16:57:17 RRSAgent has joined #tagmem
16:57:17 logging to http://www.w3.org/2007/01/09-tagmem-irc
16:58:44 Meeting: TAG telcon
16:58:50 Scribe: Henry S. Thompson
16:58:55 ScribeNick: ht
16:59:07 Chair: Vincent Quint
16:59:22 Agenda: http://www.w3.org/2001/tag/2007/01/09-agenda.html
16:59:38 ht has changed the topic to: Today's agenda: http://www.w3.org/2001/tag/2007/01/09-agenda.html
17:04:55 Stuart has joined #tagmem
17:05:30 Evening sir
17:17:57 Stuart has left #tagmem
17:59:22 Vincent has joined #tagmem
18:00:54 zakim, please call ht-781
18:00:54 ok, ht; the call is being made
18:00:55 TAG_Weekly()12:30PM has now started
18:00:56 +Ht
18:01:24 noah has joined #tagmem
18:01:44 +[IBMCambridge]
18:01:49 zakim, [IBMCambridge] is me
18:01:49 +noah; got it
18:02:03 +Ed_Rice
18:02:31 +??P11
18:02:49 Zakim, P11 is Vincent
18:02:49 sorry, Vincent, I do not recognize a party named 'P11'
18:03:12 Zakim, ??P11 is Vincent
18:03:12 +Vincent; got it
18:04:21 Zakim, who is here?
18:04:21 On the phone I see Ht, noah, Ed_Rice, Vincent
18:04:22 On IRC I see noah, Vincent, RRSAgent, Zakim, ht
18:06:03 Ed has joined #tagmem
18:08:57 zakim, who is making noise?
18:09:08 ht, listening for 10 seconds I heard sound from the following: Ed_Rice (32%)
18:09:09 I've pinged DanC, no sign of timbl. . .
18:09:23 Tim has sent regrets
18:09:31 -Ed_Rice
18:09:55 +Ed_Rice
18:10:08 -Ed_Rice
18:10:10 zakim, who is making noise?
18:10:21 ht, listening for 10 seconds I heard sound from the following: Vincent (100%)
18:10:21 DanC has joined #tagmem
18:10:34 +Ed_Rice
18:10:53 zakim, who is making noise?
18:11:04 ht, listening for 10 seconds I heard sound from the following: Vincent (95%)
18:11:14 zakim, mute vincent
18:11:14 Vincent should now be muted
18:11:22 -Vincent
18:12:20 +??P3
18:12:35 +DanC
18:12:36 Zakim, ??P3 is Vincent
18:12:36 +Vincent; got it
18:12:52 Zakim, who is here?
18:12:52 On the phone I see Ht, noah, Ed_Rice, Vincent, DanC
18:12:53 On IRC I see DanC, Ed, noah, Vincent, RRSAgent, Zakim, ht
18:13:45 Topic: Administrative
18:15:04 RESOLUTION: Minutes from last week approved
18:15:42 VQ: Next telcon 16 January
18:15:52 Regrets from DanC, timbl, Norm
18:16:59 VQ: Agenda accepted as published
18:17:22 ER: Comments on Noah's document are the most urgent item
18:17:52 NM: Agree we shouldn't lose it, but let's delay a bit in hopes DaveO will join
18:18:14 VQ: Agree to postpone that item for a while
18:18:41 VQ: Stuart, our new chair, cannot make this timeslot
18:19:04 ... I'd like to have him join asap, even before he takes over as chair
18:19:23 ... We'll know the new participants by the end of this week
18:19:36 ... Everyone please send your timing constraints to tag@w3.org
18:20:26 Noah's pretty sure he sent an email with scheduling guidance.
18:21:03 VQ: DaveO to scribe next week, if possible, to be confirmed
18:21:25 Topic: Issue utf7Encoding-55
18:21:44 VQ: Created and announced this per our discussion last week
18:22:18 ... Waiting for input -- HST, DanC -- thoughts?
18:22:22 Zakim, mute VQ
18:22:22 sorry, DanC, I do not know which phone connection belongs to VQ
18:22:25 Zakim, mute Vincent
18:22:25 Vincent should now be muted
18:22:54 nor do I know about the security issue
18:23:04 HST: Don't know anything about UTF7, no clue
18:23:14 -Vincent
18:23:24 DanC: Who voted this one on as an issue?
