IRC log of waf on 2008-01-30

Timestamps are in UTC.

20:01:59 [RRSAgent]
RRSAgent has joined #waf
20:01:59 [RRSAgent]
logging to http://www.w3.org/2008/01/30-waf-irc
20:02:01 [trackbot-ng]
RRSAgent, make logs member
20:02:01 [Zakim]
Zakim has joined #waf
20:02:03 [trackbot-ng]
Zakim, this will be WAF
20:02:03 [Zakim]
ok, trackbot-ng; I see IA_WAF()3:00PM scheduled to start 2 minutes ago
20:02:04 [trackbot-ng]
Meeting: Web Application Formats Working Group Teleconference
20:02:04 [trackbot-ng]
Date: 30 January 2008
20:02:25 [ArtB]
Chair: Art
20:02:31 [ArtB]
Scribe: Art
20:02:37 [ArtB]
ScribeNick: ArtB
20:02:48 [ArtB]
Agenda: http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0305.html
20:03:21 [Zakim]
IA_WAF()3:00PM has now started
20:03:28 [Zakim]
+ +1.781.993.aaaa
20:03:30 [tlr]
zakim, call thomas-781
20:03:30 [Zakim]
ok, tlr; the call is being made
20:03:32 [Zakim]
+Thomas
20:03:37 [ArtB]
zakim, aaaa is ArtB
20:03:37 [Zakim]
+ArtB; got it
20:03:50 [shepazu]
shepazu has joined #waf
20:04:12 [dorchard]
dorchard has joined #waf
20:04:55 [sicking]
sicking has joined #waf
20:05:05 [Zakim]
+Dave_Orchard
20:05:20 [Zakim]
+[Mozilla]
20:05:25 [sicking]
Zakim, mozilla is me
20:05:25 [Zakim]
+sicking; got it
20:06:57 [anne]
Zakim, passcode?
20:06:57 [Zakim]
the conference code is 9231 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), anne
20:07:28 [Zakim]
+??P11
20:07:52 [ArtB]
Present: Art, Anne, Dave, Thomas, Jonas, Hixie (IRC)
20:08:01 [ArtB]
Topic: Review Agenda
20:08:10 [ArtB]
AB: reserve 5 mins for AOB
20:08:29 [ArtB]
Topic: Requirements and UCs
20:08:52 [tlr]
tlr has changed the topic to: http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0236.html
20:08:57 [tlr]
argh
20:09:12 [tlr]
tlr has changed the topic to: http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0305.html
20:09:19 [tlr]
sorry
20:09:23 [tlr]
zakim, I am thomas
20:09:23 [Zakim]
ok, tlr, I now associate you with Thomas
20:09:24 [tlr]
zakim, mute me
20:09:24 [Zakim]
Thomas should now be muted
20:10:51 [ArtB]
AB: no comments on 2, 5, 7, 8, 11
20:11:07 [ArtB]
AB: comments on 1, 3, 4, 6, 9, 10, 12
20:11:31 [ArtB]
AB: not sure about #13
20:11:38 [ArtB]
JS: I made comments on #13
20:11:53 [ArtB]
AvK: I've addressed those comments
20:12:52 [ArtB]
AB: propose we record agreement on 2, 5, 7, 8, 11 and 13
20:12:54 [ArtB]
AB: OK?
20:13:05 [ArtB]
DO: not sure everyone has reviewed them
20:14:04 [ArtB]
AB: we've had two weeks now and in this agenda and the last I asked people to submit comments in advance of the meeting
20:14:49 [ArtB]
JS: I didn't receive many replies, mostly from Art
20:14:52 [dorchard]
DO: I'm worried that people have reviewed some of the requirements and their conversations are focused on those, not on all.
20:15:13 [ArtB]
AB: propose we record agreement on 2, 5, 7, 8, 11 and 13
20:15:21 [dorchard]
DO: so the concern is that the absence of discussion isn't consensus.
20:15:34 [tlr]
zakim, unmute me
20:15:34 [Zakim]
Thomas should no longer be muted
20:15:40 [ArtB]
AB: any objections?
20:15:51 [ArtB]
TR: I want to remove #13 since it has been removed
20:16:00 [tlr]
s/removed/changed/
20:16:17 [ArtB]
DO: wonder about #5; think it was bundled in other conversations
20:16:31 [tlr]
q+
20:16:53 [ArtB]
JS: Jon may have had a counter-proposal for #5
20:17:27 [ArtB]
DO: I don't object to the others but not #5
20:17:54 [ArtB]
TR: I have some concerns about #5 too but mostly editorial
20:18:21 [sicking]
http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0250.html
20:18:22 [ArtB]
AB: propose we record agreement on 2, 7, 8, 11
20:18:28 [sicking]
contains feedback to 5
20:18:30 [Hixie]
could i ask a quick process question? what happens if we can't get consensus on these requirements?
