W3C

Technical Architecture Group Teleconference

20 Sep 2012

Agenda

See also: IRC log

Attendees

Present
Yves_Lafon, Peter_Linss, Ashok_Malhotra, Larry_Masinter, Noah_Mendelsohn, Jonathan_Rees, Henry_S_Thompson
Regrets
Chair
Larry Masinter
Scribe
Jonathan Rees

<scribe> scribenick: jar

<scribe> scribe: Jonathan Rees

Date: 20 Sep 2012

Administrative

<Larry> are there any minutes to approve?

<Yves> http://lists.w3.org/Archives/Public/www-tag/2012Sep/0019.html

Minutes of the 13th = http://www.w3.org/2001/tag/2012/09/13-minutes.html

ashok: draft minutes of the 13th look OK

RESOLUTION: Draft minutes of the 13th approved as a record of that meeting by acclaim

<Larry> i will note that i personally blogged http://blogs.adobe.com/standards/2012/09/19/governance-and-standards/

yves: Publishing & linking WD has been published and announced.

ashok: No comments yet, right?

<Larry> F2F meeting all set?

<Larry> logistical?

discussion of hotel

<Larry> everyone set on logistics for London F2F

<Larry> i have a couple of topics to talk about today

Review of agenda items added by chair

<Larry> new agenda items: web+ and registerXXHandler

<Larry> new agenda item: governanceFramework, and timely news

<Larry> new agenda item: testing the web and performance and urls

<Larry> new agenda item: IRIs and URL

registerXXHandler features in HTML5

[In editing the minutes the scribe has reordered contributions in an attempt to make the proceedings easier to reconstruct. Much of the conversation was in IRC instead of voice due to audio and scribing difficulties.]

<Larry> registerProtocolHandler

lm: gmail wants to say, when you see a mailto: URL, go to gmail, passing the parameters
... this is supposed to change the [operating] system so that from now on mailto: URLs are handled by gmail
... There was an issue in the HTML WG - they were concerned about security.
... Some schemes would be bad to redefine. So, whitelist or blacklist?
... A: We don't know... so we're going to have a whitelist...
... and in order to make the whitelist open-ended, include all scheme names beginning web+
... There's a browser dialog [as a protection measure]
... There was a procedural question, how to have new URI schemes, without registering with IETF?

<Larry> http://lists.w3.org/Archives/Public/public-ietf-w3c/2012Sep/

<Larry> looking at thread on "web+ and registerProtocolHandler" subject thread

(looking up thread)

lm: This looks like the nail in the coffin of the [IANA] registries [relating to the web]. The IANA URI scheme registry would be killed by this move.

<Zakim> ht, you wanted to ask all? really?

lm: It's supposed to change the entire OS.

ht: The issue was in whatwg, are you sure it's an html5 feature/issue?

<Larry> http://lists.w3.org/Archives/Public/public-ietf-w3c/2012Sep/

<Larry> http://lists.w3.org/Archives/Public/public-ietf-w3c/2012Sep/0000.html

<Larry> http://lists.w3.org/Archives/Public/public-html/2012Aug/0115.html

ht: I can't find it in the HTML5 bug tracker.

<Larry> http://www.w3.org/html/wg/tracker/issues/189

ht: OK

<noah> Should I be worried that [issue 189 is] closed?

<Larry> [See] http://dev.w3.org/html5/spec/system-state-and-capabilities.html#custom-handlers

lm: My conclusion is that web+ was a red herring... the real issue is not 189, but section 6.5.1.2, see the link.
... register-content-handler has a blacklist only ...
... with an install security dialog

noah: I see this as attempting, in the API, a way to express an intention.
... This seems to be in that spirit, where the application is packaged as a web app
... just as photoshop might say, I think I'm a good handler for media type M.
... so it's ok for the spec to not say much about this.

lm: Any application can install media type handlers.
... It's not appropriate; it's poorly defined and has the wrong security model
... and reduces the motivation [to nil] for ever registering a URI scheme.

<noah> Ah, OK, so you're not pushing hard against what they're >trying< to do, just suggesting that it's either under-specified and/or has an insufficient security story

am: Why [does it reduce the motivation for registering a URI scheme]?

lm: There's lots of unregistered schemes and types anyway, but [before this] there was hope [that they might eventually be registered].
... But now the web site has the authority to modify the OS.

<noah> The browser routinely does this stuff for file types that the browser handles directly, including at least HTML, but also XML, or even JPG.

<noah> The difference here is that the browser will not handle things with its own (somewhat trusted) code.

am: Are you nervous that someone could screw with my browser?
... [What are the] attacks?

lm: This changes security model: it used to be you could scan for viruses, but with the new feature, you're trusting the site dynamically into the future.
... In this workflow, the registry adds no value.

<Larry> My conclusion is this is the nail in the coffin for IANA registries for URI schemes & media types.

<ht_home> I think there's nothing here [in the draft] about scope -- temporal, or web/scope.

