IRC log of tagmem on 2007-01-09

Timestamps are in UTC.

16:57:17 [RRSAgent]

RRSAgent has joined #tagmem

16:57:17 [RRSAgent]

logging to http://www.w3.org/2007/01/09-tagmem-irc

16:58:44 [ht]

Meeting: TAG telcon

16:58:50 [ht]

Scribe: Henry S. Thompson

16:58:55 [ht]

ScribeNick: ht

16:59:07 [ht]

Chair: Vincent Quint

16:59:22 [ht]

Agenda: http://www.w3.org/2001/tag/2007/01/09-agenda.html

16:59:38 [ht]

ht has changed the topic to: Today's agenda: http://www.w3.org/2001/tag/2007/01/09-agenda.html

17:04:55 [Stuart]

Stuart has joined #tagmem

17:05:30 [ht]

Evening sir

17:17:57 [Stuart]

Stuart has left #tagmem

17:59:22 [Vincent]

Vincent has joined #tagmem

18:00:54 [ht]

zakim, please call ht-781

18:00:54 [Zakim]

ok, ht; the call is being made

18:00:55 [Zakim]

TAG_Weekly()12:30PM has now started

18:00:56 [Zakim]

+Ht

18:01:24 [noah]

noah has joined #tagmem

18:01:44 [Zakim]

+[IBMCambridge]

18:01:49 [noah]

zakim, [IBMCambridge] is me

18:01:49 [Zakim]

+noah; got it

18:02:03 [Zakim]

+Ed_Rice

18:02:31 [Zakim]

+??P11

18:02:49 [Vincent]

Zakim, P11 is Vincent

18:02:49 [Zakim]

sorry, Vincent, I do not recognize a party named 'P11'

18:03:12 [Vincent]

Zakim, ??P11 is Vincent

18:03:12 [Zakim]

+Vincent; got it

18:04:21 [Vincent]

Zakim, who is here?

18:04:21 [Zakim]

On the phone I see Ht, noah, Ed_Rice, Vincent

18:04:22 [Zakim]

On IRC I see noah, Vincent, RRSAgent, Zakim, ht

18:06:03 [Ed]

Ed has joined #tagmem

18:08:57 [ht]

zakim, who is making noise?

18:09:08 [Zakim]

ht, listening for 10 seconds I heard sound from the following: Ed_Rice (32%)

18:09:09 [ht]

I've pinged DanC, no sign of timbl. . .

18:09:23 [Vincent]

Tim has sent regrets

18:09:31 [Zakim]

-Ed_Rice

18:09:55 [Zakim]

+Ed_Rice

18:10:08 [Zakim]

-Ed_Rice

18:10:10 [ht]

zakim, who is making noise?

18:10:21 [Zakim]

ht, listening for 10 seconds I heard sound from the following: Vincent (100%)

18:10:21 [DanC]

DanC has joined #tagmem

18:10:34 [Zakim]

+Ed_Rice

18:10:53 [ht]

zakim, who is making noise?

18:11:04 [Zakim]

ht, listening for 10 seconds I heard sound from the following: Vincent (95%)

18:11:14 [ht]

zakim, mute vincent

18:11:14 [Zakim]

Vincent should now be muted

18:11:22 [Zakim]

-Vincent

18:12:20 [Zakim]

+??P3

18:12:35 [Zakim]

+DanC

18:12:36 [Vincent]

Zakim, ??P3 is Vincent

18:12:36 [Zakim]

+Vincent; got it

18:12:52 [Vincent]

Zakim, who is here?

18:12:52 [Zakim]

On the phone I see Ht, noah, Ed_Rice, Vincent, DanC

18:12:53 [Zakim]

On IRC I see DanC, Ed, noah, Vincent, RRSAgent, Zakim, ht

18:13:45 [ht]

Topic: Administrative

18:15:04 [ht]

RESOLUTION: Minutes from last week approved

18:15:42 [ht]

VQ: Next telcon 16 January

18:15:52 [ht]

Regrets from DanC, timbl, Norm

18:16:59 [ht]

VQ: Agenda accepted as published

18:17:22 [ht]

ER: Comments on Noah's document are the most urgent item

18:17:52 [ht]

NM: Agree we shouldn't lose it, but let's delay a bit in hopes DaveO will join

18:18:14 [ht]

VQ: Agree to postpone that item for a while

18:18:41 [ht]

VQ: Stuart, our new chair, cannot make this timeslot

18:19:04 [ht]

... I'd like to have him join asap, even before he takes over as chair

18:19:23 [ht]

... We'll know the new participants by the end of this week

18:19:36 [ht]

... Everyone please send your timing constraints to tag@w3.org

18:20:26 [noah]

Noah's pretty sure he sent an email with scheduling guidance.

