W3C

Technical Architecture Group F2F Meeting, Cambridge, MA

08 Dec 2009

Agenda

See also: IRC log

Attendees

Present
Noah Mendelsohn, Tim Berners-Lee, Jonathan Rees, Ashok Malhotra, Larry Masinter, Henry Thompson, Dan Connolly, John Kemp
Regrets
TV Raman (partial regrets, present in afternoon via phone)
Chair
Noah
Scribe
John Kemp (morning), Tim Berners-Lee (afternoon)

<scribe> Scribe: JohnK

<scribe> ScribeNick: johnk

Convene, review agenda

<noah> Thomas, we're missing a phone here, working on getting one. Should be a few mins. Sorry.

trackbot-ng, start telcon

<trackbot> Date: 08 December 2009

Web Application Architecture: Security and Policy

NM: (connects us with TLR)

TLR: there was a well-attended session at TPAC on Web Security
... strict transport security paypal proposal
... XSS discussion

<DanC_> strict transport security wiki topic

TLR: next steps for Origin header draft
... no formal minutes available, however
... have the impression that Origin draft is moving forward in IETF
... HTTP state WG is "under review"

<DanC_> (I saw a draft charter re cookies, I think; where did I see that? ...)

<tlr> ietf mailing list

TLR: sense is that group should do two deliverables: - one documenting current state, another more normative

<DanC_> public-web-security archive

<noah> FWIW, I recommend that TAG members willing to deal with the traffic subscribe to the mailing list. I find it to be interesting/worthwhile.

<masinter> News on http-state http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01182.html

<masinter> HTTP-STATE WG charter finished IETF review and IESG Evaluation, and waiting on a few edits & input responses

TLR: fairly happy with state of affairs

DC: has an area director stepped forward to shepherd the Origin draft?

TLR: I believe so

<DanC_> ( "Lisa" == Lisa Dusseault , as in http://www.ietf.org/iesg/members.html )

LMM: haven't heard a positive direction on Origin yet

some of the mics appear to be on mute

<Zakim> DanC_, you wanted to ask which AD is shepherding the Origin draft

<Zakim> noah, you wanted to ask for a bit of intro on the strict transport/paypal stuff

<tlr> http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html

NM: what is strict transport security about?

TLR: let a site declare that it wants to use HTTPS even if it sees an HTTP link

<DanC_> http://www.w3.org/Security/wiki/Strict_Transport_Security -> http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html

<DanC_> "draft specification proposed by Jeff Hodges (=JeffH, Paypal.com), Adam Barth (UC Berkeley), Collin Jackson (CMU-SV). "

2.2 Strict Transport Security Policy Summary

The characteristics of the Strict Transport Security policy, as applied to some given web site, known as a STS Server, is summarized as follows:

1. Insecure ("http") connections to a STS Server are redirected by the STS Server to be secure connections ("https").

2. The UA terminates, without user recourse, any secure transport connection attempts upon any and all errors, including those caused by a site wielding self-signed certificates.

3. UAs transform insecure URI references to a STS Server into secure URI references before dereferencing them.

<masinter> Miller's note about "origin:" header being harmful http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0035.html

TLR: limits DNS corruption and MITM attack

LMM: what are future plans for organizing web security in some way?

more microphone mayhem...

TLR: TPAC tried to coerce volunteers to get involved in review
... usual problem: how do we recruit volunteers?

LMM: is there some possibility for a "formal" security board - a way of being able to sign up more consistently?

TLR: use the chairs of the security WGs, but we don't have critical mass
... create a TAG-like body, focused on security?

HT: I had a conversation with Mark Miller at TPAC - he was heartened by the meeting
... disagreements are purely technical

<Zakim> ht, you wanted to mention personal feedback from Mark Miller

TLR: skillful chairing has contributed to the positive movements

<tlr> +1 to the value of face-to-face meetings, in these points, btw

LMM: keep this as a topic to review periodically
... too early to decide on a formal structure, but would encourage some thought about a process for improving security review

NM: anything specific for us to follow up on?

<DanC_> I'm gonna close this in a minute unless anybody objects:

<DanC_> ACTION-323?

<trackbot> ACTION-323 -- Dan Connolly to as Thomas for a report form the security BOF -- due 2009-12-08 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/323

NM: any specific specifications?

<DanC_> (I'm glad Noah is pursuing getting actions if we're to keep this on our agenda. LMM seems to be pursuing a process point, which is not the TAG's mandate, so I'm OK if nothing comes of it.)

<masinter> origin header -- is it in, is it out, is it dead, is it shipping?

<DanC_> (tlr, do you want to be here when we talk about confused deputy?)

<masinter> IRI spoofing -- who has the responsibility for insuring that user agents don't depend on showing the user an IRI and expecting them to distinguish

<DanC_> (where's the list tlr is reading? I don't see websockets on http://www.w3.org/Security/wiki/Main_Page )

TLR: XHR, CORS, HTML5, WebSockets... encourages LMM to add his short list

<tlr> I said "I think websockets should go on there, too"

<jar> johnk: Add Uniform Messaging to the list

JK: asks about Uniform Messaging Policy proposal

<tlr> XHR has a last call that closes in a week.

TLR: XHR documents current usage and is in LC

<tlr> http://www.w3.org/TR/2009/WD-XMLHttpRequest-20091119/

<tlr> LC for XHR ends on 15 December

JK: XHR and UMP both have XHR-like APIs, and seem to be related

<jar> tlr: XHR assumes SOP

<DanC_> DanC: the XHR whose LC is 15 Dec is async with one that takes on UM, right? [tlr said right]

JK: and UMP allows cross-origin with opt-out from SOP

ACTION johnk to review XHR and UMP together and provide comments to TAG as relevant

<trackbot> Sorry, couldn't find user - johnk

<DanC_> trackbot, status?

