W3C

- DRAFT -

Technical Architecture Group Face to Face

15 Sep 2011

See also: IRC log

Attendees

Present
Dan Appelquist, Tim Berners-Lee, Yves Lafon, Peter Linss, Ashok Malhotra, Larry Masinter, Noah Mendelsohn, Jonathan Rees, Jeni Tennison, Henry S. Thompson
Regrets
Chair
Noah Mendelsohn
Scribes
Tim Berners-Lee, Larry Masinter, Henry S. Thompson


Noah: See agenda. Ashok wrapping up Client-Side State work.

Ashok: For client-side storage, how much do we want to do on this? You have looked at slides and a very brief write-up.

Noah: Jeff Jaffe asked us to give him alerts of upcoming possible crisis issues.
... Privacy and Security we have all felt are high priority for the web, but not clear whether TAG should engage and how.
... After lunch, we step back and declare our overall direction again. Should we do that earlier?

[general warm noises about the agenda, and agree to wrap at 3pm]

masinter: I was rethinking whether we should do a finding on MIME on the Web.

Noah: Ok, we will fit that discussion in.

Client-side storage

<noah> http://www.w3.org/2001/tag/products/clientsidestorage.html

Noah: See product page [linked above]

Ashok: We can write a story about the history of how this came to be, and I have some of that done.
... But then the question, what to use it for?

Two cases: You have an existing webapp, which you can now use offline.

In this case, the behaviour of the app does not change.

basically, the local storage is acting like a big cache -- controllable but a cache.

masinter: I see people moving to HTTP hybi protocol, bypassing the proxy infrastructure ..
... is this a tradeoff between doing this caching at the app design level, or at a system level?

<Ashok> Cache by user or by application

jar: Good for user to have a model of what is going to work offline. With caching, is there any assurance that some sort of info will be available for browsing offline, then that can be an arch'l requirement.

We would like to then know the visible impact of this class of solutions.

Ashok: [to JAR] You mean, you will require data for an app -- you can get it in diff't ways?

jar: More a question of failures being predictable. With current proxy caches, there is no contract about what will work offline.
... Google mail uses client side storage to provide dependable behaviour of offline storage.

<masinter> the title of the product page says "Web Application Storage" and not "Client Side Storage". I like "Web Application Storage" better, because we need to talk about the tradeoffs between local storage and local caches of remote storage and the question is whether hybi also has a caching architecture

<masinter> hybi aka "The Web Socket Protocol"

Noah: The model is there are HTTP proxy caches, and this system (client-side storage) should be able to work in that mode. But also it should be able to control so make sure right stuff is there , .

Noah: This last one is the biggie. To build things like email, you have to be able to change the web through your cache when you get back online. I would like to see the innovation there. Maybe there is some agent-based intention-to-update story. That would work as on- and off-line. The update capability is the fundamental thing which you lose when you use a cache.

Ashok: There is a spec from the web caching guys which gives the user control of the cache.

Tim: This fits very nicely with the read/write data model. I've described it in a design issue note.

Tim: Fits nicely with the read/write data story
... easy to spool up

Tim: The changes all go through little SPARQL updates, which are posted.

Tim: The only thing you can't spool of course is a lock, an atomic thing where you need to fail if there is interference from another user or another app.

(See http://www.w3.org/ReadWriteLinkedData )

Noah: Are we queuing up a couple of posts, or a calendar entry, logically?

Noah: What level of abstraction? Post or book airline seat?

Tim: RPC systems had this problem that when the operation was transparently remote it was good for the dev but horrible for the user, who would just see the app lock when an offline or online problem happened. The app was not aware of different offline and online errors. So web apps which use explicit app-level transfer can be written to be much more user-friendly with errors. Compare then with sync between a Mac and a server when the Mac will run over the operations which were spooled, and where there is a conflict, it knows enough of the semantics of what has happened to ask a user which version of a calendar she wants. That requires the sync program being coded to understand all the semantics of each type of object which can be synced. Maybe we have with offline read-write linked data a happy medium, where it is easier to make a generic sync gadget because the semantics of what is being stored is open and explicit.