20:18:33 [tlr]
I *think* number 5 means "mechanism MUST apply to any media type". If that's the case, that's great, but I'd like the text to read that way
20:18:44 [ArtB]
AB: any objections to that proposal?
20:18:48 [ArtB]
[No objections]
20:19:19 [ArtB]
RESOLUTION: requirements 2, 7, 8, 11 have agreement
20:19:37 [ArtB]
AB: then we keep trying to get consensus
20:19:49 [ArtB]
Topic: Requirement #1
20:20:07 [anne]
"then we keep trying to get consensus" was a reply from Art to Hixie's question
20:20:09 [Hixie]
so i could block progress indefinitely by simply never allowing consensus to form?
20:21:12 [ArtB]
TR: I'm looking at a Jan 22 version
20:22:08 [ArtB]
AvK: I don't want to revise requirements text; I don't want to do this
20:24:24 [ArtB]
... now but via e-mail
20:24:38 [ArtB]
AB: I don't think we are getting closure via e-mail
20:25:32 [ArtB]
TR: re 1.1., authentication isn't the issue but Authorization is
20:25:53 [tlr]
Some servers authorize any requests that can reach the server.
20:27:44 [ArtB]
TR: also have a problem with the last paragraph in 1.1 but I can take that to e-mail
20:27:46 [tlr]
"Although anyone..." includes somewhat inaccurate diagnosis of current state; happy to take that to e-mail
20:27:57 [ArtB]
ACTION: Thomas submit an input for requirement 1.1
20:27:58 [trackbot-ng]
Created ACTION-158 - Submit an input for requirement 1.1 [on Thomas Roessler - due 2008-02-06].
20:28:07 [tlr]
"Should not be possible to issue..." -- motivate with UPNP
20:28:21 [ArtB]
TR: I can supply an input for 1.2
20:28:27 [Hixie]
due feb 6th?
20:28:30 [Hixie]
that's a week from now!
20:28:36 [ArtB]
ACTION: Thomas submit an input for requirement 1.2
20:28:37 [trackbot-ng]
Created ACTION-159 - Submit an input for requirement 1.2 [on Thomas Roessler - due 2008-02-06].
20:28:59 [ArtB]
DO: re 1.2, I thought the Atom people had objected to that requirement
20:29:02 [tlr]
DO: atom folks objected against that one?
20:29:04 [tlr]
q+
20:29:09 [tlr]
hixie, that's the default due date
20:29:40 [tlr]
this one needs to say "should not be possible to issue unauthorized cross-site POST"...
20:29:45 [ArtB]
JS: I think we need to qualify 1.2
20:30:12 [ArtB]
[missed JS' explicit proposal to append a qualification to 1.2]
20:30:59 [Hixie]
wait now we're arguing about the precise _wording_ of these requirements?!
20:31:11 [Hixie]
good lord
20:31:55 [anne]
What was minuted above about me is not true. I said that I don't want to be the author of the requirements. I'm fine with editing. I also objected to discussing the requirement text and discussing comments on requirements already posted to the mailing list.
20:32:20 [Hixie]
i also object to discussing the requirements at this point
20:32:28 [Hixie]
it's months past the time to discuss requirements
20:32:31 [dorchard]
It should not be possible to cross site non-safe operations prior to an authorization check performed.
20:33:02 [Hixie]
all we're doing is delaying the specs that depend on this
20:33:48 [anne]
I'd also like to point out that I can't actually edit the document while being on the call and that all detailed suggestions have not at all been minuted! It would be much better if people actually e-mail the list.
20:34:24 [anne]
So all tlr's comments are lost.
20:34:32 [ArtB]
AB: we can delete 1.2; we could assign someone to "champion it"
20:34:45 [dorchard]
Proposal: It should not be possible to perform cross-site non-safe (in HTTP, POST/PUT/DELETE) operations prior to an authorization check being performed
20:34:45 [ArtB]
DO: I made a proposal
20:35:35 [ArtB]
osal #2
20:35:35 [anne]
(I'm not trying to attack the minutetaker fwiw, just saying that this doesn't really work.)