<ht_home> I.e. for how long? For which pages?

<noah> I infer it's sort of scoped to my desktop or phone or tablet.

<noah> Is that what you mean?

<ht_home> Yes.

<ht_home> And what about conflict?

<ht_home> [What if] several sites all try to register a handler?

<noah> I assume that's up to the OS (it can do what it wants), but typically [it would last] until explicitly changed.

<noah> That's how setting handlers for JPG or e-mail typically works.

<Larry> [In] http://lists.w3.org/Archives/Public/public-ietf-w3c/2012Sep/0033.html , Robin says: "this is intended to be system-wide"

<ht_home> That's what it [?] does!

<ht_home> No, no no [scribe: HT was muted here due to audio difficulties; not clear to what this was in reference]

am: Who is registering what?

<noah> I assume, the canonical use case is something like: "GMail is my mail handler, Google Voice does my phone dialing, etc."

<ht_home> Yes NM, but at least [in the pre-HTML5 status quo] they installed the App.

lm: This is a call on the OS to register a scheme or media type with the OS for the indefinite future.

<Larry> This belongs with an "install" security model and not a "web" security model.

<Larry> Web sandboxing is inappropriate.

noah: The browser is supposed to act on the user's behalf... except that maybe some users won't understand. But desktop apps have the same problem.

lm: I'm not saying it's a horrible thing and it should go away; it does need a better security, but that it will happen. I'm just saying that this is the end of the registries.

<Larry> See http://www.w3.org/2012/05/sysapps-wg-charter.html .

<Larry> Sysapps have a different security model:

<Larry> "The Working Group will focus on those operating system interactions that cannot be exposed safely to Web applications executing in the traditional browser security model."

<noah> I'm not convinced that the registries in >this< space, i.e. which desktop app should show my photos, were ever a realistic model.

lm: Let's look at the sysapps [draft] charter...

<noah> Hmm. I thought this [registerXXHandler] is for apps that >are< in the traditional browser security model, and sysapps are for ones that aren't.

lm: the wording in the charter applies

<ht_home> NONONO

<ht_home> Not a web app [scribe: in the sense of sysapps]!

<ht_home> All that happens is a [different] URI is fetched. [due to substitution]

<noah> Right, but typically I register something with a lot of Javascript that is a web app

ht: No web app, no installation, no javascript, just [URI] substitution.
... Any javascript is going to be subject to [the usual] cross-site constraints.
... I see no evidence in the spec that it's a request to the OS to change what it does.

lm: The spec doesn't say, but as implemented this is how it works.

<Larry> image/jpg is blacklisted, but image/jpeg2000 isn't

noah: Once the OS is modified, it's possible that when I click, [the OS] might launch some web app, but that's subject to sandboxing.
... so [there is no change in the security model.]

<noah> I'm not seeing why registering such an app changes the security model. Does it say that registered apps have access to eg. local files that regular web apps don't?

lm: Clicking will go to some site.

jar: Let's not dive [too deep] into security, LM wanted to talk about what will happen to the registries.

<Larry> so why bother with IETF APPS area any more?

<noah> I can see why we would want this coordinated with the SysApps stuff, I'm less clear why anyone thinks a registry could work in this space, whether for webapps, native or both?

lm: [Because] if you want to do a new SIP, there's no point in bothering with IETF any more, you just build an app and register a protocol handler.

<noah> What would such a registry have, that GIMP is the world's handler for JPEG and Photoshop isn't? :-)

<Larry> I was starting to understand Hannes's "death of protocols" point.

<ht_home> I do want to get clarification on how they think the HTML5 spec. can change the OS.

<ht_home> I think we do need to discuss this at the F2F.

lm: I wanted the TAG to reflect on the role of registries in a world where registerXXHandler is common.

<noah> So what should we do about this, if anything?

lm: It's worth [at least] 1/2 hour at F2F [not to speculate how much time it is likely to take].

<ht_home> web+ and registerXXHandler

<Larry> gather some URLs from the discussion to queue this up as an issue

<noah> ACTION: Noah to schedule F2F discussion of XX handler registration see discussion on 20 Sept. [recorded in http://www.w3.org/2012/09/20-tagmem-irc]

<trackbot> Created ACTION-739 - Schedule F2F discussion of XX handler registration see discussion on 20 Sept. [on Noah Mendelsohn - due 2012-09-27].

Objectives matrix

<noah> ACTION-738?

<trackbot> ACTION-738 -- Noah Mendelsohn to schedule another discussion of World Wide Web Objectives Matrix per ACTION-726 -- due 2012-09-20 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/738

<noah> http://www.w3.org/2001/tag/2012/09/13-minutes

<Larry> http://www.w3.org/2001/tag/2012/09/action-726

action-726 deferred pending receipt of input

<noah> ACTION-738?