18:21:03 [ht]

VQ: DaveO to scribe next week, if possible, to be confirmed

18:21:25 [ht]

Topic: Issue utf7Encoding-55

18:21:44 [ht]

VQ: Created and announced this per our discussion last week

18:22:18 [ht]

... Waiting for input -- HST, DanC -- thoughts?

18:22:22 [DanC]

Zakim, mute VQ

18:22:22 [Zakim]

sorry, DanC, I do not know which phone connection belongs to VQ

18:22:25 [DanC]

Zakim, mute Vincent

18:22:25 [Zakim]

Vincent should now be muted

18:22:54 [DanC]

nor do I know about the security issue

18:23:04 [ht]

HST: Don't know anything about UTF7, no clue

18:23:14 [Zakim]

-Vincent

18:23:24 [ht]

DanC: Who voted this one on as an issue?

18:23:49 [ht]

ER: Me, for one -- I'll do some fact-finding

18:23:55 [Zakim]

+??P3

18:24:26 [ht]

NM: I'm also pretty ignorant -- it would be very helpful to get an entry-level summary of the issue and what the main positions are, thank you

18:24:54 [Vincent]

Zakim, ??P3 is Vincent

18:24:54 [Zakim]

+Vincent; got it

18:25:16 [Zakim]

+DOrchard

18:25:39 [ht]

Dave Orchard joins the call at 25 past the hour

18:28:38 [ht]

VQ: Thanks to ER, will wait for his input

18:29:04 [ht]

Topic: Last comments on the proposed submission to the workshop on Web of Services for Enterprise Computing

18:29:14 [ht]

http://lists.w3.org/Archives/Public/www-tag/2007Jan/att-0007/TAGEnterpriseServicesWhitePaper.html

18:29:14 [noah]

Note that a few minor typos, etc. that I intend to correct are at:http://lists.w3.org/Archives/Public/www-tag/2007Jan/0012.html

18:29:25 [DanC]

my review, in sum, is "thumbs up"

18:29:31 [ht]

ER: I sent my comments, I think it's a good summary of where we stand

18:29:35 [ht]

... It's a good document

18:29:51 [ht]

DaveO: I like the focus on use cases

18:30:13 [ht]

... Not sufficient mention of two things we've discussed in the past:

18:31:05 [ht]

... 1) The 'technology gap' which discourages option (3), e.g. EPR->URI conversion -- the limited discussion of this doesn't go far enough

18:31:05 [noah]

From the paper: Note that the SOAP Recommendation provides for such use of HTTP GET, though support for it is not widely deployed today.

18:31:52 [ht]

... Just a history of the TAG's interactions, w/o a discussion of the technology/state of play

18:32:09 [ht]

... I'd like to see more there, describing what we wished had happened there

18:32:11 [DanC]

(I would appreciate a bit more rah-rah around "Web description languages (e.g. WADL or the WSDL 1.2 HTTP Binding)" )

18:33:06 [ht]

NM: Wrt EPR->URI mapping, I could mention that, I guess my scepticism about likely success got in the way

18:33:34 [ht]

... I'd rather look towards a 'best practice' of not using Identifying params

18:33:46 [ht]

... DaveO, would that help

18:33:51 [ht]

DaveO: Yes

18:33:53 [dorchard]

dorchard has joined #tagmem

18:34:23 [ht]

NM: There is the mention of SOAP via HTTP GET

18:34:37 [ht]

DaveO: That's not what I was missing. . .

18:34:49 [ht]

DanC: What _were_ you looking for?

