15:37:26 RRSAgent has joined #tagmem
15:37:26 logging to http://www.w3.org/2007/07/02-tagmem-irc
15:46:09 Norm, DanC -- can you read www-tag online OK? My browser is hanging...
15:48:44 Yes, works fine for me, ht
15:50:01 Nope, still stuck -- nslookup lists.w3.org is 128.30.52.16 for me -- you too?
15:50:38 Stuart has joined #tagmem
15:51:55 Yep, for me too, ht
15:52:32 Stuart, can you see www-tag OK? Specifically, http://lists.w3.org/Archives/Public/www-tag/2007Jun/ ?
15:54:39 DanC has changed the topic to: TAG 2 July http://www.w3.org/2001/tag/tag-weekly scribe: Raman
15:58:08 TAG_Weekly()12:00PM has now started
15:58:15 +Rhys
15:58:30 Rhys has joined #tagmem
15:58:36 +??P2
15:58:39 -Rhys
15:58:40 +Rhys
15:58:55 zakim, ??p2 is me
15:58:55 +Stuart; got it
16:00:55 +DanC
16:02:26 zakim, please call ht-781
16:02:26 ok, ht; the call is being made
16:02:29 +Ht
16:03:18 (reviewing agenda, it occurs to me that for "Enabling Read Access...", it would have been nice to have that in the same meeting as passwords-in-the-clear, in that they're security-related.)
16:03:19 +TimBL
16:04:43 scribenick: Rhys
16:05:01 Topic: Convene
16:05:18 +Norm
16:05:19 Stuart reviews the agenda and claims it could be a short meeting
16:05:45 DC: Confirms he can scribe for next week
16:06:13 Stuart asks for AOB and requests agenda items for next week
16:06:35 DC: Do you send the agenda at end of day on Friday?
16:06:45 SW: Yes
16:06:53 DC: Would be good to have additional time
16:07:02 SW: We'll talk offline
16:07:14 SW: Proposese that last week's minutes are ok
16:07:36 s/sese/ses/
16:07:39 timbl_ has joined #tagmem
16:07:39 SW: Proposes minutes - hearing no objections, resolved to accept
16:07:44 +Raman
16:08:06 Topic: Review request for Enabling Read Access for Web Resources
16:08:06 raman has joined #tagmem
16:08:11 DanC has changed the topic to: TAG 2 July http://www.w3.org/2001/tag/tag-weekly scribe: Rhys
16:09:31 -> http://lists.w3.org/Archives/Public/public-appformats/2007May/0060.html No path in access item, etc. Tim Berners-Lee (Monday, 21 May)
16:10:00 http://lists.w3.org/Archives/Public/www-tag/2007Jun/0145.html
16:12:00 DC: Thinks that lack of distinction between resource and representations is not a problem
16:12:09 HT: Thinks it might be
16:13:14 (it's not a problem that shows up in the way software behaves, that is.)
16:13:43 q+
16:14:02 ack timbl
16:14:31 TBL: You write a script to access data from behind a firewall and it can do it because it's a browser
16:15:13 HT: Help me out with this example. I download a page from a known site A. Script on that page accesses a document somewhere else
16:15:51 HT: Right now, the same-domain access rules don't allow that.
16:16:39 HT: Seems that this opens up a hole that causes me to lose protection. Right now, no resources can be accessed that are outside a site
16:17:07 TBL: This is not to prevent damage to your machine.
16:17:32 DC: Tim, can you acknowledge that Henry's example causes increased risk?
16:18:49 DC: Script changes on site A to grab data from a 'bad' site B. Right now that can't happen. But if this spec is adopted, site B can simply define that the resource can be used by anyone and the cross-domain protection is lost.