18:23:49 ER: Me, for one -- I'll do some fact-finding
18:23:55 +??P3
18:24:26 NM: I'm also pretty ignorant -- it would be very helpful to get an entry-level summary of the issue and what the main positions are, thank you
18:24:54 Zakim, ??P3 is Vincent
18:24:54 +Vincent; got it
18:25:16 +DOrchard
18:25:39 Dave Orchard joins the call at 25 past the hour
18:28:38 VQ: Thanks to ER, will wait for his input
18:29:04 Topic: Last comments on the proposed submission to the workshop on Web of Services for Enterprise Computing
18:29:14 http://lists.w3.org/Archives/Public/www-tag/2007Jan/att-0007/TAGEnterpriseServicesWhitePaper.html
18:29:14 Note that a few minor typos, etc. that I intend to correct are at: http://lists.w3.org/Archives/Public/www-tag/2007Jan/0012.html
18:29:25 my review, in sum, is "thumbs up"
18:29:31 ER: I sent my comments, I think it's a good summary of where we stand
18:29:35 ... It's a good document
18:29:51 DaveO: I like the focus on use cases
18:30:13 ... Not sufficient mention of two things we've discussed in the past:
18:31:05 ... 1) The 'technology gap' which discourages option (3), e.g. EPR->URI conversion -- the limited discussion of this doesn't go far enough
18:31:05 From the paper: Note that the SOAP Recommendation provides for such use of HTTP GET, though support for it is not widely deployed today.
18:31:52 ... Just a history of the TAG's interactions, w/o a discussion of the technology/state of play
18:32:09 ... I'd like to see more there, describing what we wished had happened there
18:32:11 (I would appreciate a bit more rah-rah around "Web description languages (e.g. WADL or the WSDL 1.2 HTTP Binding)" )
18:33:06 NM: Wrt EPR->URI mapping, I could mention that, I guess my scepticism about likely success got in the way
18:33:34 ... I'd rather look towards a 'best practice' of not using Identifying params
18:33:46 ... DaveO, would that help
18:33:51 DaveO: Yes
18:33:53 dorchard has joined #tagmem
18:34:23 NM: There is the mention of SOAP via HTTP GET
18:34:37 DaveO: That's not what I was missing. . .
18:34:49 DanC: What _were_ you looking for?
18:35:22 NM: I understand DaveO never liked that (SOAP via HTTP GET) approach
18:36:04 DaveO: What I was looking for was something along the lines of converting XML requests [?] into headerless SOAP requests
18:36:14 [Scribe unsure -- DaveO, please correct]
18:36:19 (if Dave has a 1/2hr or whatever to suggest a few bullets/sentences about gaps and ideas for filling them, I think it's worth Noah's time to try to integrate those.)
18:36:47 q+
18:36:53 NM: The lack of detail on the history was because of the guidance I got to try to be positive and forward looking
18:37:06 ... I can be more forthcoming on the day, if I'm asked to speak
18:37:15 ack danc
18:37:37 DanC: I like the length as it is.
18:37:58 ... About gaps and how to fill them, it's a bit subtle, but the detail is all there
18:38:21 ... Emphasizing the solutions more, with help from DaveO, would be good, but not required
18:38:57 NM: Two different directions: more technical details (e.g. SOAP MEPs)
18:39:02 (yes, there are only so many gaps you can discuss in 5 pages; the WADL gap is one I'm interested in. I can see room for the EPR mapping, though I'm not as excited about it. I don't see room for much more.)
18:39:18 zakim, disconnect ht
18:39:18 Ht is being disconnected
18:39:19 -Ht
18:39:30 http://www.w3.org/2001/tag/doc/ws-uri.html
18:39:30 zakim, please call ht_781
18:39:30 I am sorry, ht; I do not know a number for ht_781
18:39:36 zakim, please call ht-781
18:39:36 ok, ht; the call is being made
18:39:38 +Ht
18:40:28 DaveO: The above pointer is one example of something which wasn't taken forward, which might have helped
18:40:41 DanC: What about the printer example?
18:41:55 (yes, noting http://www.w3.org/2001/tag/doc/ws-uri.html in passing in the 3rd printer scenario seems worth a sentence or two)
18:42:02 DaveO: Well, at least some of the EPR-based SOAP requests could have been handled via GET given that proposal
18:42:45 "Note that over the course of the last [n] years, a number of interesting proposals have been [darn]. including..."
