between SHOULD and MUST ought to be clarified jar: this is legal language noah: right, which may be different from RFC2119 jar: should we include reference to 2119 in terminology? ... I don't think it's implied that everything in the box is bad noah: it's fine if it's clear that these are just examples of things we need to talk about ... wonder if scope should move up, to establish expectations? JeniT: Publishing section ... 3.1 Hosting noah: paragraph1 too strong, trying to say it's not a proxy ... but is confusing timbl: what do you mean by that? JeniT: it's not a copy of something that's being hosted somewhere else ... trying to separate out the case where this is the original content noah: if we have a photograph, hosted on her website ... I want to copy it (with permission); now we're both hosting it ... but with your definition I'm not JeniT: here we really want to talk about the original, not the copy timbl: I disagree, if you set up software on your server you're serving pre-existing content, not the original but you're still hosting it jar: delete the notion of "original" <noah> Section 3.1, suggest: ht: the two cases I am concerned with are those in which jailed infringer is said to "just link" to content JeniT: he was embedding it <noah> chg/does not necessarily mean that the organisation that owns and maintains the server has an awareness of that data being present/does not necessarily mean that the organisation that owns and maintains the server has an awareness of the details or intended meaning of that data./ <noah> Reason: surely it's aware of the bits. JeniT: but he was not hosting it ht: "just linking" conjures up the notion of clicking, a user action ... so we need to be clear that hosting here covers that case noah: my ISP knows what files I've put there ht: no they don't ... "know" is not a helpful word noah: they shouldn't be asked to find out if you have child pornography ht: they know a whole lot less than that timbl: two types of know 1) is are aware of it as a matter of business, and 2) could find out if they paid someone to do it JeniT: has "specific" awareness? ht: ok <Larry> to what extent does provenance help ? [discussion about Wendy] noah: we should check the awareness issue with her <jrees> a to-do (after Dijkstra): check verbs to consider appropriateness of automata or documents being active agents, replace when appropriate with people or organization (e.g. "server being aware" to "server operator being aware") noah: would like this paragraph to dig deeper into the difference between knowing that data is there and knowing its nature JeniT: I understand the comments, will rephrase Larry: does the work on provenance help here? ... were you to record provenance, could you push responsibility back to originator jar: out of scope <noah> Noah notes we're run off the end of the parts he's read :-( Larry: why is it out of scope? jar/robin: because the technology is not there Larry: but to what extent *could* this be useful? Ask the provenance group? JeniT: maybe this could go into section 4 since it's about tecniques? <ht> "any specific awareness of that data being present, much less of its nature." would do it for me Larry: the TAG has more influence over W3C and its groups than web page hosters ht: there's a WG [meta discussion] JeniT: would like to come out of f2f with plan forward, not just publishing but also potential CG ht: would anyone object to FPWD at this stage, assuming Jeni takes comments into account? Larry: so long as the abstract is clearer on next steps I would be fine <Larry> my only concern is that the introduction makes it clear that we're open as to next steps JeniT: let me try to draft something and when we come back on Wednesday we can figure that out <Larry> clearer that 'next steps' are open noah: so no one likely objects to FPWD, how much do we need a longer session? [no objection] noah: anything other than actions? ashok: yes. the idea here is to influence the legal ecosystem. ... publishing it as a finding will not do that ... a Rec is not enough either ... it's not sufficient jar: you need publicity ashok: need to involve a broader community jar: won't be hard to sell, if the EFF learns about it it will be pushed ht: we will work to push this in public outlets noah: take an action long term on getting this on policy radar? Larry: we need to get to a position that people who have a stake in this game can voice their opinions, concerned about a TAG Rec <Larry> i'm concerned that we establish a next step process which actually engaged in discussing the content noah: so you're saying that some of the relevant people might not be comfortable with www-tag? Larry/ashok: yes noah: we'll talk on Wednesday about next steps Larry: want some feedback from relevant community, not sure how politically sensitive this is JeniT: please email further comments [break] noah: there will be a short session on this on Wednesday <Larry> [44]http://www.adobe.com/content/dam/Adobe/en/devnet/xmp/pdfs/D ynamicMediaXMPPartnerGuide.pdf#page=6 [44] http://www.adobe.com/content/dam/Adobe/en/devnet/xmp/pdfs/DynamicMediaXMPPartnerGuide.pdf#page=6 <JeniT> ScribeNick: JeniT noah: welcome to Robin Web Applications: Privacy by Design in APIs for Web Applications noah: Product page is no longer a draft: [45]http://www.w3.org/2001/tag/products/apiminimization-2012-02 -02.html ... review of [46]http://www.w3.org/2001/tag/doc/privacy-by-design-in-apis-20 12-03-27 [45] http://www.w3.org/2001/tag/products/apiminimization-2012-02-02.html [46] http://www.w3.org/2001/tag/doc/privacy-by-design-in-apis-2012-03-27 robin: the feedback I've got is that the scope should be clarified ... so I will clarify it here ... the background is: we started working on Geo API ... this had privacy impacts ... in DAP we tried to take into account privacy from day one ... DAP started to think about how to do privacy in APIs ... one principle was API minimisation which led to DKA's draft ... now, that is only used in one API ... and not used in any other WG ... because we've moved on to other techniques ... so API minimisation needs to be set into a broader framework ... applicable to several groups who are defining APIs <Zakim> DKA, you wanted to ask robin to put the good parts back in DKA: that all sounds great ... *but* I think you've taken out bits that shouldn't have been taken out <DKA> [47]http://www.cs.virginia.edu/~evans/cs551/saltzer/ [47] http://www.cs.virginia.edu/~evans/cs551/saltzer/ DKA: for instance, the original draft referenced Saltzer & Schroeder jar: in academia, this is the seminal classic on the subject <DKA> [48]http://escholarship.org/uc/item/0rp834wf [48] http://escholarship.org/uc/item/0rp834wf DKA: I understand why you might not want to bring those things up ... but I think it's important to do so, to mend the fence between the "privacy nuts" and the "script kiddies" ... there is really good information in the Dierdre Mulligan document ... and in the Saltzer document ... these are architectural principles that could be brought into the modern age <jrees> Official but paywalled location of S&S's classic: [49]http://dx.doi/org/10.1109/PROC.1975.9939 [49] http://dx.doi/org/10.1109/PROC.1975.9939 DKA: if the additional techniques that you think could be recommended enhance these ... then point that out ... point out that it helps to minimise the data that flows down the line ... I would like that work, which I think is good, to be brought through robin: I hear that the digestion process was too aggressive DKA: you know the latest stuff from DAP ... have the principles been tossed out? robin: mostly the document from which they come has not been updated in three years ... no one has read it in two years DKA: did they need to be updated? robin: I don't have a problem with the meaning of the principles, but the phrasing is probably off ... because the discussions have happened in other WGs ... and whenever the document has been cited, it's been ignored <DKA> [50]http://dev.w3.org/2009/dap/privacy-reqs/#privacy-minimizati on [50] http://dev.w3.org/2009/dap/privacy-reqs/#privacy-minimization robin: so clearly it's not expressing things in a way that people are able to use it ... I'm happy to try to revive those principles more actively, but we need to rephrase them ... and I'm happy to do that ... I really tried to make this document a how-to manual for people busy writing specs ... so if I'm writing a spec, what do I need to read to get it right ... a short, checklist document ... I could re-organise the document so it serves both ends ... there's good architectural matter in the documents you cited ... so I will try to restructure to serve both documents, I think that's doable ... the fast reading for the spec writers, and then there's the background that can inform further thinking DKA: yes, and give the reasons for why the techniques work ashok: when we started this work, we really wanted to do something in the privacy area ... DKA found this well-scoped, well-defined area, which he wrote up ... and we hoped we could close on it quickly ... what I'm worried about is that the scope has been enlarged robin: slightly ashok: the parts that you've added are different ... they seem to be addressing a different problem with different solutions ... it looks like two ideas in this space, and I'm not sure whether we shouldn't break them up into two things jar: or there might be more, two is a funny number ashok: there's lots of issues in privacy, and we couldn't possibly handle them all robin: I don't want to boil the privacy ocean ... this document is scoped to what you can do about privacy inside a User Agent API ... it's not everything that could possibly do in this area ... but I think it does scope the problem in a way that is useful and applicable by people who are working in this space ... and it would be difficult to explain them in isolation ashok: so these are two directions that a user agent could take to help protect privacy <Zakim> noah, you wanted to talk about tradeoffs robin: not the user agent, but the design of the API to be run within the user agent noah: this is good work ... I think it's coherent in its scope ... I'm worried about it taking a long time, so focusing on the most important thing is a good idea ... you were saying that you wanted to do a quick guide for people building these things ... I think the TAG is at its best when it tries to tell stories that have longevity ... there are tradeoffs in the designs of the APIs ... I'd expect to see those tradeoffs set out, for example how testable the API is ... as it will have a bigger surface area <Larry> I don't think this is the right recommendation for "privacy by design". I'm not certain privacy-by-design if only because there isn't even a clear definition of the "privacy" design goal. I think this is consistent, I was worried about API minimization. Note GEOPRIV policy document [51]http://tools.ietf.org/html/draft-ietf-geopriv-policy-25 in 25th revision [51] http://tools.ietf.org/html/draft-ietf-geopriv-policy-25 noah: also talk about performance ... numbers of calls on the API ... draw out the core things ... to teach people to think deeply ... handy guides are great as well ... but I'd skew it more towards longevity <Zakim> timbl, you wanted to feel that a document of this sort should mention acceptable use tracking, and the concept of accptabl euse for a user aget and fo a community of agents of timbl: basically, I think it's a very useful document ... two separate things that occur to me ... talking about acceptable use ... that's what came out of a privacy workshop at MIT ... about capturing policy ... if you're a user agent, you don't want to do anything unexpected or damaging ... if I've decided to share something (eg a calendar entry) ... I select the two people to share it with ... my app might decide to send them emails ... it would be more reasonable for it to pop up the email so I can edit it ... it's different to add the name & address to a mailing list ... which leads to the idea that sometimes there's an implicit use ... you haven't captured what you said the data could be used for robin: looking at data usage is a fundamental question in privacy ... but it's hard to put that into API design ... but you'll get pushback from API designers ... and you'll get a fight, and it won't give progress jar: can we learn from that conflict? timbl: the related thing is between a trusted and an untrusted app ... web apps have to have total power, so they become trusted apps ... with an untrusted app, it's difficult to stop them from using the data for something different ... but then there's a trusted app talking to an untrusted app <Larry> note long discussion about whether SPDY's use of SSL offers a "promise of improved privacy" timbl: at that point it might be reasonable to have a negotiation about acceptable use ... because the trusted app gathers the data to do something specific robin: it would make sense, but we don't want to reinvent P3P ... DAP started looking at rulesets, a simplified version of P3P ... so a server could say what it wants to do with the data ... there's only one person in the privacy community who cares ... and no one in the browser space ... no one sees how to make that work in the broader sense ... the solution we've come up with at the moment is user mediation ... so web intents allow the initiation of communication between a server you trust and another that you don't ... or vice versa ... with the user in the middle saying ok about the transfers <Zakim> DKA, you wanted to comment on scope <Larry> main problem is that the design requirements for privacy, accessibility, performance, security from eavesdroppers, etc. can't be evaluated in isololation, so "X by design" in general is problematic DKA: I want to comment on scope and support Robin ... the original idea we had for privacy on the TAG was data minimisation as one targetted document as a series of things we could say ... I struggled to think about what that set should say ... your revised title and scope for this document really made sense to me ... how do you apply the 'privacy by design' idea to API design ... I have been thinking about this for a while, and this brought that back to me ... so I support that idea <Larry> [52]http://www.ietf.org/mail-archive/web/privacydir/current/msg 00053.html [52] http://www.ietf.org/mail-archive/web/privacydir/current/msg00053.html DKA: and I think the scope you've chosen is not boil the privacy ocean ... it's focusing on the API design, rather than all the potential issues that the TAG might hit on privacy robin: yes, and it stops where the IAB's work on privacy starts ... the IAB works up to the protocol layer ... and I hope their work will also address data usage larry: I'm really concerned about the TAG taking this on as a work item ... not because it's not important, but because we're optimising about a moving set of requirements ... we had a discussion about SPDY's use of SSL and found we didn't really have a common understanding of what privacy meant ... we're optimising against a goal that is not clearly understood in the industry ... the GeoPriv policy expression language has been repeatedly revised ... the subject is controversial enough and has a lot of different perspectives ... it seems unlikely that the TAG will converge on a finding that will fit with those ... especially as the IAB is moving about what it covers ... we have the area of variability around the tradeoffs ... and about the definition of privacy and the channels of communication ... and then there's the boundary between this and other TAG work ... the boundaries feel very fuzzy to me robin: you're worried about us broadening the scope? larry: we have a risk of overlapping and saying something contradictory, or leaving a gap between this work and others' work ... to shallow to the point it's not actionable, or too deep yves: what about the risk of saying nothing? larry: what's the boundary between the TAG and the privacy interest group etc ... there are other groups who are strongly chartered to work on this <Larry> wonders if we