ACTION John to review XHR and UMP together and provide comments to TAG as relevant

<trackbot> Created ACTION-340 - Review XHR and UMP together and provide comments to TAG as relevant [on John Kemp - due 2009-12-15].

<DanC_> http://www.w3.org/Security/wiki/HTML5 has an answer to NM's Q

<tlr> (and that's just the *trivial* list of likely relevant sections)

NM: any TAG members willing to look at this security wiki and take any other actions regarding the items listed there?

TLR: HTML5 security policies are worthy of review!
... we don't know what we don't know
... possibility of a workshop around these items

NM: rough guess about when that might happen?

TLR: probably a few months out

<DanC_> . ACTION: noah to let the TAG know about any upcoming HTML 5 security workshop

<tlr> ACTION: noah to follow up with Thomas about security review activities for HTML5 [recorded in http://www.w3.org/2009/12/08-tagmem-minutes.html#action01]

<trackbot> Created ACTION-341 - Follow up with Thomas about security review activities for HTML5 [on Noah Mendelsohn - due 2009-12-15].

<masinter> http://www.w3.org/Security/wiki/Talk:HTML5

DC: do "sandboxed iframes" work as well as they could or are there possible improvements?

(seems like no-one knows the specifics well-enough)

TBL: permeability of iframe boundary has been in flux during our work on tabulator...

<masinter> at least 100 messages on sandboxed iframes in http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html

TBL: is this in research phase, or fairly solid in browsers?

TLR: (thinks still research phase)

LMM: lots of messages on sandboxed iframes this week, so situation is still evolving

NM: (reviews the agenda item)

<DanC_> close action-321

<trackbot> ACTION-321 lightly edit TAG input to DAP WG per 8 Oct and tell Noah closed

<DanC_> close action-318

<trackbot> ACTION-318 Send note to Device APIs and Policy (DAP) Working Group on behalf of the TAG closed

DC: can I close actions?

<DanC_> close action-323

<trackbot> ACTION-323 As Thomas for a report form the security BOF closed

LMM: I would be happy if there were an interest group for tracking these issues

<tlr> (encouragement heard, but not going to happen this year. ;-)

LMM: part of web arch is security, and it probably requires more attention than the TAG is able to give it

NM: TAG still has a role, and I'm not sure if a W3C mechanism to track all of these things outside W3C is useful
... what problem does IG solve?

DC: possibility of a workshop is a good start

<jar> I just added uniform messaging to the security wiki FYI

ACTION Noah January 15th ask the TAG again about more formally tracking security issues in HTML5

<trackbot> Created ACTION-342 - January 15th ask the TAG again about more formally tracking security issues in HTML5 [on Noah Mendelsohn - due 2009-12-15].

AM: read the UMP draft, which speaks about 2 actors

<tlr> jar, CORS and UM are closely enough linked that I'd prefer to keep them together

AM: does UMP extend to multiple actors?

<DanC_> (I'd like to see an explanation of how UM generalizes to multiple parties)

JAR: yes

<DanC_> action-340: to include an explanation of how UM generalizes to multiple parties

<trackbot> ACTION-340 Review XHR and UMP together and provide comments to TAG as relevant notes added

LMM: in last IETF, long discussion about non-ASCII chars in IRIs and related security issues
... possibility of constructing IRIs that the user cannot really tell whether they represent what the user is actually trying to do
... this is not a security mechanism, but there is a security issue there

<DanC_> http://www.w3.org/Security/wiki/Trusted_User_Interface#IDN_Spoofing

NM: is the current group of the group working around the web security wiki looking at issues such as the one Larry describes?

TLR: not specifically, no

<DanC_> (I too think Singer wrote that bit)

NM: next steps?
... should someone from TAG work with the community around this wiki to frame the issues?

LMM: would like to make normative references from various specs. to something relevant for web security
... a wiki is not enough

DC: we have IRIEverywhere issue - can we track the relevant security portion under that?

NM: HTML5 tells user agents what to do; should perhaps be giving advice about, for example, IRIs that might confuse the user dangerously

thanks Thomas

<ht> Everyone says "Thank you Thomas"

DC: there's an opportunity to engage the people involved in this wiki... but not sure how/whether we will declare victory

<noah> TLR, thank you >so< much for taking the time to join us. It was very, very useful!

JAR: mentions pet names: that one should never trust the names given to you by anyone else
... you get to designate your own name, rather than blindly accepting the name given you by a server

DC: I visit 10000 web pages a day, can't give them all pet names

JAR: solution is proposed, but isn't yet usable perhaps?

NM: when about to click on a link, I should know what I'm clicking on

<DanC_> (tracker, note we're discussing ISSUE-27 IRIEverywhere-27 )

NM: if a page contains 50 links (to images for example), should I get to choose whether I want to access all 50 of them?
... associate my own pet name with a given URI?

TBL: what's the process?

JAR: the point is that it makes it possible for the user to discriminate

NM: the user can be confused, but only the first time - when they make the pet name association

TBL: system should protect you from confusing your pet names

JAR: overall constraint is exactly that - to make it more difficult to confuse the user with names

DC: can you (JAR) post to www-tag about pet names?

LMM: how about IRI list instead?

<tlr> note that petnames were discussed and even speced *extensively* in the WSC WG. Implementers wouldn't have any of that.

<DanC_> ACTION: jonathan discuss petname application to IRI spoofing in public-iri and www-tag [recorded in http://www.w3.org/2009/12/08-tagmem-minutes.html#action02]

<trackbot> Created ACTION-343 - Discuss petname application to IRI spoofing in public-iri and www-tag [on Jonathan Rees - due 2009-12-15].