18:35:22 [ht]

NM: I understand DaveO never liked that (SOAP via HTTP GET) approach

18:36:04 [ht]

DaveO: What I was looking for was something along the lines of converting XML requests [?] into headerless SOAP requests

18:36:14 [ht]

[Scribe unsure -- DaveO, please correct]

18:36:19 [DanC]

(if Dave has a 1/2hr or whatever to suggest a few bullets/sentences about gaps and ideas for filling them, I think it's worth Noah's time to try to integrate those.)

18:36:47 [DanC]

q+

18:36:53 [ht]

NM: The lack of detail on the history was because of the guidance I got to try to be positive and forward looking

18:37:06 [ht]

... I can be more forthcoming on the day, if I'm asked to speak

18:37:15 [Vincent]

ack danc

18:37:37 [ht]

DanC: I like the length as it is.

18:37:58 [ht]

... About gaps and how to fill them, it's a bit subtle, but the detail is all there

18:38:21 [ht]

... Emphasizing the solutions more, with help from DaveO, would be good, but not required

18:38:57 [ht]

NM: Two different directions: more technical details (e.g. SOAP MEPs)

18:39:02 [DanC]

(yes, there are only so many gaps you can discuss in 5 pages; the WADL gap is one I'm interested in. I can see room for the EPR mapping, though I'm not as excited about it. I don't see room for much more.)

18:39:18 [ht]

zakim, disconnect ht

18:39:18 [Zakim]

Ht is being disconnected

18:39:19 [Zakim]

-Ht

18:39:30 [dorchard]

http://www.w3.org/2001/tag/doc/ws-uri.html

18:39:30 [ht]

zakim, please call ht_781

18:39:30 [Zakim]

I am sorry, ht; I do not know a number for ht_781

18:39:36 [ht]

zakim, please call ht-781

18:39:36 [Zakim]

ok, ht; the call is being made

18:39:38 [Zakim]

+Ht

18:40:28 [ht]

DaveO: The above pointer is one example of something which wasn't taken forward, which might have helped

18:40:41 [ht]

DanC: What about the printer example?

18:41:55 [DanC]

(yes, noting http://www.w3.org/2001/tag/doc/ws-uri.html in passing in the 3rd printer scenario seems worth a sentence or two)

18:42:02 [ht]

DaveO: Well, at least some of the EPR-based SOAP requests could have been handled via GET given that proposal

18:42:45 [DanC]

"Note that over the course of the last [n] years, a number of interesting proposals have been [darn]. including..."

18:42:46 [ht]

NM: So, not to discuss in detail, but frame a reference to this as a way of facilitating the integration suggested in (3)

18:43:15 [ht]

... and some others - - I would be happy to take suggestions - - if others agreed?

18:43:38 [ht]

DanC: three or four things?

18:43:52 [ht]

DaveO: Yes -- the above, Sam Ruby's, ...

18:44:19 [ht]

NM: Happy with mentioning both WADL and WSDL 2.0?

18:44:24 [ht]

DaveO, DanC: Yes

18:45:25 [ht]

NM: I'll integrate pointers when received from DaveO, look for a punchier way to discuss the description stuff, and make it valid XHTML

18:45:49 [DanC]

(I'm more comfortable deciding today than last time, but I don't need a decision)

18:45:57 [ht]

RESOLUTION: NM to submit on behalf of the TAG once that's done

18:47:42 [ht]

s/, Norm/, DaveO (at risk)/

18:48:24 [ht]

s/DaveO to scribe/TV to scribe, or ER if TV cannot/

18:48:44 [ht]

Topic: Issue passwordsInTheClear-52

18:49:00 [ht]

VQ: M-E Zurko sent detailed comments -- ER?

18:49:29 [ht]

Comments are at http://lists.w3.org/Archives/Public/www-tag/2007Jan/0009.html

18:49:40 [ht]

Draft is at http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

18:50:13 [ht]

ER: She was happy with most of the Good Practices

18:50:21 [ht]

... some discussion of password masking

18:50:51 [ht]

... Also another bit of feedback contra password masking on handhelds

18:51:17 [ht]

DanC: New phone masks after a second or so

18:51:21 [ht]

HST: ditto

18:51:36 [ht]

NM: So, we say "you must mask, pretty quickly"?