are really ready to negotiate a boundary with IAB larry: maybe we could come up with something that's shorter and more generic to encourage further work robin: we should talk about this in the session with Dom tomorrow ... I did meet up with Christine who is chairing the privacy interest group ... to discuss whether this is of interest to them, whether they should be doing it, whether the TAG should be doing it ... I've also been talking about it with the IAB as well <robin> [53]http://tools.ietf.org/html/draft-iab-privacy-considerations -02 [53] http://tools.ietf.org/html/draft-iab-privacy-considerations-02 robin: the reasonable consensus is that the IAB are working at the protocol level ... and I have the impression that they are happy with this noah: isn't there a lot of conceptual stuff that has to be sorted out across these robin: yes, so we've spoken about terminology ... which is still a moving target noah: do they include a threat matrix? robin: they start with an internet privacy threat model noah: that seems important to agree on, what the problem space is robin: yes, so their terminology is too much of a moving target to be reused, so that will need to be revisited at intervals ... as far as the Privacy IG goes, Christine felt that some joint work, either joint review or a joint TF ... to look at policy and that we could contribute technological view larry: I talked to people at the IETF meeting, to the IAB, to Wendy, to Thomas, and they didn't mention any of this ... for you to have a private discussion, that the others in the IAB and Privacy IG aren't aware of makes me worried robin: these discussions happened Thursday and Friday larry: we need to arrange discussions with the IAB in order to collaborate with them noah: getting colocated with the IAB has proven difficult ... we couldn't have a TAG meeting at the same time as the IETF meeting larry: my concern is about overlapping with other groups <Zakim> jar, you wanted to urge disclaimer about sampling of techniques, it's not a comprehensive treatment jar: there's something that feels incomplete about the draft ... about how the scope is set ... if you just look at the title it looks like it's about all privacy issues ... what you've said today about the scope is really important, and should go into the introduction ... this is really just a sampling of things that have come up through the WG process timbl: you could have a related work section jar: there's a lot of interesting stuff in this space ... you should say that noah: say why we chose these bits now ... and what you should watch out for because we haven't covered it here ... stuff that hasn't been touched: different threat models, different capabilities jar: give space for the reader to realise that this is a sampling of what we know about right now ... it might end up being complete, but because it's an active area it's unlikely to be robin: this is like a BCP more than anything else noah: it might just be early ... a year ago people were talking about minimisation timbl: I like 'patterns in API design' ... and you could mention an anti-pattern, things that you didn't cover ... you're not saying they're best, that they could work for some people robin: the reason I didn't use 'pattern' was that several groups said it would tie it to 'design patterns' ... which is a little old-fashioned ... personally 'pattern' would have been something that I would have used, but some people are scared of using that word <Zakim> noah, you wanted to say we must be willing to say we don't have good answers on, e.g. policy robin: I'm happy to try using it <timbl> Alexander et al A Pattern Language <timbl> 1865 noah: talking about policy, and that we don't have good answers ... there's a risk of telling the piece of the story we understand in isolation ... and perhaps without policy it doesn't matter ... need to explain which part of the problem these designs will solve <timbl> [54]http://www.amazon.com/Pattern-Language-Buildings-Constructi on-Environmental/dp/0195019199/ref=sr_1_1?s=books&ie=UTF8&qid=1 333378641&sr=1-1 [54] http://www.amazon.com/Pattern-Language-Buildings-Construction-Environmental/dp/0195019199/ref=sr_1_1?s=books&ie=UTF8&qid=1333378641&sr=1-1 noah: and what issues it doesn't solve ... if it can do it without talking about policy, I'm happy robin: I think that's part of explaining the scoping better noah: let's see if we can tell enough of the story with this ... we have another session on this tomorrow to review how this went with Dom ... and we can go over logistics at that point ... so let's wrap this up for now and come back on it tomorrow Adjourned Summary of Action Items [NEW] ACTION: Henry S to prepare TAG discussion of [55]http://tools.ietf.org/html/draft-ietf-appsawg-media-type-re gs-04 - Due 2012-04-17 [recorded in [56]http://www.w3.org/2001/tag/2012/04/02-minutes#action02] [NEW] ACTION: Jonathan to suggest to TAG sections of HTTPbis specification that TAG should review - Due 2012-04-17 [recorded in [57]http://www.w3.org/2001/tag/2012/04/02-minutes#action03] [NEW] ACTION: Noah to schedule (soon) TAG telcon review of [58]http://tools.ietf.org/html/draft-ietf-appsawg-media-type-re gs-04 - Due 2012-04-17 [recorded in [59]http://www.w3.org/2001/tag/2012/04/02-minutes#action01] [NEW] ACTION: Yves to figure out who might be a good choice to present Hybi (and as appropriate WebSocket protocols) to the TAG [recorded in [60]http://www.w3.org/2001/tag/2012/04/02-minutes#action04] [55] http://tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-04 [58] http://tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-04 [End of minutes] __________________________________________________________ Minutes formatted by David Booth's [61]scribe.perl version 1.136 ([62]CVS log) $Date: 2012/04/06 19:34:47 $ [61] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [62] http://dev.w3.org/cvsweb/2002/scribe/ ============3 April 2012 ============= [1]W3C [1] http://www.w3.org/ - DRAFT - Technical Architecture Group Face-to-Face 03 Apr 2012 See also: [2]IRC log [2] http://www.w3.org/2012/04/03-tagmem-irc Attendees Present Robin Berjon, Tim Berners-Lee, Dominique Hazaรซl-Massieux (in part), Yves Lafon, Ashok Malhotra, Larry Masinter, Noah Mendelsohn, Jonathan Rees, Jeni Tennison, Henry S. Thompson Regrets Peter Linss Chair Noah Mendelsohn Scribes Tim Berners-Lee, Jeni Tennison, Henry S. Thompson Contents * [3]Topics 1. [4]Web APIs and security 2. [5]Web Applications: Security and Web Applications Permissions 3. [6]URI comparison 4. [7]WebApps Storage 5. [8]Mobile threats and opportunities 6. [9]Administration 7. [10]XML Error Recovery * [11]Summary of Action Items __________________________________________________________ Web APIs and security JAR: I know what Adam Barth is up to, SES people are up to Noah: Robin and i exchanged email. Noah:My previous experience was that web apps have been less successful than I had hoped. I got this music catalog though the post, with "ios rocks" in the music catalog -- an amazing list of ting s people are building with native apps. Like a mixing board with ipad dock and the software on the ipad. This needs a proprietary hardware connector for example. 6 channel streaming recorder, effects pedal, etc. so you need low-level access to things like DSPs Robin: That is access to the core audio API. Yves: Actually for audio you can do all the processing in JS: it is a question of latency why you need core audio. <masinter> aspects of native: (a) performance (b) access to APIs (c) monetization (d) trust <masinter> maybe (b) and (d) are related? vendors link (b) to (c) because platform vendors take percentage <masinter> (a) performance = throughput but also latency Noah: A risk of de-facto standardization around a particular connector TimBL: An RDF client library has to be aware of 303s etc, so that it understands the right relationships between things. You must be able to write code which will work in trusted and untrsuted Apps, write once runanywhere. When running as a script (untrusted) rather than Firefox (say) extension (trusted code) it must be the same RDF library. In Extensio mode, it's omnipotent, otherwise in script mode it is very constrained. But the API must be bascially the same. If you violate the cross-site-scripting attack checks in a browser, at the moment, there is no error code, no error message, so it is really hard to invoke code conditional on and in adaptation the untrusted environement. TimBL: When I tried this there was no error code or exception. I raised it on the list. The response I got is "it's really important not to give a response, so the app can't phish to find out what's possible. And trusted apps are not a goal." TimBL: Two points: 1) I think it's distressing to have a system that doesn't help you debug; 2) the system has to be capable of running in a trusted mode where you're sure you'll get some kind of response, either success or error JAR: Seems analogous to Noah's point about access to the hardware port Noah: Yes, except the port access stuff may be harder to make portable if the ports are proprietary and different <masinter> air & phonegap ([12]http://phonegap.com/) are examples of 'native app' development tools which allow writing apps as both webapps and native [12] http://phonegap.com/ TimBL: A lot of people have assumed there will be shades of gray between fully trusted and untrusted apps. Seeming like some people are feeling the middle ground may be too hard to work out. The architecture which is emerging has only the two extremes. JAR: Do you, Tim, agree that the middle ground is unlikely to worth working toward? TimBL: Seems like a research project. I'm interested in the TAG's position on the question: should APIs always give good responses for both trusted and untrusted apps? jar: The question is, is there any middle ground between the completely trusted and untrusted app. Orthogonal question, can you design APIs which work in either situation? There are two general approaches on the table, from 50km view. One approach is origin case, origin(module) defines power of module, links to CORS design and Adam Barth's academic work. The other design is you get power by being passed it as a parameter. This is a 30 year old ACL vs Capability argument, we should not get into it now. People are polarized. In Tim's example, using XHR, you are saying 'here is the URL' and later getting a response callback, or your callback just doesn't happen in the bad case. In the origin case, you would use the origin of the module to decide whether to authorize the delivery of the error code to the XHR caller. Robin: The origin is the one -- the HTML page -- which involved the js, not the actual URI the js was loaded from, which is irrelevant/not tracked Robin: The js is not namespaced -- anything can put callbacks on anything, no boundaries. jar: Javascript's kind of like Java -- The aim is "write once, run anywhere". NM: Well, Java has a pretty elaborate class loader model that's pertinent to how Java code is loaded and gets privilege jar: java security was a disaster -- based on call chain -- like the origin system jar: in the capability method, you have a param you can pass which gives you the right to do things and you pass it to the library ... there is intense pressure to make js apps work and access things for which you need privs Dominique Hazaรซl-Massieux joins the meeting dom: a lot of the topics you have been discussing may be very relevant to what I will present jar: personally, i find this the way to think about it -- it is a question of privs and to whom they are granted. There are more than two priv levels -- in fact there are many levels -- it might have access to the net but not the core audio for example. In fact there are questions of to what inside the app it is granted -- not the whole app, as now. <Zakim> darobin, you wanted to point out that there is some possibility for APIs in the grey areas as well; point out new work; different design for trusted APIs and to say that SES does <Zakim> noah, you wanted to talk about shared libraries Robin: many things to say Robin: 1) w3c has sent out announcement that it is looking into new work for system level APIs -- see member only [13]https://lists.w3.org/Archives/Member/w3c-ac-members/2012Jan Mar/0057.html [13] https://lists.w3.org/Archives/Member/w3c-ac-members/2012JanMar/0057.html dom: The device API meting is open and discussed this robin: When you design APIS which work inside the browser security model, the API looks very different from something done with full trust access. There is investigation of new work area for APIs specifically for completely trusted APIs Robin: 2) even if we take the very simple binary on/off trust, there is some room for grey area. Robin: The example for the XHR where you want to not give error messages Robin: In firefox, you double-click the tab and it makes it an installed app. tim: really? Robin: Concept of installed apps. They don't have to have high-level apps, you can give them specific privs -- greater local storage, system notifications, getting error messages could be some Robin: [Who said this? RB, tutti to check] Most of what I wanted to talk about can go into DOM's session Robin: [Who said this? RB, tutti to check. JAR thinks Dom said this.] SES are not a solution to the trust issue jar: you mean security Robin: They intermesh -- SES allows you to bring in 3rd parties which operate inside a limited space without access to each other Robin: [Who said this? RB, tutti to check. JAR guesses Dom] All policy based systems which don't plug the XSS hole are really threatened by that hole jar: SES doesn't give you a notion of what things [principals] have what authority in running code - you have to say, (like in Powerbox etc. and ongoing work) how you [? collect the query - (missed)] TimBL: This isn't just about trusted apps. I use the same code, server side, and on the command line, including for test harnesses. I want all that to run my AJAX code. This needs to be part of normal computing. So, it's not just trusted and untrusted apps in the browser, includes things like node.js on the command line and server side. <darobin> [14]http://www.phantomjs.org/ -> PhantomJS, run a browser on the command line [14] http://www.phantomjs.org/ <darobin> [15]https://github.com/tmpvar/jsdom -> JSDOM, emulation of a browser environment in NodeJS [15] https://github.com/tmpvar/jsdom TimBL: Also... when you download software modukles from different people and representing different people, we'll need the concepts of agents running on behalf of completely different entities. We will have to surface remote entities as first class principals withing the system. Like having Adobe have an account of my system with the privilege to update its own apps. TimBL: If I install a bunch of stuff like /application/microsoft, I'm willing to give Microsoft certain rights to e.g. update code in that part of the space. I'd like to know what rights I'm giving them. I think the origin represents this legal entity in an obviously broken way. Maybe some Un*x systems will go some way toward associating origins with such points in the filesystem trees. jar: I think you have to specify the granularity of the grant of authority -- is it object, function, program, etc ashok: how can I as a user give this authority to an app? robin: unsolved problem. ... Policy of a rathole to fall into. [? RB to check] jar: what about Powerbox? robin: later ... My personal take e [? RB to check] is a hard-to-get-through process you can't do by mistake. dom: at the moment you can buy stuff on the web no review Noah: We are out of time. Web Applications: Security and Web Applications Permissions <noah> ACTION-344? <trackbot> ACTION-344 -- Jonathan Rees to alert TAG chair when CORS and/or UMP goes to LC to trigger security review -- due 2012-03-27 -- OPEN <trackbot> [16]http://www.w3.org/2001/tag/group/track/actions/344 [16] http://www.w3.org/2001/tag/group/track/actions/344 Noah: Note the change in order from the published agenda, this brought forward from 10:00 today <dom> [17]http://www.w3.org/2012/Talks/dhm-tag/ [17] http://www.w3.org/2012/Talks/dhm-tag/ Dom: [ presents a talk of 16 slides] Larry: Isn't monetization also a driver for native apps? dom: Phonegap is addressing that, but I don't thing it is the biggest driver ... We also are looking at payment in the W3C headlights process ... [edits slide 2 to add Monetization] <darobin> FYI I proposed an approach to modularisation for features, but there was no interest: [18]http://w3c-test.org/dap/proposals/request-feature/ [18] http://w3c-test.org/dap/proposals/request-feature/ jar: For privacy with camera, how about confinement? dom: basically impossible jar: confinement being limiting the ability of the app to send any data back home dom: Interesting to explore this approach though ... [slide 6] robin: recommend panopticlick ([19]http://panopticlick.eff.org/) [19] http://panopticlick.eff.org/ anon1: [identity suppressed for privacy reasons] I see [from [20]Panopticlick]: [20] https://panopticlick.eff.org/ Your browser fingerprint appears to be unique among the 2,119,594 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 21.02 bits of identifying information. [discussion of fingerprinting details] <Ashok> Hmmm... I got exactly the same message from Panopticlick <darobin> [21]http://www.mozilla.org/en-US/b2g/ -> The B2G Project [21] http://www.mozilla.org/en-US/b2g/ <darobin> [22]https://www.tizen.org/ -> Tizen Project [22] https://www.tizen.org/ <darobin> [23]http://www.w3.org/community/coremob/ -> Core Mobile Web Platform CG [23] http://www.w3.org/community/coremob/ <masinter> [24]http://tools.ietf.org/html/draft-ietf-geopriv-dhcp-lbyr-uri -option-14 [24] http://tools.ietf.org/html/draft-ietf-geopriv-dhcp-lbyr-uri-option-14 <jrees> RSA Conference 2011 - Making Security Decisions Disappear into the User's Workflow - Alan Karp [25]http://www.youtube.com/watch?v=POA8SLCT5EY&noredirect=1 [25] http://www.youtube.com/watch?v=POA8SLCT5EY&noredirect=1 <masinter> [26]http://www.w3.org/2010/api-privacy-ws/ [26] http://www.w3.org/2010/api-privacy-ws/ <jrees> here's Karp's tech report [27]http://www.hpl.hp.com/techreports/2009/HPL-2009-341.pdf [27] http://www.hpl.hp.com/techreports/2009/HPL-2009-341.pdf _______ Robin: this is how web intents basically works. You have a service page which defines an action, like Pick. Picking a set of contacts from the addressbook for say sending an email. The service definition declares what it can do, pick a set of contacts. Then the user agent registers this service, modulo user input (?TBD (chrome people think it can be registered without UI)) RB to check Robin: You then have a client page. Suppose you have a game -- you don't give the game full access to the entire addressbook. You just want access to it to be given to a set of people. The client page says "Start activity... pick contacts" and includes a button which the user must press on. This pops up a dialog to chose which service. Then it instantiates the service page on the side [in an iframe?] and you pick your contacts, and the contacts are returned to the original page. RB to check jenit: Who defines which fields are actually transferred? robin: The service page just gives a URI identifying the action, and one identifying the "type" which is a random semantic-free parameter used just as a filter ______ [break] _____ Dom: Right now, policy considerations are all at the browser level -- ability to access a website is granted indefinitely Ashok: You asked about geolocation -- that uses policy? dom: In a browser-dependent way - it all depends on whether user has granted it many times, etc. ... this is all left to the browser Ashok: Not to the user? Dom: For geolocation... Ashok: Can you as a user author a policy? dom: you can revoke access for a given website. There is no UI for it, there is no policy API in the web browser. In device APIs, we really did explore that space quite a lot. They could see the long term value but ... dom: Some talk about having a generic application-wide policy, like CIA want to prevent location ever being available dom: [slide 9/16] Robin: The ideal is for the user to make an informed decision without thinking 0.5 ;-) jar: what info is not sensitive? larry: sometimes a problem is one person giving away info sensitive another person. Like mentioning their name and email in the same sentence. larry: [Who said this? LM, tutti to check] We can't just restrict heis [?] talk of privacy to a user's own information larry: When geopriv talked about privacy policy, they ended up with a API extension which insisted on passing a policy and a timeout with every API call dom: I am not saying this is the solution, I am just pointing out what is out there larry: Consent, opt in and opt out .. we should look hard at the assumption that assent helps. ht: I am personally in the "always run virus check" mode for anything I install, as I had a terrible experience with a bad download once. ht: there is nothing comparable on my phone which allows me to look at any web app, look at the Javascript, and figure out whether it is a bad one. <jrees> [28]http://www.veracode.com/ ??? [28] http://www.veracode.com/ Noah: Different - viruses you just look for signature of particular hacks, on js in general, you can't just look at the code tim: Codepath tracing is getting pretty sophisticated, and maybe in the future you might be able to robin: There is a crowd-sourced database of known bad web apps timbl: Some kind of "Nutrition Facts" for what apps do for you would be a great addition to the add-on store, as it would remove the "after that a free-for-all" problem. Noah: Different users might care about different things robin: The android UI is generally regarded as horrible <darobin> [29]http://i.imgur.com/JWEII.jpg -> screenshot of the Android permissions dialog [29] http://i.imgur.com/JWEII.jpg tim: Maybe with some rethinking it could be better, particularly if it makes promises about what the app will do rather than talk about the low-level access the app is allowed. larry: We don't have a vocabulary for trust. I would like to see use cases; we have stories that we should collect together, then analyse them. tim: We've been doing that within MIT for 10 years. Anyone who tries to make an algebra of trust is making a big mistake. They don't match the real world. Trust systems have to connect to the real world, and therefore has to be a semweb application. I want to be able to say that my coworkers can access something, that the DIG blog could be commented on by friends of friends or who had attended a particular conference. I don't want to have a Google Circle to drag them into. You have to connect trust to reality, which is what the semantic web does. <masinter> [30]http://masinter.blogspot.com/2011/08/internet-privacy-telli ng-friend-may.html [30] http://masinter.blogspot.com/2011/08/internet-privacy-telling-friend-may.html larry: I was complaining about the word 'owner' to talk about meaning, because we don't have a good notion of identity. In order to talk about trust, you have to have a model of identity. If there's a problem defining the owner of a URI, or the namespace of individuals, perhaps we create a namespace of identity by projecting owners. You provide identity by saying which URIs they control. Larry: maybe we could identify principals by the URI [domain names, email ids etc] they control timbl: That's OpenID. It identifies you as the person who has write access to a given page. robin: and BrowserID identifies you through an email address timbl: and WebID does the same thing [URI you control] <masinter> I wonder what is the identity of "browser vendors": product safety evaluations Larry: This is like product safety. Cars that you can drive off a cliff aren't unsafe. There's an assumption that asking permission where people understand the permission is better than one where the permission isn't clear. Perhaps these are like product safety ratings. Are we looking for PICS extended to apps, as we talk about rating and validating? robin: That could be done in the ecosystem, but not at this level larry: The stuff about what apps gets into the app store robin: If you have a policy-based system; that's the question we have to ask first dom: Out-of-band curation is one possible approach. I think we'll see multiple approaches. There isn't a shared understanding within the WGs about what will work for the Web robin: Or what the stories are, what the problem spaces are, what the terminology is larry: The stuff about origin is also a matter of trust. A matter of brand. I trust my bank, and things I download from my bank. Brands give you trust dom: I agree that origin is related to brand larry: There's something about PICS we don't want to repeat, as it didn't succeed. But we can't avoid it by just saying we're not going there dom: I don't think any of us know where exactly we're going. I think the TAG, as involved with ,cross-group, cross-technology issues should be helping: To identify terminology, to identify experts larry: I'm trying to map out the space: brand, trust, rating, authority. Finding others who have mapped out the space, and adopt the framework noah: We've often said that the TAG should work in this space, but not found someone to do it robin: I would like to do this work. The first step, which might lead to further work . . . would be to agree on some terminology. Which is currently chaotic. It would be very helpful for cross-group understanding noah: Who else would we have to involve? robin: From B2G project, from the Trident project noah: Could we do that without starting a Community Group? robin: maybe a TF?. I'd avoid a CG because it can be hard for members to join. I'd prefer a TF, separate from www-tag ashok: A Finding on this would be wonderful. Terminology, mapping the landscape, use cases noah: We have to work out the initial scope ashok: I would go beyond terminology, to use cases and landscape robin: Terminology alone won't cut it. first success would be to get the right people talking together. include people from Privacy IG noah: What other deliverables? jar: The use case list and terminology mesh very nicely robin: I'm happy to do that, and I can get funding to do it noah: Does anyone object to this? JeniT: how does the privacy draft fit into this? robin: I will need to think about whether it should be a product of the TF noah: From TAG logistics, is it one or two things to track? timbl: We could bank what we have, publish it as a Note. get it out there noah: There's a dated editor's draft available. To publish it as a Note, we'd need more sessions timbl: We should produce something sooner rather than later noah: We were reviewing as first draft yesterday robin: I have a bunch of updates to make on it. I'll do another draft, and let's see what people think of it then larry: I'd be happy publishing it to say "this is our initial work on this topic, which we will take forward". My objections were about taking it forward as a longer-term effort. In terms of RFC categories, it's not April Fools and it's not Standards Track. Publishing things early is good as long as the status is clear noah: I'm only worried that people might take it as being something the TAG believes <darobin> ACTION: Robin to update Privacy by Design in APIs [recorded in [31]http://www.w3.org/2001/tag/2012/04/03-minutes.html#action01 ] [31] http://www.w3.org/2001/tag/2012/04/03-minutes.html#action01 <trackbot> Created ACTION-684 - Update Privacy by Design in APIs [on Robin Berjon - due 2012-04-10]. ashok: How does this relate to the bigger Finding we talked about? noah: Robin should scope that larger thing, I think we should leave it to him. Draft a product page jar: Limited scope for Note as written. I don't see the relationship with the other larry: I think this is more about an architecture around security and permissions <noah> ACTION-514? <trackbot> ACTION-514 -- Robin Berjon to draft a finding on API minimization -- due 2012-05-01 -- PENDINGREVIEW <trackbot> [32]http://www.w3.org/2001/tag/group/track/actions/514 [32] http://www.w3.org/2001/tag/group/track/actions/514 <noah> close ACTION-514 <trackbot> ACTION-514 Draft a finding on API minimization closed <noah> ACTION-684 Due 2012-05-08 <trackbot> ACTION-684 Update Privacy by Design in APIs due date now 2012-05-08 <darobin> .ACTION: Robin to create a product page proposing the Task Force on Web Security/Privileges/Trust/etc. <noah> ACTION: Robin to create a product page proposing the Task Force on Web Security/Privileges/Trust/etc. - Due 2012-04-17 [recorded in [33]http://www.w3.org/2001/tag/2012/04/03-minutes.html#action02 ] [33] http://www.w3.org/2001/tag/2012/04/03-minutes.html#action02 <trackbot> Created ACTION-685 - create a product page proposing the Task Force on Web Security/Privileges/Trust/etc. [on Robin Berjon - due 2012-04-17]. <jrees> Task force on X where X = ? some options: [Web] Privilege Grants; Web Trust use cases & terminology URI comparison <masinter> [34]http://tools.ietf.org/html/draft-ietf-iri-comparison-01 [34] http://tools.ietf.org/html/draft-ietf-iri-comparison-01 A percent-encoding mechanism is used to represent a data octet in a component when that octet's corresponding character is outside the allowed set or is being used as a delimiter of, or within, the component. A percent-encoded octet is encoded as a character triplet, consisting of the percent character "%" followed by the two hexadecimal digits representing that octet's numeric value. For example, "%20" is the percent-encoding for the <jrees> Larry and I agree that [35]http://www.w3.org/TR/rdf-concepts/#section-Graph-URIref is inconsistent with RFC 3986 view of equivalence [35] http://www.w3.org/TR/rdf-concepts/#section-Graph-URIref <jrees> and that therefore the strings that are called "URIs" in RDF are not really URIs <timbl> We noted that the HTTP BIS had been changed significantly to be consistent with a non-document view of the web which it had not started with. <timbl> over lunch WebApps Storage [36]http://www.w3.org/2001/tag/2012/04/02-agenda#storage [36] http://www.w3.org/2001/tag/2012/04/02-agenda#storage <masinter> [37]http://trac.tools.ietf.org/wg/iri/trac/ticket/111 [37] http://trac.tools.ietf.org/wg/iri/trac/ticket/111 <masinter> [38]http://trac.tools.ietf.org/wg/iri/trac/ticket/113 [38] http://trac.tools.ietf.org/wg/iri/trac/ticket/113 NM: Time to get this over the last hurdles <masinter> [39]http://trac.tools.ietf.org/wg/iri/trac/ticket/114 [39] http://trac.tools.ietf.org/wg/iri/trac/ticket/114 <masinter> [40]http://trac.tools.ietf.org/wg/iri/trac/ticket/112 [40] http://trac.tools.ietf.org/wg/iri/trac/ticket/112 [41]http://www.w3.org/2001/tag/doc/Seamless%20Applications.pdf [41] http://www.w3.org/2001/tag/doc/Seamless%20Applications.pdf AM: The above is a discussion document asking us to consider whether we should go in this direction LM: We could also consider combining this with web vs. native apps topic NM: [points us to draft product page: [42]http://www.w3.org/2001/tag/products/clientsidestorage-2012- 03-02.html] [42] http://www.w3.org/2001/tag/products/clientsidestorage-2012-03-02.html <masinter> I think there's a strong correlation between local storage with backup (for native apps), vs web storage with caching (for web apps) <darobin> [larry, I think that native or web is orthogonal to this problemโissues are about identifying resources irrespective of storage location, and the value of client/server synch] NM: [takes us through the product page] NM: Is this roughly in the right direction <noah> [43]https://www.w3.org/2001/tag/doc/Seamless%20Applications.pdf [43] https://www.w3.org/2001/tag/doc/Seamless%20Applications.pdf AM: My doc addresses the question of how to write apps which would run seamlessly whether connected or disconnected ... Three requirements I came up with: ... 1) What it requires when it's connected; ... 2) Minimum requirement when not connected ... 