HTML5, WebSockets, XHR, CORS

<DanC_> action-343?

<trackbot> ACTION-343 -- Larry Masinter to discuss petname application to IRI spoofing in public-iri and www-tag -- due 2009-12-15 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/343

NM: WebSockets is moving fast...

LMM: wanted to note the IETF meeting on HyBi

<tlr> http://dev.w3.org/html5/websockets/

LMM: two groups - one documenting current practice on long-polling et al with HTTP

<tlr> http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol

LMM: and another discussing WebSockets
... result, I believe, was that WG forming would focus on WebSockets

NM: how about CORS?

<DanC_> ACTION-331 ?

<trackbot> ACTION-331 -- Dan Connolly to consider ways to track the 'confused deputy problem' issue in webapps/cors -- due 2009-11-24 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/331

<DanC_> http://www.w3.org/2008/webapps/track/issues/108

DC: TPAC goal achieved
... Mark Miller took the ball, resulting in the UMP proposal: http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html

<DanC_> DanC: what's critically different between UniformRequest and XMLHTTPRequest is that no cookies go out; it's not clear to me why that's more secure

<noah> NM: Note that uniform messaging looks at the Javascript level just like XHR, except that you "new" a different object to start.

<DanC_> ... if you want to do something different, you have to put your credential/permission elsewhere

JK: there are two parts to the spec:

<DanC_> HT: yes, you put it in your code

<DanC_> DanC: but who is "you"? the server? the client? the attacker?

i) that an HTTP response header can be sent saying that the server opts-out of SOP

<DanC_> JAR: the code is the attacker...

<DanC_> ... if he doesn't have permission, he can't do anything dangerous.

ii) the UA uses a new XHR that doesn't send cookies

meaning any "credentials" are i) not site-specific ii) not sent implicitly

<Zakim> DanC_, you wanted to talk about credential/permission

DC: some concerns about the terminology regarding 'permission' sent as editorial comments

<DanC_> on permission and such http://lists.w3.org/Archives/Public/www-archive/2009Dec/0021.html

JAR: proof of permission?

<DanC_> "proof of permission" would be good; maybe I'll suggest that in email to the editors

<Zakim> noah, you wanted to ask about community reaction to uniform messaging draft

DC: it's good that CORS has an issue open on confused deputy so the WG has to choose UM or not before going to LC
... how, for example, does this impact sandboxed iframes, for example?

ACTION Jonathan to alert TAG chair when CORS and/or UMP goes to LC

<trackbot> Created ACTION-344 - Alert TAG chair when CORS and/or UMP goes to LC [on Jonathan Rees - due 2009-12-15].

<DanC_> close action-321

<trackbot> ACTION-321 lightly edit TAG input to DAP WG per 8 Oct and tell Noah closed

<DanC_> action-331?

<trackbot> ACTION-331 -- Dan Connolly to consider ways to track the 'confused deputy problem' issue in webapps/cors -- due 2009-11-24 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/331

<DanC_> close action-331

<trackbot> ACTION-331 Consider ways to track the 'confused deputy problem' issue in webapps/cors closed

Review agenda, meeting goals

NM: we discussed 3 big items (linked in agenda) before the summer
... later moved to closely study HTML5
... is there something bigger than the sum of the parts (ie. action items) similar to webarch that we want to do beyond review of detailed actions?

AM: as we begin talking about web apps, metadata it might become obvious if we want to write something more "overarching"

LMM: we had talked about creating products of long-term value?

NM: such as the "architecture of web applications"
... agenda is in service of a set of goals
... agenda does reflect those goals

Metadata Architecture: ISSUE-63: Metadata Architecture for the Web

ACTION-282

ACTION-282?

<trackbot> ACTION-282 -- Jonathan Rees to draft a finding on metadata architecture. -- due 2009-12-02 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/282

JAR:Our job is to encourage a connected, open Web, and a "global" approach to metadata seems important for that. Is there a related way to understand some of the "puzzles" - RDFa vs. Microdata, XRD/LRDD/Link, related HTTP semantics; using URIs to "refer" rather than to "locate"; link rel="canonical", multimedia "bookmarking" and the nature of "authoritative"?

[Jonathan's draft at http://www.w3.org/2001/tag/2009/12/metameta.html is what we're reviewing]

TBL: I thought we were doing an overall model of the whole "shebang" - not just philosophical layer. This includes APIs, no?

JAR: that seems like an opportunity we have

<DanC_> (I'm not sure I agree with TBL that the AWWSW model is "not philosophical". I'm not sure there any falsifiable claims in it. Maybe around "immutable resources", but I don't see that as a pressing issue.)

AM: we should start from metadata use-cases
... these are the situations in which you might want some metadata
... then we can say "in situation N, here's what you ought to do..."

JAR: yes, use-cases are very important

JK: what if someone doesn't acquire metadata in the way you suggest even in a given use-case?

TBL: You can tell them what they would be losing by doing it differently

LMM: in my earlier work, I was taking a narrower perspective on "what is metadata" than I think we have generally taken. For example, perhaps related to the difference between metadata about information resources vs. metadata about non-information resources?

TBL: Metadata is data about documents. If it's about an information resource, then it's metadata. If it is about something else, it isn't.

LMM: That's the conventional meaning, I think

<ht> http://www.e-learningguru.com/articles/metacrap.htm

JAR: that is part of the work we need to do to bound this project. Metadata can come from many different places - a protocol might only get that metadata from one place - "first-party provided" metadata

NM: you're stopping short of discussing the impact of provenance?

JAR:No.

NM:There is a big difference between we know a claim about something, or whether we know the thing itself. There is a difference of trust. Is the statement "noah says the wall is brown", or "the wall is brown"?

