IRC log of tagmem on 2007-07-02

Timestamps are in UTC.

15:37:26 [RRSAgent]
RRSAgent has joined #tagmem
15:37:26 [RRSAgent]
logging to
15:46:09 [ht]
Norm, DanC -- can you read www-tag online OK? My browser is hanging...
15:48:44 [Norm]
Yes, works fine for me, ht
15:50:01 [ht]
Nope, still stuck -- nslookup is for me -- you too?
15:50:38 [Stuart]
Stuart has joined #tagmem
15:51:55 [Norm]
Yep, for me too, ht
15:52:32 [ht]
Stuart, can you see www-tag OK? Specifically, ?
15:54:39 [DanC]
DanC has changed the topic to: TAG 2 July scribe: Raman
15:58:08 [Zakim]
TAG_Weekly()12:00PM has now started
15:58:30 [Rhys]
Rhys has joined #tagmem
15:58:55 [Stuart]
zakim, ??p2 is me
15:58:55 [Zakim]
+Stuart; got it
16:02:26 [ht]
zakim, please call ht-781
16:02:26 [Zakim]
ok, ht; the call is being made
16:03:18 [DanC]
(reviewing agenda, it occurs to me that for "Enabling Read Access..." , it would have been nice to have that in the same meeting as passwords-in-the-clear, in that they're security-related. )
16:04:43 [Rhys]
scribenick: Rhys
16:05:01 [Rhys]
Topic: Convene
16:05:19 [Rhys]
Stuart reviews the agenda and claims it could be a short meeting
16:05:45 [Rhys]
DC: Confirms he can scribe for next week
16:06:13 [Rhys]
Stuart asks for AOB and requests agenda items for next week
16:06:35 [Rhys]
DC: Do you send the agenda at end of day on Friday?
16:06:45 [Rhys]
SW: Yes
16:06:53 [Rhys]
DC: Would be good to have additional time
16:07:02 [Rhys]
SW: We'll talk off line
16:07:14 [Rhys]
SW: Proposes that last week's minutes are OK
16:07:39 [timbl_]
timbl_ has joined #tagmem
16:07:39 [Rhys]
SW: Proposes minutes - hearing no objections, resolved to accept
16:08:06 [Rhys]
Topic: Review request for Enabling Read Access for Web Resources
16:08:06 [raman]
raman has joined #tagmem
16:08:11 [DanC]
DanC has changed the topic to: TAG 2 July scribe: Rhys
16:09:31 [DanC]
-> No path in access item, etc. Tim Berners-Lee (Monday, 21 May)
16:12:00 [Rhys]
DC: Thinks that lack of distinction between resource and representations is not a problem
16:12:09 [Rhys]
HT: Thinks it might be
16:13:14 [DanC]
(it's not a problem that shows up in the way software behaves, that is.)
16:14:02 [DanC]
ack timbl
16:14:31 [Rhys]
TBL: You write a script to access data from behind a firewall and it can do it because it's a browser
16:15:13 [Rhys]
HT: Help me out with this example. I download a page from a known site A. Script on that page accesses a document somewhere else
16:15:51 [Rhys]
HT: Right now, the same-domain access rules don't allow that.
16:16:39 [Rhys]
HT: Seems that this opens up a hole that causes me to lose protection. Right now, no resources can be accessed that are outside a site
16:17:07 [Rhys]
TBL: This is not to prevent damage to your machine.
16:17:32 [Rhys]
DC: Tim can you acknowledge that Henry's example causes increased risk?
16:18:49 [Rhys]
DC: Script changes on site A to grab data from a 'bad' site B. Right now that can't happen. But if this spec is adopted, site B can simply define that the resource can be used by anyone and the cross domain protection is lost.
16:19:27 [Rhys]
TBL: The main reason for the cross domain restriction was to protect information behind firewalls
16:20:01 [Rhys]
HT: Then I accept that this specification does have that effect
16:20:31 [Rhys]
DC: It may be that that was the original motivation, but there is a side effect that the restriction would help in the case where a site has been compromised
16:21:11 [Rhys]
TBL: but then if the site is compromised it could do anything it wants, and there are other mechanisms that could be employed by the 'bad guys'
16:21:15 [ht]
XSS is the common acronym for Cross Site Scripting
16:21:23 [Rhys]
HT: It's called cross site scripting
16:21:27 [ht]
which is what the cross-domain restriction prevents
16:21:52 [DanC]
(I find ; the first hit I found was )
16:22:12 [Rhys]
HT: I just searched and found a discussion about whether or not the restriction should be maintained for xmlhttprequest
16:22:50 [Rhys]
NW: I think that TBL is correct. The danger is that a script can get information from confidential sites.
