17:54:34 RRSAgent has joined #tagmem
17:54:34 logging to http://www.w3.org/2008/01/10-tagmem-irc
17:54:45 zakim, this will be TAG
17:54:45 ok, Stuart; I see TAG_Weekly()1:00PM scheduled to start in 6 minutes
17:56:42 raman has joined #tagmem
17:59:20 Noah has joined #tagmem
17:59:25 TAG_Weekly()1:00PM has now started
17:59:33 +Stuart
18:00:14 zakim, please call ht-781
18:00:14 ok, ht; the call is being made
18:00:15 +Ht
18:01:37 +DanC
18:01:41 +Raman
18:02:16 +jar
18:02:24 Scribe: DanC
18:02:38 Chair: Stuart
18:02:39 +Norm
18:02:43 Meeting: TAG teleconference
18:02:50 +TimBL
18:03:04 agenda + Convene
18:03:08 Zakim, take up item 1
18:03:08 agendum 1. "Convene" taken up [from DanC]
18:03:15 +[IBMCambridge]
18:03:15 agenda + Issue binaryXML-30 (ISSUE-30)
18:03:21 agenda + Review of "Access Control for Cross-site Requests"
18:03:29 agenda + 'ping' attribute
18:03:34 timbl has joined #tagmem
18:03:35 zakim, [IBMCambridge] is me
18:03:35 +Noah; got it
18:03:35 agenda + Overdue Action items
18:03:41 agenda + Any other business??
18:03:44 Zakim, who's on the phone?
18:03:44 On the phone I see Stuart, Ht (muted), DanC, Raman, jar, Norm, TimBL, Noah
18:04:02 SKW: I see regrets TBL 24 Jan
18:04:16 close ACTION-76
18:04:16 ACTION-76 Put a bow on the Nov TAG ftf meeting record with photos in TAG blog closed
18:04:27 close ACTION-28
18:04:27 ACTION-28 draft a blog item for review and, pending creation of a TAG blog mechanism, post it. closed
18:04:29 q+ to mention agenda link
18:04:39 -> http://www.w3.org/2001/tag/2007/12/13-minutes minutes 13 Dec
18:04:40 ack ht
18:04:40 ht, you wanted to mention agenda link
18:05:08 ack henry
18:05:09 HT: I added some links to http://www.w3.org/2001/tag/ ... to rolling agenda and FTF page
18:05:22 RESOLVED: to approve minutes 13 Dec
18:05:33 Next Telcon: Propose 17th January 2008; Chair: Stuart; Scribe DaveO
18:06:16 Zakim, next item
18:06:16 agendum 2. "Issue binaryXML-30 (ISSUE-30)" taken up [from DanC]
18:06:38 ack ht
18:06:46 -> http://lists.w3.org/Archives/Public/www-tag/2007Dec/0094 Re: TAG input to EXI WG on Efficient XML Interchange and EXI Measurements [ White 20 Dec ]
18:07:39 HT: read it a while ago... my memory says the discussion is in a terminal state
18:08:17 . ACTION: Henry review [new documents?]
18:08:25 trackbot-ng, status
18:08:38 . ACTION: Henry S. review [new documents?]
18:08:52 . ACTION: ht review [new documents?]
18:09:46 ACTION: ht review EXI WDs since 20 Dec
18:09:46 Created ACTION-93 - Review EXI WDs since 20 Dec [on Henry S. Thompson - due 2008-01-17].
18:10:02 Zakim, take up item ping
18:10:02 agendum 4. "'ping' attribute" taken up [from DanC]
18:10:13 zakim, who is here?
18:10:13 On the phone I see Stuart, Ht (muted), DanC, Raman, jar, Norm, TimBL, Noah
18:10:15 On IRC I see timbl, Noah, raman, RRSAgent, Zakim, jar, Stuart, Norm, DanC, ht, trackbot-ng
18:12:13 SKW summarizes HTML 5 ping attribute
18:12:25 DC: main use case is auditing advertisement links
18:12:35 q+
18:12:50 I'm moved by Roy's arguments against that it's a bad idea.