AM: yes

<ht> [the metacrap reference is old: Version 1.3: 26 August 2001 -- here's the original http://www.well.com/~doctorow/metacrap.htm ]

TBL: Almost anyone who deals with any data on the web technology deals with and is aware of provenance. It is a large area, but we don't have to get into it deeply now.

JAR: Most of my draft is a list of questions. Those questions could stimulate actions items - there is a lot of work here. Does metadata have any special role on the web?

TBL: Metadata is data about documents, and as documents have a special role in web architecture, so metadata has a special role to a certain extent.

LMM: In the narrow definition, metadata is data about "information resources"

NM: if someone makes a statement about a document, it is clearly metadata. If someone makes a statement such as "I was born on November 3rd" what do we call that statement?

LMM: There are some special properties of documents that make them more interesting in this regard.

DC: Can you be more specific?

HT: There's a fundamental difference between representations whose referents are available digitally and those which are not. Therefore reasoning about them is different

DC: Larry, can you be more specific about the properties of a document that make it more interesting this way?

TBL: AWWW spends a lot of time trying to describe this so it's very important - deal with the Web, you deal with docs.

<masinter> the library and digital library community have a long history of establishing "metadata" for items that might appear in a world of managed information, and that this tradition is instructive, helpful, and with available techniques for management, refinement. The general "knowledge management" problem is hard, but the "metadata management" problems are tractable

NM: take a set of measurements and record them
... if I then also record that I took these measurements on a particular date, then that is metadata about the measurements
... if you limit only to digital representations, it seems to me you lose the historical meaning of metadata

<DanC_> ("I don't want to get hung up on terminology" <-- famous last words. terminology _is_ the problem. Agreeing on terminology is solving the problem.)

LMM: metadata was about "what was in the card catalogue"

<noah> let's do terminology after we cover use cases.

<DanC_> no, let's not

LMM: common way to describe that the book in library a was the same book as in library b

<DanC_> let's try out terminology as we discuss use cases, and keep careful eye on which terms comfortably fit and which ones don't.

LMM: Dublin Core was a way of cataloging metadata about documents / IRs
... value is to leverage that work

NM: you don't buy my 'measurements' example?
... not scoped only to library usage

AM: I think we should ask different questions

<masinter> there are things that are on the boundary ... you can treat them as "information resources" or not

AM: what could *we* write that would be useful here?

<DanC_> (http://en.wikipedia.org/wiki/Metadata is disappointing in that it doesn't have a history section like most good encyclopedia articles)

<Zakim> ht, you wanted to say "yes" to NM wrt measurements

Dublin Core: I think you should split the screen

HT: yes, Noah, your example is within "metadata" scope
... I think Dublin Core is useful for any set of digital data

right...

JAR: back to document...
... not a lot of standardization
... poor incentives for creating explicit metadata
... difficult to deploy - why?
... difficult to validate
... it doesn't feel that all of these things are adequately connected - it doesn't feel like a "Web"

<DanC_> (the mismatch between CiteULike and Amazon ... I wonder how many man-hours a day that costs the world. Sounds a lot like what LMM was talking about for library metadata in the 1st place... "how do you know it's the same book?")

HT: host-meta is data about a set of resources

LMM: there's a question about metadata when related to statements made about a person

TBL: lots of people are not doing metadata when they are making statements of identity of people. The issue of different people assigning different names to the same person is quite general. Let's not expand the scope of "Metadata" to the semantic web in general. There is a general problem of co-reference... different people assigning different names to the same thing ... let's not try to tackle that under the rubric Metadata as though it were special to people or people were special to metadata.

TBL: people, music, place names, countries (and other administrative areas) all have data about them and coreference issues
... we shouldn't focus only on authors

JAR: is RDF "nose-following" a metadata use-case?

LMM: metadata has a data model, a vocab, a serialization, and method of association (linking/embedding)

<DanC_> Framing an Architecture for Metadata on the Web

<DanC_> LMM was talking about that ^

<timbl> RDF nose-following is a technical solution for many of these problems, coupled with the stitched-together quilt of grass-roots ontologies.

<Noah_phone> From Wikipedia:

JAR: what are interesting cases that deal with metadata?

<Noah_phone> Metadata (meta data, or sometimes metainformation) is "data about data", of any sort in any media. Metadata is text, voice, or image that describes what the audience wants or needs to see or experience. The audience could be a person, group, or software program.

LMM: if we have a framework for metadata, we can use this to explore the specific cases and see how/if it applies

<Noah_phone> The above is Wikipedia def of metadata. Consonant with my assumptions.

JAR: that suggests a matrix between your framework items (LMM - see earlier list) and the uses documented in my draft
... (describes examples listed in linked document)

<masinter> note http://tools.ietf.org/html/draft-reschke-rfc2731bis-05

JAR: is anything different since RDF/Dublin Core?
... (references Metadata Activity statement)

<masinter> http://dublincore.org/documents/2008/08/04/dc-html/

metadata activity statement: http://www.w3.org/Metadata/Activity

NM: ADJOURN FOR LUNCH

<jar> http://gov2.net.au/files/2009/12/Draft-Government-2-0-Report-release.pdf

<timbl> jar, http://gov2.net.au/about/draftreport/#rec6

<DanC_> that's weird.

<timbl> --------------------------

<timbl> scribenick: timbl

<DanC_> just a sec while I sync the agenda

Noah: We have two Web App Arch slots, one now and one for the same time tomorrow.

Raman: I can't make tomorrow morning PST
... I can make 15:00-17:00 EST

Noah: Philippe Le Hégaret has offered to join us.