18:42:46 NM: So, not to discuss in detail, but frame a reference to this as a way of facilitating the integration suggested in (3)
18:43:15 ... and some others - - I would be happy to take suggestions - - if others agreed?
18:43:38 DanC: three or four things?
18:43:52 DaveO: Yes -- the above, Sam Ruby's, ...
18:44:19 NM: Happy with mentioning both WADL and WSDL 2.0?
18:44:24 DaveO, DanC: Yes
18:45:25 NM: I'll integrate pointers when received from DaveO, look for a punchier way to discuss the description stuff, and make it valid XHTML
18:45:49 (I'm more comfortable deciding today than last time, but I don't need a decision)
18:45:57 RESOLUTION: NM to submit on behalf of the TAG once that's done
18:47:42 s/, Norm/, DaveO (at risk)/
18:48:24 s/DaveO to scribe/TV to scribe, or ER if TV cannot/
18:48:44 Topic: Issue passwordsInTheClear-52
18:49:00 VQ: M-E Zurko sent detailed comments -- ER?
18:49:29 Comments are at http://lists.w3.org/Archives/Public/www-tag/2007Jan/0009.html
18:49:40 Draft is at http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
18:50:13 ER: She was happy with most of the Good Practices
18:50:21 ... some discussion of password masking
18:50:51 ... Also another bit of feedback contra password masking on handhelds
18:51:17 DanC: New phone masks after a second or so
18:51:21 HST: ditto
18:51:36 NM: So, we say "you must mask, pretty quickly"?
18:52:12 ER: Update the discussion to cover the handheld case?
18:52:48 NM: Dilute things so that it stays a fully general rule
18:53:08 ER: But what's "a mobile device"
18:53:27 NM: That doesn't matter, it's a counter-example
18:53:37 q+ to say it's _not_ a counter-example
18:53:50 ack ht
18:53:50 ht, you wanted to say it's _not_ a counter-example
18:54:50 HST: I think it's broken
18:54:57 ... and we should say so
18:55:10 From Ed Davie's mail:
18:55:11 ER: The case in the email is the OCR case
18:55:21 "More substantially, PDAs which use handwriting recognition
18:55:21 are good examples of devices where password masking is not
18:55:21 a good strategy. Handwriting recognition is sufficiently
18:55:21 unreliable that the user will want to see the characters
18:55:21 entered to make sure they are correct. At the same time,
18:55:22 with such devices it is easy to orientate the screen to
18:55:24 avoid shoulder surfing."
18:55:49 ... on my handheld, the characters show after recognition, but are then masked
18:55:58 DanC: A delayed mask is a mask
18:56:14 ER: The HTML says it's to be masked
18:56:54 ... without that information, there's no basis for detecting password fields
18:57:11 DanC: This note isn't about authoring, it's about UA's. . .
18:57:55 ER: I agree there's flexibility in how 'masking' is done, e.g. after a delay
18:57:56 (I prefer the formulation that says: if you mask on the screen, you have to scramble over the wire, actually.)
18:58:59 HST: How about saying "Exactly what masking amounts to will vary depending on input medium"
18:59:11 DanC: Not clear it's worth the screen space
18:59:53 NM: What are the current implications of "type='password'"
19:00:15 ER: Puts you into the space where this finding applies
19:01:14 NM, ER: Discussion about javascript submit-hooked scrambling
19:02:53 NM: I'm worried in the presence of javascript onsubmit, the UA _can't_ implement the finding
19:03:13 [above is scribe's summary of longer discussion]
19:04:12 DanC: The conservative interpretation (type=password + non-secure connection) will warn in that case
19:04:55 ... because detecting encryption in the Javascript is impossible
19:05:34 q+ to ask how we're converging on a change, if any
19:07:41 ack ht
19:07:41 ht, you wanted to ask how we're converging on a change, if any
19:07:43 NM: We've focussed too narrowly on the UA -- no way this finding covers the case where someone _doesn't_ label a field as type='password', but uses the value as a password
19:08:54 HST: Need to focus discussion on what we can say with certainty
19:08:59 ER: I think we should drop it
19:09:23 DanC: I don't think just because it's hard we should drop it
19:10:13 HST: I'm not convinced we can't produce a useful result, by taking NM's idea of including the author in the mix
19:10:27 it's not that it's hard, it's that the TAG cannot make everyone happy in this one and we're not willing to make anyone unhappy to resolve the issue.
