20:01:59 <RRSAgent> RRSAgent has joined #waf
20:01:59 <RRSAgent> logging to http://www.w3.org/2008/01/30-waf-irc
20:02:01 <trackbot-ng> RRSAgent, make logs member
20:02:01 <Zakim> Zakim has joined #waf
20:02:03 <trackbot-ng> Zakim, this will be WAF
20:02:03 <Zakim> ok, trackbot-ng; I see IA_WAF()3:00PM scheduled to start 2 minutes ago
20:02:04 <trackbot-ng> Meeting: Web Application Formats Working Group Teleconference
20:02:04 <trackbot-ng> Date: 30 January 2008
20:02:25 <ArtB> Chair: Art
20:02:31 <ArtB> Scribe: Art
20:02:37 <ArtB> ScribeNick: ArtB
20:02:48 <ArtB> Agenda: http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0305.html
20:03:21 <Zakim> IA_WAF()3:00PM has now started
20:03:28 <Zakim> + +1.781.993.aaaa
20:03:30 <tlr> zakim, call thomas-781
20:03:30 <Zakim> ok, tlr; the call is being made
20:03:32 <Zakim> +Thomas
20:03:37 <ArtB> zakim, aaaa is ArtB
20:03:37 <Zakim> +ArtB; got it
20:03:50 <shepazu> shepazu has joined #waf
20:04:12 <dorchard> dorchard has joined #waf
20:04:55 <sicking> sicking has joined #waf
20:05:05 <Zakim> +Dave_Orchard
20:05:20 <Zakim> +[Mozilla]
20:05:25 <sicking> Zakim, mozilla is me
20:05:25 <Zakim> +sicking; got it
20:06:57 <anne> Zakim, passcode?
20:06:57 <Zakim> the conference code is 9231 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), anne
20:07:28 <Zakim> +??P11
20:07:52 <ArtB> Present: Art, Anne, Dave, Thomas, Jonas, Hixie (IRC)
20:08:01 <ArtB> Topic: Review Agenda
20:08:10 <ArtB> AB: reserve 5 mins for AOB
20:08:29 <ArtB> Topic: Requirements and UCs
20:08:52 <tlr> tlr has changed the topic to: http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0236.html
20:08:57 <tlr> argh
20:09:12 <tlr> tlr has changed the topic to: http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0305.html
20:09:19 <tlr> sorry
20:09:23 <tlr> zakim, I am thomas
20:09:23 <Zakim> ok, tlr, I now associate you with Thomas
20:09:24 <tlr> zakim, mute me
20:09:24 <Zakim> Thomas should now be muted
20:10:51 <ArtB> AB: no comments on 2, 5, 7, 8, 11
20:11:07 <ArtB> AB: comments on 1, 3, 4, 6, 9, 10, 12
20:11:31 <ArtB> AB: not sure about #13
20:11:38 <ArtB> JS: I made comments on #13
20:11:53 <ArtB> AvK: I've addressed those comments
20:12:52 <ArtB> AB: propose we record agreement on 2, 5, 7, 8, 11 and 13
20:12:54 <ArtB> AB: OK?
20:13:05 <ArtB> DO: not sure everyone has reviewed them
20:14:04 <ArtB> AB: we've had two weeks now and in this agenda and the last I asked people to submit comments in advance of the meeting
20:14:49 <ArtB> JS: I didn't receive many replies, mostly from Art
20:14:52 <dorchard> DO: I'm worried that people have reviewed some of the requirements and their conversations are focused on those, not on all.
20:15:13 <ArtB> AB: propose we recored agreement on 2, 5, 7, 8, 11 and 13
20:15:21 <dorchard> DO: so the concern is that the absence of discussion isn't consensus.
20:15:34 <tlr> zakim, unmute me
20:15:34 <Zakim> Thomas should no longer be muted
20:15:40 <ArtB> AB: any objections?
20:15:51 <ArtB> TR: I want to remove #13 since it has been removed
20:16:00 <tlr> s/removed/changed/
20:16:17 <ArtB> DO: wonder about #5; think it was bundled in other conversations
20:16:31 <tlr> q+
20:16:53 <ArtB> JS: Jon may have had a counter-proposal for #5
20:17:27 <ArtB> DO: I don't object to the others but not #5
20:17:54 <ArtB> TR: I have some concenrs about #5 too but mostly editorial
20:18:21 <sicking> http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0250.html
20:18:22 <ArtB> AB: propose we record agreement on 2, 7, 8, 11
20:18:28 <sicking> contains feedback to 5
20:18:30 <Hixie> could i ask a quick process question? what happens if we can't get consensus on these requirements?