18:12:53 TVR: what I know is mostly what was summarized... as to opinion... feels like feature creep
18:12:58 ack Dan
18:14:07 DC: my understanding is that the link auditing is widely practiced, using opaque javascript stuff, and that this is more declarative, which might allow you to turn it off easier. so I can see some benefit to a ping attribute, but I probably wouldn't miss it if it went away
18:14:56 NM: I'm sympathetic to several of the points here... the declarative win... RF suggesting the use case hasn't been studied sufficiently[?]...
18:17:08 +Dave_Orchard
18:18:59 DanC: some, e.g. JR, object to doing POST on behalf of a user who just followed a link, which is widely understood to be a safe operation
18:19:17 ("hyperlink auditing requires use of unsafe HTTP method" ISSUE-1 PINGPOST http://www.w3.org/html/wg/tracker/issues/1 )
18:20:07 TBL: use of POST is coherent in that GET might be cached and not update a counter.
18:20:49 (DanC is not convinced; it's not like the world comes to a halt if the counter doesn't get updated some small percentage of the time; the advertising industry will come up with estimates and norms to compensate.)
18:22:01 I think Tim's point is a good one, and more general than caching -- GET should be repeatable w/o serious consequence, but using GET for the ping attr value would seem to contradict that, particularly in the advertising logging case. . .
18:22:14 I wonder what other things one could get a user to do by making them ping a location as an attack
18:22:37 "When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs." -- http://www.w3.org/html/wg/html5/#hyperlink0
18:22:58 DO: I gather the design in the spec doesn't meet real-world advertising network requirements.
18:23:31 SKW reminds us that we re-opened issue whenToUseGet-7 for this issue. (ISSUE-7)
18:24:43 q+
18:25:30 ack Norm
18:25:30 ack norm
18:26:57 NDW: I also don't find any of the existing use cases compelling; I don't see why advertisers would stop using scripts that work for them
18:29:20 discussion of communication from the TAG to the HTML WG shows less than a critical mass just yet.
18:29:42 (issue 7 remains open)
18:30:08 q+
18:30:31 ack danc
18:32:40 DO: isn't there a requirements issue about this ping attribute?
18:33:03 DanC: I'm not sure... checking... no, it looks like not. (http://www.w3.org/html/wg/tracker/issues/open )
18:34:54 TVR: perhaps www-tag hasn't been invited to discuss this sufficiently
18:36:20 . ACTION: Noah invite discussion of HTML 5 ping attribute in www-tag after some review by tag members
18:36:49 ACTION: Noah invite discussion of HTML 5 ping attribute in www-tag after some review by tag members. (html WG mailing list is public-html@w3.org )
18:36:49 Created ACTION-94 - Invite discussion of HTML 5 ping attribute in www-tag after some review by tag members. (html WG mailing list is public-html@w3.org ) [on Noah Mendelsohn - due 2008-01-17].
18:37:41 NM: OK, yes, I'll bcc public-html and note that I've done so in order to avoid cross-posting
18:37:42 I will bcc: public-html, and note in the body of the email that I have done so.
18:38:02 Zakim, close this item
18:38:02 agendum 4 closed
18:38:03 I see 4 items remaining on the agenda; the next one is
18:38:04 2. Issue binaryXML-30 (ISSUE-30) [from DanC]
18:38:17 Zakim, take up item 3
18:38:17 agendum 3. "Review of "Access Control for Cross-site Requests"" taken up [from DanC]
18:38:30 Zakim, close item 2
18:38:30 agendum 2, Issue binaryXML-30 (ISSUE-30), closed
18:38:31 I see 3 items remaining on the agenda; the next one is
18:38:32 3. Review of "Access Control for Cross-site Requests" [from DanC]
18:39:32 SKW: Dave and I have sent comments on our own behalf and gotten some responses from the editor...
18:39:51 DO: the WebApp WG was chartered Nov 2005; the access control deliverable has come up since then...