3) Where it might find those requirements <noah> I think we need to state the relationship between identification and access when connected and when not AM: Hints about (3) might be AppCache, IndexedDB, local file store, Web Storage ... Regardless of how the local information is found, should be accessible in a uniform way NM, TBL: That sounds contradictory RB: By user or by app? AM: By app TBL: MySQL API and filestore API are different, right? AM: Yes, but once you access a particular resource, the API thereafter is the same TBL: So a resource is for instance a JSON blob Tutti: So there are two layers -- a layer of access, which is different for different stores, and a layer of utilisation of a resource once accessed, which is uniform whereever it comes from NM: So if the store happens to be a SQL store, access might involve joins AM: Yes <masinter> I'm concerned about error recovery, update conflict resolution, etc. when working offline? NM: So we don't lose the unique value of the particular storage media AM: Right TBL: Does anyone understand where this is going/why? AM: The fact is that there will be lots of different storage media <jrees> ashok urging shared API for the objects retrieved using all the various APIs? NM: So once I've got a JSON blob I can do another join AM: Not talking about that ... Think of this as a calendar app ... So suppose you got the blob which is your calendar ... as you work with it, you update it ... If the app was running connected it would be working with both local and global calendar ... but if running disconnected, you have only the local resource available NM: does this require distributed 2-phase commit AM: yes AM: Once you get connected, you start transactions at both levels, back out all local-only changes, recommit them all both locally and globally, then complete the transactions NM: That requires a lot of mechanism, to support distributed two-phase commit, and is typically not nearly stateless. TBL: Backing up, 'access' built out of parts, or blob stored monolithically? AM: Let's not go to complex access, e.g. joins, simpler to assume monolithic storage. TBL: iPhoto stores [in a more complex way] NM: I'm pushing on this because I think he's solving the wrong problem AM: If you exploit a particular storage scheme's special properties, then you are tied to it ... but I didn't want to go there HST: I've had this problem: you have a storage problem and an interoperability problem. You don't know what provision the different Web platforms have. I had to write different shims for the different storage facilities across the different browsers: cookies, Google Gears or whatever. That's what Ashok is trying to solve. HST: I understand the problem AM is trying to solve, it's the fact that different platforms today support different basic offline storage models NM: Right, that's just a matter of API design, not a problem the TAG needs to work on AM: The problem I see is that not all the backends have transactions, which my story needs JAR: They will RB: localStorage won't TBL: You can use e.g. git on top of a local filestore. . . AM: Moving on -- if the commit described above fails, the user loses all their work NM: Fails, or there's a conflict? AM: Conflict, right -- that's the bad case ... Can we say anything beyond "The app has to do what it can" NM: There is 30 years of work on this problem TBL: Apple Sync Services requires you to declare your object type, e.g. Calendar Event ... Mostly works, but if you have conflicting values for the same field, there's a generic tabular conflict resolution display to the user ... My experience is that this sometimes happens when I can't see any difference in that display, or even when I haven't touched the app on the phone at all. . . NM: Lotus Notes has application-specific handlers ... Default is to make two copies of the relevant unit ... Difference between deletion and creation is tricky, sometimes handled by 'tombstones', with timeouts ... so you can tell the difference between "I deleted, you didn't" and "You created, I didn't" ... Multi-person, multi-year task and then you don't get it right -- we shouldn't go there TBL: Another route is to enforce universal undo, so you can step back one step at a time NM: You're relying on there always being a human available to help <noah> Right...that's my bottom line. This is the wrong problem for us to be trying to solve and, even if it were the right problem, the solutions are horrendously difficult, have been worked on for 30 years, and would be in the hands of a design/development group, not the TAG AM: Yes, some DBs to that <noah> I would like us to look at one particular problem: when I use an application that runs locally and potentially disconnected, to update information that we otherwise want on the Web, what is good architecture regarding identification, and what latitude should be available for implementation? <noah> I would like to see a finding that if information is to be identified with a URI for use on the Web, then it should be identified with the same URI when accessed disconnected. Tutti: discussion of various source control systems' approach to related problems JAR: I agree with NM that there is a huge background wrt sync -- is that what we want to work on? AM: Is it important for us to be able to write "seamless apps", and support others who want to do so RB: We are seeing a collection of offline stores being deployed, can we get in now to help exploit them responsibility NM: If information is to be identified with a URI for use on the Web, then it should be identified with the same URI when accessed disconnected. AM: I asked Raman about this, wrt using GMail offline -- does the message have a URI? ... He said probably not until it gets online NM: I'm not saying it's obvious how to do this, but it would have real value if we did ... Consider working on an airplane, writing a document and an email which points to the document, by its URI ... So that when I get online, I synchronize and the email ships ... The email should point to the document online ... This is (close to) what Lotus Notes has done for years ... This may be too hard, at least in some cases, but it is an architectural desideratum AM: How can you have the same URI -- you're not on the Web when you are on the airplane NM: Yes I am -- the Web is not a set of servers, it's an information space ... I suspect if follows that the apps do any necessary synchronization, not the underlying storage mechanism ... That means e.g. the JScript in GMail knows enough to create URIs in a way consistent with the way those names will be created at sync time AM: So, is all we can say application-specific architectures will exist, or can we say something overarching? NM: Well, at least Good Practices, as above, and maybe design patterns and even maybe APIs to support them? TBL: LDP API work relevant? AM: Maybe NM: I'm guessing that in practice apps would mostly do the syncing, as they do today. There might be some shareable infrastructure the emerges to help the apps, e.g for storing URI-identified rows in index-DB or SQL and/or tracking updates since last connect. I don't think the TAG should spec the exact sync protocol or shared facilities. We should make statements about how URIs are used. Of course, we need to be sure that what we recommend is deployable in practice, and that it meets the intended needs. TBL: LDP apps use a triple-based API, which is grounded in a generic store TBL: Interaction between API and store is "fetch/store the entire store" or "delta" ... That's where sync has to happen ... So this would enable a generic approach to sync NM: So, where do we go with this? ... We've seen AM's proposal, my alternative, and TBL's LDP example ... Not sure whether LDP is a third proposal AM: I think the LDP story goes way beyond NM's approach NM: So what story are we trying to tell? HST: Do we have a client? Is anybody asking for this? Is anybody listening? NM: Not as such -- people are building stores, but no-one has asked for our advice JAR: I prefer RB's "Goal is to try to anticipate pitfalls and raise awareness" better than the existing product page's goal NM: Yes, if you mean high-level pitfalls, i.e. we are the T A G RB: I have these problems today, and don't know where to look for help NM: As long as we don't try to roll our own TBL: Pointing to existing solution spaces JAR: Commissioning ourselves to do a report on the problem NM: CouchDB guys said they were building on some of the Lotus Notes work, e.g. tombstones <darobin> [44]http://couchdb.apache.org/ [44] http://couchdb.apache.org/ <noah> CouchDB Overview: [45]http://couchdb.apache.org/docs/overview.html [45] http://couchdb.apache.org/docs/overview.html RB: CouchDB is simple, you put JSON docs in, nothing is deleted, you access with Map-Reduce AM: What can we say generally? <dom> [I'm not sure the TAG documenting Web apps sync will reach the right audience (presumably Web developers?)] HST: I think this is a Vietnam, we should walk away NM: Straw poll: . . . Nothing: 3+ . . . Work towards a uniform API, maybe including sync, per AM/Product page: 0? . . . Patterns/pitfalls: 5 NM: If we tried to do PaPi (per RB), volunteers? RB: I'll review and advise LM: As before AM: Yes, I'll try NM: I'll review ... So, clean up the Product page and get started on the work <masinter> the product page is meta, not worth spending much time on when we can work on the document <noah> ACTION-647? <trackbot> ACTION-647 -- Ashok Malhotra to draft product page on client-side storage focusing on specific goals and success criteria -- due 2012-03-06 -- OPEN <trackbot> [46]http://www.w3.org/2001/tag/group/track/actions/647 [46] http://www.w3.org/2001/tag/group/track/actions/647 <masinter> are we commissioning a study or just a survey LM: If we find a survey then this can be simple -- we just distil and point <masinter> telling people where the cliffs are that they might fall off, we don't have to build the guard rails HST: I was worried that if JAR's summary, that we need to do the survey ourselves is the case, then this is too big a task <masinter> the product page is just there to tell people the general area where we're working, don't deep end on it <darobin> .ACTION: Robin to draft scope and goals for the Patterns/Pitfalls work in local/remote storage synch <HST> This was not done here, but was done subsequently (telcon of 2012-04-12 and is [47]ACTION-693 [47] https://www.w3.org/2001/tag/group/track/actions/693 <noah> ACTION-572? <trackbot> ACTION-572 -- Yves Lafon to look at AppCache in HTML5 -- due 2012-03-06 -- CLOSED <trackbot> [48]http://www.w3.org/2001/tag/group/track/actions/572 [48] http://www.w3.org/2001/tag/group/track/actions/572 NM: Adjourned until 1600, then DHM on threats and opportunities on the Mobile Web <masinter> [49]http://tools.ietf.org/html/draft-ietf-iri-comparison-01 should update 3986 [49] http://tools.ietf.org/html/draft-ietf-iri-comparison-01 <masinter> [50]http://trac.tools.ietf.org/wg/iri/trac/ticket/112 [50] http://trac.tools.ietf.org/wg/iri/trac/ticket/112 <masinter> [51]http://trac.tools.ietf.org/wg/iri/trac/ticket/114 [51] http://trac.tools.ietf.org/wg/iri/trac/ticket/114 <masinter> at IRI meeting last week we resolved to look at [52]http://tools.ietf.org/wg/precis/ [52] http://tools.ietf.org/wg/precis/ <jrees> on break, TimBL, Larry, JAR about whether web spec level should be separated from application level and/or social good level (?) <jrees> maybe s/level/scope/? <masinter> conformance vs. social expectation <masinter> conformance doesn't require you to do things that the social expectation for normal use of the web might require you to do <masinter> and if you want to create applications that rely on conforming properties, you might not be able to rely on the social conventions being followed [Resuming at 1608] NM: Mobile issues, then Admin Mobile threats and opportunities DHM: Two main points ... Disruptive impact coming from Web being on some many different platforms, but that you can build cross-/multi-platform applications ... E.g. using web app on phone so that tilting phone reorients image on a different device ... "Hyper-devices": the Web enables new use of our devices <jrees> dom, link to blog post please? <dom> [53]http://www.w3.org/QA/2011/11/from_hypertext_to_hyperdevices .html [53] http://www.w3.org/QA/2011/11/from_hypertext_to_hyperdevices.html NM: Blue Spruce at IBM looked at cross-linked browsing experience <noah> Project Blue Spruce may be of interest: [54]http://www-01.ibm.com/software/ebusiness/jstart/bluespruce/ [54] http://www-01.ibm.com/software/ebusiness/jstart/bluespruce/ <darobin> [55]http://www.readwriteweb.com/archives/ibm_blue_spruce_first_ look.php [55] http://www.readwriteweb.com/archives/ibm_blue_spruce_first_look.php AM: WebEx ? NM: Bluespruce is not shared desktop, but rather a coordinated browsing experience in which DOM changes are hooked, and broadcast to all participants. NM: Linkage at the level of DOM DHM: Not sure about the architectural impact, but thought worth mentioning ... Other area is WebRTC ... Real-time peer-to-peer communication ... File-sharing as a side-effect ... WebRTC is essentially Skype within the browser ... Audio-Video comms within the browser is the driving app ... Two parts: Access to the camera, mike and audio out; peer-to-peer connection ... There is a requirement for a mediation server, but there is work at eliminating it ... There's a Javascript API defined at W3C, plus a UDP-based protocol defined at IETF ... Two phases, establishing the connection and then actually trading data ... RTCWeb is name for IETF protocol, WebRTC is the W3C API <masinter> [56]http://tools.ietf.org/wg/rtcweb/ [56] http://tools.ietf.org/wg/rtcweb/ <masinter> [57]http://tools.ietf.org/html/draft-ietf-rtcweb-data-channel-0 0 [57] http://tools.ietf.org/html/draft-ietf-rtcweb-data-channel-00 <masinter> The Web Real-Time Communication (WebRTC) working group is charged to provide protocol support for direct interactive rich communication using audio, video, and data between two peers' web-browsers. This document describes the non-media data transport aspects of the WebRTC framework. It provides an architectural overview of how the Stream Control Transmission Protocol (SCTP) is used in the WebRTC context as a generic transport service allowing Web Browser to exchange generic data from peer to peer. NM: Patent problems? DHM: Pretty confident at IETF this stuff is safe ... But the codec issue is still live, as it must be common between the two peers ... Some vendors don't want MPEG4 to be allowed LM: How far along is codec and transport? DHM: Last week at IETF Paris chairs put pressure on getting to consensus JAR: Doesn't this raise the possibility of peer-to-peer HTTP? DHM: Yes in principle, but not in practise yet, but that's one of the potential disruptive impacts that's coming TBL: I've always been interested in p2p for HTTP as a tool against censorship DHM: At the moment the peers have to access essentially the same Web page to initiate the connection <masinter> note that SCTP vs. SPDY was a hot discussion at IETF TBL: Jonathan Zittrain at the Berkman Center at Harvard has a project "Mirror as you link" to develop data sharing on the Web NM: We haven't yet proven that this approach to p2p maps to the existing uses of e.g. bittorrent JAR: I was surprised that these two were tied TBL: Discovery is a big complex problem ... E.g. use a distributed hash table of everyone who is looking for a connection DHM: There is a whole stack here, with security and encryption and so on ... Just SSL isn't good enough, to avoid man-in-the-middle attacks at the connection initiation time ... Because we don't have universal crypto-secure personal identities ... One proposal is to use mutually-trusted shared identity providers, such as Facebook, to reciprocally verify <dom> [58]http://tools.ietf.org/html/draft-rescorla-rtcweb-generic-id p-01 [58] http://tools.ietf.org/html/draft-rescorla-rtcweb-generic-idp-01 <masinter> we talked earlier about using "owner(URI)" as an identity token <masinter> [59]http://www.ietf.org/proceedings/83/slides/slides-83-rtcweb- 3.pdf [59] http://www.ietf.org/proceedings/83/slides/slides-83-rtcweb-3.pdf <jrees> The link that LM entered is to a presentation "Media Security: A chat about RTP, SRTP, Security Descriptions, DTLS-SRTP, EKT, the past and the