20:36:12 [ArtB]
DO: I made proposal #2
20:36:50 [tlr]
tlr: let's go with DO's proposal, modulo minor wordsmithing on list
20:36:54 [ArtB]
TR: I can live with David's #2 proposal modulo some wordsmithing
20:36:58 [tlr]
close ACTION-159
20:36:58 [trackbot-ng]
ACTION-159 Submit an input for requirement 1.2 closed
20:37:09 [ArtB]
JS: I'm OK with David's #2 proposal
20:37:15 [Hixie]
i do not agree with that proposal
20:37:23 [Hixie]
because i do not believe we should be discussing this in the first place
20:38:33 [ArtB]
Hixie, if you want to participate in this meeting please join the voice conference
20:38:44 [Hixie]
i do not have access to a phone here
20:39:00 [Hixie]
(literally the closest phone to here is about 35 minutes away)
20:40:16 [ArtB]
AB: can you make the sub-bullets numbered?
20:40:26 [ArtB]
AvK: if you send me an e-mail requesting so
20:40:45 [ArtB]
ACTION: barstow submit a request to get the subbullets numbered
20:40:45 [trackbot-ng]
Created ACTION-160 - Submit a request to get the subbullets numbered [on Arthur Barstow - due 2008-02-06].
20:41:04 [ArtB]
Topic: Requirement 3
20:42:05 [ArtB]
TR: I think there are typical configs that require root privs
20:42:19 [ArtB]
... should be worded in a positive way rather than negative
20:42:52 [ArtB]
... We need to know the capabilities that are needed for the policy deployer
20:43:06 [ArtB]
... As worded, it doesn't help us at all.
20:43:33 [ArtB]
... Also wonder if this is for XML only content or other content too
20:43:52 [sicking]
sorry on, phone
20:43:59 [tlr]
zakim, unmute sicking
20:43:59 [Zakim]
sicking was not muted, tlr
20:45:01 [ArtB]
AB: Jonas, any comments? I think you are the author
20:45:46 [ArtB]
JS: I can come up with a proposal; hope we don't get a bunch of additional feedback
20:46:00 [ArtB]
DO: yes, "typical" here is too open
20:46:20 [ArtB]
ACTION: Jonas submit a proposal for req #3
20:46:20 [trackbot-ng]
Created ACTION-161 - Submit a proposal for req #3 [on Jonas Sicking - due 2008-02-06].
20:46:26 [tlr]
same applies to 4
20:46:34 [ArtB]
Topic: Requirement #4
20:48:15 [ArtB]
AvK: I made a mistake in my response to TR and I will follow-up on e-mail
20:48:50 [ArtB]
TR: this also talks about "typical"
20:48:52 [Lachy]
Lachy has joined #waf
20:49:19 [Lachy]
Lachy has joined #waf
20:49:21 [ArtB]
... prefer to have it worded in a positive way rather than a list of negative things
20:49:32 [ArtB]
DO: I tend to agree with TR
20:50:06 [tlr]
avk: I agree that req 4 is about XML stuff, won't propose new text
20:50:29 [ArtB]
AB: is anyone willing to champion this requirement?
20:50:58 [ArtB]
... we could delete it
20:51:23 [ArtB]
JS: we could change "typical" to Apache
20:51:46 [ArtB]
TR: not clear what the real req is
20:52:26 [ArtB]
DO: agree this req is not clear
20:52:42 [ArtB]
AvK: why do we need to be so precise?
20:53:06 [ArtB]
DO: we will continue to have ambiguity if the reqs aren't clear
20:53:16 [tlr]
as phrased, I think it means "to be able to authorize cross-origin access to the content of an XML file that's served, it should be sufficient to be able to write to that XML file"
20:53:25 [tlr]
If that's not what it means, I'd like to understand *what* it means.
20:53:29 [ArtB]
JS: I can propose a rewording I think will be helpful
20:53:42 [dorchard]
right, tlr, I think that's close..
20:53:53 [sicking]
Must be able to deploy support for cross-site GET requests without having to use server-side scripting (such as PHP, ASP, or CGI) on IIS and Apache.
20:54:21 [ArtB]
JS: no, that's not quite right Thomas
20:54:50 [ArtB]
TR: we need an e-mail discussion on this
20:57:53 [ArtB]
TR: again, think the negative list is a good way to write the requirement
20:58:08 [ArtB]
AvK: but that would lead to specifying a solution
20:58:34 [ArtB]
JS: I don't want to force people to have to write programs to use this stuff
20:59:03 [dorchard]
So, Thomas, you want something like: Must be able to deploy support for cross-site GET requests by modifying the content of the resource or HTTP Headers.