<noah> http://www.w3.org/2001/tag/tag-weekly#Application

Web Application Architecture

<noah> http://www.w3.org/2001/tag/doc/content-to-apps.html

<noah> http://www.w3.org/2001/tag/2009/09/webAppsTOC-20090921 That is the thing which Ashok et al did, This is what JAR did

Noah: We have two documents to frame this discussion:

  1. Jonathan has revised the Table of Contents for Web Application Architecture that was gathered at the June and Sept. TAG F2F Meetings.
  2. Ashok, with help from Raman and Larry, has prepared From Web Content to Applications

Ashok: Most of this talks about how the web started as a web of documents, and is now turning into a web of apps.
... That is useful stuff, but we wanted to extract the issues engendered by this fundamental shift.
... None of us looked at Web IDL -- we didn't have the knowledge
... One question is, how to capture state. This is complicated.
... There is HTML5 work split out into Storing Client-Side State, as there are two specs, one SQL-based, and the other keyword/value based.
... You send in data from the user, and the app by its nature has lots of data. It has to be protected: it has to have policies about its access.
... The third on which Larry put up is that the Web is now more complex.
... It has different sorts of user agent, different URI schemes, and so on. What does this imply?
... So those were our main points, plus the UMP stuff -- how does UMP extend to multiple agents? (UMP = Uniform Messaging) [see required reading]
... The trouble is, you are going to make a request of an app, and the app is in fact behind many appliances. The appliances can communicate. What do we do about this data being secure, protected?

<noah> http://www.w3.org/2001/tag/2009/09/webAppsTOC-20090921

Masinter: My intent, I thought, was to elaborate some of these points into paragraphs.

Masinter: Other bits still need to be done.

<Zakim> DanC_, you wanted to answer tbl: yes, the state of the art is (a) "installed stuff", including extensions and MacOS widgets and phone apps (b) remote code, e.g. scripts in web

Tim: Sometimes, will the application be downloaded by the user and installed and trusted, making the security situation surely much simpler? Like with an installed desktop app or an iPhone app

DanC: There are two design centers. The installed code, and the web site script case. But they are starting to overlap in some cases.

<Zakim> noah, you wanted to talk about device APIs permissions

TimBL: Like running Mac mail and a web version of it which try to be the same interface.

Noah: If I am a smart user, then I expect there are bounds to what I have trusted it to do, and those bounds are being stretched, like with geolocation. The stickiness of the policy is where this happens. Does the permission stick?

<DanC_> (speaking of letting my browser run javascript, after reading crockford's writings, I installed noscript immediately. It's fairly painful, but the alternative is to turn my computer over to anybody on the internet who wants to use it for whatever purpose they see fit and blame it on me.)

Noah: A huge barrier to getting people to move apps to the web, it asks anew whether it can have your location, which is frustrating. Maybe a longer term storage of the preferences would help.

TimBL: I am surprised if these things are not remembered by web site

Ashok: Where would that be stored? On the client or server?

Noah: Not relevant

DanC: In fact a Firefox extension can change that from local to remote

John: A common trust model is this origin-based thing -- a (widget) package which is verified as coming from an origin via a signature.
... Another common trust model is like iGoogle -- Google gadgets are assembled onto a home page for you, and Google has 'vetted' the code: Google is the thing which you trust

<Zakim> johnk, you wanted to note that code for an application might come from multiple un-trusting (of each other) elements

<Zakim> ht, you wanted to ask TBL about gmail

John: There is a third possibility we hadn't even counted on, where the client is making the mashup and assembling things from multiple sources which may not trust each other. A more dynamic situation. This involves cross-site scripting.

Henry: Normal users do not really understand the distinction.

TimBL: They know whether they have installed an iphone app

Noah: GMail on the gPhone is really a web app which behaves like an app.

<noah> zaki, close the queue

Ashok: It looks as though there are just two cases, downloaded [installed] app and web app. There could be a third situation.

Henry: No, the consumer would not distinguish.

<masinter> (a) The "WebApps" working group is working on something like Adobe AIR -- something that uses web technology for building traditional applications, where the fact that it's using web technology is pretty much irrelevant to the end user experience.

<masinter> (b) I want to see if we can separate the conversation between mechanisms for providing security, vs. the different kind of user models. of course they don't match, and getting them to match -- is that in scope for this ?

JAR: The problem of getting the user to connect them is the user programming system.

<DanC_> ack

<Zakim> DanC_, you wanted to ask if anybody knows the state of the art in maybe cultural anthropology about how many brand names we can trust: mom, dad, my school, my town, my country,

DanC: What is the state of the art in what we can trust?

HT: People trust a lot.

LM: There are people working on web apps more like adobe air, which is like installing an application because it gets the same privileges.

<ht> LMM mentioned Adobe Air, Microsoft silverlight is another

<ht> ... distributed app deployment platform

Noah: There is a widget spec which allows you to make an installable thing.

Masinter: Note that Web Application can be used for either animal.

<noah> I propose the following working terminology for use in the TAG:

Masinter: We have mechanisms for providing security -- and user perception -- and we know they don't match. But that we knew.

<noah> Web Application -> A zero-install application accessed by doing HTTP GET of the main page (which in turn tends to use Javascript)

Masinter: To tackle it, we would have to understand the [inherent] user models of security. I am not sure we are ready to deal with them.

<noah> W3C Widget -> An installable application built of Web technologies per http://www.w3.org/TR/2009/CR-widgets-20091201/

<masinter> lmm: are we ready to take on the "user model"

<DanC_> I prefer "zero-install" and "installed".

<masinter> -1 don't like Noah's "Web Application" definition

Noah: I propose we use "Web Application" to mean a zero-install application.