future" <masinter> presentation from last week's RTCWEB discussing keys management and RTCWeb security AM: Isn't it easier to just encrypt the conversation? DHM: But we don't have a deployed PK system on the Web TBL: PK doesn't need PKI -- it can be much simpler NM: Ray Ozzie did instant group-creation before his company was bought by Microsoft, called Groove JAR: PKI can be decoupled from the problem, and p2p doesn't need the whole PKI as we understand it <noah> NM: Groove uses a peer exchange of public keys to establish identities, then allows collaboration groups to be created across organizations NM: Thanks to DHM! Administration RESOLUTION: Minutes of 8, 15, 22 March all approved as a fair record of the respective meetings <noah> [60]http://www.w3.org/2001/tag/tag-weekly#Admin [60] http://www.w3.org/2001/tag/tag-weekly#Admin NM: Agreed in the past that we would meet 12-14 June ... in Cambridge <masinter> does TAG have opinions about W3C process [61]http://lists.w3.org/Archives/Public/www-archive/2012Mar/att -0007/AB_List_of_Concerns-20120306.htm ? [61] http://lists.w3.org/Archives/Public/www-archive/2012Mar/att-0007/AB_List_of_Concerns-20120306.htm NM: Our end-of-summer f2f has yet to be scheduled ... I will have difficulty travelling in September or for TPAC in November ... Options include -- yet again in Cambridge, Septemberish <JeniT> [62]http://www.w3.org/2012/10/TPAC/ [62] http://www.w3.org/2012/10/TPAC/ NM: Another alternative would be a weekend before/after TPAC ... although that is in Europe again ... Or without me RB: Weekend OK but not next to TPAC NM: Net-net -- we will wait a while before trying to schedule the next f2f after June XML Error Recovery RB: At XML Prague March 2012 a lot of discussion about future of XML, XML and JSON, etc. ... A panel on XML / HTML issues, chaired by Norm Walsh ... There was consensus of interest in a processing model for XML that would not halt and catch fire at first well-formedness error JT: There would be reporting of any error recovery actions to e.g. Firebug and/or the console RB: The advantage would be that users would not be punished for the errors of others NM: The scoping to end-user browser scenarios seems too limiting. There are other important uses of XML, and the same XML that goes to a browser sometimes needs to be processed in other ways. Some of the recovery that's safe when presenting info to a user is dangerous if the resulting data is to be trusted as untainted in a database. JT: Not exclusively ... Other discussions identified other use cases: editors "of necessity" go through states where the documents are not well-formed, but a tree-view is still useful ... Mark Logic has an error-recovery mode for loading into the DB ... As do some editors ... but all of that is idiosyncratic ... So the question was if we could have uniform and predictable error recovery ... across all three use cases RB: [libxml pattern] -- same document twice gives same result ... Primary use case is in trying to deploy XML to user-facing apps ... The fact that the halt-and-catch-fire experience blows that, so browsers have started silently correcting JAR: But we know where silent error recovery leads -- it leads to HTML5 -- the moving target aspect is really bad NM: We can address that by publishing a TAG finding to insist on no silent error recovery JAR: Errors have to be ugly, to put pressure on fixing them TBL: Designing the level of ugliness is important -- the console is too well hidden -- show the warning briefly ... and allowing it to be configured to persist, for instance RB: So that discussion led to a W3C Community Group, with Anne van Kesteren editing his earlier XML 5 draft, but the work product will not be called XML 5 ... This is not going to run at breakneck speed, but will work its way along AM: Does Mark Logic have a patent in the area? JT: They use the schema to help, I don't know about a patent HST: There's prior art . . . <Zakim> noah, you wanted to comment on Robin's proposal and to discuss why use cases matter and why standardization matters NM: The stakes go up for automatic data import ... There are gambles you are willing to take when heading for a web page that are inappropriate for importing mission-critical data which may not be used for some time. . . ... So starting with an existing algorithm w/o much inclination to change it makes me nervous <masinter> quiet error recovery in popular browsers is more harmful than vendor prefix, but we have this with MIME type sniffing too, which is a kind of quiet fixup <masinter> sniffing application/xhtml+xml => text/html is an automatic fixup NM: The pervasiveness of consistent error recovery will change community expectations RB: For me user-facing software is the key case ... But browser deployment will leak, no matter what <Zakim> jrees, you wanted to comment on Noah's idea TBL: RDF allows XML buried in RDF, it would be good to allow XML ER in there [?] ... Feeds with XML in can cause real problems -- RSS readers must be super-tolerant -- but we keep seeing e.g. DOCTYPEs in tweets??? TBL to correct/fill in please JAR: So you are heading for tolerance RB: Not tolerance, they are still errors, with well-defined recovery strategies ... The HTML situation is horrible not because of tolerance, but because the recovery rules are so complicated because the recovery heritage is so complex JAR: This will promote a race to the bottom RB: Is that a problem, and if so why? JAR: There will be no selective pressure ... Drift in the correction landscape will eventually lead to meaning change LM: Sniffing itself has promoted this by the sniffing of application/xhtml+xml => text/html ... If the popular receivers are strict, then producers will check first RB: Indeed, and sending the same doc to different browsers with different media types makes it worse LM: The right place to put this is in Apache and IIS, so the data that goes out is fixed TBL: And sends a message to root! ... Whenever you have a string with two different potential readings, you have a security hole <jrees> correction is fine but *silent* (i.e. painless) correction is a big security risk TBL: Simple security attack example for different parsers doing different things: Tim puts up a page which he knows Larry's browser and Ashok's browser will see differently, asks Larry to OK it to Ashok, and then Ashok transfers money to Tim, as he sees a different message. JT: We are committed to non-silent recovery RB: Exactly what that means is up for discussion and implementation choice HST: It's precisely those honest additions to your assurances that make us worried . . . NM: Isn't this going to make the sniffing of text/plain as application/xml have dire consequences? RB: That isn't in scope for the XML ER CG in my opinion, because what causes the UA to treat something as XML is prior ... The sniffing stuff is someone else's problem LM: The sniffing document was originally in the HTML WG ... It was moved to the IETF Web Security group ... Where some members raised doubts ... I'm not involved in the document ... It expired at the IETF ... The WebApps packaging draft makes normative reference to the expired draft ... The HTML5 draft has a normative reference to the expired draft ... One of the issues raised against the document was to never sniff to PDF, the original editor declined to make any change ... No examples have been forthcoming RB: The opposite case does arise, that is, correctly labelled application/pdf docs being sniffed as something else, particularly short ones LM: My suggestion wrt sniffing was that any document whose media type was determined by sniffing to be different that its published type, then it should get a different/unique origin ... We have an abandoned document that a) is normatively referenced; b) creates a problem wrt XML and error recovery; c) contradicts the Authoritative Metadata finding ... We should do something, particularly about the XML case JAR: If the XML ER CG doesn't say anything about sniffing, the TAG will have to. . . NM: Sniffing XML as non-XML is clearly not relevant to the XML ER CG, but they can say "This algorithm is not robust / appropriate / safe when applied to non-XML sniffed as XML, don't do that" NM: Please reread authoritative metadata since it clearly talks about security holes NM: People know the arguments against sniffing, they just think *their* considerations are more important [scribe notes that discussion continued past the end of scheduled meeting closure] <timbl> Of course the semicolon-adding Javascript behaviour of js parsers is a possible security hole, bug etc too RB: I'm really concerned that the sniffing spec is dead LM: I tried to get that actioned w/o success <jrees> yes, applying the pressure early in the development chain is best, but if a problem gets past all intermediaries, then the final consumer needs to suffer a little, so that there is some selective pressure <darobin> ACTION: Robin to try to find who is in charge of the current browser content sniffing clustermess, and see if there is a way of moving out of the quagmire - due 2012-05-01 [recorded in [63]http://www.w3.org/2001/tag/2012/04/03-minutes.html#action03 ] [63] http://www.w3.org/2001/tag/2012/04/03-minutes.html#action03 <trackbot> Created ACTION-686 - try to find who is in charge of the current browser content sniffing clustermess, and see if there is a way of moving out of the quagmire [on Robin Berjon - due 2012-05-01]. <darobin> mmm, so long as automatic semicolon insertion is well-defined (and it is) I think it's security-safe <darobin> whether it's good programming style is another issue, of course <jrees> no. <jrees> speciation in xml would be bad <scribe> ACTION: Noah to look for opportunities to discuss putting forward something to the AB about the Process and the failed reference from RECs to expired RFCs as a side-effect of scope creep etc. [recorded in [64]http://www.w3.org/2001/tag/2012/04/03-minutes.html#action04 ] [64] http://www.w3.org/2001/tag/2012/04/03-minutes.html#action04 <trackbot> Created ACTION-687 - Look for opportunities to discuss putting forward something to the AB about the Process and the failed reference from RECs to expired RFCs as a side-effect of scope creep etc. [on Noah Mendelsohn - due 2012-04-10]. ACTION-687 due 2012-04-04 <trackbot> ACTION-687 Look for opportunities to discuss putting forward something to the AB about the Process and the failed reference from RECs to expired RFCs as a side-effect of scope creep etc. due date now 2012-04-04 <darobin> Jim Fuller has done some excellent work on generation of XML language validators based on XSLT/XQuery genetic algorithms, so I think speciation in XML may not be so bad ;-) Summary of Action Items [NEW] ACTION: Noah to look for opportunities to discuss putting forward something to the AB about the Process and the failed reference from RECs to expired RFCs as a side-effect of scope creep etc. [recorded in [65]http://www.w3.org/2001/tag/2012/04/03-minutes.html#action04 ] [NEW] ACTION: Robin to create a product page proposing the Task Force on Web Security/Privileges/Trust/etc. - Due 2012-04-17 [recorded in [66]http://www.w3.org/2001/tag/2012/04/03-minutes.html#action02 ] [NEW] ACTION: Robin to try to find who is in charge of the current browser content sniffing clustermess, and see if there is a way of moving out of the quagmire - due 2012-05-01 [recorded in [67]http://www.w3.org/2001/tag/2012/04/03-minutes.html#action03 ] [NEW] ACTION: Robin to update Privacy by Design in APIs [recorded in [68]http://www.w3.org/2001/tag/2012/04/03-minutes.html#action01 ] __________________________________________________________ [65] http://www.w3.org/2001/tag/2012/04/03-minutes.html#action04 [66] http://www.w3.org/2001/tag/2012/04/03-minutes.html#action02 [67] http://www.w3.org/2001/tag/2012/04/03-minutes.html#action03 [68] http://www.w3.org/2001/tag/2012/04/03-minutes.html#action01 Minutes formatted by David Booth's [69]scribe.perl version 1.135 ([70]CVS log) $Date: 2012/04/17 10:35:09 $ [69] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [70] http://dev.w3.org/cvsweb/2002/scribe/ ============4 April 2012 ============= [1]W3C [1] http://www.w3.org/ - DRAFT - W3C TAG F2F 4 April 2012 (Sophia Antipolis) 09 Apr 2012 Attendees Present Noah_Mendelsohn, Henry_Thompson, Jeni_Tennison, Ashok_Malhotra, Tim_Berners-Lee, Jonathan_Rees, Robin_Berjon, Larry_Masinter, Yves_Lafon, Chris_Lilley_(for_the_morning) Regrets Peter_Linss Chair Henry, Noah Scribe Noah Mendelsohn Contents * [2]Topics 1. [3]httpRange-14 (continued) 2. [4]Fragment Identifiers and Mime Types 3. [5]Administrative - f2f dates 4. [6]HTTP Range-14 5. [7]TAG Priorities 6. [8]PhiloWeb * [9]Summary of Action Items __________________________________________________________ <noah> scribenick: noah <scribe> scribe: Noah Mendelsohn httpRange-14 (continued) JAR: We're continuing to follow my 7 section plan. Trying to project consequences and criteria, interleaved. Shows whiteboard matrix of situations across top, solution categories down left, and consequences in middle JAR: Talking about receiver, I.e. what Dave Orchard called consumer -- someone trying to understand a URI, in context. ... Three parties, sender sends a message to receiver within which message is a URI. That URI is served by the linkee. HT: There are people who will buy in to what we propose (for httpRange 14), people who bought into what we proposed 5 years, ago, those who don't buy in TBL: Well, out there are people buying into a variety of means of doing this <masinter> I don't understand this deconstruction of having "bought in", since I don't see any records of transactions, what it is they "bought into", who they bought it from, etc... I can understand there are different constituents with different opinions about what they do TBL: scribe missed some stuff... JAR: Want to restrict discussion to default rule -- i.e., no special context in document around URI. ... mostly we're filling in the white board.... LM: I'm confused. <masinter> Whether people will buy into a theory depends on whether that theory is coherent to them and works for their use case, among other things <masinter> Some reference to "OGP" <HT> OGP is a label for the use of hashless URIs for non-documents <masinter> [10]http://ogp.me/ [10] http://ogp.me/ TBL: Roy says the server is an authority ... scribe struggling to keep up... [11]http://www.w3.org/TR/webarch/#pr-uri-collision [11] http://www.w3.org/TR/webarch/#pr-uri-collision <ht> [Chris Lilley joins the meeting] <masinter> Theory: take "behavior when used in a@href" as the definition of what a URI "means", derive all the other meanings from that. img@src uses are similar but imply transclusion, and xmlns. RDF use in A R B etc is then described in terms of the a@href meaning. <jrees> See also JARs emacs buffer: [12]http://lists.w3.org/Archives/Public/www-archive/2012Apr/001 8.html [12] http://lists.w3.org/Archives/Public/www-archive/2012Apr/0018.html <jrees> scribenick: jrees Fragment Identifiers and Mime Types reviewing draft product plan <noah> [13]http://www.w3.org/2001/tag/products/fragids-2012-01-05.html [13] http://www.w3.org/2001/tag/products/fragids-2012-01-05.html NM: Look at whole space of fragids and mime types. Immediately, concerns about 3023bis, about generic interpretation of fragids ... one problem was that rdf+xml was operating in a manner differing from rule proposed in 3023bis ... we said, please abandon the generic rule ... response was, the rule is important, we want to keep it ... TAG said, OK, call out rdf+xml as a special case. <ht> [14]http://lists.w3.org/Archives/Public/www-tag/2012Mar/0178.ht ml [14] http://lists.w3.org/Archives/Public/www-tag/2012Mar/0178.html HT: action-675 was to prepare for this discussion. maybe no one saw it action-675? <trackbot> ACTION-675 -- Henry Thompson to frame discussion of semantics of fragids and rfc 3023bis -- due 2012-03-27 -- CLOSED <trackbot> [15]http://www.w3.org/2001/tag/group/track/actions/675 [15] http://www.w3.org/2001/tag/group/track/actions/675 HT: Jeni, a year ago, did this prep. This has to do with advice for RDFa Core ... we've done half of one part of her advice, we gave advice to RDFa Core, they took it. ... we never addressed the semantic conflict issue re RDFa deployment, you retrieve HTML ... Here are more detailed aims for now: Let's decide which goals to tackle today ... 