See also: IRC log
<trackbot-ng> Date: 30 January 2008
<scribe> Scribe: Art
<scribe> ScribeNick: ArtB
AB: reserve 5 mins for AOB
<tlr> argh
<tlr> sorry
AB: no comments on 2, 5, 7, 8,
11
... comments on 1, 3, 4, 6, 9, 10, 12
... not sure about #13
JS: I made comments on #13
AvK: I've addressed those comments
AB: propose we record agreement
on 2, 5, 7, 8, 11 and 13
... OK?
DO: not sure everyone has reviewed them
AB: we've had two weeks now and in this agenda and the last I asked people to submit comments in advance of the meeting
JS: I didn't receive many replies, mostly from Art
<dorchard> DO: I'm worried that people have reviewed some of the requirements and their conversations are focused on those, not on all.
AB: propose we recored agreement on 2, 5, 7, 8, 11 and 13
<dorchard> DO: so the concern is that the absence of discussion isn't consensus.
AB: any objections?
TR: I want to remove #13 since it has been changed
DO: wonder about #5; think it was bundled in other conversations
JS: Jon may have had a counter-proposal for #5
DO: I don't object to the others but not #5
TR: I have some concenrs about #5 too but mostly editorial
<sicking> http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0250.html
AB: propose we record agreement on 2, 7, 8, 11
<sicking> contains feedback to 5
<Hixie> could i ask a quick process question? what happens if we can't get consensus on these requirements?
<tlr> I *think* number 5 means "mechanism MUST apply to any media type". If that's the case, that's great, but I'd like the text to read that way
AB: any objections to that proposal?
[No objections]
RESOLUTION: requirements 2, 7, 8, 11 have agreement
AB: then we keep trying to get consensus
<anne> "then we keep trying to get consensus" was a reply from Art to Hixie's question
<Hixie> so i could block progress indefinitely by simply never allowing consensus to form?
TR: I'm looking at a Jan 22 version
AvK: I don't want to revise
requirements text; I don't want to do this
... now but via e-mail
AB: I don't think we are getting closure via e-mail
TR: re 1.1., authentication isn't the issue but Authorization is
<tlr> Some servers authorize any requests that can reach the server.
TR: also have a problem with the last paragraph in 1.1 but I can take that to e-mail
<tlr> "Although anyone..." includes somewhat inaccurate diagnosis of current state; happy to take that to e-mail
<scribe> ACTION: Thomas submit an input for requirement 1.1 [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action01]
<trackbot-ng> Created ACTION-158 - Submit an input for requirement 1.1 [on Thomas Roessler - due 2008-02-06].
<tlr> "Should not be possible to issue..." -- motivate with UPNP
TR: I can supply an input for 1.2
<Hixie> due feb 6th?
<Hixie> that's a week from now!
<scribe> ACTION: Thomas submit an input for requirement 1.2 [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action02]
<trackbot-ng> Created ACTION-159 - Submit an input for requirement 1.2 [on Thomas Roessler - due 2008-02-06].
DO: re 1.2, I thought the Atom people had objected to that requirement
<tlr> DO: atom folks objected against that one?
<tlr> hixie, that's the default due date
<tlr> this one needs to say "should not be possible to issue unauthorized cross-site POST"...
JS: I think we need to qualify 1.2
[missed JS' explicit proposal to append a qualification to 1.2]
<Hixie> wait now we're arguing about the precise _wording_ of these requirements?!
<Hixie> good lord
<anne> What was minuted above about me is not true. I said that I don't want to be the author of the requirements. I'm fine with editing. I also objected to discussing the requirement text and discussing comments on requirements already posted to the mailing list.
<Hixie> i also object to discussing the requirements at this point
<Hixie> it's months past the time to discuss requirements
<dorchard> It should not be possible to cross site non-safe operations priort to an authorization check performed.