18:40:16 ... the access control work started in [?another wg]. WebApp was originally chartered to work on XBL2 and the like...
18:40:47 s/?other wg/VoiceBrowser WG/ I think.
18:40:48 ... the AC hasn't been notified, nor has any requirements document been produced.
18:41:22 ... so a lot of the comments on the design are motivated by different implicit requirements
18:41:55 q+
18:41:58 ... there hasn't been a community requirements discussion
18:42:46 DO: it's a bit awkward to collaborate on this work, because it comes up just occasionally between weeks of discussion of XBL2 etc.
18:43:30 DO: my main comments: (1) the browser is effectively a policy enforcement point (PEP). Why? It seems to me that the PEP can be moved to the server side. cf work by Tyler
18:44:19 TimBL: oh really? how?
18:44:43 DO: let's not get into the details of that just now; Tyler has proposed a number of designs to meet the server-side-move requirement
18:45:35 DO: comment (2) specifying it with an algorithm is awkward; I'd rather see definitions that could be met by lots of algorithms
18:46:10 DO: comment (3) they've introduced an authorization request... a GET with a Method-check header [?]
18:47:03 ... the access control spec is silent on the body of the reply to that request [?]. this seems architecturally problematic. [scribe missed some details... involving SOAP must-understand...]
18:47:54 ... [something about HEAD and OPTIONS... ]
18:48:28 ack timbl
18:48:34 ack timb
18:48:42 q+ to point to Jon Ferraiolo's comments which support DO
18:49:37 TBL: Dave, your point on social process around implicit requirements is well made
18:49:41 q+ to comment a little on interactions with WG
18:50:46 TBL: re moving the PEP to the server side... I'm skeptical... my discussion with some mozilla developers convinced me that the browser has to enforce these policies in order to protect the user [?]
18:52:12 DO: much of this browser sandbox stuff is obscure; a colleague of mine at BEA is an expert in related security work but is struggling to get up to speed in this context
18:52:15 ack ht
18:52:16 ht, you wanted to point to Jon Ferraiolo's comments which support DO
18:52:33 http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0108.html
18:52:42 q+ about question about whether domains are relevant or just a public flag.
18:52:47 TVR: [somebody else; darn; scribe forgot already] sent comments that support DO's position about obscurity of browser sandbox model
18:54:03 q+ to say that what I learned at the W3C security workshop is that the browser sandbox models are many and changing and obscure on purpose
18:54:45 HT: I'm sympathetic to the difficulty of writing this access control spec while the browser sandbox model is obscure
18:55:14 ack s
18:55:14 Stuart, you wanted to comment a little on interactions with WG
18:55:16 ... where one would expect to write "change from X to Y" the spec has to say "change from whatever it is to Y"
18:56:18 DanC, here are the links for my action way higher up: http://www.w3.org/TR/exi-primer, http://www.w3.org/TR/exi-best-practices
18:56:26 SKW: the editor is quite responsive, but it's not clear to what extent the WG has considered our comments
18:56:35 noted, ht
18:58:05 -Ht
18:58:13 +Ht
19:00:28 q+ to say that doing things declaratively is more than editorially
19:00:47 s/editorially/editorial/
19:01:29 ack danc
19:01:29 DanC, you wanted to say that what I learned at the W3C security workshop is that the browser sandbox models are many and changing and obscure on purpose
19:01:32 ack DanC
19:02:44 ack noah
19:02:44 Noah, you wanted to say that doing things declaratively is more than editorially
19:04:11 There are comments about the way the WG has behaved, the way the document is written, and the protocol. These should be clearly separately articulated.
19:04:51 q+
19:05:31 ack Stuart
19:05:55 aren't we saying: a proper technical review requires an expression of the criteria against which to evaluate it - and this means comprehensive requirements and use cases? so tell us what you're trying to do, then we can review?
19:06:19 (as much as I don't like algorithms either, I haven't heard "more than editorial" substantiated.)