16:19:27 TBL: The main reason for the cross-domain restriction was to protect information behind firewalls
16:20:01 HT: Then I accept that this specification does have that effect
16:20:31 DC: It may be that that was the original motivation, but there is a side effect that the restriction would help in the case where a site has been compromised
16:21:11 TBL: but then if the site is compromised it could do anything it wants, and there are other mechanisms that could be employed by the 'bad guys'
16:21:15 XSS is the common acronym for Cross Site Scripting
16:21:23 HT: It's called cross site scripting
16:21:27 which is what the cross-domain restriction prevents
16:21:52 (I find http://en.wikipedia.org/wiki/Cross-site_scripting ; the first hit I found was http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0240 )
16:22:12 HT: I just searched and found a discussion about whether or not the restriction should be maintained for xmlhttprequest
16:22:50 NW: I think that TBL is correct. The danger is that a script can get information from confidential sites.
16:23:11 NW: It wasn't a vector for viruses, it was a vector for identity theft.
16:23:54 HT: Ok, so in that case I understand. Is it apparent that this is the case from the spec?
16:24:34 RL: I don't think that the motivation is clear from the spec, nor is the mechanism
16:24:36 q+ to say that the spec needs a summary of the attack in the intro
16:24:46 SW: There is a section in the spec where this might live
16:24:55 ack tim
16:24:55 timbl_, you wanted to say that the spec needs a summary of the attack in the intro
16:24:59 (re "that's not a TAG comment per se", I'm increasingly of the opinion that the TAG is, while perhaps not presently filled with security experts, in the best position to deal with security issues in W3C specs, as they tend to be cross-WG issues)
16:25:15 HT: I think that my concern is not a TAG concern, but is one that I may respond with
16:25:21 q+
16:25:30 ack danc
16:25:49 TBL: I think that the introduction does need explanation of the attacks that are being considered
16:26:41 DC: You may ask, but they may not respond because typically people don't document the things against which they are providing protection
16:26:55 SW: Is it worth asking?
16:27:13 DC: I'd like to see it, but I'm not sure they'll provide it.
16:27:53 SW: I was expecting something different. It seemed the other way around.
16:28:06 q+ to note that public must be a very large proportion and should be optimized for
16:28:10 SW: It was a better design than I expected
16:28:12 ack tim
16:28:12 timbl_, you wanted to note that public must be a very large proportion and should be optimized for
16:28:59 TBL: The document has a mechanism that says scripts from a particular set of domains can access content
16:29:15 Content-Access-Control: allow *
16:29:17 TBL: I've been thinking about what it means for public documents.
16:29:30 HT: The access should be * shouldn't it?
16:29:33 q+ to ask if any HTTP headers are in this design
16:29:45 TBL: People know what I think about PIs
16:30:16 TBL: I think the HTTP system is superior. A test would be to ask the W3C webmaster to implement it.
16:30:25 HT: I think it's bizarre
16:30:28 ack danc
16:30:28 DanC, you wanted to ask if any HTTP headers are in this design
16:30:49 DC: Is there an HTTP header?
16:31:05 q+ to 2nd DC in part
16:31:06 DC: The name is much too long.
16:31:45 TBL: I will ask the W3C webmaster to put this on every W3C public document.
16:33:07 SW: Aside from Rhys' comments, I noted two other comments. Header name too long, and request to explain why the mechanism is secure
16:33:44 HT: I think TBL is right and that it needs to be in the introduction.
16:33:57 DC: But there is text in the introduction about this
16:34:19 ("threat model" is the term of art, I think)
16:34:30 TBL: That doesn't explain the particular situation covered by the spec
16:35:14 q?
16:35:15 HT: I would not be happy if the header name were to be just CAC, rather than Content-Access-Control
16:35:19 ack ht
16:35:19 ht, you wanted to 2nd DC in part
16:35:38 DC: There is a critical difference between requests that fit into one packet and those that need more
16:36:02 HT: But we're only talking about responses here
16:36:34 TBL: From the point of view of the IETF community, could we point to something about the volume of HTTP traffic?
16:36:57 TBL: Could be traffic implications and cost, for people who pay for their traffic
16:37:18 DC: TE (transfer encoding) is a precedent for short names
16:37:48 SW: seems as though the point I made on feedback fell apart. Can someone summarise?
16:38:02 TBL: Do we have consensus that the intro could do with explanation?
16:38:07 Generally - Yes
16:38:49 DC: I'll follow up with comments on the header thing
16:38:52 (one in RDF?)