<masinter> I'm moving toward wanting TAG findings to be more about summarizing the architectural principles nascent in what's going on rather than being experts and publishing our own thoughts

<noah> I agree with Larry on that bit. Except that where there are clear principles, like "identify things with URIs", we should say so clearly and without hesitation.

<masinter> the main concern i have about storage is that the caching for web sockets / hybi doesn't fit into the previous architectural model we had in mind

<masinter> once you move into hybi, there aren't any URIs for anything other than the service i don't think, and certainly not for data or intermediate states

The first way, then is like a cache, and the second way this is used is this new capability to write different things back to different web sites.

<masinter> maybe we should invite some folks to come talk to us

Ashok: This has the characteristic that you can store stuff, that you can store parts of to different web sites. This is new

masinter: Are we missing something in the move to web sockets etc? We are losing visibility by the main system of the data, and we lose URIs for things. When people use hybi, then there is no URI.

<jar> you mean: what might happen if you attempt a web socket connection when you're off line? (for example)

Noah: What is the priority of this work, then?

Tracker, new poll

<noah> Preference poll: with respect to storage work, should we commit to 1) serious project work now 2) I know enough to say not high priority for 6 mos to a year 3) go for a month or two fact finding and decide in telcon

<noah> HT = 3

<noah> DA = 2.5

<noah> JT = 3

<noah> PL = 3

<masinter> larry = 1

<noah> TB = 1

Masinter: This is happening, Web sites are being rewritten now. This is the time to point arch'l choices they may not have thought about. People are making very local decisions, now, and it is timely for us to get up to speed on this.

Noah: Good for us to get priorities fixed at f2f

<JeniT> I agree :)

TBL: Larry is convincing. And besides, I'm interested in how we manage resources.

Tim: This is interesting because it overlaps with a pet want of mine, good user tools for resource management, grouping apps/things/sites/whatever by task, and allocating disk, RAM, CPU, data access, etc. to them.

<JeniT> I wonder whether this ties into the Device API question we got at http://lists.w3.org/Archives/Public/www-tag/2011Sep/0002.html

<masinter> i'd like to look at how to get linked data and link relations into a world that is dominated by websocket access

Ashok: maybe we should start by setting out the architectural issues.

Ashok: How can I pick the brains of W3C staff?

Tim: Do a Project Review. Some thursday 9-10:30 am EST typically. Talk to amy@w3.org. You will need a presentation and a chair and a scribe and a notice explaining the scope of it and reason for it and objectives to send out a week or 3 in advance.

masinter: I don't see the connection with the Device API question

JeniT: it's asking whether "devices" (local data on a computer) should be accessed using an HTTP protocol

masinter: looking again...

JeniT: it was just a vague thought

masinter: maybe it's the same question for something other than storage

Noah: Proposal is that a finding would be timed as final in July

Masinter: I want to work on issues and good practices, and the issues first please.

Noah: [edits product page at http://www.w3.org/2001/tag/products/clientsidestorage.html]

masinter: The title "Web App Storage" is better than "Client-Side Storage" IMHO

[discussion of possible deliverables and timing]

Noah: Edits "Key deliverables with dates"

<Masinter> I wonder whether this ties into the Device API question we got at http://lists.w3.org/Archives/Public/www-tag/2011Sep/0002.html, https://lists.webkit.org/pipermail/webkit-dev/2011-July/017621.html

<JeniT> masinter, thanks, that's exactly the relationship that was niggling me

masinter: yes, thanks for raising this, might extend the scope of this product topic but i think that's ok. The question of whether the phone's calendar is just a local cache of my 'real' calendar stored remotely... if you use the HTTP/REST view the same app would work independently of that

Resuming after break

Track high priority developments for Jeff Jaffe ACTION-568 [http://www.w3.org/2001/tag/2011/09/13-agenda#jeffreport]

NM: [Recaps the background]
... I committed to produce something in October
... I will be asking for help

LM: We should take this seriously -- we are rarely asked for anything from W3C management
... We may not need to generate the entire list, we could prioritize and summarize

NM: Where would the initial list come from

LM: We could request input on the public list

<masinter> and from the membership

<masinter> i would start with trying to keep a web site / wiki page / etc. listing technical issues of concern to the web community.....