<trackbot> ACTION-738 -- Noah Mendelsohn to only if there's e-mail news: schedule another discussion of World Wide Web Objectives Matrix per ACTION-726 -- due 2012-09-25 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2001/tag/group/track/actions/738

Governance framework

<Larry> action-728?

<trackbot> ACTION-728 -- Noah Mendelsohn to find editor for copyright and linking after group reviews Ashok's proposals on stronger messages -- due 2012-07-12 -- CLOSED

<trackbot> http://www.w3.org/2001/tag/group/track/actions/728

lm: We published P&L, and I blogged about it.

<Larry> http://blogs.adobe.com/standards/2012/09/19/governance-and-standards/

lm: I tried to give various people the elevator pitch about the governance draft. The blog post is what I came up with. This is just a heads-up.

<Larry> http://www.w3.org/2001/tag/doc/governanceFramework-2012-07-19.html

<Larry> we talked about this one

<Larry> http://www.w3.org/2001/tag/doc/governanceFramework.html

lm: [clarifying] The feedback I got on the governance framework document was negative. So I tried to explain what I was trying to do. The outcome was the blog post. I plan to pull the new introduction (from the blog post) back into a new version of the framework document.

<Larry> i'll take an action to update in time for F2F

<noah> ACTION: Larry to update the governance frame for Oct F2F discussion [recorded in http://www.w3.org/2012/09/20-tagmem-irc]

<trackbot> Created ACTION-740 - Update the governance frame for Oct F2F discussion [on Larry Masinter - due 2012-09-27].

<noah> ACTION-740?

<trackbot> ACTION-740 -- Larry Masinter to update the governance frame for Oct F2F discussion -- due 2012-09-27 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/740

Testing web performance and URLs

Skipping due to time constraints.

IRI interoperability and scheme registration rules

<noah> What's the question on the table for this discussion?

lm: There is progress on URLs in the W3C webapps working group.

<Larry> [and that i'm inarticulate about it]

lm: Hasn't been checked in, but people are doing testing now, to see what browsers actually do with IRIs.

<noah> So, this is interoperability, not performance (in the speed sense)?

lm: They're asking, do browsers reverse query parameters or not? etc.
... That's good. The procedural issue is how to coordinate IETF and W3C specs better.

<noah> Seems like the topic title is misleading. Should be "IRI Browser Interoperability"?

lm: The IETF WG has been really quiet. The browser implementors aren't there.
... Concerned that any work on the scheme registry might be moot. Will people really register vendor schemes?

noah: Are scheme names to be allowed to be nonascii?

lm: The aim of the registry work was to allow the part after the scheme name to be defined according to their unicode sequence rather than ASCII.
... this was about making scheme registration easier.

<Larry> making scheme registration easier was a whole theme and subject of discussion

noah: What were you concerned about in specific?

lm: I wanted to figure out if this is a topic of interest.

<Larry> maybe this is just a heads up if you're interested

noah: (procedural options)

lm: This is a heads-up. We've talked about it a lot, I want to note that there has been recent activity.

noah: Does this change anything that would be seen on the wire, or does it only affect how what we see is documented?

lm: the latter... so maybe not as big a deal [as registerXXHandler]

Publishing and Linking on the Web review solicitation

lm: The google response to the recent video [takedown request] was a propos the p&l work.
... If we want feedback on p&l, pointing out its relevance to topical issues would be a way to raise interest in it

noah: If we're going to do this, let's consider the timing - push it into public light now, or later when we're more sure of it?
... Your question is, should we solicit feedback, and if so, from who?

scribe notes departure of HT and AM

<Larry> informally ask at FPWD for feedback, esp from people who have given us feedback before

yves: We can send issues any time, no formal response required until last call

<Yves> [There's no need for] no formal accounting until LC

lm: Now that we have a public document, we can start asking people to review it
... I'm asking TAG members: If you've asked someone to review it before, please ask them again now.

F2F planning - issues list

<noah> Jonathan, I think I want to ask you about:

<noah> ACTION-692?

<trackbot> ACTION-692 -- Noah Mendelsohn to consider JAR's april request to discuss, for 10 mins, issues list at oct f2f -- due 2012-09-10 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/692

<Larry> action-692?

<trackbot> ACTION-692 -- Noah Mendelsohn to consider JAR's april request to discuss, for 10 mins, issues list at oct f2f -- due 2012-09-10 -- OPEN

<trackbot> http://www.w3.org/2001/tag/group/track/actions/692

<Larry> this sounds like it's subsumed by JAR's matrix

<noah> Well, this is about our formal issues list.

Adjourned.

Summary of Action Items

[NEW] ACTION: Larry to update the governance frame for Oct F2F discussion [recorded in http://www.w3.org/2012/09/20-tagmem-irc]
[NEW] ACTION: Noah to schedule F2F discussion of XX handler registration see discussion on 20 Sept. [recorded in http://www.w3.org/2012/09/20-tagmem-irc]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.1 (CVS log)
$Date: 2012/10/25 02:19:49 $