1. Should advice in AWWW re. conneg and fragids - is it a disagreement between media type registrations, or between individual documents? ... HT and JAR disagreed on this <ht> [16]http://www.w3.org/2006/02/son-of-3023/draft-murata-kohn-lil ley-xml-04.html#frag [16] http://www.w3.org/2006/02/son-of-3023/draft-murata-kohn-lilley-xml-04.html#frag HT: 2. What changes, if any would we like to see in 3023bis re fragids? ... (please ignore the expiration date, that's what we're working with) ... Are we still happy with our request to the editors? ... JAR gave options, TAG said we prefer on balance option 2, grandfather rdf+xml as a special case in 3023bis. One case exception. ... see reference 7 in ht's email <ht> [17]http://lists.w3.org/Archives/Public/www-tag/2012Mar/0178.ht ml [17] http://lists.w3.org/Archives/Public/www-tag/2012Mar/0178.html <ht> [18]http://www.w3.org/2001/tag/doc/mimeTypesAndFragids-2011-08- 12 [18] http://www.w3.org/2001/tag/doc/mimeTypesAndFragids-2011-08-12 3. What should we do with Jeni's draft finding? lm: The document defining media type regs is in last call in app area WG ... They added a vacuous SHOULD section about fragids. If we want it to be stronger we need to make a comment by LC deadline April 13 ... Maybe Jeni's note provides input JT: We're not scoping discussion not just to RDF, but also media fragment URIs (consult Yves), we found XML schema id complications (consult HT) ... would like to make sure these are part of the 3023bis discussion <Zakim> jar, you wanted to talk about xhtml+xml JR: New information, I think xhtml+xml has the same issue as rdf+xml, because of RDFa 1.0 <masinter> Proposal: create a separate internet draft on "Fragment Identifiers for Media Type Registration", and ask that the general media type registration document make normative reference to it. NM: Can we do #2 first? CL: (Chris) When I agreed to rdf+xml exception, I thought that was the only exception ... Jeni section 2.2 points out other contradictions ... SVG would need to change in order to allow media fragments <noah> [19]http://www.w3.org/2001/tag/doc/mimeTypesAndFragids-2011-08- 12#inconsistent-semantics-and-processing [19] http://www.w3.org/2001/tag/doc/mimeTypesAndFragids-2011-08-12#inconsistent-semantics-and-processing CL: Because SVG says syntax is either bare name or it's an xpointer of some kind ... this is true ... because we expect to use [etc] <darobin> [20]http://simonstl.com/articles/cssFragID.html [20] http://simonstl.com/articles/cssFragID.html <ht> Jeni's document: [21]http://www.w3.org/2001/tag/doc/mimeTypesAndFragids-2011-08- 12 [21] http://www.w3.org/2001/tag/doc/mimeTypesAndFragids-2011-08-12 CL: There is new CSS xpointer scheme that uses CSS selectors to address frags within document <darobin> [22]http://www.w3.org/community/cssselfrags/ [22] http://www.w3.org/community/cssselfrags/ CL: community group YL: Design was to avoid any conflict with SVG for example, CL: Fine, but the SVG spec does not allow the new syntax YL: SVG with a viewport, identify a region. It's about the scope of resolution of the fragment. Also based on application HT: We're currently stuck with 3986 which says determined by media type JAR: No, it only says 'depends on' HT: We've always assumed that 'depends on' means 'defined by' ... we've assumed fragid is discoverable from media type reg (maybe by normative ref) <masinter> RFC 3986 " The semantics of a fragment identifier are defined by the set of representations that might result from a retrieval action on the primary resource. " HT: The SVG media type defines fragids, doesn't say anything about media fragments CL: Surprise that the TAG has read it this way, not sure that this is a valuable direction <masinter> "The fragment's format and resolution is therefore dependent on the media type [RFC2046] of a potentially retrieved representation, even though such a retrieval is only performed if the URI is dereferenced. If no such representation exists, then the semantics of the fragment are considered unknown and are effectively unconstrained. Fragment identifier semantics are independent of the URI scheme and thus cannot be redefined by scheme <masinter> specifications." <masinter> we could update 3986 if we think that's wrong YL: SVG is a good example. image/svg+xml: there's a definition in SVG, plus the +xml convention, plus the image/ (media fragments) CL: multiple inheritance <masinter> I think the only resolution for media fragments would be to *allow* media tpye registrations to point to it, rather than *define* it to apply <noah> Best Practice 3: Fragment Identifiers in Media Type Definition CL: Therefore carrying on with Jeni's doc. Best practice 3. <noah> Media type definitions should avoid 'must' language when describing supported fragment identifiers as in practice it is likely to be ignored. Instead, they should provide pointers to any known fragment structures that might be applied to that media type and give warnings of any contradictions between them. YL: Also, there might be Javascript in SVG, and maybe RDFa <masinter> media type registrations should explicitly reference everything they inherit YL: Someone might interpret it in JS, and make something out of it <timbl_> The TAG ought to encourage generic processing of media types to allow conneg to allow any form of migration between languages and hence evolution of languages. So generic for image/*, for RDFy things, etc. ... so we should not restrict the fragment id spec to be only the media type spec. I wonder in fact whether we should have a generic ruling that a localid with no other puctuation be pointed out that it could be RDFa or equivalent for any media type CL: SVG shouldn't try to give an exhaustive list ... Lots of things need to be excluded, not just rdf+xml TBL: I might have jumped to assume that the media type spec is the place to look, but generic media type semantics is important, for evolution of the web ... media fragments are important ... in any XML language, if there's a short name without punctuation, might be good to look for RDFa; then generic warning at top fragid level, ... if you have a language that allows barenames in host language, you should make sure that you don't use same id in rdfa to talk about something different ... we should encourage generic <masinter> two paths: leave 3986's definition alone, or update 3986. If you leave 3986 alone, you need to (a) require new registrations to follow generic methods, and (b) update all existing registrations CL: RDF ids are not XML ids ... You're saying the two sets should not overlap TBL: One bag has punctuation, the other doesn't <masinter> I think leaving 3986 alone is workable, and updating it is painful. TBL: Barenames should never be in the string set you define YL: You should avoid syntactical conflicts when you define a new feature TBL: Stay away from bare names in particular <masinter> +xml, +exi, +json, +zip .... (JR notes RDF says nothing special about barenames) TBL: The simple syntax is sufficiently distinct to suggest special treatment in 3023bis <masinter> There are some proposals to make scheme-specific fragments for streaming protoocols of time-sensitive material, e.g., "second 5-10 of rtp:<blah>" TBL: Otherwise, it's the local id idea, a huge flexibility point, e.g. if you define a python media type, maybe the fragid would refer to identifiers defined in the python content <masinter> Scripting language inheritance of fragment identifies is another generic fragment identifier method TBL: You should be able to make global ids using language native mode ... When you're using barenames be careful since they'll be used in this way. Be aware people inserting RDFa, and using barenames, and people using barenames in host language must be aware that they're sharing a single document-wide namespace, and avoid using the same barename for two different things <masinter> I think "bare names" needs to fall out of the collision avoidance for generic fragment identifier schemes HT: Some people not clear on what TBL said... here's an example from the wild <noah> I heard Tim say: If you're defining a >framework< for generating families of fragment IDs, e.g. XPointer, that framework should not use barenames, leaving them for non-framework use <timbl_> Yes (JAR has heard the directly contradicting opinion) HT: TBL, please see screen. An HTML doc with RDFa, primary topic is #jack, with info about that, it's clear #jack is meant by author to identify a person. And he's also put div id="jack". Is this OK or is it bad? TBL: My preferred answer: bad. I want to link to one or the other, in the same kind of context, to different kinds of things. The 2 things have different properties ... I want to be able to use RDF to talk about the DIV element <JeniT> Funnily enough, people who create these pages really want a link that includes the #jack to jump to the appropriate point in the document <ChrisL> So best practice, the set of (xml) IDs and the set of (RDF) IDS on a given resource should be disjoint HT: In the example, the author might say the DIV is about Jack, so what's the problem? <masinter> Generic fragment identifier mechanisms: +xml, rdf, image media fragments, xhtml, javascript HT: Stipulate TBL's position, which one ought to be changed? <JeniT> So people have to create Javascript to interpret the fragment identifier that is being used as the identifier for the resource and map that into an anchor within the HTML document TBL: Jack1 and jack2, separate fragids <timbl_> Meanwhile, for barenames, be aware that things like RDFA will use barenames and so in other langauges or mixins which use barenames, they share a document-wide space <masinter> I think what RDFa uses depends on httpRange-14 NM: I thought I heard CL say, that he has heard the TAG tell this story, but if you want to understand fragid semantics, then the pertinent spec is the media type registration ... Noah wonders if Chris is suggesting loosening this. CL: Having looked there then you're not necessarily done. NM: Pushing back. IMO, the FYN story is quite important ... specs should all point to each other ... CL, are you suggesting otherwise? LM: The scheme plays NO part CL: Yes, there is FYN, 3023bis points to registry, which points to registration. <darobin> [23]http://www.w3.org/2005/04/xpointer-schemes/ [23] http://www.w3.org/2005/04/xpointer-schemes/ CL: rec points to xpointer spec, which points to the xpointer scheme registry <masinter> I was speaking in reaction to Noah's story in which mentioned RFC 2616 SVG points to the +xml RFC, that gets 3023bis into play HT: 3rd thing, it acknowledges it's an image, so it points to image/, CL says it doesn't need to point to media fragments CL: Need to update image/ spec to point to media fragments ... that should do it NM: All pertinent specs should have such chains... ... Register image/ at generic level, so that semantics can be inherited from image/ ... Principle is that there should be no contradictions among the specs ... you can't allow the last in chain to make contradictions ... We may want to an equivalent thing in +xml, say that if you're registering an xml type, there should be no conflict <Zakim> masinter, you wanted to propose a solution AM: We've been working with a few media types, there are rules between them, they're connected ... There is this cloud business too, there are tons of media types. Cloud providers, machine, network, all media types ... Lots of specs need to specify a particular special use of fragids. They do so in media types, and sometimes that breaks generic processing ... All the cloud things use XML, without +xml in the media type name ... Suppose I want to specify a special semantics for fragids. I can make my own media type, but I use XML, but no generic processing <masinter> "Multiview": using multiple media types for the same content, to get different interpretations (including fragment identifier) NM: Generic processing is supposed to not conflict... there's nothing in cloud+xml where 3023bis doesn't say you can't [scribe missed] JR: Are they not using +xml because they don't want generic, or because they're not aware, or they would like to, or what? AM: Checking <Zakim> masinter, you wanted to propose a solution LM: I typed what I wanted to say into IRC... there are 2 solutions, we either keep 3986, or fix it. If we keep it, it says meaning comes from media type rec [and consequent FYN chain] ... see 3986 ... Semantics is defined by media type. Therefore it depends <noah> [24]http://www.ietf.org/rfc/rfc3986.txt [24] http://www.ietf.org/rfc/rfc3986.txt LM: That gets pointer to media type rec <noah> Quoting from the spec: <noah> "The semantics of a fragment identifier are defined by the set of <noah> representations that might result from a retrieval action on the <noah> primary resource. The fragment's format and resolution is therefore <noah> dependent on the media type [RFC2046] of a potentially retrieved <noah> representation, even though such a retrieval is only performed if the <noah> URI is dereferenced. If no such representation exists, then the <noah> semantics of the fragment are considered unknown and are effectively <noah> unconstrained. " LM: Now we have javascript, xml, media frags, rdfa. <ChrisL> the "the set of <ChrisL> representations that might result" is not known to the person using the fragment, so that is bogus for a start LM: Some of the real time folks have suggested fragids whose semantics come from the scheme, because there is no retrieval body ... How do we reconcile these multiple source? One way, is that you constrain all future registrations, and update the existing ones. ... Media type reg should mention that because you're +xml, it should do xml thing, if it says it's an image type then ..., YL: You can't say this for future things? ... I think it's good if the registration does best effort. LM: Can just inherit NM: HTML spec could allow for a registry LM: My point is either update 3986 to point to a different source of generic inheritance other than media type reg, or you change media type reg procedure to say that reg should point to sources of semantics <noah> +1, especially to option #2 LM: A template could say scripts gets first shot, XML gets a shot, +json, +exi, +zip, ... ... There's an I-D saying every +xml automatically gets a +exi ... We do have a use pattern to consider, the same document could be served with different media types because you want different processing, maybe because you want different fragid processing <darobin> [25]http://tools.ietf.org/html/draft-shelby-exi-registration-01 [25] http://tools.ietf.org/html/draft-shelby-exi-registration-01 LM: e.g. /svg vs. /svg+xml, or /xml vs. /rdf+xml, maybe media type distinguishes processing in general, including fragid semantics YL: One problem statement, we looked at it mainly from document point of view. Look at doc in multiple ways. ... Different problem is compound documents, i.e. a doc containing multiple language, e.g. RDFa <masinter> [26]http://tools.ietf.org/id/draft-shelby-exi-registration-01.h tml [26] http://tools.ietf.org/id/draft-shelby-exi-registration-01.html YL: The consumer often knows what's intended. E.g. an RDF tool that see HTML+RDFa, could present conflict to user. Issue in 3023bis, you are applying generic processing in particular instances , first problem space CL: If you start pointing to these, it's not going to work . Classic example of compound doc without generic rules, is XSLT, frags are not intended to be processed .... HT: If you use generic rules for XSLT, they work just fine. What doesn't apply is semantics of embedded material, but no one ever said that would work ... XSLT doesn't require that XSLT style sheets be valid ... validity not well-formed ... The fragid #foo has a defined meaning, xpointer definition says barename refers to first id= element TBL: That's a weasel. Consider spirit ... The other