20:59:12 [tlr]
dorchard, right
20:59:29 [tlr]
maybe the right answer also involves something about these things possibly being static.
20:59:29 [ArtB]
ACTION: Jonas start an e-mail thread about req #4
20:59:29 [trackbot-ng]
Created ACTION-162 - Start an e-mail thread about req #4 [on Jonas Sicking - due 2008-02-06].
20:59:38 [ArtB]
Topic: Requirement #6
20:59:40 [tlr]
I'm just very worried about "shouldn't need to program", as I might need to program in certain deployments.
21:00:15 [dorchard]
I have to drop off for about 5 minutes before lunch disappears.
21:00:30 [Zakim]
-Dave_Orchard
21:00:41 [ArtB]
TR: needs clarification of wording
21:01:10 [ArtB]
... "on a per-resource basis" can be misleading
21:01:56 [tlr]
"It should be possible to configure distinct cross-site authorization policies for different target resources that reside within the same origin"
21:01:58 [tlr]
sth like that
21:02:23 [ArtB]
AB: Jonas, are you OK with that?
21:02:45 [ArtB]
JS: yes
21:03:00 [ArtB]
AvK: probably
21:03:07 [ArtB]
AB: OK
21:03:21 [ArtB]
AB: propose we go with TR's rewording
21:03:31 [ArtB]
AB: any objections?
21:03:46 [ArtB]
RESOLUTION: Anne will change the wording as Thomas proposed
21:03:58 [ArtB]
Topic: Requirement #9
21:04:37 [ArtB]
TR: I'm uneasy talking about the administrator
21:05:00 [ArtB]
... should be able to override auth without changing an entity in an HTTP response
21:05:42 [ArtB]
JS: not exactly
21:05:53 [ArtB]
... there are many solutions to satisfy this
21:06:39 [ArtB]
... the PI requires a deny clause
21:06:51 [DaveO]
DaveO has joined #waf
21:07:20 [Zakim]
+Dave_Orchard
21:07:40 [ArtB]
TR: don't want to change the entity body of the HTTP response
21:09:39 [ArtB]
AB: the first sentence seems like the only "normative" part
21:09:48 [ArtB]
JS: second sentence is normative too
21:10:41 [tlr]
Entity Body is the right one
21:10:46 [sicking]
i'd be ok with "Must not require that the server filters the response body of the resource in order to deny access to all resources on the server"
21:10:56 [tlr]
s/response body/entity body/
21:11:03 [sicking]
or change "filters" to "modify"
21:11:27 [ArtB]
AB: what do you think of that proposal?
21:11:31 [ArtB]
TR: OK
21:11:34 [tlr]
s/deny access/deny cross-site access/
21:11:56 [ArtB]
DO: looks OK but need to think about it more
21:12:13 [ArtB]
... e.g. need to factor in the OPTIONS and non-GET discussions
21:12:51 [ArtB]
AB: propose we accept JS's new wording with the 2 substitutions
21:12:57 [ArtB]
AB: any objections?
21:14:19 [ArtB]
DO: don't agree to a formal resolution
21:15:33 [ArtB]
JS: would like a one week on the review on any reqs that have been changed
21:15:49 [ArtB]
DO: I agree
21:16:15 [ArtB]
JS: need to get actions done ASAP
21:16:18 [ArtB]
AB: agree!
21:16:53 [ArtB]
ACTION: Anne add Jonas proposed change for Req #9 and add in the 2 substitutions he proposed
21:16:53 [trackbot-ng]
Created ACTION-163 - Add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [on Anne van Kesteren - due 2008-02-06].
21:17:04 [anne]
Zakim, who is making noise?
21:17:08 [ArtB]
Topic: Requirement #10
21:17:14 [Zakim]
anne, listening for 10 seconds I heard sound from the following: ArtB (96%)
21:17:18 [anne]
why didn't we discuss open issues?
21:18:00 [anne]
they were also on the agenda
21:19:02 [ArtB]
TR: I think we're pretty close on this
21:19:03 [DaveO]
Anne, I don't think we are done agenda item #3: Requirements
21:19:04 [anne]
ArtB?
21:20:22 [ArtB]
ACTION: Thomas submit a proposed edit for Req #10
21:20:23 [trackbot-ng]
Created ACTION-164 - Submit a proposed edit for Req #10 [on Thomas Roessler - due 2008-02-06].
