<scribe> Scribe: TV Raman
<scribe> ScribeNick: tvraman
Access Control PI
See email from DanC linked from agenda
<DanC_lap> http://www.w3.org/TR/2006/WD-access-control-20060517/
<Norm> http://www.w3.org/TR/access-control/
tvr: Issues similar to the ones raised by above have also been encountered by the XForms WG.
See Mark Birbeck's work on ForsPlayer where he builds cross-site mashups that bring together data from different sites to create rich web applications.
tvr: we need to find an owner for this topic in the TAG if we want to cover it --
Vincent: let's move on if there is no owner right now
... Decentralized Identity
<DanC_lap> "Investigation of decentralized identity systems (OpenID, SXIP). Ed is reviewing DIX documents from IETF"
Decentralized Identity (not centralized!)
DanC: do we have anything to say before they freeze it?
Ed: have followed the email, not prepped for discussion
<DanC_lap> https://www1.ietf.org/mailman/listinfo/dix
Ben: has skipped specs -- looks vaguely like Open ID with end points as URIs
DanC: simplify A) users life with managing multiple passwords, make launching apps that need authentication easier.
TimBL: TAGS Goals?
TBL: help W3C pick amongst the various id efforts?
DanC -- sketches out one way how OpenID works.
Task:
home machine dirk -- wishes to comment on Bob's LiveJournal blog
swada is an Open ID server.
point browser on dirk at livejournal/blog
gives OpenID url
<timbl> http://www.w3.org/People/Connolly/research
types www.w3.org/people/danc
<timbl> View source on that
<timbl> <head profile="http://www.openid.net/specs.bml">
<timbl> <title>Dan Connolly's Research</title>
<timbl> <link rel="openid.server"
<timbl> href="http://swada.csail.mit.edu:9080/connolly?action=openid" />
<timbl> </head>
The link tag with the rel connects to swada
livejournal now redirects danc to swada with a referer url
livejournal forwards auth request to swada by doing a redirect; if that succeeds, swada redirects back to the url that needed the auth
linkjournal delivers a 30x to the swada url causing the browser on dirk to bring up the auth page.
note that this is very weak with respect to fishing
upon authentication swada redirects browser on dirk with an appropriate session token attached to go back to livejournal
<ht> This morning's minutes are in place at http://www.w3.org/2001/tag/2006/06/13-morning-minutes.html
Noah: is this vulnerable to man in the middle attach?
Probably ...
<EdR> likely
DanC: Above is jus t how one open-id scheme works.
<EdR> DIX logs;http://www1.ietf.org/mail-archive/web/dix/current/index.html
IETF DICX working drafts/
<timbl> http://dixs.org/index.php/DIX_Charter
DanC let's check if IESG has approved the working group
<DanC_lap> "dix" isn't on http://www.ietf.org/html.charters/wg-dir.html
tvr: dixs
<EdR> proposed charter: http://www1.ietf.org/mail-archive/web/dix/current/msg00036.html
DanC: no WG yet
http://dixs.org/index.php/DIX_Charter
sxyp --- sxyp.org
<timbl> SXIP and SXIP.com and SXIP.org
sxyp identity is commercial
at the bottom layer dixs and open-id are interchangeable
<EdR> s/sxyp/sxip (http://www.sxip.com/)
<EdR> tim: you type in msn.com/connoly
<EdR> dan: no, just msn.com not connoly specific. When I authenticate they ask me for a user-name.
<EdR> Dan: I tend to think there isnt much differance. But I'd have to look at that. What does look like a big deal is that the Sxip stuff has technology to go to the claims exchange area, not just write access to the web area.
<benadida> Google will release a similar web auth architecture, which will have a big impact, I think:
<benadida> http://code.google.com/apis/accounts/Authentication.html
Google programmatic login: http://code.google.com/apis/accounts/AuthForInstalledApps.html
I believe feed readers use this at present to access GMail via an atom feed ---
<DanC_lap> also...
<DanC_lap> VeriSign launches free OpenID server
<DanC_lap> 5/18/2006 1:11:49 PM, by Nate Anderson
<DanC_lap> http://arstechnica.com/news.ars/post/20060518-6867.html
<DanC_lap> VeriSign launches free OpenID server
<DanC_lap> 5/18/2006 1:11:49 PM, by Nate Anderson
<DanC_lap> http://arstechnica.com/news.ars/post/20060518-6867.html
<DanC_lap> W3C is having charter discussions, e.g. Tying "form-filler support" to HTTP authentication from tlr 24 May http://lists.w3.org/Archives/Public/public-usable-authentication/2006May/0001.html
<benadida> nice OpenID diagram:
<benadida> http://www.openidenabled.com/openid/openid-protocol
<DanC_lap> ooh... John M's SXIP slides are on http://www.w3.org/2005/Security/usability-ws/program now ...
<tlr> danc, yes, we've got all the slides (I think)
<DanC_lap> we thought you wanted to call in just in the morning
<DanC_lap> at least... I did
<timbl> tlr, do you want to try skype?
<tlr> danc, I wasn't referring to anything not working right now, but to the poor sound quality in the morning
<tlr> timbl, sure
<tlr> timbl, I'm thomasroessler on skype
<timbl> "FAiled misc error"
<tlr> Assuming that you are timblee, I'm right now trying to call you
<tlr> fails, "reason unknown"
<tlr> oh well
<tlr> bad luck. I'll continue lurking on IRC
<timbl> OK
<DanC_lap> Secure Metadata Thomas Roessler (Monday, 10 April)
<DanC_lap> TimBL said in the security area, the idea he's most interested in is getting the name/address of the certificate holder in the browser UI...
<DanC_lap> ... and I said this is being shopped around as "Secure Metadata", which is not a very evocative name.
<timbl> And getting the cursor of abrowser to distinguish between GET, POST and secure or insecure channel.
<timbl> i said
<tlr> I'm actually looking for a more evocative name than "secure metadata".
<timbl> PhishGnet
<timbl> WaxSeal
<timbl> Ben: The browser will evolve signifcantly and we nne to enable a solid security model.
<timbl> DC: Thepeople doing this stuff seem to know more than we do.
<DanC_lap> in the webapi WG...
<DanC_lap> i.e. http://www.w3.org/2006/webapi/
<DanC_lap> (yeah, it makes sense that the user has to trust his web browser; it make much less sense that, in a cross-site app involving javascript, sites A and B should trust the users's browsers to act on their behalf.)
<EdR> for the identity discussion;
<EdR> Novell takes the wraps off of its open-source framework for integrating disparate identity management systems with hopes that other companies will buy in.
<EdR> http://ct.enews.eweek.com/rd/cts?d=186-3838-8-85-113271-450156-0-0-0-1
<DanC_lap> interesting, EdR
security discussion was a fairly broad ranging discussion with arguments on both sides ...
Vincent: Asks Ben if there are other security aspects that TAG needs to look at that we did not discuss.
<DanC_lap> keywords included mash-ups, javascript, cross-site scripting, access control, voiceXML access-control PI, webapi WG
Ben: nothing specific, keep an eye on it
Raman: suggest TAG watches this space, since the expertize --- and the rapid activity in this space -- is not in the TAG
<EdR> TV: at most the TAG can come up with architectural principles, which are best done after the fact.
<DanC_lap> http://lists.w3.org/Archives/Public/public-usable-authentication/2006Apr/thread.html
no clear conclusion ...