fragids are there because they're quoted, I support what CL says. It's not broken because of one-id requirement <Zakim> ht, you wanted to suggest we're being pushed back towards application-specific interpretations being allowed and to project view-source:[27]http://examples.tobyinkster.co.uk/hcard [27] http://examples.tobyinkster.co.uk/hcard <JeniT> Yves, what about the YouTube fragid into video example you were talking about yesterday? <masinter> from [28]http://tools.ietf.org/html/draft-ietf-appsawg-media-type-re gs-04 [28] http://tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-04 <masinter> Since this was published, the defacto practice has arisen for using <masinter> this suffix convention for other well-known structuring syntaxes. In <masinter> particular, media types have been registered with suffixes such as <masinter> "+der", "+fastinfoset" and "+json". This specification formalizes <masinter> this practice and sets up a registry for structured type name <masinter> suffixes. HT: We haven't done the first half. Where does this leave us w.r.t. the +xml section of 3023bis. I'd be happy with: don't use the same barename in your RDFa and in your XML, in a +xml document. Unless you actually intend for them to have the same denotation TBL: Do do it if they're the same <masinter> But it doesn't say anything about inheriting a common definition of fragment identifier syntax <masinter> The primary guideline for whether a structured type name suffix <masinter> should be registerable is that it be described by a readily-available <masinter> description, preferably within a document published by an established <masinter> standards organization, and for which there's a reference that can be <masinter> used in a References section of an RFC. HT: A +xml that uses about="banana" as well as id="apply" is OK, even though at the type level, the two are different. ... What if the page had had jack1 and jack2, jack1 identifies an element, jack2 identifies a person, I'm happy with that ... That means there's no grandfathering required then ... As Chris said, neither rdf+xml nor RDFa introduce XML anchors in any way. Neither has any id= attribute <JeniT> There's no *technical* problem; of course the fact that barename fragments are used with two separate semantics makes it terribly confusing and impractical for people HT: So there is no problem with any XML generic processsor as every id= that it finds as identifying the element. RDFa never introduces id= NM: It now essentially says now and only, +xml owns the fragid namespace. It could say, we own the ones that are defined, but not the ones that aren't ... Use syntax disjoint with xpointer if resolution will never resolve to an id. <masinter> But javascript, image/ might add <ht> My proposal for 3023bis wrt fragids: The semantics of barename fragment identifiers is as follows: for those barenames in a +xml document which are "identifiers of an element" as defined in [XPointer Framework], a barename fragid identifies the element [XPointer Framework] says is does. The semantics of all other barename fragids are unconstrained by this specification. <JeniT> ChrisL, to capture what you said: document should be updated to reference latest version of SVG (ref?) and point to different handling in SVG Tiny <ChrisL> svg 1.1 first edition [29]http://www.w3.org/TR/2003/REC-SVG11-20030114/linking.html [29] http://www.w3.org/TR/2003/REC-SVG11-20030114/linking.html <ht> I was quoting w/o attribution from 3986 <ChrisL> svg 1.1 second edition www.w3.org/TR/SVG11/linking.html substantially identical <ChrisL> svg 1.2 big rewrite plus more sensible barename that is not an svg and not an svgview [30]http://www.w3.org/TR/SVGTiny12/linking.html [30] http://www.w3.org/TR/SVGTiny12/linking.html TBL: We were talking about XML and xpointer. Software that processes XML is going to use xpointers, whatever the mime type reg says. So we shouldn't be distracted by that. ... we could obsess and talk about XML URIs used in the pipeline, and so on. But MarkLogic will do xpointer, let's not be put off by it <masinter> Compound documents are a use case <masinter> HTML5 fragement identifier? TBL: We're getting into compound documents stuff. Maybe this pattern will become dominant. Maybe everything gets thrown into, say, HTML <masinter> PDF is a compound document format TBL: We want to refer to all kinds of things in the same namespace, maybe we should worry about this, not conneg, which is simpler <masinter> Active document fragments more important than compound document format? AM: To clarify, are you (TBL) saying we should back off on generic processing? TBL: No. We've just seen a conflict, need to be aware that many more may come along <masinter> "Last Call" in APPSAWG isn't IETF Last Call, it's working group Last Call. <Zakim> timbl_, you wanted to say that in fact Norm's code will process xpointers whatever specs say, in effect the things processed by xml processing pipelines are in away things which <Zakim> ChrisL, you wanted to complain about the set of possible representations CL: Reading through URI spec, it says you have to take the union of possible representations, which you have no way of knowing. Nobody will ever know about special leap day representations <masinter> "If you say incoherent things, people sometimes won't understand you" HT: Elsewhere in 3986 it talks about responsible administration. You should resolve all or none, and should happen consistently <timbl> For example, Ashok, people have been talking about putting turtle into script tags with a type=text/turtle NM: You weren't talking about conneg, but rather about time variation? <Zakim> ht, you wanted to propose the above as a resolution to what 3023bis should say HT: Varying representations. Varying along any dimension ... The example I put up leads to the proposal I entered ... (displaying, see above) ... Semantics is as follows CL: While this is good, there is a tendency for people to read this and say "this is bogus" ... Does it need to call out that other specs can nail it down? HT: TBL said don't trespass on the barename space, we ack that <Zakim> Masinter, you wanted to push Chris to submit 3023bis ASAP LM: I want to make sure there's the chain from IETF media type reg doc to +xml and to doc on fragids. ... Why not resubmit 3023bis as I-D? CL: Holdup. Current 3023bis deprecates text/xml because it has to be treated as US-ASCII. The reason is because of HTTP and email specs <masinter> Why not resubmit it now? CL: HTTPbis fixes that, email is fixing it <scribe> ... New 3023bis will have different authors. Will not deprecate text/xml, will say it is same as application/xml... that's why the I-D wasn't submitted. We're still working out sequence of change w.r.t. email LM: Just put a disclaimer, get it out before the 13th ... Because media type rec doc needs to reference something, deadline soon. CL: Acknowledged, I intend to publish I-D new 3023bis, new authors, as a placeholder, in next couple of days LM: TAG can send note to app area wg, with pointer to Jeni's document, saying ... NM: Doc status is, I wrote this and it hasn't been reviewed, ... ... We want app area to look at these two docs... does anyone object to pointing to unreviewed document? LM: I reviewed it NM: OK, referencing JT's doc as is OK? HT: Not comfortable yet, want to look at it LM: Can we put it on phone conference for Tues the 12th HT: Don't try to rush this <Zakim> Noah, you wanted to talk about Henry's proposal HT: I'm happy for it to go out tomorrow, to dated copy with what Noah signaled (refer to doc, but doc hasn't had TAG review) LM: No, we agreed to analysis, but not to the doc's recommendations NM: No objections were heard. But review is not over. JT: Could we have an action on someone to write the note? LM: I will draft note if JT will review it <masinter> You can fix this by *always* using the tools alias when you need to contact the chairs or ADs of this or any working group: <appsawg-chairs@tools.ietf.org> <appsawg-ads@tools.ietf.org>. LM: IETF only recognized individual people, not groups. NM: It will be signed by someone on behalf of the group ... If there's churn there's a problem LM: Maybe I will just send a note, saying the TAG has talked about it, long discussion. My own note. HT: I see no reason not to communicate officially NM: Problem is will this happen in the next week... ... I would be happy if additionally if we gave advice to those writing specific media type regs. Want to tell people how to write the specs to make sure everything fits together HT: Yes. Maybe go even further and say barename space is a valuable space, as TBL says... TBL: Advice to document authors HT: Where does this advice go? TBL: Would like to put it in 3986 HT: 3986? 3023bis? Media type reg RFC? ... 3986 <masinter> To: apps area working group <masinter> Subject: draft-ietf-appsawg-media... review <masinter> The W3C Technical Architecture Group has been working on issues around conflicting sources of fragment identifier semantics in URIs, following the definitions in RFC 3986 through the media type definition. We believe that those defining and registering media types (including ones that follow generic rules such as 3023bis ) may need more explicit advice than currently contained within draft-ietf-appsawg-..... We're working on recording and defining best practice for media type definition and fragment identifier semantics; --jeni-draft- is a document currently in preparation; our intent is to develop this so it can be normatively referenced. CL: Generally OK with HT's proposal, need to think it over, but spirit seems OK <masinter> my goal was just to set the expectation that they should look at Jeni's draft as explaining the situation HT: Proposal: The TAG should make the proposal I entered to the 3023bis editors <noah> Let's copy it here.... HT: We had different advice earlier. New info leads to the above proposal <JeniT> Larry, that looks great to me <masinter> "draft-ietf-appsawg-media-type-regs" is the name of their document HT: Should we now say, consequent on today's discussion and JT's doc, there are multiple players, 3023bis to be responsible should be very narrow about what is reserved to generic processing and leave the rest open ... wrt barenames, it only talks about the ones defined in the doc, wrt to others, ... xpointer says error, we say no, not an error, the semantics is devolved to someone else ... we let others with a say in the matter to say it NM: Needs update to xpointer? HT: No, it's fine for media type reg to short circuit fragid semantics in xpointer spec ... As far as 3023bis and generic processing there's no there there CL: You've produced a level of ordering. If xpointer doesn't deal with it, then go to next level. HT: 3023bis can say this in advance of any update to 3986 <masinter> Jeni, should we point specifically to Best Practice 3 "Fragment Identifiers in Media Type Definitions" as something we want consensus on? HT: I'm trying to help 3023bis get out the door so it helps XML community LM: The document Chris is preparing, and needs IETF consensus, which is community wide. Whatever we say is obviously still subject to that ... Who would the TAG comment be to? HT: The 3023bis editors (JAR notes one of them is in the room) Discussion of whether it matters how this is said CL: I'd like to point out that I started down this road because the TAG came to me <JeniT> Larry, I think we should say something like that we anticipate there being recommendations about requirements on media type registrations, such as that in Best Practice 3? LM: We got here because some people wanted to assume that if they saw +xml, then generic xpointer processing was appropriate. <JeniT> Larry, or no, that we want to specifically discuss what to recommend <masinter> Jeni, would you like to suggest a rewording? <noah> We got here because the then current draft of 3023 bis said they MUST treat as generic <masinter> When there are multiple communities who disagree on best practice, it's hard to get consensus on recommending one of their uses over the other. <ht> RESOLUTION, The TAG requests the 3023bis editors to adopt the following wrt fragids: The semantics of barename fragment identifiers is as follows: for those barenames in a +xml document which are "identifiers of an element" as defined in [XPointer Framework], a barename fragid identifies the element [XPointer Framework] says is does. The semantics of all other barename fragids are unconstrained by this specification. Likewise wrt other fragids using registered XPointer schemes, i.e. that XPointer "failure to find" errors are not errors, rather a statement of unconstraint. <masinter> Can javascript eat up bare names before they get to xpointer or xml? <masinter> ... and what about [31]http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml- authoring-guide.html [31] http://dev.w3.org/html5/html-xhtml-author-guide/html-xhtml-authoring-guide.html JT: A bit concerned, this doesn't seem to give scope for individual media type registrations to override HT: Calling it generic processing means there is no way to override it for generic processing NM: I had proposed to go further JR: Can we propose that separately? HT: Consider MUST language in 3986 is separate LM: I don't understand the dependency ... Does this bear on Polyglot? ... If you have something that treats fragids as HTML differently than xhtml+xml, could be trouble HT: If you access an xhtml, the fact that the xhtml spec says something, is in scope. Indirection through xpointer spec handles this ... 3023 can't say anything about content not served with type something+xml NM: text/html - HT answered this, when xpointer is used in both, [3986 covers this case] ... The explanation is tortured <darobin> [you can't tell if it's XML or HTML while it's still in the box, but the cat is dead all the same] HT: Intent of xpointer authors [missed] ... Note that I added to make clear that we want something parallel for something for (...) xpointers as well. That's in the draft resolution <noah> RESOLUTION: The TAG requests the 3023bis editors to adopt the following wrt fragids: The semantics of barename fragment identifiers is as follows: for those barenames in a +xml document which are "identifiers of an element" as defined in [XPointer Framework], a barename fragid identifies the element [XPointer Framework] says is does. The semantics of all other barename fragids are unconstrained by this specification. Likewise wrt other fragids using registered XPointer schemes, i.e. that XPointer "failure to find" errors are not errors, rather a statement of unconstraint. <noah> Passed without objection. <JeniT> Larry, the only thing I'd add is to say what we'd like them to do as a consequence NM: This rule either must not define interpretations for fragids already covered here, or must not provide conflicting definitions. Should say new specs *may* do new non-conflicting stuff HT: What you must not do is specify a use for strings that will appear in documents that they will be determined to id elements by xpointers, so they'll fall under this clause; you must not set users up to fail (Discussion of Noah's proposal, how to word) <JeniT> Larry, something like that we would like to discuss how best to point media type registration authors to recommendations about the definition of fragment identifiers and the possibility of their draft pointing out to a separate document providing those recommendations? HT: TBL's proposal is for 3986. There's nothing wrong at the spec level with what rdf+xml says, since the user can always do the right thing. They're never obliged to do so ... You must not oblige users to hang themselves - that's hard to say or place. NM: Spirit is: You could write pathological RDFa, and that's OK. HT: Maybe we can find an example NM: We thought that RDF had made a mistake. The reasoning has been so subtle that it's had us talking in circles The reasons they didn't make a mistake we may have just discovered It appeared that 3023bis that would have applied to rdf+xml. Experts thought it was a bug then realized it wasn't. Therefore I'm inclined to urge