16:23:11 [Rhys]
NW: It wasn't a vector for viruses, it was a vector for identity theft.
16:23:54 [Rhys]
HT: Ok, so in that case I understand. Is it apparent that this is the case from the spec?
16:24:34 [Rhys]
RL: I don't think that the motivation is clear from the spec, nor is the mechanism
16:24:36 [timbl_]
q+ to say that the sec needs a summary of the attack in the intro
16:24:46 [Rhys]
SW: There is a section in the spec where this might live
16:24:55 [Stuart]
ack tim
16:24:55 [Zakim]
timbl_, you wanted to say that the sec needs a summary of the attack in the intro
16:24:59 [DanC]
(re "that's not a TAG comment per se", I'm increasingly of the opinion that the TAG is, while perhaps not presently filled with security experts, in the best position to deal with security issues in W3C specs, as they tend to be cross-WG issues)
16:25:15 [Rhys]
HT: I think that my concern is not a TAG concern, but is one that I may respond with
16:25:30 [Stuart]
ack danc
16:25:49 [Rhys]
TBL: I think that the introduction does need explanation of the attacks that are being considered
16:26:41 [Rhys]
DC: You may ask, but they may not respond because typically people don't document the things against which they are providing protection
16:26:55 [Rhys]
SW: Is it worth asking?
16:27:13 [Rhys]
DC: I'd like to see it, but I'm not sure they'll provide it.
16:27:53 [Rhys]
SW: I was expecting something different. It seemed the other way around.
16:28:06 [timbl_]
q+ to note that public must be a very large proportion and should be optimized for
16:28:10 [Rhys]
SW: It was a better design than I expected
16:28:12 [Stuart]
ack tim
16:28:12 [Zakim]
timbl_, you wanted to note that public must be a very large proportion and should be optimized for
16:28:59 [Rhys]
TBL: The document has a mechanism that says scripts from a particular set of domains can access content
16:29:15 [timbl_]
Content-Access-Control: allow *
16:29:17 [Rhys]
TBL: I've been thinking about what it means for public documents.
16:29:30 [Rhys]
HT: The access should be * shouldn't it?
16:29:33 [DanC]
q+ to ask if any HTTP headers are in this design
16:29:45 [Rhys]
TBL: People know what I think about PIs
16:30:16 [Rhys]
TBL: I think the HTTP system is superior. A test would be to ask the W3C webmaster to implement it.
16:30:25 [Rhys]
HT: I think it's bizarre
16:30:28 [DanC]
ack danc
16:30:28 [Zakim]
DanC, you wanted to ask if any HTTP headers are in this design
16:30:49 [Rhys]
DC: Is there an HTTP header
16:31:05 [ht]
q+ to 2nd DC in part
16:31:06 [Rhys]
DC: The name is much too long.
16:31:45 [Rhys]
TBL: I will ask the W3C webmaster to put this on every W3C public document.
16:33:07 [Rhys]
SW: Aside from Rhys' comments, I noted two other comments. Header name too long, and request to explain why the mechanism is secure
16:33:44 [Rhys]
HT: I think TBL is right and that it needs to be in the introduction.
16:33:57 [Rhys]
DC: But there is text in the introduction about this
16:34:19 [DanC]
("threat model" is the term of art, I think)
16:34:30 [Rhys]
TBL: That doesn't explain the particular situation covered by the spec
16:35:15 [Rhys]
HT: I would not be happy if the header name were to be just CAC, rather than Content-Access-Control
16:35:19 [Stuart]
ack ht
16:35:19 [Zakim]
ht, you wanted to 2nd DC in part
16:35:38 [Rhys]
DC: There is a critical difference between requests that fit into one packet and those that need more
16:36:02 [Rhys]
HT: But we're only talking about responses here
16:36:34 [Rhys]
TBL: From the point of view of the IETF community, could we point to something about the volume of HTTP traffic?
16:36:57 [Rhys]
TBL: Could be traffic implications and cost, for people who pay for their traffic
16:37:18 [Rhys]
DC: TE (transfer encoding) is a precedent for short names
16:37:48 [Rhys]
SW: seems as though the point I made on feedback fell apart. Can someone summarise?
16:38:02 [Rhys]
TBL: Do we have consensus that the intro could do with explanation
16:38:07 [Rhys]
Generally - Yes
16:38:49 [Rhys]
DC: I'll follow up with comments on the header thing
16:38:52 [DanC]
(one in RDF?")