19:11:08 DanC: I'm inclined to ask Mary-Ellen if she has better wording. . .
19:11:47 MEZ says: It's not clear to me actual security and user trust are tightly coupled in general, or in the case of the Web. User trust comes from perception. The best work I've seen on that is from:
19:11:47 Andrew S. Patrick, Pamela Briggs, and Stephen Marsh, "Designing Systems That People Will Trust", Security and Usability: Designing Secure Systems that People Can Use, ed. Lorrie Faith Cranor and Simson Garfinkel.
19:12:19 She was commenting on: "Security on the World Wide Web is an important issue which needs to be addressed or mistrust of the Web will limit its growth potential."
19:12:59 MEZ also says: "There are a bunch of other places passwords can leak, starting with server logs, and going on to any (temporary) files written by either the browser or server. My product experience is that users do not want their passwords in the clear anywhere. Bugs that leave passwords in the clear immediately heighten user mistrust of the system. I'm guessing that the finding is restricting itself to the transmission because there's where the sufficient tec
19:13:12 NM: Let's ask MEZ to propose wording
19:13:15 DanC: +0
19:13:30 I said let's invite MEZ to propose wording on any or all of the points she's raised.
19:14:39 HST: I'm happy with both the MEZ situation and the masking, but not the Yahoo example
19:14:56 DanC: Please send that to www-tag
19:15:35 HST: Will do
19:16:14 -Vincent
19:16:36 NM: I am not sure we are describing Yahoo's usage correctly
19:16:47 HST: I'll be careful not to assume that
19:17:07 Vincent, Zakim, says you've disconnected...
19:17:15 ACTION: HST to send email about onsubmit hooking via javascript and its impact on PWintheclear to www-tag
19:17:18 ... shall we take that as a motion to adjourn? I think we've done a useful bit of work today.
19:17:28 +??P0
19:18:06 zakim, ? is vincent
19:18:07 +vincent; got it
19:18:26 topic: Issue siteData-36
19:18:56 Subject: sitemaps.org, siteData-36, standardizedFieldValues-51
19:18:56 Date: Tue, 21 Nov 2006 08:55:06 -0600
19:19:00 VQ: DanC, what was the thing which reminded you of this
19:19:21 DanC: Please withdraw that old action, I am not going to do it
19:19:22 http://lists.w3.org/Archives/Public/www-tag/2006Nov/0106.html
19:19:59 DanC: Google, MS and [?] have released a site-map story
19:20:28 ... Norm said he was interested in discussing this
19:20:32 DaveO: Me too
19:20:40 s/[?]/Microsoft
19:21:03 s/[?]/Yahoo/
19:21:17 "Yahoo, Google, and Microsoft" -- http://www.sitemaps.org/terms.html
19:21:49 DanC: Is the only pblm that they're squatting on http address space, by using a well-known URI (robots.txt, sitemap.xml
19:22:01 DaveO: I don't know of a better way
19:22:38 ... This is part of discover of widgets as part of the light-weight services explosion
19:22:49 s/discover/discovery/
19:23:20 DanC: Summary: Noted, return to 'someday' pile
19:24:05 VQ: I'll drop DanC's old action, the issue will go into 'sleep' mode
19:25:17 -DOrchard
19:25:19 ... Adjourned until next week
19:25:20 -Ed_Rice
19:25:23 -DanC
19:25:25 -noah
19:25:26 -vincent
19:25:27 zakim, bye
19:25:27 Zakim has left #tagmem
19:25:28 leaving. As of this point the attendees were Ht, noah, Ed_Rice, Vincent, DanC, DOrchard
19:25:38 rrsagent, make logs world-visible
19:25:46 rrsagent, please draft minutes
19:25:46 I have made the request to generate http://www.w3.org/2007/01/09-tagmem-minutes.html ht
19:25:52 rrsagent, bye
19:25:52 I see 1 open action item saved in http://www.w3.org/2007/01/09-tagmem-actions.rdf :
19:25:52 ACTION: HST to send email about onsubmit hooking via javascript and its impact on PWintheclear to www-tag [1]
19:25:52 recorded in http://www.w3.org/2007/01/09-tagmem-irc#T19-17-15