NM: We could put out a public call for help in doing a better job in tracking/anticipating emerging issues of importance to the architecture of the Web

<masinter> i'd put out an initial list and invite community to add

TBL: "Upcoming train wrecks" as the title, not about "doing better", just doing it at all

LM: I was thinking of putting out an initial list, asking for additions, better than a blank sheet of paper
... E.g. I18N vs. CSS
... E.g. Hybi bypassing REST
... Microdata vs. RDFa
... Persistence

TBL: Move from phone apps to web apps
... What more do we need to make this work

<masinter> can we give an executive summary of the issues, who the stakeholders are, and why that is an issue why is it a "potential train wreck"

TBL: ... In particular, for example, the fact that web apps can't access the web is a real problem but all the other things they need to do which phone apps can and they can't yet

DKA: How architect device APIs -- RESTful/????

LM: Part of my remit at my job is to identify potential train wrecks between our products and standards
... I've done this at various levels, from dozens of pages down to a simple summary, and even red/yellow/green light labels

<masinter> list of issues, but would also like criteria of why they're a CEO-level problem

<masinter> Canvas and SVG

<masinter> W3C and IETF scope

<masinter> registries and IANA

<masinter> XML and HTML ... task force report?

<masinter> HTML.next

<masinter> already known on the list: privacy

NM: We need to be careful to avoid getting stuck on careful analysis, let's continue just listing issues at first

HST: We don't need to list things already on the wider W3C priority list(s)

AM: We got taken by surprise a few times in the past
... and so we tried having a standing item on telcons for "Anything new we should keep in mind?"

NM: I'll try that a bit, maybe

TBL: Should we remove JJ from the way we think about this, and just make it a TAG job?

JAR: Frequency?

NM: twice yearly was the request

JAR: Make it just a newsletter?

NM: Any more items for the list?

HT: There is this notion of "the death of protocols".

NM: Meaning?

<masinter> this is the concern that Hybi taking over not only HTTP but everything else, including mail, etc.

HT: HTML5 represents a kind of disintermediation. In the past, to create an app you would design some sort of protocol and associated RFCs would be developed. Now, you just design an XML document type and use HTTP, and the standards process gets skipped, because we have less of a tradition of rigorous standardization at that level of protocol.

LM: So e.g. with HyBI, being 2-directional it replaces HTTP
... Also, scripting now handles the 'protocols', so the network middle-ware (proxies, caches, etc.) have no idea what's going by

NM: Right, so what used to be a protocol is now being, or could be, tunneled through HTTP or HyBI

<masinter> http://www.w3.org/html/wg/tracker/issues/175 is an administrative process issue

<masinter> versioning

HST: I.e. a standard without end

<Yves> not only protocols, but also formats, as the libraries running in the browser "VM" are starting to replace document format definitions

JAR: OData

<jar> hhalpin message connecting odata to rdf http://lists.w3.org/Archives/Public/public-awwsw/2011Jan/0021.html

<masinter> well: http://masinter.blogspot.com/2011/06/irreconcilable-differences.html

<masinter> that was my list of standards issues

Privacy and Security

See: ACTION-545

<masinter> coordinate with http://www.w3.org/2011/07/appsecwg-charter.html

Also Web Apps/Security [http://www.w3.org/2001/tag/2011/09/13-agenda#security]

<masinter> and http://www.w3.org/Privacy/

<masinter> with other policy-based important initiatives like internationalization & accessibility, we rely on 'architectural' activities to take the lead, and for the TAG as more of a coordination body rather than doing the heavy lifting

NM: We need to decide if we are going to take either of these seriously and put resources in, or explicitly move them to the back burner

