Minutes of Tag F2F Afternoon of 20 Sept. 2005

20 Sep 2005

See also: IRC log


Ed Rice
Vincent Quint
Noah Mendelsohn, Henry Thompson



<noah> scribe: Noah Mendelsohn

<noah> scribenick: noah

<timbl> tx

New Directions for the Tag

See: http://lists.w3.org/Archives/Public/www-archive/2005Jun/att-0010/tag-directions.html

VQ: Note resolution of httpRange-14
.... Note that Dan has offered some preliminary materials relating to educational materials.

<Roy> http://www.w3.org/2001/tag/em27.html

DC: Was going to give talk, oft postponed.
.... Not much is happening lately.
.... The talk will be at Park University, near Kansas City (http://www.park.edu) Contributions of slides would be welcome.

VQ: Idea was to put up educational materials on the web for use by others.

NM: Suggest Henry discuss at AC meeting in Montreal, to solicit contributions, offer what we have, ask for guidance on where to invest.

An acquaintance of mine wound up spending 3 weeks teaching Web Arch because he and his students found the document so useful and interesting.

VQ: httpRange14 is done?

TBL: Did Noah try to reopen it?

NM: Well, I was suggesting there were some questions about abstract resources like namespaces.

HT: I'm still trying to figure out use of fragids and non-info resources (i.e. once you expect to give a 302)

DC: I'd put that with fragmentInXml-28

<DanC_lap> issue fragmentInXML-28

<scribe> scribe: Henry Thompson

<scribe> scribenick: ht

NM: Is a namespace an information resource? Well, maybe. It's not like my dog, which clearly isn't, but it's not like the NYT of 12 July, which clearly is, either.
.... Have we dug a hole here? It's not right to return 200 from a namespace URI, but others seem OK with that.

<scribe> scribe: Noah Mendelsohn

<scribe> scribenick: noah

NM: So to be clear, I think I'm fine saying Namespaces are info resources, at least to the extent that the owner of the namespace claims there's nothing about it that isn't conveyable in a message.

VQ: Next sub-topic is web applications: is there anything else we should do?

<scribe> scribe: Henry Thompson

<scribe> scribenick: ht

NM: Concerns in this area -- new technologies, e.g. Avalon, Flash, leading to content standards which we (the TAG) would think of as being on the web. Some of what they're doing isn't relevant, e.g. replacing Excel, but other stuff is, and...
.... a) what W3C does with WebApp should be competitive in some sense with what's happening in the pure commercial sphere: Competitive doesn't necessarily mean as good, but good enough that the network effect boost brings it in to contention
.... b) Some of this stuff will be retrievable/retrieved by http in the normal course of events, but the formats may not be standards-based, or even understandable at all to non-proprietary tools
.... c) Principle of least power is involved, as some of these, e.g. Flash, are less declarative than they perhaps should be
.... So on both of the fronts I think the TAG should work on, namely making sure the web remains viable and modern, and moving in good new directions, we should be paying attention to this.

VQ: So you should do a report on the MS Dev conference

TBL: And then what should we do about it
.... Produce a competitive standards-based 'product'?

NM: Well, W3C is already doing that, in that our technologies coexist with others, right? Among the things we need to do in situations like that is to keep an eye on things, and monitor from the outside the extent to which such external developments are likely to change expectations.
.... In this case, that means tracking the external work very closely, with attention to formats, tooling, etc.

<scribe> scribe: Noah Mendelsohn

<scribe> scribenick: noah

NM: Suggest it might be interesting to have the Rich Application workgroup look at things like what Microsoft's building in Avalon.

Lots of resources, for example: http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/fluid.asp

DC: Someone?? years ago mentioned to me that there were 3 areas we should worry about a) info exchange b) commerce c) games, entertainment, media

RF: Sony PSP firmware update gives you a really good mobile web browser.

DC: W3C should take some realistic position about this space. SVG and Flash is pertinent.
.... Flash is very widely deployed...is dominant computing platform

VQ: On phones?

DC: I think there are more flash than phones.

VQ: almost every new phone is SVG enabled.

DC: still, I think we do best when we do standardization after things sort of gel. Not ahead.

HT: we have taken a huge hit as well as rendering an important service by getting out ahead of vendors on XML Schema. Hard to tell whether that one was a good call.
.... still, history suggests we do better job when we do the 2nd version of a technology a bit later

DC: so, my starting position is that I'm not 100% sure working in the rich client space is pertinent for us, but I'm glad to support the membership given that they feel now is the time to invest resources.

<DanC_lap> that's a politically correct adaptation of what I said, which was: starting out, I thought there's no way W3C could produce something relevant in the rich apps space. But I gather the relevant members have heard my arguments and think W3C can be relevant, so away we go

TBL: We've tended to talk more about formats than how to write software. Maybe the CDF space is different.
.... maybe we should get into that space more.

NM: Yes, but I also think it's important that the bits of markup stand on their own and be as declarative as possible.

Gen'l: is there a role for the TAG here?

RF: maybe we should look at SVG & SMIL and see where it stands?

NM: to what extent should we do it vs. Rich Web App stuff.

RF: i.e. we should try to learn why things like SVG have not had more traction to date. Find out whether it's a technical issue.

DC: but it's all about timing. We can't rewrite history.