16:39:27 HT: We now have two different ways of making assertions about sets of URIs. One is regular expression-like and one uses RDF
16:39:33 (ah... overlap with POWDER. quite.)
16:40:02 q+ To argue the importance of NOT using full regexp, but prefixes where possible
16:40:14 HT: If these are a compact syntax and an expanded syntax for the same thing, it would be better if they were compatible
16:40:26 DC: Should ask POWDER WG to review the spec.
16:41:18 q?
16:41:27 TBL: POWDER is tackling the general question. So asking WAF to ask POWDER to provide a simple form of the expressions could be one approach
16:41:46 HT: What about asking WAF to use POWDER
16:42:36 ack tim
16:42:36 timbl_, you wanted to argue the importance of NOT using full regexp, but prefixes where possible
16:42:44 TBL: I've thought about putting the POWDER approach into code. Whenever you access a URI, you need to check whether it is covered by rules like this
16:43:05 TBL: Have wondered about asking POWDER about constraints based on prefixes
16:43:35 TBL: For this, the domain names are the wrong way around
16:43:51 TVR: You need the Java package name approach
16:44:20 TBL: Yes, if the check was against the reversed domain name as a prefix
16:44:36 TVR: This would be ok as long as you don't treat the URI as simply a string
16:45:12 s/asking WAF to use POWDER/asking WAF to use POWDER to define the semantics of their patterns/
16:45:41 TBL: When you do something like this then it can speed up the look ups
16:46:01 SW: Reminds me that they don't default to port 80 if there is no port specified
16:46:11 TBL: Seems like a bug to me
16:46:55 SW: Seemed to be a thread encouraging commonality between POWDER methods and the set of access items
16:47:25 HT: How about the TAG sending a message to the two working groups pointing out the overlap
16:47:33 TBL: Usually it needs more than that
16:47:45 SW: Do you have a proposal, Tim?
16:48:27 TBL: Well, I suppose we could respond by asking them to come back with a consistent architecture with POWDER
16:49:34 It ISN'T access control
16:49:46 It is declaring stuff public
16:49:49 TBL: I don't think it should be called access control, either. It doesn't prevent access
16:50:02 SW: Well it does, but it's client side
16:50:30 TBL: It's more like access policy than access control. It's defined by a site that is giving the material away anyway
16:51:04 HT: Also, browsers don't have to implement this spec. Access control feels more like server side
16:51:41 SW: So I have introduction including more explanation, Dan has already written to them about the header length,
16:52:25 ACTION: Stuart to write to the chairs of the working groups about the overlap
16:52:25 Created ACTION-3 - Write to the chairs of the working groups about the overlap [on Stuart Williams - due 2007-07-09].
16:53:03 HT: Would like to see a draft before it goes. Silence means assent
16:54:18 RL: Other comment was that the only normative part seemed to be within the algorithm rather than also being in some normative explanation
16:54:45 Topic: httpRange-14
16:55:01 SW: Energetic thread on our list about terminology
16:55:48 q+ wrt the matter at hand
16:55:59 q+ to comment on the matter at hand
16:56:06 ack ht
16:56:06 ht, you wanted to comment on the matter at hand
16:57:07 HT: Noah's recent contribution goes to the heart of the matter and I think progress is being made
16:57:17 wanted to add wrt to the value of an accurate record (i.e. email trail)
16:57:24 DC: I think there could be value in discussion
16:57:38 TBL: I think that a lot of the discussion is terminology not architecture
16:58:47 q?
16:59:36 TBL: Access as an English word doesn't imply that it has to be used against resources as opposed to representations
17:00:08 HT: I read access as meaning that if you can access it you have got your hands on it.
17:00:19 TBL and DC disagree about this
17:00:28 FWIW to my mind access in some sense is to provoke a response (from the resource).
17:00:35 s/disagree/disagree with HT/
17:00:46 q+
17:01:06 q+ to note that people typically use dereference to mean GET
17:01:22 TBL: Can we think of a better word than access? In any case, we just have to define a particular vocabulary
17:02:13 HT: I understand. In this case, we don't use access a lot, we use dereference more. Does dereferencing a URI mean getting your hands on something?