AM: Should we try to spell out the landscape in these areas
... using a Wiki, ask other experts to contribute

AM: Particularly in Security, ask Tobias Gondrom (tobias.gondrom@gondrom.org) for help

NM: What is the goal, what would be success wrt this Wiki

AM: If it spells out what the state-of-the-art is for Security on the Web

<masinter> W3C just started http://www.w3.org/2011/08/appsecwg-charter.html Web Application Security Working Group

JAR: Alternative to SOA, a roadmap spelling out the parts of W3C that connect up to what security questions
... compare that to the received WebArch position might be

LM: W3C just chartered a new Security WG
... We have I18N and Accessibility for other cross-cutting/horizontal issues
... This maybe is the right model for Security and Privacy as well

YL: The new Security WG has good joint membership with the relevant IETF WGs

<Zakim> noah, you wanted to say concerned about roadmaps and overviews vs. hot button issues

NM: Is there a way we could follow their work more closely
... Why should we try to lead in this area given that they are there now

<masinter> review ongoing work and maybe a roadmap?

NM: Someone track this?
... Do we know how they are running -- f2f, telcons, ?

LM: Their scope is not all aspects of Web Security
... The most valuable next step, per John Kemp's work, was an analysis of what's happening vs. what W3C WGs need, to identify gaps

NM: Scope is broad, isn't it

LM: Explicitly it's WebApps
... but this can't help ramifying

TBL: Security issues by definition are rapidly changing, the arms race phenomenon

TBL: Tracking IETF is really important, they're doing a lot
... Not sure about a roadmap that involves anything like an ontology -- that's precisely what changes all the time, and we couldn't keep up

LM: I'm thinking of a roadmap kind of like the broader issue list we were talking about earlier, but specifically for security issues and approaches. That's what JK was trying to get at.

NM: Who might take that on?

AM: To do what?

<masinter> solicit resources to help generate that list?

NM: Help the W3C community identify (not a cosmic security taxonomy) an inventory of security concerns for W3C WGs, sort and prioritise, and identify ones that are and are not being addressed (in W3C or IETF or ...)
... This is a big job
... Starved for time

LM: Maybe this is on our list of potential train wrecks

NM: Surely a big potential vulnerability

HST: This is more than a day a week

TBL: Survey of issues, or of organizations
... I don't see anyone around the table doing the first
... So maybe going meta -- if we were looking for a group to do this, where would we look?
... Existing group, or need a new one?

NM: Proposal?

TBL: To make a map of the entities (people, orgs) involved

NM: Same old same old: good ideas, no one for which this is more important than the things they are already doing

YL: IETF Security Area is an umbrella for all the security stuff at IETF, so they sort of have this responsibility

TBL: Get the Area head to come talk to us?

YL: Co-chair is on the new WebAppSec WG at W3C

JAR: Are they covering things up to the level we might think of as WebArch?

YL: Level crossing in the stack is what the IETF WebSec Area and W3C WebAppSec are aiming to coordinate on

NM: I am not hearing that Security is a major area of work for the TAG
... It is still in order to track something at a lower level, but we don't have a high-level goal that we are working toward
... "The TAG has no 6-month goal in Security"
... That makes me unhappy

TBL: I don't agree that it's bad for us to pull back from that, I think it's not for us to do
... If IETF come to us and say there's a WebArch issue, perhaps

NM: We could get to a point where we could contribute, albeit it might take two years -- I'm sorry we can't find a way to do that

<noah> ACTION-341?

<trackbot> ACTION-341 -- Yves Lafon to follow up with Thomas about security review activities for HTML5 -- due 2011-05-10 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/341

LM: We could ask for a review of what's happening in the W3C security groups, and the gaps with respect to their needs

HST: Whom, and why would we do it?

NM: Background education is in scope at any time

LM: It might get us to push for more resources from W3C in this area

<noah> close ACTION-341

<trackbot> ACTION-341 Follow up with Thomas about security review activities for HTML5 closed

<noah> ACTION-344?