NM: should I take an action to ask Dean Jackson what they're doing in terms of tracking external developments in the Rich App space.

DC: well, I sort of did that.
.... Yes, Dean has looked at things like Avalon vs. SVG in some details. I believe the proposal for the Rich App group accounts for building something realistic.

VQ: end of discussion of Rich apps.

Web Authentication

DC: I had action, not yet linkable, but I'll just give you this update here.
.... In the web, authentication is orthogonal to naming. You can always safely give out names. Access may or may not succeed.
.... Basic authentication has a design error. In the same number of round trips we could have done challenge/response instead of sending the password in the clear.
.... Digest authentication addresses this with digest-based challenge response.
.... The server sends you some large pseudo-random number, that you hash with your password, in a way that the server can check.
.... Kerberos style authentication is 3rd party. Avoids n by m key sharing between services and clients.
.... digest authentication

RF: WebDav does

DC: anyone use WebDav?

HT: Yes, iCal.

DC: When server supplies 401 insufficient credentials, you get a dialog that asks for user and password.

HT: doesn't support "only give me a few characters"
.... they ask for 1st, 4th chars of my password.

<DanC_lap> NM: at the recent Microsoft conference, I saw they're working on a big new UI for managing credentials

<DanC_lap> (missing SSL slide)

DC: providers use forms with <input type="password">. ISP policies make it cheaper to buy a website if you use this approach, but it's weak due to passwords in clear, unless you're also using SSL/HTTPS.

NW: takeaways...SSL is expensive to get and expensive to run

DC: right. It's overkill for just keeping passwords out of cleartext.
.... users put off by entering user name and password in any case
.... claim 90% of users give up when asked for authentication

HT: would be interested to know whether anyone has done a server to validate that intuition

DC: claim only few big services get to do this
.... I would like to get it to the point to which it's "criminal" to entice people to send passwords in the clear.
.... so, I want to make the alternative more practical

<DanC_lap> http://www.w3.org/TR/1999/NOTE-authentform-19990203

DC: the submission at http://www.w3.org/TR/1999/NOTE-authentform-19990203 says that we should use digest authentication at the place where password prompters give "*****", and a logout button.

TBL: why is this in XForms (i.e. as opposed to somewhere else)?

DC: Because you need new markup to support it.

TBL: does logout just delete cookies?

DC: there is a setting on Firefox that says no cross-site cookies. Has good uses for obscure cases.
.... It would be nice to have signed web pages, not just secured connections.
.... I want this in part for non-repudiation: you can prove I sent you this page.

NM: yes, but be a little careful. You really have to design this stuff to solve real world problems:
.... first of all, you often want to sign just a part of a page or form, e.g. the contract itself, but not the chrome around it.
.... secondly, if there as an XSLT or other form mechanism separate from the content, you need to sign not just the piece parts, but the combination, as well as some indication of how they were composed to make the page you saw.

DC: ...{scribe got a bit behind}...
.... some stuff about livejournal {?scribe?} anti-spam stuff

Scribe: Dan discusses slides at: http://www.w3.org/2005/09dc-edi/web-auth.html (click to advance through slides)

>> Dan will paste link to technical details here before minutes are public <<

Scribe: The link Dan wanted to paste is: http://www.openid.net

DC: so, that's my review of state of the art
.... a number of cool things. I could keep my identity in the open id space while switching authenticators.

TBL: can we use this for email? SMTP explain might return someone's openid?

DC: you could encourage everyone who runs an SMTP server to also have web server exporting open-id pages.

TBL: yes, but then you have to map email addresses to HTTP URIs

DC: interestingly, they already let you elide the http://www part of a URI.
.... note that there is a growing set of communities that don't use email as heavily as we do. They use IM, etc.

VQ: Thank you Dan, for the update on your action.
.... is there anything else we should do regarding security?

DO: I've written up several examples, exploring the different ways state is managed in Web apps. The example I chose was security. Maybe Dan and I should coordinate.

DC: Please send a pointer. Sounds interesting.

DO: Is that an interesting example? Relating stateful and stateless models? Hmm. I guess you'd have to see it to decide.

DC: Please send it.

<scribe> ACTION: Dan to review materials on stateful application models to be sent by Dave Orchard. Relate to authentication work. [recorded in http://www.w3.org/2005/09/20-tagmem-irc]

DC: I'd still like to promote open id.
.... I also think the Paul Leach's work (see link above) is still pertinent.

<DanC_lap> ACTION: DanC to turn "state of the art in auth slides [http://www.w3.org/2005/09dc-edi/web-auth.html ]" into draft finding [recorded in http://www.w3.org/2005/09/20-tagmem-irc]

<timbl> Morning draft minutes: 2-tagmem-irc-minutes.html

Meeting is adjourned.

Summary of Action Items

[NEW] ACTION: Dan to review materials on stateful application models to be sent by Dave Orchard. Relate to authentication work. [recorded in http://www.w3.org/2005/09/20-tagmem-irc]
[NEW] ACTION: DanC to turn "state of the art in auth slides [http://www.w3.org/2005/09dc-edi/web-auth.html ]" into draft finding [recorded in http://www.w3.org/2005/09/20-tagmem-irc]
[End of minutes] [To be continued]

Minutes formatted by David Booth's scribe.perl version 1.126 (CVS log)
$Date: 2005/10/11 13:31:49 $