<ht> So I hear three categories: functionality running in the browser on the [AJAX] platform or, maybe, on browser plugins, e.g. Flash; functionality running on other metal-installed distributed deployment platforms, e.g. Silverlight; and Widgets, which are installed but run on the [AJAX] platform

<masinter> the line between these two things are blurry, and it's not clear that making categories is useful

<ht> DC: Running is not the same as getting: when you run, you allow all kinds of privileges, e.g. to write all over your disk

<masinter> why is it useful to make these categories when they are aspects of technology decisions with many variables which don't correspond to these categories, and users have trouble distinguishing too

Noah: We have 45 minutes. We have no future work in the web apps area.
... We can let this go and go back to the table of contents.

<DanC_> (fwiw, we do have actions in the webapps area/product, though they're mostly about security http://www.w3.org/2001/tag/group/track/products/7 )

<Zakim> ht, you wanted to underline _three_ categories

<DanC_> (I stipulate that we _need_ to manage storage; I still don't _want_ to 1/2 ;-)

TimBL: Users need to be able to see which applications are taking up the space on their phone, and a good UI would let a user manage that and decide which apps to let go in order to install another when the device is full

Henry: Look at Silverlight apps -- they don't fall well into Noah's two categories.

E.g. OpenStreetMap: 3.46G [x] Uses location [ ] use contacts [remove]

<DanC_> ("open standard" is orthogonal to most of the technical issues we've been talking about, no?)

<johnk> plugins i) get access to platform APIs below the browser ii) get to "violate" the SOP

<Zakim> masinter, you wanted to argue against premature categories as per above

<raman> it's very hard to participate in this discussion via the phone

<Zakim> noah, you wanted to note that installable iPhone apps are, in many respects, sandboxed

(( [...something missed here...]ways of disrupting discussions like this:(on webapp) 1) Widening -- "ah, but what about apps in general?" 2) Splitting hairs "If authorship of the data is webapp, is the author's address? or is that data about a person and so not metadata?" 3) Considering time-variance: "But isn't it not just a question of the webapp now, but how the webapp has changed over time"? 4) Let's see what happens when we look "webapp" up in the dictionary. 5) .. i wikipedia... 6) Do we really have an agreement on a definition of "webapp"? ))

Raman: If you have the (Google) 'native client' plugin installed, you can run them locally as apps

<DanC_> (yeah... native-client goes one way, and phonegap goes the other)

Noah: I think the web app case I was talking about is fairly well isolated.
... Limited access to other clients, etc

Raman: The browser sandbox is getting richer .. so the sandboxing is getting more powerful, so the line is blurring.

<Zakim> johnk, you wanted to note that there is probably no useful distinction to be made between widget and "web app"

Raman: Like web and internet being pervasive.. The net is one more part of the computer.

John: I don't think there is a useful distinction between "widget" and "webapp". One possible distinction would be if you have separate decisions to make as to whether you will download it and whether you will run it.
... I am not sure it is a useful distinction.

<Zakim> ht, you wanted to emphasise DC's point which I scribed above

Henry: Categories are valuable
... Desktop apps can do anything

<Zakim> DanC_, you wanted to try to get "native-client goes one way, and phonegap" in a TOC or TODO list or something

Noah: iPhone apps can only run in their own memory, not communicate one to the other.

DanC: Phonegap allows you to write HTML and JS and deploy it as an application.
... NativeClient allows you to download machine object code.

These are existing technologies

<DanC_> These are existing, concrete technologies that we could use to explain concepts to people.

<DanC_> (IE's trust categories are, in a distant way, similar to noscript's trusted site lists and petnames.)

TimBL: Maybe making up distinctions as a design point, then defining the properties of them (like IE did with levels of trusted sites in the past say) so that you can then prove what sorts of functionality you can get from applications in each category. Not observing a distinction but inventing one.

<Zakim> noah, you wanted to note that W3C Widgets share things like device access APIs with Javascript apps running in the browser

Noah: I am convinced by the point that proprietaryness is not an *architectural* concern.
... However, there things we W3C are responsible for as we are not responsible for silverlight or Flash. these are the AJAX technologies.
... We additionally have the widget work. With W3C Widget packaging.
... I am told phonegap may converge with widgets.
... I think the policy model will be shared by those two models.
... For example the geolocation API can be used from either type of application.
... I think that the policy issues are interesting in both cases.

Raman: Also it is our responsibility to make sure all bits of tech work on the web whether or not they come from W3C.

Ashok: If you use a webapp, the danger is that you will give it data. It might sell that data.

Noah: Same for iPhone apps.

Ashok: You will need different types of protection mechanisms, different types of policies.
... I was talking at lunch to Lalana Kagal, who is a policy person.

<DanC_> http://people.csail.mit.edu/lkagal/

Ashok: She felt that the note we sent out about policy [@@link] wasn't strong enough.

<DanC_> action-318?

<trackbot> ACTION-318 -- Noah Mendelsohn to send note to Device APIs and Policy (DAP) Working Group on behalf of the TAG -- due 2009-11-20 -- CLOSED

<trackbot> http://www.w3.org/2001/tag/group/track/actions/318

Ashok: She would like something stronger, with an outline of architecture and outline of protection mechanisms.
... It just said "You have to have a policy" Nothing in what kind, where enforced, etc .. the next layer of the architecture.

<Zakim> DanC_, you wanted to prompt for "what are we trying to promote/prevent?" and to note "phonegap converge with w3c widget work" as perhaps something we're trying to promote

DanC: What are we trying to promote? to prevent? Maybe we should promote the convergence of phonegap and w3c widget work.

<DanC_> problem making ajax crawlable http://lists.w3.org/Archives/Public/www-tag/2009Dec/0030.html

<noah> I would be willing to take an action to investigate Phonegap/W3C Widget convergence plans

<johnk> I think your distinction is interesting, Larry (re: which sandbox is used) and definitely, the issues you raise re protection et al are correct

DanC: Also I wrote an email about his idea about making AJAX space crawlable: a mapping from a URI with an AJAX hash in it to a URI without an AJAX hash in it. There is a question then as to whether the original URI should be the one without the hash or the one with. There is a really broken idea of having a standard mapping from any URI with a hash to some equivalent/related URI without. The people who define such mappings don't have the right to say things about everyone else's URI space.