20:18:33 <tlr> I *think* number 5 means "mechanism MUST apply to any media type". If that's the case, that's great, but I'd like the text to read that way
20:18:44 <ArtB> AB: any objections to that proposal?
20:18:48 <ArtB> [No objections]
20:19:19 <ArtB> RESOLUTION: requirements 2, 7, 8, 11 have agreement
20:19:37 <ArtB> AB: then we keep trying to get consensus
20:19:49 <ArtB> Topic: Requirement #1
20:20:07 <anne> "then we keep trying to get consensus" was a reply from Art to Hixie's question
20:20:09 <Hixie> so i could block progress indefinitely by simply never allowing consensus to form?
20:21:12 <ArtB> TR: I'm looking at a Jan 22 version
20:22:08 <ArtB> AvK: I don't want to revise requirements text; I don't want to do this
20:24:24 <ArtB> ... now but via e-mail
20:24:38 <ArtB> AB: I don't think we are getting closure via e-mail 
20:25:32 <ArtB> TR: re 1.1., authentication isn't the issue but Authorization is
20:25:53 <tlr> Some servers authorize any requests that can reach the server.
20:27:44 <ArtB> TR: also have a problem with the last paragraph in 1.1 but I can take that to e-mail
20:27:46 <tlr> "Although anyone..." includes somewhat inaccurate diagnosis of current state; happy to take that to e-mail
20:27:57 <ArtB> ACTION: Thomas submit an input for requirement 1.1
20:27:58 <trackbot-ng> Created ACTION-158 - Submit an input for requirement 1.1 [on Thomas Roessler - due 2008-02-06].
20:28:07 <tlr> "Should not be possible to issue..." -- motivate with UPNP
20:28:21 <ArtB> TR: I can supply an input for 1.2
20:28:27 <Hixie> due feb 6th?
20:28:30 <Hixie> that's a week from now!
20:28:36 <ArtB> ACTION: Thomas submit an input for requirement 1.2
20:28:37 <trackbot-ng> Created ACTION-159 - Submit an input for requirement 1.2 [on Thomas Roessler - due 2008-02-06].
20:28:59 <ArtB> DO: re 1.2, I thought the Atom people had objected to that requirement
20:29:02 <tlr> DO: atom folks objected against that one?
20:29:04 <tlr> q+
20:29:09 <tlr> hixie, that's the default due date
20:29:40 <tlr> this one needs to say "should not be possible to issue unauthorized cross-site POST"...
20:29:45 <ArtB> JS: I think we need to qualify 1.2
20:30:12 <ArtB> [missed JS' explicit proposal to append a qualification to 1.2]
20:30:59 <Hixie> wait now we're arguing about the precise _wording_ of these requirements?!
20:31:11 <Hixie> good lord
20:31:55 <anne> What was minuted above about me is not true. I said that I don't want to be the author of the requirements. I'm fine with editing. I also objected to discussing the requirement text and discussing comments on requirements already posted to the mailing list.
20:32:20 <Hixie> i also object to discussing the requirements at this point
20:32:28 <Hixie> it's months past the time to discuss requirements
20:32:31 <dorchard> It should not be possible to cross site non-safe operations priort to an authorization check performed.
20:33:02 <Hixie> all we're doing is delaying the specs that depend on this
20:33:48 <anne> I'd also like to point out that I can't actually edit the document while being on the call and that all detailed sugestions have not at all been minuted! It would be much better if people actually e-mail the list.
20:34:24 <anne> So all tlr's comments are lost.
20:34:32 <ArtB> AB: we can delete 1.2; we could assign someone to "champion it"
20:34:45 <dorchard> Proposal: It should not be possible to perform cross-site non-safe (in HTTP, POST/PUT/DELETE) operations prior to an authorization check being performed
20:34:45 <ArtB> DO: I made a proposal
20:35:35 <ArtB> osal #2
20:35:35 <anne> (I'm not trying to attack the minutetaker fwiw, just saying that this doesn't really work.)