<Hixie> all we're doing is delaying the specs that depend on this
<anne> I'd also like to point out that I can't actually edit the document while being on the call and that all detailed sugestions have not at all been minuted! It would be much better if people actually e-mail the list.
<anne> So all tlr's comments are lost.
AB: we can delete 1.2; we could assign someone to "champion it"
<dorchard> Proposal: It should not be possible to perform cross-site non-safe (in HTTP, POST/PUT/DELETE) operations prior to an authorization check being performed
DO: I made a proposal
osal #2
<anne> (I'm not trying to attack the minutetaker fwiw, just saying that this doesn't really work.)
DO: I made proposal #2
<tlr> tlr: let's go with DO's rpoposal, modulo minor wordsmithing on list
TR: I can live with David's #2 proposal modulo some word smitthing
<tlr> close ACTION-159
<trackbot-ng> ACTION-159 Submit an input for requirement 1.2 closed
JS: I'm OK with David's #2 proposal
<Hixie> i do not agree with that proposal
<Hixie> because i do not believe we should be discussing this in the first place
Hixie, if you want to participate in this meeting please join the voice conference
<Hixie> i do not have access to a phone here
<Hixie> (literally the closest phone to here is about 35 minutes away)
AB: can you make the sub-bullet's numbered?
AvK: if you send me an e-mail requesting so
<scribe> ACTION: barstow submit a request to get the subbullets numbered [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action03]
<trackbot-ng> Created ACTION-160 - Submit a request to get the subbullets numbered [on Arthur Barstow - due 2008-02-06].
TR: I think there are typical
configs that require root privs
... should be worded in a positive way rather than
negative
... We need to know the capabilities that are needed for the
policy deployer
... As worded, it doesn't help us at all.
... Also wonder if this is for XML only content or other
content too
<sicking> sorry on, phone
AB: Jonas, any comments I think you are the author
JS: I can come up with a proposal; hope we don't get a bunch of additional feedback
DO: yes, "typical" here is too open
<scribe> ACTION: Jonas submit a proposal for req #3 [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action04]
<trackbot-ng> Created ACTION-161 - Submit a proposal for req #3 [on Jonas Sicking - due 2008-02-06].
<tlr> same applies to 4
AvK: I made a mistake in my response to TR and I will follow-up on e-mail
TR: this also talks about
"typical"
... prefer to have it worded in a positive way rather than a
list of negative things
DO: I tend to agree with TR
<tlr> avk: I agree that req 4 is about XML stuff, won't propose new text
AB: is anyone willing to champion
this requirement?
... we could delete it
JS: we could change "typical" to Apache
TR: not clear what the real req is
DO: agree this req is not clear
AvK: why do we need to be so precise?
DO: we will continue to have ambiguity if the reqs aren't clear
<tlr> as phrased, I think it means "to be able to authorize cross-origin access to the content of an XML file that's served, it should be sufficient to be able to write to that XML file"
<tlr> If that's not what it means, I'd like to understand *what* it means.
JS: I can propose a rewording I think will be helpful
<dorchard> right, tlr, I think that's close..
<sicking> Must able to deploy support for cross-site GET requests without having to use server-side scripting (such as PHP, ASP, or CGI) on IIS and Apache.
JS: no, that's not quite right Thomas
TR: we need an e-mail discussion
on this
... again, think the negative list is a good way to write the
requirement
AvK: but that would lead to specifying a solution
JS: I don't want to force people to have to write programs to use this stuff
<dorchard> So, Thomas, you want something like: Must able to deploy support for cross-site GET requests by modifying the content of the resource or HTTP Headers.
<tlr> dorchard, right
<tlr> maybe the right answer also involves something about these things possibly being static.
<scribe> ACTION: Jonas start an e-mail thread about req #4 [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action05]
<trackbot-ng> Created ACTION-162 - Start an e-mail thread about req #4 [on Jonas Sicking - due 2008-02-06].
<tlr> I'm just very worried about "shouldn't need to program", as I might need to program in certain deployments.
