<Stuart> Scribe: David Orchard
<DanC> when we get to tagSoup, help me remember to bring up http://lists.w3.org/Archives/Public/public-html/2008Apr/0205.html Supporting MathML and SVG in text/html, and related topics " we actively want to make sure that
<DanC> people can't willy nilly extend the language without coordination with
<DanC> anyone interested in the development of the language"
<DanC> scribenick: DanC
-> http://www.w3.org/2001/tag/2008/04/03-minutes minutes 3 Apr
SKW: propose to approve
HT: minutes 3 Apr should show my regrets
RESOLUTION: to approve, noting HT's regrets are recorded elsewhere
PROPOSED: to meet again 17 Apr, DanC to scribe, regrets Noah
regrets 24 apr from SKW, TBL, ...
SKW: propose to cancel 24 Apr tag meeting and meet again...
<Ashok> And me!
SKW: 1 May
NM: I offer to scribe 1 May
<trackbot-ng> ACTION-16 -- David Orchard to incorporate the NVDL text into the findings. -- due 2008-05-15 -- OPEN
<trackbot-ng> ACTION-38 -- Norman Walsh to review the XML part again -- due 2008-02-14 -- PENDINGREVIEW
NDW: material there is outside my expertise
<trackbot-ng> ACTION-38 review the XML part again closed
<trackbot-ng> ACTION-107 -- Dan Connolly to review compatibility-strategies section 3 (soon) and 5 for May/Bristol -- due 2008-05-15 -- OPEN
current draft is 28 March
action 107 continues
<trackbot-ng> ACTION-108 -- Ashok Malhotra to review compatibility-strategies section 2, 4 a week after DO signals review -- due 2008-04-04 -- OPEN
AM: yes, started, still expect to do it
SKW: Raman's review is at risk
<scribe> scribe: dorchard
<scribe> scribenick: dorchard
<DanC> DO: the 28 Mar draft incorporates comments to that point; since then, Marc D. has sent a bunch of detailed comments
<DanC> close action-111
<trackbot-ng> ACTION-111 Revise version of compatibility strategies document by next telecon (13 march) closed
<trackbot-ng> ACTION-112 -- Noah Mendelsohn to review compatibility strategies section 2 due 2008-04-04 -- due 2008-04-04 -- OPEN
<trackbot-ng> ACTION-112 -- Noah Mendelsohn to review compatibility strategies section 2 due 2008-04-04 -- due 2008-05-15 -- OPEN
Noah signs up for later date..
raman/danc brought up css versioning
discussion about what was the interesting issue..
noah: features are being introduced where the difference is greater than it was..
<DanC> (quite a long thread in http://lists.w3.org/Archives/Public/public-xhtml2/2008Mar/thread.html )
<noah> I also said that CSS was highlighted as an example of a language in which 1) there is no explicit version marker and 2) there is a default interpretation in earlier versions of features that become explicit later (I think that's right)
<DanC> yes, noah, I think David Baron makes that point pretty well
<noah> Then, as you said Dave: until now, as new features introduced have in some sense represented "modest" changes, whereas now a version is contemplated in which some of the new features will be in some sense "more incompatible" than would have been common before.
<Stuart> trackbot-ng, status
<scribe> ACTION: David to ask raman what he thinks should be done wrt css versioning [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action01]
<trackbot-ng> Created ACTION-133 - Ask raman what he thinks should be done wrt css versioning [on David Orchard - due 2008-04-17].
<DanC> From: Dominique Hazael-Massieux <firstname.lastname@example.org>
<DanC> To: w3c-tools <email@example.com>
<DanC> Subject: Tracker nicks can now be edited on the Web
<DanC> Date: Tue, 18 Mar 2008 16:41:47 +0100 (10:41 CDT)
Dave posted summary of responses.
discussion about how digest is actually done including nonces...
<Zakim> noah, you wanted to talk about some security sometimes being better than none
noah: what about the security where it's just a server under a desk..
danc: their point is that is training people to do the wrong thing..
noah: so I need to buy a cert?
danc: no, self-signed certs don't cost
<scribe> ACTION: david to ask security context about the exact breakage of digest [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action02]
<trackbot-ng> Created ACTION-134 - Ask security context about the exact breakage of digest [on David Orchard - due 2008-04-17].
<Ashok> Hal Lockhart -- BEA Security expert
should I say MUST not or SHOULD not send passwords in the clear?
<DanC> I think the difference between MUST NOT and SHOULD NOT isn't that significant; I think SHOULD NOT is ok, but let's not celebrate the exceptions
<timbl_> must works for me, in the sense of "must for you to comply with this"
<timbl_> If you don't want to conform then on your head be it
<Stuart> The counter argument such as it is comes/came from John Cowan in a thread based at: http://lists.w3.org/Archives/Public/www-tag/2006Nov/0085
Always use SSL or some equivalent security - there is no provision
in web browsers that allows passwords to be exchanged securely
without SSL. Not even hashing.
<DanC> true, "never acceptable" is pretty much synonymous with MUST NOT; then the question is: is this guy the only relevant constituency?
