Access Control PI

See email from DanC linked from agenda

<DanC_lap> http://www.w3.org/TR/2006/WD-access-control-20060517/

<Norm> http://www.w3.org/TR/access-control/

tvr: Issues similar to the ones raised by the above have also been encountered by the XForms WG.

See Mark Birbeck's work on ForsPlayer where he builds cross-site mashups that bring together data from different sites to create rich web applications.

tvr: we need to find an owner for this topic in the TAG if we want to cover it --

Vincent: let's move on if there is no owner right now
... Decentralized Identity

<DanC_lap> "Investigation of decentralized identity systems (OpenID, SXIP). Ed is reviewing DIX documents from IETF"

Decentralized Identity (not centralized!)

DanC: do we have anything to say before they freeze it?

Ed: have followed the email, not prepped for discussion

<DanC_lap> https://www1.ietf.org/mailman/listinfo/dix

Ben: has skipped specs -- looks vaguely like Open ID with end points as URIs

DanC: simplify A) users' lives with managing multiple passwords, make launching apps that need authentication easier.

TimBL: TAGS Goals?

TBL: help W3C pick amongst the various id efforts?

DanC -- sketches out one way how OpenID works.


home machine dirk -- wishes to comment on Bob's LiveJournal blog

swada is an Open ID server.

point browser on dirk at livejournal/blog

gives OpenID url

<timbl> http://www.w3.org/People/Connolly/research

types www.w3.org/people/danc

<timbl> View source on that

<timbl> <head profile="http://www.openid.net/specs.bml">

<timbl> <title>Dan Connolly's Research</title>

<timbl> <link rel="openid.server"

<timbl> href="http://swada.csail.mit.edu:9080/connolly?action=openid" />

<timbl> </head>

The link tag with the rel connects to swada

livejournal now redirects danc to swada with a referer url

livejournal forwards auth request to swada by doing a redirect; if that succeeds, swada redirects back to the url that needed the auth

livejournal delivers a 30x to the swada url, causing the browser on dirk to bring up the auth page.

note that this is very weak with respect to phishing

upon authentication swada redirects browser on dirk with an appropriate session token attached to go back to livejournal

<ht> This morning's minutes are in place at http://www.w3.org/2001/tag/2006/06/13-morning-minutes.html

Noah: is this vulnerable to man in the middle attack?

Probably ...

<EdR> likely

DanC: Above is just how one open-id scheme works.

<EdR> DIX logs: http://www1.ietf.org/mail-archive/web/dix/current/index.html

IETF DIX working drafts

<timbl> http://dixs.org/index.php/DIX_Charter

DanC let's check if IESG has approved the working group

<DanC_lap> "dix" isn't on http://www.ietf.org/html.charters/wg-dir.html

tvr: dixs

<EdR> proposed charter: http://www1.ietf.org/mail-archive/web/dix/current/msg00036.html

DanC: no WG yet


sxyp --- sxyp.org

<timbl> SXIP and SXIP.com and SXIP.org

sxyp identity is commercial

at the bottom layer dixs and open-id are interchangeable

<EdR> s/sxyp/sxip (http://www.sxip.com/)

<EdR> tim: you type in msn.com/connoly

<EdR> dan: no, just msn.com not connoly specific. When I authenticate they ask me for a user-name.

<EdR> Dan: I tend to think there isn't much difference. But I'd have to look at that. What does look like a big deal is that the Sxip stuff has technology to go to the claims exchange area, not just write access to the web area.

<benadida> Google will release a similar web auth architecture, which will have a big impact, I think:

<benadida> http://code.google.com/apis/accounts/Authentication.html

Google programmatic login: http://code.google.com/apis/accounts/AuthForInstalledApps.html

I believe feed readers use this at present to access GMail via an atom feed ---

<DanC_lap> also...

<DanC_lap> W3C is having charter discussions, e.g. Tying "form-filler support" to HTTP authentication from tlr 24 May http://lists.w3.org/Archives/Public/public-usable-authentication/2006May/0001.html

<benadida> nice OpenID diagram:

<benadida> http://www.openidenabled.com/openid/openid-protocol

<DanC_lap> ooh... John M's SXIP slides are on http://www.w3.org/2005/Security/usability-ws/program now ...

<tlr> danc, yes, we've got all the slides (I think)

<DanC_lap> Secure Metadata Thomas Roessler (Monday, 10 April)

<DanC_lap> TimBL said in the security area, the idea he's most interested in is getting the name/address of the certificate holder in the browser UI...

<DanC_lap> ... and I said this is being shopped around as "Secure Metadata", which is not a very evocative name.

<timbl> And getting the cursor of a browser to distinguish between GET, POST and secure or insecure channel.

<timbl> i said

<tlr> I'm actually looking for a more evocative name than "secure metadata".

<timbl> PhishGnet

<timbl> WaxSeal

<timbl> Ben: The browser will evolve significantly and we need to enable a solid security model.

<timbl> DC: The people doing this stuff seem to know more than we do.

<DanC_lap> in the webapi WG...

<DanC_lap> i.e. http://www.w3.org/2006/webapi/

<DanC_lap> (yeah, it makes sense that the user has to trust his web browser; it makes much less sense that, in a cross-site app involving javascript, sites A and B should trust the users' browsers to act on their behalf.)

<EdR> for the identity discussion;

<EdR> Novell takes the wraps off of its open-source framework for integrating disparate identity management systems with hopes that other companies will buy in.

<EdR> http://ct.enews.eweek.com/rd/cts?d=186-3838-8-85-113271-450156-0-0-0-1

<DanC_lap> interesting, EdR

security discussion was a fairly broad ranging discussion with arguments on both sides ...

Vincent: Asks Ben if there are other security aspects that TAG needs to look at that we did not discuss.

<DanC_lap> keywords included mash-ups, javascript, cross-site scripting, access control, voiceXML access-control PI, webapi WG

Ben: nothing specific, keep an eye on it

Raman: suggest TAG watches this space, since the expertise --- and the rapid activity in this space -- is not in the TAG

<EdR> TV: at most the TAG can come up with architectural principles, which are best done after the fact.

<DanC_lap> http://lists.w3.org/Archives/Public/public-usable-authentication/2006Apr/thread.html

no clear conclusion ...