16:39:27 [Rhys]
HT: We now have two ways of making assertions about sets of URIs in two different ways. One is regular expression-like and one uses RDF
16:39:33 [DanC]
(ah... overlap with POWDER. quite.)
16:40:02 [timbl_]
q+ to argue the importance of NOT using full regexp, but prefixes where possible
16:40:14 [Rhys]
HT: If these are a compact syntax and an expanded syntax for the same thing, it would be better if they were compatible
16:40:26 [Rhys]
DC: Should ask POWDER WG to review the spec.
16:41:27 [Rhys]
TBL: POWDER is tackling the general question. So asking WAF to ask POWDER to provide a simple form of the expressions could be one approach
16:41:46 [Rhys]
HT: What about asking WAF to use POWDER
16:42:36 [Stuart]
ack tim
16:42:36 [Zakim]
timbl_, you wanted to argue the importance of NOT using full regexp, but prefixes where possible
16:42:44 [Rhys]
TBL: I've thought about putting the POWDER approach into code. Whenever you access a URI, you need to check whether it is covered by rules like this
16:43:05 [Rhys]
TBL: Have wondered about asking POWDER about constraints based on prefixes
16:43:35 [Rhys]
TBL: For this, the domain names are the wrong way around
16:43:51 [Rhys]
TVR: You need the Java package name approach
16:44:20 [Rhys]
TBL: Yes, if the check was against the reversed domain name as a prefix
16:44:36 [Rhys]
TVR: This would be ok as long as you don't treat the URI as simply a string
16:45:12 [ht]
s/asking WAF to use POWDER/asking WAF to use POWDER to define the semantics of their patterns/
16:45:41 [Rhys]
TBL: When you do something like this then it can speed up the look ups
16:45:56 [DanC]
-> long HTTP header field name in WD-access-control Dan Connolly (Monday, 2 July)
16:46:01 [Rhys]
SW: Reminds me that they don't default to port 80 if there is no port specified
16:46:11 [Rhys]
TBL: Seems like a bug to me
16:46:55 [Rhys]
SW: Seemed to be a thread encouraging commonality between POWDER methods and the set of access items
16:47:25 [Rhys]
HT: How about the TAG sending a message to the two working groups pointing out the overlap
16:47:33 [Rhys]
TBL: Usually it needs more than that
16:47:45 [Rhys]
SW: Do you have a proposal Tim?
16:48:27 [Rhys]
TBL: Well, I suppose we could respond by asking them to come back with a consistent architecture with POWDER
16:49:34 [timbl_]
It ISN'T access control
16:49:46 [timbl_]
It is declaring stuff public
16:49:49 [Rhys]
TBL: I don't think it should be called access control, either. It doesn't prevent access
16:50:02 [Rhys]
SW: Well it does, but it's client side
16:50:30 [Rhys]
TBL: It's more like access policy than access control. It's defined by a site that is giving the material away anyway
16:51:04 [Rhys]
HT: Also, browsers don't have to implement this spec. Access control feels more like server side
16:51:41 [Rhys]
SW: So I have introduction including more explanation, Dan has already written to them about the header length,
16:52:25 [Rhys]
ACTION: Stuart to write to the chairs of the working groups about the overlap
16:52:25 [trackbot-ng]
Created ACTION-3 - Write to the chairs of the working groups about the overlap [on Stuart Williams - due 2007-07-09].
16:53:03 [Rhys]
HT: Would like to see a draft before it goes. Silence means assent
16:54:18 [Rhys]
RL: Other comment was that the only normative part seemed to be within the algorithm rather than also being in some normative explanation
16:54:45 [Rhys]
Topic: httpRange-14
16:55:01 [Rhys]
SW: Energetic thread on our list about terminology
16:55:48 [ht]
q+ wrt the matter at hand
16:55:59 [ht]
q+ to comment on the matter at hand
16:56:06 [Stuart]
ack ht
16:56:06 [Zakim]
ht, you wanted to comment on the matter at hand
16:57:07 [Rhys]
HT: Noah's recent contribution goes to the heart of the matter and I think progress is being made
16:57:17 [Stuart]
wanted to add wrt to the value of an accurate record (ie. email trail)
16:57:24 [Rhys]
DC: I think there could be value in discussion
16:57:38 [Rhys]
TBL: I think that a lot of the discussion is terminology not architecture
16:59:36 [Rhys]
TBL: Access as an English word doesn't imply that it has to be used against resources as opposed to representations
17:00:08 [Rhys]
HT: I read access as meaning that if you can access it you have got your hands on it.
17:00:19 [Rhys]
TBL and DC disagree about this
17:00:28 [Stuart]
FWIW to my mind access in some sense is to provoke a response (from the resource).
