WSC WG weekly
21 Nov 2006


See also: IRC log


Mary Ellen Zurko
Bill Doyle
Anthony Nadalin
Thomas Roessler
Hal Lockhart
Yakov Sverdlov
Stephen Farrell
George Staikos
Michael Smith
Phillip Hallam-Baker
Tyler Close
Mary Ellen Zurko




Pick a scribe http://www.w3.org/2006/WSC/scribes

Sunil to scribe

Approve minutes from f2f

assuming there are no problems, we'll approve the mintues

<tlr> Last meeting's minutes: http://www.w3.org/2006/11/14-wsc-minutes; http://www.w3.org/2006/11/15-wsc-minutes

ok, the minutes are not approved

<tlr> RESOLVED: minutes approved.

scribe: email doesn't get to MEZ as quickly as one would expect, as her org runs pre-beta servers, so there's a possibility of glitch...
... try to contact MEZ through some other media or go through Thomas...

Update from Tyler re note

<Mez> http://www.w3.org/2006/WSC/drafts/note/

<stephenF> took a peek earlier - it looks good

scribe: the above link contains the notes Tyler had put up so far...

The notes has the skeletal version, and he has put in some use cases. He'll continue to extract more content from the email and put them in the notes...

He'll send out an update when he has done that

MEZ says that we should get the content on Wiki so that's easy on Tyler...

Thomas will send out instructions either end of today or by tomorrow on how to use Wiki

The Wiki will NOT use the same username/password as their W3C username/password

Discussion of Goals and Non-Goals

MEZ says we should work on the Goals/Non-goals agenda item

<stephenF> got a ptr to that email?

MEZ has started the list in one of the email responses to Mike...

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2006Nov/0041.html

The charter, 2 days of f2f has provided enough context to discuss what is within scope and what is out

MEZ claims that the existing list seems quite uncontentious

MEZ is reading out the contents of the email...

<Zakim> malware, you wanted to ask about high-level problem description

Mike says the goal is to help the user protect themselves becoming victims of the phishing attacks, or correctly identity the biz they are sharing information with

MEZ says we should be able to get couple of use cases, before deciding either way

Mike says that with such work, we have to explain to the outside world what we are doing, what's the value of the work to the 'unsophisticated user'. He agrees, that it's little early to take a stance yet...

<Zakim> Thomas, you wanted to note it's probably ok to talk about overall goal for ourselves, and then see how far the use cases get us

Hal: has a different perspective, says phishing is an example of what we are solving.

Phishing maybe a short term problem, but we should focus solving problem in general.

Mez says tactically speaking, the problem we are solving is phishing, but strategically we are tyring to get across to layman on the browser who they are talking to.

<malware> so for the record, what I wanted to say was that I think it might benefit to consider formulating a high-level description that explains in simple terms to an unsophisticated users what problems we are trying to solve with this work.

Stephen: If there's a unsophisticated user whose user agent supports both HTTP and FTP, then how do we get it across to the user

MEZ says that what we are trying to put in the security context that is general in nature, irrespective of http/ftp

scribe: but when we get into specifics, we would like to leave out some set of protoocols in the universer...

Stephen says that if we fix all the holes in HTTP, the hackers will move to FTP.

MEZ agrees there will be holes

Stephen thinks that it might not be correct to leave out FTP as user are using general purpose User Agent

<staikos> without wasting air time, SOAP == HTTP

MEZ is looking for a place to start with

<tjh> can we formulate a use case for non-HTTP?

Mez tells Stephen to come up with a use case scenario that includes FTP

<scribe> ACTION: Stephen to come up with a use case for FTP's usage [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action01]

<trackbot> Created ACTION-32 - Come up with a use case for FTP\'s usage [on Stephen Farrell - due 2006-11-28].

<stephenF> http as biggest deal is just fine by me

scribe: MEZ says seems nobody has problems with keeping HTTP front and center...

PHB says we secure HTTP and call FTP legacy. He's happy keeping protocols like IRC, SMTP out of scope too at this point

<tlr> data: URIs?

George agrees with PHB, that FTP should be out of scope. But thinks the 'data' protocol is quite interesting

MEZ says that generally people seem to be ok with what's in scope, but folks seem to have problem with what's out of scope

scribe: we should start populating the goals/non goals section of note

Hal says that if we are putting the goals and non-goals in the document, we should be very precise.

scribe: Goals and scope are a little different...
... the point is we are talking about is goals, but actually they are the things within scope or out of scope...

<staikos> yes

scribe: the document has a section for goals/non-goals...