<DanC_> (the point I'm trying to make is about squatting; i.e. who gets to choose which names)

Masinter: Mainly the same except a widget as a security domain which is the local machine.
... We might be advantaged by not making the distinction at all.

<Zakim> noah, you wanted to say that the bit Dan talked about with server/client URI aliasing is exactly the sort of thing I'd like to see us explore, perhaps in an Arch of Web Apps.

<DanC_> . ACTION noah to investigate Phonegap/W3C Widget convergence plans

ACTION Noah to investigate possible convergence of phonegap and w3C widgets, by January 30

<trackbot> Created ACTION-345 - Investigate possible convergence of phonegap and w3C widgets, by January 30 [on Noah Mendelsohn - due 2009-12-15].

<DanC_> action-345 due 30 jan

<trackbot> ACTION-345 Investigate possible convergence of phonegap and w3C widgets, by January 30 due date now 30 jan

<DanC_> action-345?

<trackbot> ACTION-345 -- Noah Mendelsohn to investigate possible convergence of phonegap and w3C widgets, by January 30 -- due 2009-01-30 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/345

<noah> b

<DanC_> action-345?

<trackbot> ACTION-345 -- Noah Mendelsohn to investigate possible convergence of phonegap and w3C widgets -- due 2010-01-30 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/345

<DanC_> action-345?

<trackbot> ACTION-345 -- Noah Mendelsohn to investigate possible convergence of phonegap and w3C widgets -- due 2010-01-30 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/345

Noah: About this trickery between client-side and server-side URIs .. the Google maps URIs are neat -- the server generates a map with URIs, but the javascript knows how to generate permalinks to panned versions of the map which will work when you use them on the server
... This is a really useful idiom. We should promote it.
... In fact, if the code was really trusted, then the URI bar would change in real time as one pans anyway.

TimBL: A Firefox extension is trusted like that, so Tabulator can do that with URIs

<Zakim> DanC_, you wanted to ask about addressbar updating

Henry: A taxonomy or enumeration of who you are trusting when you perform which gestures would be interesting.
... When you are doing a GET then you are trusting the browser implementation to not do anything as a result of that get. But when you install something, you are trusting the source of the code you install.

DanC: Browsing isn't safe. When you do a GET, in fact you can load a script which can do a POST. Which is broken.

[ADJOURNED to XX:15]

______________________

HTML 5 review: ISSUE-20 (errorHandling-20): What should specifications say about error handling?

We start without John for the moment.

John arrives

Noah: This item is a combination of error handling and content override

<DanC_> action-308?

<trackbot> ACTION-308 -- John Kemp to propose updates to Authoritative Metadata and Self-Describing Web to acknowledge the reality of sniffing -- due 2009-12-25 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/308

<DanC_> action-309?

<trackbot> ACTION-309 -- Henry S. Thompson to henry to bring back proposed TAG pushback on sniffing and HTTP bis draft http://trac.tools.ietf.org/wg/httpbis/trac/export/663/draft-ietf-httpbis/latest/p3-payload.html, or his recommendation that we leave it alone -- due 2009-11-26 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/309

action-309?

<trackbot> ACTION-309 -- Henry S. Thompson to henry to bring back proposed TAG pushback on sniffing and HTTP bis draft http://trac.tools.ietf.org/wg/httpbis/trac/export/663/draft-ietf-httpbis/latest/p3-payload.html, or his recommendation that we leave it alone -- due 2009-11-26 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/309

Henry: I attempted in this email (http://lists.w3.org/Archives/Public/www-tag/2009Dec/0006.html) to get everyone up to speed. Section 3.2.1 of HTTP-bis is where we left our valiant hero.
... This has all stabilized, and this is *all* the draft currently says about sniffing, and nothing else.

TimBL: When the spec says "[the receiver] MAY assume that it is application/octet-stream" then that does of course say much. It is a stream of bytes.

Henry: It is crucial that they say that you should not override the given media type.

Masinter: In the abarth draft, the introductory text is all about incorrectly labelled resources

masinter: Does it say you should override the content-type

Henry: It is careful about privilege escalation but that is *all* it is careful with
... We don't want to say "Authoritative metadata or death"

<DanC_> +1 phrase it in terms of "risks of misrepresentation"

Noah: Any agent which interprets data in a way inconsistent with the content-type risks drawing incorrect conclusions.

Masinter: I am reluctant to ask the HTTPbis group to say more than they think is in scope.
... We might recommend changes to the mime-sniffing document.

<DanC_> +1 getting the HTTPbis spec to cite the MIME sniffing draft

Masinter: As that is where the main analysis.

JAR: No "no security escalation" idea is one thing to keep. Can we isolate other principles?

DanC: Like "If a lot of people do it then it must be right" :-/

Henry: They did go against IE6

JAR: Error correction case, whether the given content type does not make the document valid

<ht> We've gone mute

[missed HT]

Noah: Say what you want about existing servers -- but in many cases the user agent cannot distinguish between an error case and in fact a correct deployment. JAR gave a counterexample: if the bits are not legal for the advertised type, then you have more reason to try error recovery.

Masinter: I think apple mail clients sniff too.

JAR: Should we change the MIME registries?

<noah> http://www.noahdemo.com/rte/Metadata/broken_text.xml

Serves as text/plain, first bytes look like XML, but in fact is not well formed. Renders fine in Firefox, breaks in IE6

<jar> No, that's not what I asked. What I asked was, does anyone know if barth et al. considered updating lots of mime type registrations, INSTEAD of writing a sniffing RFC?