19:08:30 Here's an example of a more declarative approach to a similar spec. problem (allow/deny from apache2): http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
19:08:33 +DOrchard
19:08:40 -Dave_Orchard
19:08:56 q+ to point to apache2 and leave
19:10:06 q- ht
19:10:14 -Ht
19:13:09 q+
19:14:07 q+ to talk about role of TAG
19:14:26 ack danc
19:14:36 dorchard has joined #tagmem
19:15:50 ack noah
19:15:50 Noah, you wanted to talk about role of TAG
19:19:57 q+
19:19:59 q?
19:20:02 q+
19:20:02 From TAG charter:
19:20:03 The mission of the TAG is stewardship of the Web architecture. There are three aspects to this mission:
19:20:03 1. to document and build consensus around principles of Web architecture and to interpret and clarify these principles when necessary;
19:20:03 2. to resolve issues involving general Web architecture brought to the TAG;
19:20:03 3. to help coordinate cross-technology architecture developments inside and outside W3C.
19:20:09 ack dorchard
19:20:54 DO: while much of this is process/editorial, the choice of GET [as opposed to OPTIONs or [forgot]] is technical and architectural
19:21:01 I think that only marginally gives us special status to raise an issue like "the spec your workgroup is doing doesn't have clear requirements, and is more imperative than we think is wise in presenting certain logic"
19:21:20 s/[forgot]/HEAD/
19:21:31 (pointer to focussed comment?)
19:22:16 I see GET / HEAD / OPTIONS Anne van Kesteren (Friday, 4 January) http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0045.html
19:23:06 interesting... "One of our requirements is that you can simply put a file on the server and have it work."
19:23:11 dorchard has joined #tagmem
19:23:17 http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0092.html
19:23:49 HTTP Method for Authorization Request
19:23:50 The specification uses HTTP GET for the Authorization Request, with the
19:23:50 Method-Check HTTP Request Header. This seems an inappropriate HTTP
19:23:50 Method because the resource identified by the URI is not being
19:23:50 dereferenced, rather the intent is to retrieve either Access-Control
19:23:50 headers or the Processing Instructions. There aren't
19:23:50 in 0092, see "HTTP Method for Authorization Request"
19:23:52 clear requirements that indicate why other HTTP methods such as HEAD or
19:23:54 OPTIONS aren't used instead or in addition to. I think this is closed
19:23:56 issue #7, but I'm not sure.
19:23:58
19:24:00 Authorization Request data
19:24:02 I don't quite follow the details of Stuart and Anne's interactions on
19:24:04 this topic, but it does seem to me that the response of "Security trumps
19:24:06 purity. Not sure what else to say here." is unhelpful and almost
19:24:08 disrespectful to a very qualified reviewer. Security does not trump
19:24:10 anything, security is all about trade-offs. If it was all about
19:24:13 security, we'd have a very different world including no f2f meetings. I
19:24:14 don't see the specific issue that Stuart raised in the issues list, and
19:24:16 if it is indeed not there, it ought to
19:25:56 in http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0052.html barstow refers to ISSUE-19; I'm struggling to turn ISSUE-19 into a full URI
19:27:02 pphpht. "issue" doesn't occur on http://www.w3.org/2006/appformats/
19:33:27 -Norm
19:39:06 i need to go, but i'm not on the TAG... bye
19:39:16 -jar
19:39:19 yert... :-)
19:39:30 q+
19:40:13 ack tim
19:46:11 -Raman
19:46:15 -DOrchard
19:46:17 -Stuart
19:46:26 -Noah
20:10:36 -TimBL
20:15:36 disconnecting the lone participant, DanC, in TAG_Weekly()1:00PM
20:15:38 TAG_Weekly()1:00PM has ended
20:15:40 Attendees were Stuart, Ht, DanC, Raman, jar, Norm, TimBL, Noah, Dave_Orchard, DOrchard
20:22:52 noah2 has joined #tagmem
20:28:41 jar has joined #tagmem
20:28:47 jar has left #tagmem