20:36:12 <ArtB> DO: I made proposal #2
20:36:50 <tlr> tlr: let's go with DO's rpoposal, modulo minor wordsmithing on list
20:36:54 <ArtB> TR: I can live with David's #2 proposal modulo some word smitthing
20:36:58 <tlr> close ACTION-159
20:36:58 <trackbot-ng> ACTION-159 Submit an input for requirement 1.2 closed
20:37:09 <ArtB> JS: I'm OK with David's #2 proposal
20:37:15 <Hixie> i do not agree with that proposal
20:37:23 <Hixie> because i do not believe we should be discussing this in the first place
20:38:33 <ArtB> Hixie, if you want to participate in this meeting please join the voice conference
20:38:44 <Hixie> i do not have access to a phone here
20:39:00 <Hixie> (literally the closest phone to here is about 35 minutes away)
20:40:16 <ArtB> AB: can you make the sub-bullet's numbered?
20:40:26 <ArtB> AvK: if you send me an e-mail requesting so
20:40:45 <ArtB> ACTION: barstow submit a request to get the subbullets numbered
20:40:45 <trackbot-ng> Created ACTION-160 - Submit a request to get the subbullets numbered [on Arthur Barstow - due 2008-02-06].
20:41:04 <ArtB> Topic: Requirement 3
20:42:05 <ArtB> TR: I think there are typical configs that require root privs
20:42:19 <ArtB> ... should be worded in a positive way rather than negative
20:42:52 <ArtB> ... We need to know the capabilities that are needed for the policy deployer
20:43:06 <ArtB> ... As worded, it doesn't help us at all.
20:43:33 <ArtB> ... Also wonder if this is for XML only content or other content too
20:43:52 <sicking> sorry on, phone
20:43:59 <tlr> zakim, unmute sicking
20:43:59 <Zakim> sicking was not muted, tlr
20:45:01 <ArtB> AB: Jonas, any comments I think you are the author
20:45:46 <ArtB> JS: I can come up with a proposal; hope we don't get a bunch of additional feedback
20:46:00 <ArtB> DO: yes, "typical" here is too open
20:46:20 <ArtB> ACTION: Jonas submit a proposal for req #3
20:46:20 <trackbot-ng> Created ACTION-161 - Submit a proposal for req #3 [on Jonas Sicking - due 2008-02-06].
20:46:26 <tlr> same applies to 4
20:46:34 <ArtB> Topic: Requirement #4
20:48:15 <ArtB> AvK: I made a mistake in my response to TR and I will follow-up on e-mail
20:48:50 <ArtB> TR: this also talks about "typical" 
20:48:52 <Lachy> Lachy has joined #waf
20:49:19 <Lachy> Lachy has joined #waf
20:49:21 <ArtB> ... prefer to have it worded in a positive way rather than a list of negative things
20:49:32 <ArtB> DO: I tend to agree with TR
20:50:06 <tlr> avk: I agree that req 4 is about XML stuff, won't propose new text
20:50:29 <ArtB> AB: is anyone willing to champion this requirement?
20:50:58 <ArtB> ... we could delete it
20:51:23 <ArtB> JS: we could change "typical" to Apache
20:51:46 <ArtB> TR: not clear what the real req is
20:52:26 <ArtB> DO: agree this req is not clear
20:52:42 <ArtB> AvK: why do we need to be so precise?
20:53:06 <ArtB> DO: we will continue to have ambiguity if the reqs aren't clear
20:53:16 <tlr> as phrased, I think it means "to be able to authorize cross-origin access to the content of an XML file that's served, it should be sufficient to be able to write to that XML file"
20:53:25 <tlr> If that's not what it means, I'd like to understand *what* it means.
20:53:29 <ArtB> JS: I can propose a rewording I think will be helpful
20:53:42 <dorchard> right, tlr, I think that's close..
20:53:53 <sicking> Must able to deploy support for cross-site GET requests without having to use server-side scripting (such as PHP, ASP, or CGI) on IIS and Apache. 
20:54:21 <ArtB> JS: no, that's not quite right Thomas
20:54:50 <ArtB> TR: we need an e-mail discussion on this
20:57:53 <ArtB> TR: again, think the negative list is a good way to write the requirement
20:58:08 <ArtB> AvK: but that would lead to specifying a solution
20:58:34 <ArtB> JS: I don't want to force people to have to write programs to use this stuff
20:59:03 <dorchard> So, Thomas, you want something like: Must able to deploy support for cross-site GET requests by modifying the content of the resource or HTTP Headers.