<trackbot> ACTION-344 -- Jonathan Rees to alert TAG chair when CORS and/or UMP goes to LC to trigger security review -- due 2011-09-13 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/344

JAR: We still want to review this.

NM: Even given that the Web Sec group is there to do it.

JAR: Yes.

<noah> ACTION-344 Due 2012-01-01

<trackbot> ACTION-344 Alert TAG chair when CORS and/or UMP goes to LC to trigger security review due date now 2012-01-01

<noah> ACTION-515?

<trackbot> ACTION-515 -- Larry Masinter to (as trackbot proxy for John) who will publish http://www.w3.org/2001/tag/2011/02/security-web.html, slightly cleaned up, with help from Noah and Larry -- due 2011-07-30 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/515

<Zakim> ht, you wanted to suggest we forward this doc to WebAppSec

HST: A new WG often gets more-or-less informal submissions as input, which they may or may not take forward
... I think that would be helpful for this doc, send it to WebAppSec on this basis

<noah> close ACTION-515

<trackbot> ACTION-515 (as trackbot proxy for John) who will publish http://www.w3.org/2001/tag/2011/02/security-web.html, slightly cleaned up, with help from Noah and Larry closed

<noah> ACTION: Larry to find an appropriate way to make available http://www.w3.org/2001/tag/2011/02/security-web.html to the Web App Sec working group [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action01]

<trackbot> Created ACTION-607 - Find an appropriate way to make available http://www.w3.org/2001/tag/2011/02/security-web.html to the Web App Sec working group [on Larry Masinter - due 2011-09-22].

<noah> ACTION-516?

<trackbot> ACTION-516 -- Yves Lafon to talk with Thomas Roessler about organizing W3C architecture work on security -- due 2011-07-19 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/516

<noah> close ACTION-516

<trackbot> ACTION-516 Talk with Thomas Roessler about organizing W3C architecture work on security closed

<noah> ACTION-554?

<trackbot> ACTION-554 -- Noah Mendelsohn to formulate product page for TAG work on security including John Kemp security draft Due: 2011-05-24 -- due 2011-09-15 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/554

scribenick noah

NM: Larry do you want discussion of ACTION-516

LM: To (Yves): what about the work that's beyond the scope of Web App Sec?

YL: If you have a topic in mind we can talk about it.

NM: I think we decided not to do the sort of security work that merits a product page. So, closing ACTION-554

<noah> close ACTION-554

<trackbot> ACTION-554 Formulate product page for TAG work on security including John Kemp security draft Due: 2011-05-24 closed

<noah> ACTION-33?

<trackbot> ACTION-33 -- Henry Thompson to revise naming challenges story in response to Dec 2008 F2F discussion -- due 2011-08-10 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/33

<noah> ACTION: Noah to schedule telcon discussion of TAG goals on privacy Due: 2011-10-01 [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action02]

<trackbot> Created ACTION-608 - Schedule telcon discussion of TAG goals on privacy Due: 2011-10-01 [on Noah Mendelsohn - due 2011-09-22].

anon: Thomas is the domain lead

LM: There's an organizational meeting coming up for the Do Not Track WG.

Review TAG Priorities for 2011

Note: scribing cleanup: Henry Thursday, Jonathan Tuesday, Dan Wednesday

noah: framing priorities discussion http://www.w3.org/2001/tag/products/
... trap: doing a good job on the wrong things
... we're not doing that but we might, we should look at our products

((noah editing products page with discussion))

((HTML5 last call moved to 'other active projects'))

((Jeni no longer on Web Application State))

((etc, not capturing individual edits))

((MIME and the web looking at finding by 31 December, draft for review by 30 September))

JAR: the linking item ought to be higher up

dan: I don't have an action on API minimization

((discussion that when reviewing minutes to update product page and actions ...))

Which "Other Active Products" should raise in priorities?

