W3C

TAG Weekly Teleconference

21 Nov 2006

Agenda

See also: IRC log

Attendees

Present
Ed Rice, Norm Walsh, Vincent Quint, Tim Berners-Lee, Dan Connolly, Dave Orchard, T.V. Raman
Regrets
Noah Mendelsohn, Henry Thompson
Chair
Vincent Quint
Scribe
Ed Rice

<scribe> Scribe: Ed Rice

Administrative

Propose next teleconference: 28 November - conflict with AC meeting?

Regrets Tim, Norm, Vincent and likely Henry

Norm: Propose cancel next week meeting

Ed +1

<timbl> +1

Resolved, next week's meeting will be cancelled.

Propose next teleconference: 5 Dec

Propose Noah as scribe.

Approve minutes of last teleconference?

<Vincent> Minutes 14 nov. http://www.w3.org/2001/tag/2006/11/14-tagmem-minutes

Resolved: approve minutes of last teleconference.

Agenda review

<Zakim> DanC, you wanted to request discussion of tagSoupIntegration

agenda accepted with Dan's addition for tagSoupIntegration

PasswordsIntheclear

<Zakim> DanC, you wanted to suggest clarifying the scope to "never send passwords in the clear across the Internet"

Ed talks about the proposed exceptions to where it is ok to send passwords in the clear.

1) I just want to keep a page off the search engine, it's not really 'secure'.

2) My network is secured, so I don't need to secure the password.

Dan: I think 'should not' would be ok, instead of a must not.

Timbl: If you're running on a secured network, that doesn't mean there are no viruses on it.
... the one machine could be connected to other networks which are then not as secured.
... or it could be sniffed by someone else on the VPN.

<DanC> (this discussion of VPNs and firewalls starts to sound like IETF IPv6 discussions)

Dave: One person in my group went to a conference who said firewalls really don't work and it's pushing more security on the local machine because only one client inside your firewall can compromise your entire network.

<DanC> http://www.w3.org/2006/WSC/ Web Security Context Working Group

Dan: W3C has a new security context WG. We may want to have them review this.

Ed, should we change it to 'should' then or send it to the working group?

Dan: I'm in favor of either of these.

Norm: If we say 'should' how do we point to anyone and say you're in violation of the finding or not?
... So, I have a marginal preference for 'must' if we can get the community to buy in to it.

Dan: All these things are about managing risk.

dorchard: I think of must as a 'if you don't follow a "must" you're outside the architecture', and we're saying sometimes it's ok to violate a 'must' so I think a 'should' is probably ok on this one.

DO: I think that should is the right word to use.

<DanC> hmm... tim's idea has some appeal; put the MUST onus on the user agent to make the user aware of the risk. hmm....

<DanC> that's already in there: "A client or browser MUST NOT transmit passwords in clear text."

<Zakim> DanC, you wanted to express reservation about advocating a change that we don't have experience with.

Timbl: I suggest adding 'user agents MUST warn when a password is to be sent in the clear'
... and the user SHOULD NOT send passwords in the clear
... and the server SHOULD NOT request passwords be sent in clear text.

<DanC> (hmm... perhaps s/MUST warn/MUST not send without informed consent/ ? I think there's some precedent in WAI. but yes, that's just wordsmithing)

Dan: I'd like to see the use cases identified in a paragraph or two as well.

<DanC> replay:

<DanC> Timbl: I suggest adding 'user agents MUST warn when a password is to be sent in the clear'

<DanC> Timbl: and the browser SHOULD NOT send passwords in the clear

<DanC> Timbl: and the user SHOULD NOT send passwords in the clear

<DanC> timbl: and the server SHOULD NOT request passwords be sent in clear text.

<DanC> (disregard 2nd line of replay)

<scribe> ACTION: Ed to produce a new version with these changes. [recorded in http://www.w3.org/2006/11/21-tagmem-minutes.html#action01]

<DanC> indeed, raman , it's "user SHOULD NOT send passwords in the clear"

Face to face meeting in 3 weeks.

VQ: Let's talk about what we'd like to achieve?

Schedule is Monday - Wednesday afternoon.

Dave: when to use Get - issue 7 (wstransfer)

Norm: I'm hoping to have namespace document 8 and semantic web dialog, web architecture. I'm hopeful I'll get these done by the face to face.

Timbl: Yes, particularly the semantic web.. we need to get the TAG to focus more on this.

Norm: I will also need to leave early on Wednesday.

<Zakim> DanC, you wanted to note my TAG priorities are tagSoupIntegration and extensibility/versioning, though I haven't thought about group priorities much

Dan: My personal interests are tagSoupIntegration and versioning/extensibility.

DO: We never really closed on what we need to do since the last face to face. This paper has become more of a thesis and we discussed possibly breaking it up.

VQ: well, maybe we should discuss to try and resume progress on this.

TV: If I was coming I would like to see more on the TAGSoup issue.
... I will definitely not be able to attend the f2f due to prior commitments.

Ed: I'd like to try and close on passwords in the clear at the f2f if we could.

<timbl> Raman, you could not call in even, I gather?

TV: yes, I can call in during the evening hours. I'd like to participate in the TagSoup.

VQ: I'll send out a draft agenda so we can try and settle at least one week in advance.
... other topics for F2F?

TagSoupIntegration - Dan's addition.

Tag discusses..

<DanC> http://www.w3.org/2001/tag/2006/11/07-minutes.html#item08

VQ: anything else to cover today?
... Meeting adjourned, next meeting in two weeks.

Summary of Action Items

[NEW] ACTION: Ed to produce a new version with these changes. [recorded in http://www.w3.org/2006/11/21-tagmem-minutes.html#action01]
 
[End of minutes]