18:52:12 [ht]

ER: Update the discussion to cover the handheld case?

18:52:48 [ht]

NM: Dilute things so that it stays a fully general rule

18:53:08 [ht]

ER: But what's "a mobile device"

18:53:27 [ht]

NM: That doesn't matter, it's a counter-example

18:53:37 [ht]

q+ to say it's _not_ a counter-example

18:53:50 [Vincent]

ack ht

18:53:50 [Zakim]

ht, you wanted to say it's _not_ a counter-example

18:54:50 [ht]

HST: I think it's broken

18:54:57 [ht]

... and we should say so

18:55:10 [noah]

From Ed Davie's mail:

18:55:11 [ht]

ER: The case in the email is the OCR case

18:55:21 [noah]

"More substantially, PDAs which use handwriting recognition

18:55:21 [noah]

are good examples of devices where password masking is not

18:55:21 [noah]

a good strategy. Handwriting recognition is sufficiently

18:55:21 [noah]

unreliable that the user will want to see the characters

18:55:21 [noah]

entered to make sure they are correct. At the same time,

18:55:22 [noah]

with such devices it is easy to orientate the screen to

18:55:24 [noah]

avoid shoulder surfing."

18:55:49 [ht]

... on my handheld, the characters show after recognition, but are then masked

18:55:58 [ht]

DanC: A delayed mask is a mask

18:56:14 [ht]

ER: The HTML says it's to be masked

18:56:54 [ht]

... without that information, there's no basis for detecting password fields

18:57:11 [ht]

DanC: This note isn't about authoring, it's about UA's. . .

18:57:55 [ht]

ER: I agree there's flexibility in how 'masking' is done, e.g. after a delay

18:57:56 [DanC]

(I prefer the formulation that says: if you mask on the screen, you have to scramble over the wire, actually.)

18:58:59 [ht]

HST: How about saying "Exactly what masking amounts to will vary depending on input medium"

18:59:11 [ht]

DanC: Not clear it's worth the screen space

18:59:53 [ht]

NM: What are the current implications of "type='password'"

19:00:15 [ht]

ER: Puts you into the space where this finding applies

19:01:14 [ht]

NM, ER: Discussion about javascript submit-hooked scrambling

19:02:53 [ht]

NM: I'm worried in the presence of javascript onsubmit, the UA _can't_ implement the finding

19:03:13 [ht]

[above is scribe's summary of longer discussion]

19:04:12 [ht]

DanC: The conservative interpretation (type=password + non-secure connection) will warn in that case

19:04:55 [ht]

... because detecting encryption in the Javascript is impossible

19:05:34 [ht]

q+ to ask how we're converging on a change, if any

19:07:41 [Vincent]

ack ht

19:07:41 [Zakim]

ht, you wanted to ask how we're converging on a change, if any

19:07:43 [ht]

NM: We've focussed too narrowly on the UA -- no way this finding covers the case where someone _doesn't_ label a field as type='password', but uses the value as a password

19:08:54 [ht]

HST: Need to focus discussion on what we can say with certainty

19:08:59 [ht]

ER: I think we should drop it

19:09:23 [ht]

DanC: I don't think just because it's hard we should drop it

19:10:13 [ht]

HST: I'm not convinced we can't produce a useful result, by taking NM's idea of including the author in the mix

19:10:27 [Ed]

its not that its hard, its that the TAG cannot make everyone happy in this one and we're not willing to make anyone unhappy to resolve the issue.

19:11:08 [ht]

DanC: I'm inclined to ask Mary-Ellen if she has better wording. . .

19:11:47 [noah]

MEZ says: It's not clear to me actual security and user trust are tightly coupled in general, or in the case of the Web. User trust comes from perception. The best work I've seen on that is from:

19:11:47 [noah]

Andrew S. Patrick, Pamela Briggs, and Stephen Marsh, "Designing Systems That People Will Trust", Security and Usability: Designing Secure Systems that People Can Use, ed. Lorrie Faith Cranor and Simson Garfinkel.

19:12:19 [noah]

She was commenting on: "Security on the World Wide Web is an important issue which needs to be addressed or mistrust of the Web will limit its growth potential."