21:21:55 [ArtB]
Topic: Requirement #12
21:22:42 [ArtB]
TR: issue with requests coming from other servers
21:22:49 [ArtB]
... also issue with IIS
21:23:03 [ArtB]
... think we need to say less actually
21:23:19 [ArtB]
JS: agree but informative example could be useful
21:24:05 [tlr]
req 12: Should be compatible with commonly used HTTP authentication and session management mechanisms
21:24:34 [tlr]
(i.e., HTTP authentication and cookies)
21:25:06 [ArtB]
ACTION: Jonas submit a new proposal for req #12 reflecting Thomas' proposal
21:25:06 [trackbot-ng]
Created ACTION-165 - Submit a new proposal for req #12 reflecting Thomas' proposal [on Jonas Sicking - due 2008-02-06].
21:25:42 [sicking]
I.e. on an IIS server where authentication and session management is generally done by the server before ASP pages execute this should be doable also for requests coming from cross-site requests. Same thing applies to PHP on Apache.
21:25:49 [ArtB]
Topic: Requirement #13
21:26:00 [ArtB]
TR: this needs more review
21:26:16 [ArtB]
... it is totally different than it was one week ago
21:27:12 [ArtB]
Topic: AOB
21:27:20 [ArtB]
AB: call next week
21:27:38 [ArtB]
TR: I cannot attend next week
21:27:49 [DaveO]
I can make next week
21:28:01 [ArtB]
AB: meet anyhow?
21:28:10 [ArtB]
DO: what about Hixie?
21:29:09 [tlr]
myabe send an agen
21:29:16 [tlr]
s/myabe send an agen//
21:29:17 [ArtB]
AB: let's plan to have a call next week
21:29:35 [ArtB]
TR: make sure Mike can be on the call
21:29:38 [ArtB]
AB: good point
21:29:50 [ArtB]
ACTION: barstow make sure Mike Smith can attend next week's call
21:29:50 [trackbot-ng]
Created ACTION-166 - Make sure Mike Smith can attend next week's call [on Arthur Barstow - due 2008-02-06].
21:30:04 [Hixie]
DaveO: my opinion is that these telecons are a waste of time.
21:30:07 [ArtB]
AB: meeting adjourned
21:30:13 [Zakim]
-sicking
21:30:14 [Zakim]
-??P11
21:30:14 [Zakim]
-Dave_Orchard
21:30:16 [Zakim]
-ArtB
21:30:17 [Zakim]
-Thomas
21:30:18 [Zakim]
IA_WAF()3:00PM has ended
21:30:20 [Zakim]
Attendees were +1.781.993.aaaa, Thomas, ArtB, Dave_Orchard, sicking
21:30:28 [ArtB]
rrsagent, make logs public
21:30:33 [ArtB]
rrsagent, make minutes
21:30:33 [RRSAgent]
I have made the request to generate http://www.w3.org/2008/01/30-waf-minutes.html ArtB
22:00:29 [ArtB]
excellent!
22:00:53 [ArtB]
zakim, bye
22:00:53 [Zakim]
Zakim has left #waf
22:00:59 [ArtB]
rrsagent, bye
22:00:59 [RRSAgent]
I see 9 open action items saved in http://www.w3.org/2008/01/30-waf-actions.rdf :
22:00:59 [RRSAgent]
ACTION: Thomas submit an input for requirement 1.1 [1]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T20-27-57
22:00:59 [RRSAgent]
ACTION: Thomas submit an input for requirement 1.2 [2]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T20-28-36
22:00:59 [RRSAgent]
ACTION: barstow submit a request to get the subbullets numbered [3]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T20-40-45
22:00:59 [RRSAgent]
ACTION: Jonas submit a proposal for req #3 [4]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T20-46-20
22:00:59 [RRSAgent]
ACTION: Jonas start an e-mail thread about req #4 [5]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T20-59-29-1
22:00:59 [RRSAgent]
ACTION: Anne add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [6]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T21-16-53
22:00:59 [RRSAgent]
ACTION: Thomas submit a proposed edit for Req #10 [7]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T21-20-22
22:00:59 [RRSAgent]
ACTION: Jonas submit a new proposal for req #12 reflecting Thomas' proposal [8]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T21-25-06
22:00:59 [RRSAgent]
ACTION: barstow make sure Mike Smith can attend next week's call [9]
22:00:59 [RRSAgent]
recorded in http://www.w3.org/2008/01/30-waf-irc#T21-29-50