<DanC> I guess MUST is simpler; I'd only go with SHOULD NOT if we didn't celebrate the exceptions at all.
noah: you could do SHOULD NOT then say note: the exceptional cases are truly exceptional..
<DanC> "2119" doesn't occur in http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
<Zakim> DanC, you wanted to note wikipedia on digest as a representation of popular understanding http://en.wikipedia.org/wiki/Digest_access_authentication
noah: you could say "we use rfc 2119 terminology, when we say must that means how to establish security on the web".
<Zakim> ht, you wanted to say we could try again
ht, ashok like must not
stuart calls the question.
<DanC> (tone? why ask about the tone? I think the proposal is clearer in terms of words)
stuart: do people approve a change in the tone of the finding to be a must not exchange passwords in the clear as well as saying it's a MUST to be secure..
<timbl_> Proposed: The document should say that passwords in the clear MUST not be used.
<timbl_> you will, zakim, you will
<Ashok> Please capitalize NOT
<scribe> ACTION: david to make the change to passwords MUST NOT be sent in the clear [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action03]
<trackbot-ng> Created ACTION-135 - Make the change to passwords MUST NOT be sent in the clear [on David Orchard - due 2008-04-17].
<timbl_> "Digest authentication is widely acknowledged to be the best available Internet standard for this purpose. " -- http://www.eweek.com/c/a/Past-Reviews/IE-Apache-Clash-on-Web-Standard/
<DanC> (I'd like to understand the problems with digest better, but I'm not sure the community should wait for me to get clued in, so perhaps silence about digest is best.)
<Stuart> That purpose being?
<DanC> (PHB at least has come around from the "it has to be perfectly secure before we deploy anything" POV.)
<ht> I just got dropped -- the traditional you lose after one hour bug
Finally, I think you should also warn about incorrect use of SSL/TLS,
specifically the incorrect method, still applied (at least by default)
in several major sites, of sending unprotected login forms, and
invoking SSL/TLS only upon submission, to encrypt the password -
<DanC> (the drupal community seems to see digest support as a goal http://drupal.org/node/160202 . they seem to be weighing dev costs without any reference to security deficiencies.)
consensus to do the warning SSL/TLS..
<timbl_> "For developers who want to build truly interoperable secure Web applications, the only available option is to encrypt all data between a Web client and server using SSL (Secure Sockets Layer) and to fall back to basic authentication. This is a secure option, but digest authentication is a valuable middle ground between almost no security (what unencrypted basic authentication provides) and complete SSL encryption, with its considerable CPU overhead, more complex
<trackbot-ng> ACTION-7 -- Dan Connolly to work with Olivier and Tim to draft a position regarding extensibility of HTML and the role of the validator for consideration by the TAG -- due 2008-03-14 -- OPEN
discussion about Noah's action 131
<DanC> ("Stuart's P1 proposal" is frustratingly obscure; we're talking about ARIA/HTML integration comments)
<Stuart> "TAG acceptance of a compromise on this occasion should not be regarded as establishing a precedent. Several factors contribute to it being workable: that the WGs involved happen to be active at the same time; that the WG with responsibility for the host language is not having to consider a lot of extension request at the same time; that the ARIA extensions are entirely attribute based - more general element based extensions with more complex content models present
stuart: would the tag find it useful to add the paragraph just posted to Noah's email?
<DanC> I don't agree with "we also suggest
<DanC> that the right medium term answer is for uniform treatment of names and
<DanC> values with colons to be specified for HTML."
<Stuart> So Dan... you're suggesting removal of that sentence?
<timbl_> 'we also suggest that the right medium term answer is for uniform treatment of names and
<timbl_> values with colons to be specified for HTML" I agree has been asserted to be incompatible with old browsers
<timbl_> which is weird when colon was supposed to be a name char
<DanC> I might rather just abstain, Stuart. the reason I don't agree is that I think it's a premature conclusion, without looking at enough of the options and state-of-the-art
Tim Berners-Lee said: "The idea of using SVG without XML is horrifying."
<ht> HST notes that NM has left the call. . .
<ht> HST has to leave in the next minute or two
<Ashok> I agree -- +1 to HT and DaveO
henry: I've never liked the aria proposal..
danc: I've been told this is a deliverable that has nothing to do with HTML..
<Norm> I agree with Henry
<DanC> where's the request from PF that has such urgency? I'm confused by recent communications from the PF chair, Al Gilman
timbl: this could be a deliverable for xhtml, but then say "this can be used with languages like html"
stuart: they may be encouraging people to use the no namespace approach
<DanC> "First: we need to be clearer about what the deal is as regards the time sequence of the following two milestones: ... " writes Al G. in http://lists.w3.org/Archives/Public/public-html/2008Apr/0192.html
stuart: where no namespace approach equals aria-
henry: needs to go, prefer to wait 1 week noting noah's absence as well.
<ht> I acknowledge that next week is a hard deadline for getting feedback decided on
<Stuart> trackbot-ng, status
<DanC> trackbot-ng, status
<scribe> ACTION: Dan to liaise with michael cooper on their expectations of the TAG [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action04]
<trackbot-ng> Created ACTION-136 - Liaise with michael cooper on their expectations of the TAG [on Dan Connolly - due 2008-04-17].