17:00:35 [Rhys]
s/disagree/disagree with HT/
17:01:06 [Stuart]
q+ to note that people typically use dereference to mean GET
17:01:22 [Rhys]
TBL: Can we think of a better word than access? In any case, we just have to define a particular vocabulary
17:02:13 [Rhys]
HT: I understand. In this case, we don't use access a lot, we use dereference more. Does dereferencing a URI mean getting your hands on something?
17:02:23 [Rhys]
DC: Yes. I think it means HTTP GET
17:02:42 [Rhys]
HT: This is stronger than access
17:03:24 [DanC]
(I wish readers of the minutes good luck figuring out what "it" and "this" refer to ;-)
17:03:27 [dorchard]
dorchard has joined #tagmem
17:03:34 [Rhys]
TBL: I think that access is a good word for the relationship between the resource and the URI
17:04:16 [Rhys]
TBL: There are two routines. Look up an object, which dereferences every URI related to an object, and just dereferencing a URI
17:04:35 [Rhys]
HT: Dereference relates a URI and a representation of a resource.
17:05:33 [Rhys]
HT: I think that I can trace the confusion back to the notion that you can ever access a resource.
17:05:44 [ht]
zakim, disconnect ht
17:05:44 [Zakim]
Ht is being disconnected
17:05:58 [ht]
zakim, please call ht-781
17:05:58 [Zakim]
ok, ht; the call is being made
17:06:19 [dorchard]
I have just sent a link to updates to the versioning finding docs to
17:06:20 [Stuart]
ack s
17:06:20 [Zakim]
Stuart, you wanted to note that people typically use dereference to mean GET
17:06:31 [dorchard]
I'd like to talk to them in about ten minutes, I can dial in then.
17:06:49 [Rhys]
SW: I noted that dereference is commonly taken as synonymous with HTTP GET, and that seems to be two things.
17:07:15 [Rhys]
SW: Dereference is moving to the other end of the pointer and access is any HTTP operation
17:07:39 [DanC]
(yes, "dereference" was a poor choice of words; it's suggestive of identification as much as access.)
17:07:50 [Rhys]
HT: That's a legitimate story but is distinct from either of the other two stories. It seems to make dereference weaker than access
17:08:17 [Rhys]
TBL: Maybe we should modify the document by removing access?
17:09:00 [Rhys]
NW: I recall struggling with this when we were working on the document. We used access because we felt that it was easier to understand
17:09:19 [DanC]
q+ to suggest the httpRange-14 finding is the next place I want to get this right; filing webarch errata is moderate cost; re-issuing webarchi is high cost
17:09:37 [Rhys]
HT: It's also clear that the section the quote comes from (3.1) tries to be catholic about schemes and then moves on to HTTP
17:09:48 [Stuart]
ack dan
17:09:48 [Zakim]
DanC, you wanted to suggest the httpRange-14 finding is the next place I want to get this right; filing webarch errata is moderate cost; re-issuing webarchi is high cost
17:10:31 [Rhys]
DC: httpRange-14 is where we have a chance to get this right. I'd rather get this right in this particular finding before we think about updating the webarch document
17:10:56 [Rhys]
SW: In which case, the current working title is interesting, because it says Dereference
17:11:48 [Rhys]
SW: I think that Pat feels that dereferencing doesn't touch the resource.
17:12:07 [Rhys]
HT: I think that dereference doesn't make sense in Pat's world
17:12:26 [Rhys]
SW: He also thinks we conflate access and reference
17:12:51 [timbl_]
What could we use instead?
17:12:59 [Rhys]
DC: We don't actually use reference. The issue may be use of dereference. I don't have a suggested alternative
17:13:32 [Rhys]
HT: In Pat's vocabulary, reference is ineffable, it does not imply an operation
17:13:38 [timbl_]
q+ so dereference is the relationship between "foo" and <foo>
17:13:52 [timbl_]
q+ to say so dereference is the relationship between "foo" and <foo>
17:14:03 [Rhys]
HT: In that world, you wouldn't use dereference in the way we do in the Web at all
17:14:39 [Rhys]
HT: So the first thing we would need to do is clarify that dereference takes almost none of its meaning from the sense of reference
17:15:13 [Rhys]
HT: Denote would be an alternative to refer
17:15:35 [Rhys]
TBL: As a verb, I can refer to something using an identifier
17:16:10 [Rhys]
HT: They are related, but are different parts of speech. But they are in the same area of philosophy
17:16:25 [Rhys]
TBL: Dereference comes from programming languages
17:17:00 [Rhys]
HT: I think Noah's example of memory locations is a really good example. They can be denoted and dereferenced
17:17:37 [ht]
I would have said they denote, but they can nonetheless serve as the basis for retrieval
17:17:40 [Rhys]
Discussion about the nature of equality
17:18:14 [Rhys]
TBL: So we do use dereference in a funny way in the context of the philosophy around denote
17:18:31 [Rhys]
TBL: Would making a circles and arrows diagram be helpful
17:19:12 [Rhys]
SW: I thought you were making good progress about relating the way we use terms and the way the philosophy of language uses them
17:19:18 [Rhys]
SW: Would be good to close that
17:19:22 [ht]
Here's a picture that tried to use non-WebArch terminology to try to get clear on all this:
17:19:32 [Rhys]
HT: I will try and join this thread when I can
17:20:02 [Rhys]
HT: The diagram doesn't use web terminology
17:20:16 [Rhys]
TBL: I don't want to use this if it doesn't use web terminology
17:21:23 [Rhys]
HT: The distinction I think we need to make is between the HTML representation itself and the weather report itself.