<noah> Updating mime type regs to say what?

<jar> To say whatever the Barth "sniffing rfc" draft says.

Henry: I wonder whether they are just rewriting things which could not be text/plain documents. If the first bit is a Unicode Byte Order Mark, then you treat it as text/plain, and if none of the first N bytes are binary then you must stick with text/plain. If the first bytes of the resource match a magic number then see the table. You can promote text/plain to application/postscript

TimBL: You can do denial of service with PS, no?

Masinter: Apple promise PS

<Zakim> timbl, you wanted to object to trapping HTML as "scriptable" early on when it is not necessarily.

Henry: you can promote to zip or image

TimBL: I'm constantly frustrated by the way my machine and its software deals with scriptable things. It keeps warning me about HTML files downloaded from the Internet or in email. Given that a lot of HTML doesn't have script in it, this idea that "HTML is scriptable" worries me.

the machine goes to so much trouble to keep track of where things came from; can't it use a non-scripting viewer? Why does it assume that the document is dangerous rather than the viewing app?

Jonathan: but isn't the point to get interoperability between apps that are going to do this [?] anyway?

<noah> FWIW, I'd like to gradually evolve this discussion to next steps.

<Zakim> DanC_, you wanted to note content security policy and to project the web apps product to show what actions we have

DanC: The idea of a non-scripting viewer is interesting.
... The content-providers have this problem as people contribute HTML which should not have scripts in, and no one notices.

<DanC_> http://lists.w3.org/Archives/Public/www-tag/2009Dec/0063.html

<DanC_> http://www.w3.org/Security/wiki/Content_Security_Policy

DanC: There is a proposal to add a feature to "please ignore all scripts in this.. it is our stuff but we are not sure about it".

<DanC_> http://people.mozilla.org/~bsterne/content-security-policy/

<johnk> https://wiki.mozilla.org/Security/CSP/Spec

<DanC_> http://www.w3.org/2001/tag/group/track/agenda

<Zakim> ht, you wanted to clarify my attitude to mime-sniff

Henry: Parenthetically, my own university allows me to publish by submitting an HTML body which wraps it by a wrapper I have no control over.

<DanC_> ... e.g. scripts

Henry: About the "Lowest Common Denominator" problem of tarring all HTML with the same brush. I don't think the current situation is the one we want to be in, but the current draft is the best for the given situation. This Barth-Hixie draft rules out the worst of the bad behavior, and documents the existing behaviour, so they should be encouraged, but so should the HTTP-bis folks, to comment on the best bits of the draft.

scribe: We need to both warn of the risks and identify the necessity.

John: Why in HTTP?

Henry: Because it is the HTTP spec which specifies the content-type

DanC: No, the HTTP bis spec is not a big PR option -- but it is a reference to which people will fall back in their arguments.

Henry: I will still be arguing for "SHOULD"s in there

John: What about modularity of specifications

Henry: They changed the spec to licence sniffing but did not say that if you do that you get burned.

<Zakim> johnk, you wanted to rephrase my concern

Noah: Tim brought up the idea of a non-scripting viewer... but just showing the data with no script running is not always what we want. Maybe there should be a warning?

<DanC_> action-309?

<trackbot> ACTION-309 -- Henry S. Thompson to henry draft input to HTTP bis draft re sniffing based on 8 Dec discussion -- due 2009-12-09 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/309

<DanC_> action-309?

<trackbot> ACTION-309 -- Henry S. Thompson to draft input to HTTP bis draft re sniffing based on 8 Dec discussion -- due 2009-12-09 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/309

Admin: Upcoming Teleconferences ...

<DanC_> NM: tag election ongoing...

<DanC_> HT: ends 9 Jan

<DanC_> NM: 4 candidates for 2 slots

<DanC_> NM: reminder: TAG meeting 17th-19th March 2010, MIT, Cambridge, MA, USA

<DanC_> NM: inclined to not schedule next ftf until election done, OK?

<DanC_> [agreement by silence]

<DanC_> discussion of timing of upcoming TAG ftf w.r.t. AC meeting...

<DanC_> someone suggests 24-26 Mar, Wed-Fri of the week of the AC meeting

<DanC_> better for 2 people, worse for 1

<DanC_> ACTION: Dan to collect March 2010 W3C Team day info [recorded in http://www.w3.org/2009/12/08-tagmem-minutes.html#action03]

<trackbot> Created ACTION-346 - Collect March 2010 W3C Team day info [on Dan Connolly - due 2009-12-15].

<ht> http://www.rfc-editor.org/rfc/rfc2046.txt

ISSUE-50 (URNsAndRegistries-50) (status check)

<trackbot> ISSUE-50 -- URIs, URNs, "location independent" naming systems and associated registries for naming on the Web -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/issues/50

<DanC_> ACTION-121 due 1 Mar 2010

<trackbot> ACTION-121 HT to draft TAG input to review of draft ARK RFC due date now 1 Mar 2010

<DanC_> action-33 due 1 Mar 2010

<trackbot> ACTION-33 revise naming challenges story in response to Dec 2008 F2F discussion due date now 1 Mar 2010

<DanC_> ADJOURN (for today)

Summary of Action Items

[NEW] ACTION: Dan to collect March 2010 W3C Team day info [recorded in http://www.w3.org/2009/12/08-tagmem-minutes.html#action03]
[NEW] ACTION: jonathan discuss petname application to IRI spoofing in public-iri and www-tag [recorded in http://www.w3.org/2009/12/08-tagmem-minutes.html#action02]
[NEW] ACTION: noah to follow up with Thomas about security review activities for HTML5 [recorded in http://www.w3.org/2009/12/08-tagmem-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2010/01/05 17:42:21 $