((publishing and linking moved up to top priority))

larry: http://www.w3.org/standards/webarch/

<noah> ACTION: Appelquist to draft initial cut at http://www.w3.org/standards/webarch/identifiers Due: 2011-10-18 [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action03]

<trackbot> Created ACTION-609 - Draft initial cut at http://www.w3.org/standards/webarch/identifiers Due: 2011-10-18 [on Daniel Appelquist - due 2011-09-22].

<JeniT> I'll volunteer for 'Meta Formats'

larry: I'll do Protocols

<noah> ACTION: Tennison to draft initial cut at http://www.w3.org/standards/webarch/metaformats Due: 2011-10-18 [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action04]

<trackbot> Created ACTION-610 - Draft initial cut at http://www.w3.org/standards/webarch/metaformats Due: 2011-10-18 [on Jeni Tennison - due 2011-09-22].

<jar> the style for http://www.w3.org/standards/webarch/ arranges that you can't tell where the links are by looking at the page. this is wrong.

<noah> ACTION: Larry to draft initial cut at http://www.w3.org/standards/webarch/protocols Due: 2011-11-15 [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action05]

<trackbot> Created ACTION-611 - Draft initial cut at http://www.w3.org/standards/webarch/protocols Due: 2011-11-15 [on Larry Masinter - due 2011-09-22].

noah: If I stand up at TPAC and say these are our priorities, are these the right ones
... how do you feel about that?
... we're about to burn person-months on these topics ... is this the right stuff?
... does this feel like the right work plan?

dan: missing HTML.next and workshop on web applications

((noah editing html.next into list))

jar: there are a lot of things we're talking about and thinking about, most of them not well-formed enough to put on a list like this

((discussion of microdata/RDFa))

JAR: I think the linking report is more important than microdata/RDFa work
... it's already gone on months beyond where I think it would go

((discussion of microdata/RDFa not a 'TAG' task force))

Larry: the task force is just an effort to help HTML working group resolve the problem, but ultimate responsibility is HTML WG.

((discussion of Jeni's priorities))

larry: suggest presentation to AC about TAG priorities and ask for feedback

wrap-up

ht: another entry for the 'train wreck' list is identity

<noah> Another for train wrecks: privacy, security.

timbl: the standardization around single sign-on ....

ht: reliable attribution in semantic web

jar: it's much more about accountability than attribution

larry: points out http://www.w3.org/html/wg/tracker/issues/175

timbl: we should put together some research projects ....

((discussion of access control and provenance ...))

Larry: want to ask about http://www.w3.org/2011/prov/wiki/Main_Page

ht: at this point worth mentioning afs, based on groups

((afs requires daily login))

timbl: kerberos and shibboleth open source public key infrastructure
... would be very valuable for identity to be a HTTP URL

ashok: henry is talking about verified identity
... most people think that's too heavy weight, and they resist

<plinss_> http://www.gpgtools.org/

<plinss_> lion mail plugin: https://github.com/downloads/GPGTools/GPGMail/GPGMail-2.0a4.dmg

<ht> I'm at http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x9239C98B1017581A

larry: move to adjourn

discuss next meeting & phone conference

Noah: TAG phone conference of sept 22 is cancelled

Noah: TAG next phone conference is sept 29th

Noah: THIS F2F MEETING IS ADJOURNED

Summary of Action Items

[NEW] ACTION: Appelquist to draft initial cut at http://www.w3.org/standards/webarch/identifiers Due: 2011-10-18 [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action03]
[NEW] ACTION: Larry to draft initial cut at http://www.w3.org/standards/webarch/protocols Due: 2011-11-15 [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action05]
[NEW] ACTION: Larry to find an appropriate way to make available http://www.w3.org/2001/tag/2011/02/security-web.html to the Web App Sec working group [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action01]
[NEW] ACTION: Noah to schedule telcon discussion of TAG goals on privacy Due: 2011-10-01 [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action02]
[NEW] ACTION: Tennison to draft initial cut at http://www.w3.org/standards/webarch/metaformats Due: 2011-10-18 [recorded in http://www.w3.org/2001/tag/2011/09/15-minutes.html#action04]