17:21:59 [Rhys]
HT: The rendered version of the HTML that the browser displays is something that webarch doesn't seem to name
17:22:08 [DanC]
aha... found my diagram...
17:22:15 [Rhys]
HT: That's why I didn't use webarch terminology for the diagram
17:22:20 [DanC]
in particular
17:22:54 [Stuart]
ack danc
17:23:02 [ht]
Dan's picture is the same as the one in WebArch
17:23:38 [Rhys]
DC: I have a diagrams from 2003 that might be interesting.
17:24:08 [Rhys]
SW: Should we schedule more time for next week and ask Dan to walk through the diagram
17:24:29 [Rhys]
General agreement
17:25:15 [Rhys]
HT: We have some people away next week
17:25:28 [Rhys]
SW: This is the case for several weeks over the summer.
17:25:46 [Rhys]
Topic: Versioning finding
17:26:33 [Rhys]
DO: Been updating versioning finding. Items from F2F plus comments from individual TAG members. Still a few things to do
17:27:10 [Rhys]
DO: One possibility is to discuss this next week, but then I'm gone for several weeks
17:27:40 [Rhys]
DC: What's the summary of changes?
17:28:18 [Rhys]
DO: Pretty extensive changes throughout the document. Better definitions, stronger material
17:29:23 [Rhys]
SW: Happy to schedule 30 mins for next week's call for feedback and discussion. Could be that more time will be needed
17:29:46 [Rhys]
DO: Earliest after next week would be mid August.
17:30:27 [Rhys]
DC: It's worth doing if the people who had comments that were dealt with can look at the documents
17:30:47 [DanC]
(It'll help me if norm and/or stuart will send mail about versioning drafts)
17:31:08 [Norm]
(I'll send mail)
17:31:30 [Rhys]
SW: Dan suggested meeting schedule discussion. Results show three weeks in July where we are short by 4 TAG members
17:32:19 [Rhys]
SW: Question about having meetings for three weeks over the summer
17:32:39 [Rhys]
16 and 23 July and 6 August
17:33:07 [Rhys]
TBL: Could just have informal chat on IRC instead or voluntary sessions instead?
17:33:18 [Norm]
23 July, 30 July, and 6 Aug, I think
17:33:37 [Rhys]
DC: Inclined to cancel those three dates
17:33:53 [Rhys]
SW: I think we'll cancel those three meetings.
17:34:07 [Rhys]
SW: Wer
17:35:31 [Stuart]
Propose to cancel 23rd July, 30th July and 6th Aug
17:36:32 [Norm]
I thought we had resolved to cancel them?
17:37:41 [Stuart]
RRSAgent make log public
17:38:55 [Norm]
rrsagent, make logs public
17:39:39 [Rhys]
I still can't access that URI
17:40:00 [Rhys]
Bingo !
17:41:54 [Stuart]
which gets the URIs of action items right
17:49:16 [Zakim]
disconnecting the lone participant, DanC, in TAG_Weekly()12:00PM
17:49:19 [Zakim]
TAG_Weekly()12:00PM has ended
17:49:20 [Zakim]
Attendees were Rhys, Stuart, DanC, Ht, TimBL, Norm, Raman, Dave_Orchard
18:02:36 [timbl]
timbl has joined #tagmem
18:22:27 [Norm]
Norm has joined #tagmem
18:32:23 [timbl]
timbl has joined #tagmem
18:33:36 [Norm]
Norm has joined #tagmem
20:20:09 [timbl]
timbl has joined #tagmem
20:22:17 [Zakim]
Zakim has left #tagmem