17:02:23 DC: Yes. I think it means HTTP GET
17:02:42 HT: This is stronger than access
17:03:24 (I wish readers of the minutes good luck figuring out what "it" and "this" refer to ;-)
17:03:27 dorchard has joined #tagmem
17:03:34 TBL: I think that access is a good word for the relationship between the resource and the URI
17:04:16 TBL: There are two routines. Look up an object, which dereferences every URI related to an object, and just dereferencing a URI
17:04:35 HT: Dereference relates a URI and a representation of a resource.
17:05:14 q?
17:05:33 HT: I think that I can trace the confusion back to the notion that you can ever access a resource.
17:05:44 zakim, disconnect ht
17:05:44 Ht is being disconnected
17:05:45 -Ht
17:05:58 zakim, please call ht-781
17:05:58 ok, ht; the call is being made
17:06:00 +Ht
17:06:19 I have just sent a link to updates to the versioning finding docs to tag@w3.org
17:06:20 ack s
17:06:20 Stuart, you wanted to note that people typically use dereference to mean GET
17:06:31 I'd like to talk to them in about ten minutes, I can dial in then.
17:06:49 SW: I noted that dereference is commonly taken as synonymous with HTTP GET, and that seems to be two things.
17:07:15 SW: Dereference is moving to the other end of the pointer and access is any HTTP operation
17:07:24 q?
17:07:39 (yes, "dereference" was a poor choice of words; it's suggestive of identification as much as access.)
17:07:50 HT: That's a legitimate story but is distinct from either of the other two stories. It seems to make dereference weaker than access
17:08:17 TBL: Maybe we should modify the document by removing access?
17:08:43 q?
17:09:00 NW: I recall struggling with this when we were working on the document. We used access because we felt that it was easier to understand
17:09:15 http://images.google.com/images?q=awww&hl=en&client=safari&rls=en&um=1&sa=X&oi=images&ct=title
17:09:19 q+ to suggest the httpRange-14 finding is the next place I want to get this right; filing webarch errata is moderate cost; re-issuing webarch is high cost
17:09:37 HT: It's also clear from the section the quote comes from (3.1) that it tries to be catholic about schemes and then moves on to HTTP
17:09:48 ack dan
17:09:48 DanC, you wanted to suggest the httpRange-14 finding is the next place I want to get this right; filing webarch errata is moderate cost; re-issuing webarch is high cost
17:10:31 DC: httpRange-14 is where we have a chance to get this right. I'd rather get this right in this particular finding before we think about updating the webarch document
17:10:56 SW: In which case, the current working title is interesting, because it says Dereferene
17:11:13 s/Deferene/Dereference/
17:11:48 SW: I think that Pat feels that dereferencing doesn't touch the resource.
17:12:07 HT: I think that dereference doesn't make sense in Pat's world
17:12:26 SW: He also thinks we conflate access and reference
17:12:51 What could we use instead?
17:12:59 DC: We don't actually use reference. The issue may be use of dereference.
I don't have a suggested alternative
17:13:32 HT: In Pat's vocabulary, reference is ineffable, it does not imply an operation
17:13:38 q+ so dereference is the relationship between "foo" and
17:13:52 q+ to say so dereference is the relationship between "foo" and
17:14:03 HT: In that world, you wouldn't use dereference in the way we do in the Web at all
17:14:39 HT: So the first thing we would need to do is clarify that dereference takes almost none of its meaning from the sense of reference
17:15:03 q?
17:15:13 HT: Denote would be an alternative to refer
17:15:35 TBL: As a verb, I can refer to something using an identifier
17:16:10 HT: They are related, but are different parts of speech. But they are in the same area of philosophy
17:16:25 TBL: Dereference comes from programming languages
17:17:00 HT: I think Noah's example of memory locations is a really good example. They can be denoted and dereferenced
17:17:37 I would have said they denote, but they can nonetheless serve as the basis for retrieval
17:17:40 Discussion about the nature of equality
17:18:14 TBL: So we do use dereference in a funny way in the context of the philosophy around denote
17:18:31 TBL: Would making a circles and arrows diagram be helpful?