19:12:59 [noah]

MEZ also says: "There are a bunch of other places passwords can leak, starting with server logs, and going on to any (temporary) files written by either the browser or server. My product experience is that users do not want their passwords in the clear anywhere. Bugs that leave passwords in the clear immediately heighten user mistrust of the system. I'm guessing that the finding is restricting itself to the transmission because there's where the sufficient tec

19:13:12 [ht]

NM: Let's ask MEZ to propose wording

19:13:15 [ht]

DanC: +0

19:13:30 [noah]

I said let's invite MEZ to propose wording on any or all of the points she's raised.

19:14:39 [ht]

HST: I'm happy with both the MEZ situation and the masking, but not the Yahoo example

19:14:56 [ht]

DanC: Please send that to www-tag

19:15:35 [ht]

HST: Will do

19:16:14 [Zakim]

-Vincent

19:16:36 [ht]

NM: I am not sure we are describing Yahoo's usage correctly

19:16:47 [ht]

HST: I'll be careful not to assume that

19:17:07 [DanC]

Vincent, Zakim, says you've disconnected...

19:17:15 [ht]

ACTION: HST to send email about onsubmit hooking via javascript and its impact on PWintheclear to www-tag

19:17:18 [DanC]

... shall we take that as a motion to adjourn? I think we've done a useful bit of work today.

19:17:28 [Zakim]

+??P0

19:18:06 [ht]

zakim, ? is vincent

19:18:07 [Zakim]

+vincent; got it

19:18:26 [ht]

topic: Issue siteData-36

19:18:56 [DanC]

Subject: sitemaps.org, siteData-36, standardizedFieldValues-51

19:18:56 [DanC]

Date: Tue, 21 Nov 2006 08:55:06 -0600

19:19:00 [ht]

VQ: DanC, what was the thing which reminded you of this

19:19:21 [ht]

DanC: Please withdraw that old action, I am not going to do it

19:19:22 [DanC]

http://lists.w3.org/Archives/Public/www-tag/2006Nov/0106.html

19:19:59 [ht]

DanC: Google, MS and [?] have released a site-map story

19:20:28 [ht]

... Norm said he was interested in discussing this

19:20:32 [ht]

DaveO: Me too

19:20:40 [Vincent]

s/[?]/Microsoft

19:21:03 [ht]

s/[?]/Yahoo/

19:21:17 [DanC]

"Yahoo, Google, and Microsoft" -- http://www.sitemaps.org/terms.html

19:21:49 [ht]

DanC: Is the only pblm that they're squatting on http address space, by using a well-known URI (robots.txt, sitemap.xml

19:22:01 [ht]

DaveO: I don't know of a better way

19:22:38 [ht]

... This is part of discover of widgets as part of the light-weight services explosion

19:22:49 [ht]

s/discover/discovery/

19:23:20 [ht]

DanC: Summary: Noted, return to 'someday' pile

19:24:05 [ht]

VQ: I'll drop DanC's old action, the issue will go into 'sleep' mode

19:25:17 [Zakim]

-DOrchard

19:25:19 [ht]

... Adjourned until next week

19:25:20 [Zakim]

-Ed_Rice

19:25:23 [Zakim]

-DanC

19:25:25 [Zakim]

-noah

19:25:26 [Zakim]

-vincent

19:25:27 [ht]

zakim, bye

19:25:27 [Zakim]

Zakim has left #tagmem

19:25:28 [Zakim]

leaving. As of this point the attendees were Ht, noah, Ed_Rice, Vincent, DanC, DOrchard

19:25:38 [ht]

rrsagent, make logs world-visible

19:25:46 [ht]

rrsagent, please draft minutes

19:25:46 [RRSAgent]

I have made the request to generate http://www.w3.org/2007/01/09-tagmem-minutes.html ht

19:25:52 [ht]

rrsagent, bye

19:25:52 [RRSAgent]

I see 1 open action item saved in http://www.w3.org/2007/01/09-tagmem-actions.rdf :

19:25:52 [RRSAgent]

ACTION: HST to send email about onsubmit hooking via javascript and its impact on PWintheclear to www-tag [1]

19:25:52 [RRSAgent]

recorded in http://www.w3.org/2007/01/09-tagmem-irc#T19-17-15