20:59:12 <tlr> dorchard, right
20:59:29 <tlr> maybe the right answer also involves something about these things possibly being static.
20:59:29 <ArtB> ACTION: Jonas start an e-mail thread about req #4
20:59:29 <trackbot-ng> Created ACTION-162 - Start an e-mail thread about req #4 [on Jonas Sicking - due 2008-02-06].
20:59:38 <ArtB> Topic: Requirement #6
20:59:40 <tlr> I'm just very worried about "shouldn't need to program", as I might need to program in certain deployments.
21:00:15 <dorchard> I have to drop off for about 5 minutes before lunch disappears.
21:00:30 <Zakim> -Dave_Orchard
21:00:41 <ArtB> TR: needs clarification of wording
21:01:10 <ArtB> ... "on a per-resource basis" can be mis-leading
21:01:56 <tlr> "It should be possible to configure distinct cross-site authorization policies for different target resources that reside within the same origin"
21:01:58 <tlr> sth like that
21:02:23 <ArtB> AB: Jonas, are you OK with that?
21:02:45 <ArtB> JS: yes
21:03:00 <ArtB> AvK: probably
21:03:07 <ArtB> AB: OK
21:03:21 <ArtB> AB: propose we go with TR's rewording
21:03:31 <ArtB> AB: any objections?
21:03:46 <ArtB> RESOLUTION: Anne will change the wording as Thomas proposed
21:03:58 <ArtB> Topic: Requirement #9
21:04:37 <ArtB> TR: I'm uneasy talking about the adminstrator
21:05:00 <ArtB> ... should be able to override auth without changing an entity in an HTTP response
21:05:42 <ArtB> JS: not exactly
21:05:53 <ArtB> ... there are many solutions to satisfy this
21:06:39 <ArtB> ... the PI requires a deny clause
21:06:51 <DaveO> DaveO has joined #waf
21:07:20 <Zakim> +Dave_Orchard
21:07:40 <ArtB> TR: don't want to change the entity body of the HTTP response
21:09:39 <ArtB> AB: the first sentence seems like the only "normative" part
21:09:48 <ArtB> JS: second sentence is normative too
21:10:41 <tlr> Entity Body is the right one
21:10:46 <sicking> i'd be ok with "Must not require that the server filters the response body of the resource in order to deny access to all resources on the server"
21:10:56 <tlr> s/response body/entity body/
21:11:03 <sicking> or change "filters" to "modify"
21:11:27 <ArtB> AB: what do you think of that proposal?
21:11:31 <ArtB> TR: OK
21:11:34 <tlr> s/deny access/deny cross-site access/
21:11:56 <ArtB> DO: looks OK but need to think about it more
21:12:13 <ArtB> ... e.g. need to factor in the OPTIONs and non-GET discusssions
21:12:51 <ArtB> AB: propose we accept JS's new wording with the 2 substitutions
21:12:57 <ArtB> AB: any objections?
21:14:19 <ArtB> DO: don't agree to a formal resolution
21:15:33 <ArtB> JS: would like a one week on the review on any reqs that have been changed
21:15:49 <ArtB> DO: I agree
21:16:15 <ArtB> JS: need to get actions done ASAP
21:16:18 <ArtB> AB: agree!
21:16:53 <ArtB> ACTION: Anne add Jonas proposed change for Req #9 and add in the 2 substituions he proposed
21:16:53 <trackbot-ng> Created ACTION-163 - Add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [on Anne van Kesteren - due 2008-02-06].
21:17:04 <anne> Zakim, who is making noise?
21:17:08 <ArtB> Topic: Requirement #10
21:17:14 <Zakim> anne, listening for 10 seconds I heard sound from the following: ArtB (96%)
21:17:18 <anne> why didn't we discuss open issues?
21:18:00 <anne> they were also on the agenda
21:19:02 <ArtB> TR: I think we're pretty close on this
21:19:03 <DaveO> Anne, I don't think we are done agenda item #3: Requirements
21:19:04 <anne> ArtB?
21:20:22 <ArtB> ACTION: Thomas submit a proposed edit for Req #10
21:20:23 <trackbot-ng> Created ACTION-164 - Submit a proposed edit for Req #10 [on Thomas Roessler - due 2008-02-06].