health warnings. HT: You mustn't design your XML language so that people can't achieve necessary reference using any fragid scheme without introducing a semantic conflict with a URI involving a fragid, that they can't express in some other way ... After the comma isn't needed ... , with respect to generic proessing as per 3023bis ... You're trying to avoid: I need to use ids to identify components. So you must write an id. To id a component, you have to put an id on a piece of XML. ... to refer to the component you have to write foo#x. But generic XML says, if there's an id, then it ids an element. The spec shouldn't ever put anyone in that position ... that's what we're trying to warn against JT: It's OK if it's not typed as an XML id, yes? HT: Will the xpointer spec say that string ids an element? If so, not good. ... The one legit instance , the HTML spec says in English that it's an anchor ... Three ways xpointer says a string ids an element. schema, xml:id, or if you know independently that it ids an element. ... That's there so that you don't need the HTML DTD around NM: HT is not recommending exactly this text ... I hear no objection to this direction ... Not as urgent as the previous point. <ht> ACTION, Henry to work with Noah to draft a further request to the editor from the TAG to include advice along the lines in the discussion on media types and fragment identifiers at the f2f on 2012-04-04 regarding what a particular +xml media type registration should do wrt fragid semantics <ht> ACTION: Henry to work with Noah to draft a further request to the 3023bis editor from the TAG to include advice along the lines in the discussion on media types and fragment identifiers at the f2f on 2012-04-04 - Due 2012-05-01 [recorded in [32]http://www.w3.org/2001/tag/2012/04/04-minutes#action01] <trackbot> Created ACTION-688 - work with Noah to draft a further request to the 3023bis editor from the TAG to include advice along the lines in the discussion on media types and fragment identifiers at the f2f on 2012-04-04 [on Henry Thompson - due 2012-05-01]. <noah> ACTION-543? <trackbot> ACTION-543 -- Peter Linss to propose addition to MIME/Web draft to discuss sem-web use of fragids not grounded in media type -- due 2012-03-27 -- OPEN <trackbot> [33]http://www.w3.org/2001/tag/group/track/actions/543 [33] http://www.w3.org/2001/tag/group/track/actions/543 <ht> ACTION: Henry to work with Noah to draft a further request to the 3023bis editor from the TAG to include advice regarding what a particular +xml media type registration should do wrt fragid semantics along the lines in the discussion on media types and fragment identifiers at the f2f on 2012-04-04 - Due 2012-05-01 [recorded in [34]http://www.w3.org/2001/tag/2012/04/04-minutes#action02] <trackbot> Created ACTION-689 - work with Noah to draft a further request to the 3023bis editor from the TAG to include advice regarding what a particular +xml media type registration should do wrt fragid semantics along the lines in the discussion on media types and fragment identifiers at the f2f on 2012-04-04 [on Henry Thompson - due 2012-05-01]. <noah> ACTION: Jeni to sort next steps on Fragment Identifiers and Mime Types - Due 2012-04-17 [recorded in [35]http://www.w3.org/2001/tag/2012/04/04-minutes#action03] <trackbot> Created ACTION-690 - sort next steps on Fragment Identifiers and Mime Types [on Jeni Tennison - due 2012-04-17]. Administrative - f2f dates Mon-Tue-Wed Oct 8-10 (or maybe 7-9) Pencil in Oct 7-10 NM: pencil in Oct 6 too pls ... Drift is in England/France direction <timbl> The semantics of barename fragment identifiers in a mimetype with +xml documentis as follows: When a format mixes several languages, (as for example when we mix HTML, RDFa, SVG and MathML), then each language allows things to be described in terms of document-level bare names. Some of those may be defined using the XML ID parameter, ans so will be processable using XML pipeline tools. In this case, the barename fragid identifies the element [XPointer Framework] says it does. The semantics of all other barename fragids semantics of the fragment are unconstrained by this specification. . <timbl> [36]http://www.w3.org/wiki/HTTPURIUseCases#Refer_to_a_document_ from_RDFa_within [36] http://www.w3.org/wiki/HTTPURIUseCases#Refer_to_a_document_from_RDFa_within HTTP Range-14 <Ashok> scribenick: Ashok HT: JAR proposed we should start with the nuclear option ... and discuss what the TAG would recommend to various constituencies Jeni: What's the nuclear option? Noah: We need to discuss the change options that people have proposed Jeni: We should decide the next steps JAR: Consequences of solution categories, criteria for choosing a solution category, usecases for elucidating consequences ... The advice that would be most difficult for folks to swallow is retraction of HTTP Range-14 <masinter> Some people hate httpRange-14 and some people like it. If you withdraw it, you make the people hate it happy and the ones who like it unhappy <masinter> no? JAR: One criterion is interoperability among usecases Tim: Usecases are in different shapes <masinter> I'm concerned about sender and receiver communicating, and I don't care about whether the linkee is happy <masinter> The sender gets to decide which linkee to invoke Two Usecases for hashless URIs ... Dublin Core and FOAF scribe: See <jrees> [37]http://www.w3.org/wiki/HTTPURIUseCases [37] http://www.w3.org/wiki/HTTPURIUseCases LM: Define constituents more carefully ... senders or receivers o people building Dublin Core ontologies <masinter> if we make linkees unhappy, i don't care. if some recievers are unhappy but could be made happier by senders choosing some other linkee to link to, then it's up to the sender <masinter> Melville didn't write any web pages, did he? <masinter> [38]http://www.operationteafortwo.com/wp-content/uploads/2011/0 7/mickey-mouse-au-BAC.png dc:creator ?? [38] http://www.operationteafortwo.com/wp-content/uploads/2011/07/mickey-mouse-au-BAC.png HT: Melville is not creator of electronic artifact Discussion about Usecase A) HT: I see a contradiction <masinter> dc:creator has to disambiguate JAR clicks on gutenberg URI in the usecase <masinter> is [39]http://www.ietf.org/rfc/rfc5013.txt the appropriate spec? [39] http://www.ietf.org/rfc/rfc5013.txt HT: I cannot tell if foaf:maker encodes author or producer JAR: Tore Erickson claims every example like this is encumbered HT: Better if we choose a home page JT: Choose a blog <masinter> [40]http://dublincore.org/documents/abstract-model/ [40] http://dublincore.org/documents/abstract-model/ <masinter> Is there a mapping to the Dublin Core abstract model? JAR: It's a beautiful idea but no one uses it ... hard to tell what the properties of the URI are HT: The first usecases should be href=" ..." JAR: I want to avoid usecases that do not involve RDF Example 2: <masinter> You can only avoid use cases that don't use RDF if you're willing to scope the results to only apply to RDF JAR: We would need to know something about what was on the page <jrees> Contrast of 2 examples is not based on what's fetched LM: We need to look at how dc:title is defined <masinter> i'm looking at [41]http://dublincore.org/documents/abstract-model/ [41] http://dublincore.org/documents/abstract-model/ LM: I am looking at Dublin Core abstract model HT: Says "we build on RDF" ... and to Pat's semantics LM: Would this solution make them rewrite the Dublin Core abstract model? <masinter> Jonathan also wanted to review impact on creative commons JAR: Let's look at Opt-Out No negative consequences for sender or receiver <masinter> [42]http://wiki.creativecommons.org/CC_REL [42] http://wiki.creativecommons.org/CC_REL JAR: Opt-In applies only if there is RDFa in retrieved content <masinter> gives some markup that CC proposes... will they have to change? JAR: none of the Opt-In proposals describe what the representation is HT: We need more qualification with Opt-In JAR: Need to say something about the content Discussion of improved Example 1 JAR: Default rule is what is used when there is no other information about sender or receiver HT: Let us suspend attempt to fill in one more box ... How are we going to take this forward to create a recommendation and convince people we have followed due process? JT: Need to show what world looks for each example for each proposal JAR: We said we would interact with community for 2 weeks HT: Need more than another 10 days JAR: I would like to ask for some revisions HT: We should rewrite in an understandable format ... then involve others JAR: We should look at second usecase LM: I suggest we not spend a lot more time on this ... instead form task force of concerned individuals NM: This is one of our top priorites ... cannot abandon it JT: Larry said "If we cannot drop it let's start a taskforce" LM: I don't remember being asked if this was a top-priority ... but still should not absorb all of out attention ... we have other priorities JAR: Task force to make us more effective? LM: Yes <masinter> RDFa / microdata is a priority <masinter> XML / HTML is a priority HT: We cannot do this until we have table filled in ... getting others involved before that would be confusing ... It will take a few person/days to fill out table <masinter> [43]http://www.w3.org/2001/tag/products/ [43] http://www.w3.org/2001/tag/products/ <masinter> I'd like to balance work on this vs. other priorities JAR: We tried to form a taskforce and it failed ... we did not have enough focus ... did not have the table filled in Tim: How about a taskforce selected from the TAG <masinter> based on the feedback I've gotten from observers of the TAG, the priority vs. other topics should be adjusted Discussion of taskforce arrangements HT: Filling in table is not telcon time. ... JAR will fill in table with whatever help he needs NM: We may need calls to review filled out table <masinter> Noah: JAR had first step, was second? <masinter> Noah: First step was to fill out the table summarizing the functional characteristics of various solutions <jrees> 1. JAR with help fills out the table of categories X use case X 3 roles. 2. *In parallel* we tell the community we are doing so. Functional chars of different proposals. They should look for that. 3. When JAR et al done, we will schedule telcon. <masinter> Note that is plan JAR: Is this sufficient? <masinter> this is JAR getting help from other people <masinter> Jeni: happy to help <masinter> Ashok: do you want to set out a time frame? NM: Say 3 weeks? <jrees> ACTION jar to Prepare table as described in 2012-04-04 minutes, for TAG review <masinter> /me [44]https://www.w3.org/2001/tag/group/track/issues/63 [44] https://www.w3.org/2001/tag/group/track/issues/63 <trackbot> Created ACTION-691 - Prepare table as described in 2012-04-04 minutes, for TAG review [on Jonathan Rees - due 2012-04-11]. <noah> ACTION-282? <trackbot> ACTION-282 -- Jonathan Rees to draft a finding on metadata architecture. -- due 2013-04-01 -- OPEN <trackbot> [45]http://www.w3.org/2001/tag/group/track/actions/282 [45] http://www.w3.org/2001/tag/group/track/actions/282 <masinter> issue-63 has basis of draft: model, serialization, vocabularies, linking. Think RDFa/microdata is part of metadata architecture <masinter> issue-63? <trackbot> ISSUE-63 -- Metadata Architecture for the Web -- open <trackbot> [46]http://www.w3.org/2001/tag/group/track/issues/63 [46] http://www.w3.org/2001/tag/group/track/issues/63 <masinter> product-5? Noah takes picture of Whiteboard with filled out matrix <masinter> [47]http://www.w3.org/2001/tag/group/track/products/5 [47] http://www.w3.org/2001/tag/group/track/products/5 <jrees> ACTION-691? <trackbot> ACTION-691 -- Jonathan Rees to prepare table as described in 2012-04-04 minutes, for TAG review -- due 2012-04-24 -- OPEN <trackbot> [48]http://www.w3.org/2001/tag/group/track/actions/691 [48] http://www.w3.org/2001/tag/group/track/actions/691 TAG Priorities <masinter> issue-50? <trackbot> ISSUE-50 -- URIs, URNs, "location independent" naming systems and associated registries for naming on the Web -- open <trackbot> [49]http://www.w3.org/2001/tag/group/track/issues/50 [49] http://www.w3.org/2001/tag/group/track/issues/50 JT: We said we would spend 10 minutes on Publishing and Linking <noah> [50]http://www.w3.org/2001/tag/products/index-2012-02-16.html [50] http://www.w3.org/2001/tag/products/index-2012-02-16.html - Fragment Identifiers and MiME types LM: This is urgent ... need credible schedule for completing our work in the next few months NM: Jeni will update product page. Add Larry. HT: I can ask to be area reviewer for Ned's draft ... or I can recuse myself - Publishing and Linking on the Web <masinter> on "Publishing and Linking" as a TAG product, we may want to push it out of TAG into a CG <masinter> we publish a TAG note that suggests another body take it up <masinter> i'm nervous about the plan for Publishing and Linking <timbl> jrees, [51]http://www.w3.org/wiki/HTTPURIUseCaseMatrix [51] http://www.w3.org/wiki/HTTPURIUseCaseMatrix <masinter> there might be some discussion of scope of CG <masinter> initial draft asks feedback to TAG - URI Documentation Discovery JAR: Create an option for removing this work from the TAG <jrees> See also JARs emacs buffer: [52]http://lists.w3.org/Archives/Public/www-archive/2012Apr/001 8.html [52] http://lists.w3.org/Archives/Public/www-archive/2012Apr/0018.html HT: Let's postpone that discussion Noah updates table online - MIME Architecture for the Web NM: Move this to a lower priority - Privacy by Design NM: Robin to draft product page - HTML/XML Unification <masinter> [53]http://c2.com/cgi/wiki?AlanKayQuotes: A new point of view is worth 80 IQ points [53] http://c2.com/cgi/wiki?AlanKayQuotes: NM: Norm to visit TAG in June - Web Apps Storage NM: Robin to draft product page - HTML Data JT: Remove this NM: I owe you a closing note - XML/HTML Unification RB: Shall we shut down the taskforce? ... no action lately NM: We still have outstanding issues for the TAG <masinter> should turn task force report into REC? NM: should we look at the issues. Tim said assign shepherd's for the issues. JAR: I would like 10 minutes on this at the October f2f <noah> ACTION: Noah to consider JAR's april request to discuss, for 10 mins, issues list at oct f2f - Due 2012-09-10 [recorded in [54]http://www.w3.org/2001/tag/2012/04/04-minutes#action04] <trackbot> Created ACTION-692 - consider JAR's april request to discuss, for 10 mins, issues list at oct f2f [on Noah Mendelsohn - due 2012-09-10]. PhiloWeb LM: Henry, Tim and I are listed as talking for the TAG at PhiloWeb ... I was going to bring there my thoughts about Languages, Implementaions and Versioning NM: Say it is your perspective ADJOURNED Summary of Action Items [NEW] ACTION: Henry to work with Noah to draft a further request to the 3023bis editor from the TAG to include advice along the lines in the discussion on media types and fragment identifiers at the f2f on 2012-04-04 - Due 2012-05-01 [recorded in [55]http://www.w3.org/2001/tag/2012/04/04-minutes#action01] [NEW] ACTION: Henry to work with Noah to draft a further request to the 3023bis editor from the TAG to include advice regarding what a particular +xml media type registration should do wrt fragid semantics along the lines in the discussion on media types and fragment identifiers at the f2f on 2012-04-04 - Due 2012-05-01 [recorded in [56]http://www.w3.org/2001/tag/2012/04/04-minutes#action02] [NEW] ACTION: Jeni to sort next steps on Fragment Identifiers and Mime Types - Due 2012-04-17 [recorded in [57]http://www.w3.org/2001/tag/2012/04/04-minutes#action03] [NEW] ACTION: Noah to consider JAR's april request to discuss, for 10 mins, issues list at oct f2f - Due 2012-09-10 [recorded in [58]http://www.w3.org/2001/tag/2012/04/04-minutes#action04] [End of minutes] __________________________________________________________ Minutes formatted by David Booth's [59]scribe.perl version 1.133 ([60]CVS log) $Date: 2012/04/09 20:15:34 $ [59] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [60] http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 20 April 2012 20:15:04 UTC