MEZ says Goals/Non-goals is right for the document and not sure we need scope/out of scope

<malware> where F00 is (in this case), base64-encoded GIF data

<malware> oh

Hal can you please type your example of goals/non-goals scope/out-of-scope

<malware> then:

<malware> just thinking and suggests that perhaps at a high level, we may be saying that we are trying to help users correctly evaluate the identity of an online business in order to decide if that business is worthy of trust (that is, decide if they want to exchange personal information with that online business)

<Paul> HTTP is a protocol on the wire, but a lot of the attacks that we talk about are display issues. For example, manipulation of the chrome, or obscured URLs. So should HTML be in the scope?

<malware> the 'data' protocol that staikos mentions is e.g., '<img src="data:image/gif;base64,F00"/>

<staikos> tlr: should fix that logging :)

MEZ says there are two aspects that are within scope. i) security context, definitely protocols are within context, ii) protecting from chrom manipulation, hence DHTML is within scope

<Paul> So we want to nail the use cases before we write to specific a scope statement.

<Mez> I think it's iterative; some people like the abstract scope then the concrete use cases, some the other way around

tyler says, we should have a scope/out-of-scope section, as it will help the patent attorneys

PHB: and non-goals need to be described at a much higher level abstraction then what Hal did

<Paul> I agree with PHB.

PHB, I am missing the subtlety, can you please type in what you just said

<Paul> I think the scope should be driven more by use cases than jumping to a protocol discussion.

<malware> I believe I agree with PHB's distinction about statement of "goals" being at a higher level of abstraction than "scope"

MEZ says we should someone drafting the goals/non-goals (more abstract) and have someone draft the use cases (the more concrete)

<stephenF> MEZ's plan sounds good, but makes me wonder when we get to closure on those

<Mez> in 2 minutes...

<tlr> ACTION: hallam-baker to draft goals / non-goals section [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action02]

<trackbot> Created ACTION-33 - Draft goals / non-goals section [on Phillip Hallam-Baker - due 2006-11-28].

<scribe> ACTION: PHB draft the Goals/Non-Goals [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action03]

<tlr> ACTION: zurko to draft scope/out-of-scope [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action04]

<trackbot> Created ACTION-34 - Draft scope/out-of-scope [on Mary Ellen Zurko - due 2006-11-28].

mez is trying to verify if there's any section of the note as drafted by tyler, that is under explored or sections are missing completely

scribe: the action items that are most imp are scope/non-scope, use cases and foundation principles
... she doubts that we have good use case coverage...

Next meeting (28th is during AC meeting)

mez asks thomas, should we have a meeting next week?

thomas says that traditionally we don't have meeting during AC meeting, suggest we skip next meeting and have the next one on Dec 5th

<staikos> I have a full-day meeting Dec 5

post Dec 1 will be good, as lots of actions are due by then

<malware> I'll be in Boston on Dec. 5 for XML 2006

Mike is fine with Dec 5

RESOLUTION: The next phone meeting will be on Dec 5th, same time (10am EST).

Hal asks how action items get closed

Thomas says that his pref is that action items not get closed promptly. As we go forward, during meetings we actually decide that an action has been resolved, and we close them then

thomas is trying to bring up list of action items and see if we can close them...

<malware> I checked XML 2006 schedule. 10am sessions on Dec. 5 are about XQuery and w3C XML Schema, both of which I am glad to miss :)

Action item review

Action 1 is closed

<tlr> http://www.w3.org/2006/WSC/track/actions/3

make action 3 out of scope (as it's related to sandboxing).

<malware> About the XPath/XQuery question, I think Staikos' point on the list (about it essentially being no different from Javascript) was right.

<stephenF> yes, to what thomas said

<tlr> ACTION: thomas to open issue for xpath/xquery in/out-of scope [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action05]

<trackbot> Created ACTION-35 - Open issue for xpath/xquery in/out-of scope [on Thomas Roessler - due 2006-11-28].

action 10, mike, rejected the action.

hal suggests we close action 12, enumerating the context.

thomas asks do we have agreement that action 12 has been discussed sufficiently?

<tjh> shouldn't then the action close once the info is in the wiki?

<tlr> ACTION-12 to be closed; done at the meeting; see http://www.w3.org/2006/WSC/security-context-info-sources

<Mez> Tim, only if Hal really deserved to own it.

action 14 is duplicate is something else

action 28, minute cleanup, action 31, produce a skeletal doc, done.

scribe: the only one that needs more attention is action 35...

Summary of Action Items

[NEW] ACTION: hallam-baker to draft goals / non-goals section [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action02]
[NEW] ACTION: PHB draft the Goals/Non-Goals [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action03]
[NEW] ACTION: Stephen to come up with a use case for FTP's usage [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action01]
[NEW] ACTION: thomas to open issue for xpath/xquery in/out-of scope [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action05]
[NEW] ACTION: zurko to draft scope/out-of-scope [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action04]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.127 (CVS log)
$Date: 2006/12/05 16:00:11 $