21:21:55 <ArtB> Topic: Requirement #12
21:22:42 <ArtB> TR: issue with requests coming from other servers
21:22:49 <ArtB> ... also issue with IIS
21:23:03 <ArtB> ... think we need to say less actually
21:23:19 <ArtB> JS: agree but informative example could be useful
21:24:05 <tlr> req 12: Should be compatible with commonly used HTTP authentication and session management mechanisms
21:24:34 <tlr> (i.e., HTTP authentication and cookies)
21:25:06 <ArtB> ACTION: Jonas submit a new proposal for req #12 reflecting Thomas' proposal
21:25:06 <trackbot-ng> Created ACTION-165 - Submit a new proposal for req #12 reflecting Thomas' proposal [on Jonas Sicking - due 2008-02-06].
21:25:42 <sicking> I.e. on an IIS server where authentication and session management is generally done by the server before ASP pages execute this should be doable also for requests coming from cross-site requests. Same thing applies to PHP on Apache. 
21:25:49 <ArtB> Topic: Requirement #13
21:26:00 <ArtB> TR: this needs more review
21:26:16 <ArtB> ... it is totally different than it was one week ago
21:27:12 <ArtB> Topic: AOB
21:27:20 <ArtB> AB: call next week
21:27:38 <ArtB> TR: I cannot attend next week
21:27:49 <DaveO> I can make next week
21:28:01 <ArtB> AB: meet anyhow?
21:28:10 <ArtB> DO: what about Hixie?
21:29:09 <tlr> myabe send an agen
21:29:16 <tlr> s/myabe send an agen//
21:29:17 <ArtB> AB: let's plan to have a call next week
21:29:35 <ArtB> TR: make sure Mike can be on the call
21:29:38 <ArtB> AB: good point
21:29:50 <ArtB> ACTION: barstow make sure Mike Smith can attend next week's call
21:29:50 <trackbot-ng> Created ACTION-166 - Make sure Mike Smith can attend next week's call [on Arthur Barstow - due 2008-02-06].
21:30:04 <Hixie> DaveO: my opinion is that these telecons are a waste of time.
21:30:07 <ArtB> AB: meeting adjourned
21:30:13 <Zakim> -sicking
21:30:14 <Zakim> -??P11
21:30:14 <Zakim> -Dave_Orchard
21:30:16 <Zakim> -ArtB
21:30:17 <Zakim> -Thomas
21:30:18 <Zakim> IA_WAF()3:00PM has ended
21:30:20 <Zakim> Attendees were +1.781.993.aaaa, Thomas, ArtB, Dave_Orchard, sicking
21:30:28 <ArtB> rrsagent, make logs public
21:30:33 <ArtB> rrsagent, make minutes
21:30:33 <RRSAgent> I have made the request to generate http://www.w3.org/2008/01/30-waf-minutes.html ArtB
22:00:29 <ArtB> excellent!
22:00:53 <ArtB> zakim, bye
22:00:53 <Zakim> Zakim has left #waf
22:00:59 <ArtB> rrsagent, bye
22:00:59 <RRSAgent> I see 9 open action items saved in http://www.w3.org/2008/01/30-waf-actions.rdf :
22:00:59 <RRSAgent> ACTION: Thomas submit an input for requirement 1.1 [1]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T20-27-57
22:00:59 <RRSAgent> ACTION: Thomas submit an input for requirement 1.2 [2]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T20-28-36
22:00:59 <RRSAgent> ACTION: barstow submit a request to get the subbullets numbered [3]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T20-40-45
22:00:59 <RRSAgent> ACTION: Jonas submit a proposal for req #3 [4]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T20-46-20
22:00:59 <RRSAgent> ACTION: Jonas start an e-mail thread about req #4 [5]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T20-59-29-1
22:00:59 <RRSAgent> ACTION: Anne add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [6]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T21-16-53
22:00:59 <RRSAgent> ACTION: Thomas submit a proposed edit for Req #10 [7]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T21-20-22
22:00:59 <RRSAgent> ACTION: Jonas submit a new proposal for req #12 reflecting Thomas' proposal [8]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T21-25-06
22:00:59 <RRSAgent> ACTION: barstow make sure Mike Smith can attend next week's call [9]
22:00:59 <RRSAgent>   recorded in http://www.w3.org/2008/01/30-waf-irc#T21-29-50