17:19:12 SW: I thought you were making good progress about relating the way we use terms and the way the philosophy of language uses them
17:19:18 SW: Would be good to close that
17:19:21 +Dave_Orchard
17:19:22 Here's a picture that tried to use non-WebArch terminology to try to get clear on all this: http://www.cogsci.ed.ac.uk/~ht/webpropernames/img2.png
17:19:32 HT: I will try and join this thread when I can
17:20:02 HT: The diagram doesn't use web terminology
17:20:16 TBL: I don't want to use this if it doesn't use web terminology
17:21:23 HT: The distinction I think we need to make is between the HTML representation itself and the weather report itself.
17:21:59 HT: The rendered version of the HTML that the browser displays is something that webarch doesn't seem to name
17:22:08 aha... found my diagram... http://www.w3.org/2001/tag/fdesc54/
17:22:15 HT: That's why I didn't use webarch terminology for the diagram
17:22:20 in particular http://www.w3.org/2001/tag/fdesc54/slides.html
17:22:21 q+
17:22:26 q-
17:22:54 ack danc
17:23:02 Dan's picture is the same as the one in WebArch
17:23:38 DC: I have diagrams from 2003 that might be interesting.
17:24:08 SW: Should we schedule more time for next week and ask Dan to walk through the diagram?
17:24:29 General agreement
17:25:15 HT: We have some people away next week
17:25:28 SW: This is the case for several weeks over the summer.
17:25:46 Topic: Versioning finding
17:26:33 DO: Been updating versioning finding. Items from F2F plus comments from individual TAG members. Still a few things to do
17:27:10 DO: One possibility is to discuss this next week, but then I'm gone for several weeks
17:27:40 DC: What's the summary of changes?
17:28:18 DO: Pretty extensive changes throughout the document. Better definitions, stronger material
17:29:23 SW: Happy to schedule 30 mins for next week's call for feedback and discussion. Could be that more time will be needed
17:29:46 DO: Earliest after next week would be mid August.
17:30:27 DC: It's worth doing if the people who had comments that were dealt with can look at the documents
17:30:44 -Dave_Orchard
17:30:46 "http://www.w3.org/2002/09/wbs/34270/summerAvailability2007/results"
17:30:47 (It'll help me if norm and/or stuart will send mail about versioning drafts)
17:31:08 (I'll send mail)
17:31:30 SW: Dan suggested meeting schedule discussion. Results show three weeks in July where we are short by 4 TAG members
17:32:19 SW: Question about having meetings for three weeks over the summer
17:32:39 16 and 23 July and 6 August
17:33:07 TBL: Could just have informal chat on IRC or voluntary sessions instead?
17:33:18 23 July, 30 July, and 6 Aug, I think
17:33:37 DC: Inclined to cancel those three dates
17:33:38 -Raman
17:33:47 -TimBL
17:33:53 SW: I think we'll cancel those three meetings.
17:34:07 SW: Wer
17:34:11 -Ht
17:34:13 -Norm
17:35:31 Propose to cancel 23rd July, 30th July and 6th Aug
17:36:32 I thought we had resolved to cancel them?
17:36:36 s/them?/them/
17:37:14 http://www.w3.org/2007/07/02-tagmem-irc.txt
17:37:41 RRSAgent make log public
17:38:55 rrsagent, make logs public
17:38:58 :-)
17:39:39 I still can't access that URI
17:40:00 Bingo!
17:41:32 http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
17:41:40 --minutes
17:41:54 which gets the URIs of action items right
17:44:14 -Rhys
17:44:15 -Stuart
17:49:16 disconnecting the lone participant, DanC, in TAG_Weekly()12:00PM
17:49:19 TAG_Weekly()12:00PM has ended
17:49:20 Attendees were Rhys, Stuart, DanC, Ht, TimBL, Norm, Raman, Dave_Orchard
18:02:36 timbl has joined #tagmem
18:22:27 Norm has joined #tagmem
18:32:23 timbl has joined #tagmem
18:33:36 Norm has joined #tagmem
20:20:09 timbl has joined #tagmem
20:22:17 Zakim has left #tagmem