<dorchard> I have to drop off for about 5 minutes before lunch disappears.
TR: needs clarification of
wording
... "on a per-resource basis" can be mis-leading
<tlr> "It should be possible to configure distinct cross-site authorization policies for different target resources that reside within the same origin"
<tlr> sth like that
AB: Jonas, are you OK with that?
JS: yes
AvK: probably
AB: OK
... propose we go with TR's rewording
... any objections?
RESOLUTION: Anne will change the wording as Thomas proposed
TR: I'm uneasy talking about the
adminstrator
... should be able to override auth without changing an entity
in an HTTP response
JS: not exactly
... there are many solutions to satisfy this
... the PI requires a deny clause
TR: don't want to change the entity body of the HTTP response
AB: the first sentence seems like the only "normative" part
JS: second sentence is normative too
<tlr> Entity Body is the right one
<sicking> i'd be ok with "Must not require that the server filters the entity body of the resource in order to deny cross-site access to all resources on the server"
<sicking> or change "filters" to "modify"
AB: what do you think of that proposal?
TR: OK
DO: looks OK but need to think
about it more
... e.g. need to factor in the OPTIONs and non-GET
discusssions
AB: propose we accept JS's new
wording with the 2 substitutions
... any objections?
DO: don't agree to a formal resolution
JS: would like a one week on the review on any reqs that have been changed
DO: I agree
JS: need to get actions done ASAP
AB: agree!
<scribe> ACTION: Anne add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action06]
<trackbot-ng> Created ACTION-163 - Add Jonas proposed change for Req #9 and add in the 2 substituions he proposed [on Anne van Kesteren - due 2008-02-06].
<anne> why didn't we discuss open issues?
<anne> they were also on the agenda
TR: I think we're pretty close on this
<DaveO> Anne, I don't think we are done agenda item #3: Requirements
<anne> ArtB?
<scribe> ACTION: Thomas submit a proposed edit for Req #10 [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action07]
<trackbot-ng> Created ACTION-164 - Submit a proposed edit for Req #10 [on Thomas Roessler - due 2008-02-06].
TR: issue with requests coming
from other servers
... also issue with IIS
... think we need to say less actually
JS: agree but informative example could be useful
<tlr> req 12: Should be compatible with commonly used HTTP authentication and session management mechanisms
<tlr> (i.e., HTTP authentication and cookies)
<scribe> ACTION: Jonas submit a new proposal for req #12 reflecting Thomas' proposal [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action08]
<trackbot-ng> Created ACTION-165 - Submit a new proposal for req #12 reflecting Thomas' proposal [on Jonas Sicking - due 2008-02-06].
<sicking> I.e. on an IIS server where authentication and session management is generally done by the server before ASP pages execute this should be doable also for requests coming from cross-site requests. Same thing applies to PHP on Apache.
TR: this needs more review
... it is totally different than it was one week ago
AB: call next week
TR: I cannot attend next week
<DaveO> I can make next week
AB: meet anyhow?
DO: what about Hixie?
AB: let's plan to have a call next week
TR: make sure Mike can be on the call
AB: good point
<scribe> ACTION: barstow make sure Mike Smith can attend next week's call [recorded in http://www.w3.org/2008/01/30-waf-minutes.html#action09]
<trackbot-ng> Created ACTION-166 - Make sure Mike Smith can attend next week's call [on Arthur Barstow - due 2008-02-06].
<Hixie> DaveO: my opinion is that these telecons are a waste of time.
AB: meeting adjourned
This is scribe.perl Revision: 1.133 of Date: 2008/01/18 18:48:51 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/removed/changed/ Succeeded: s/response body/entity body/ Succeeded: s/deny access/deny cross-site access/ Succeeded: s/myabe send an agen// Found Scribe: Art Found ScribeNick: ArtB Default Present: +1.781.993.aaaa, Thomas, ArtB, Dave_Orchard, sicking Present: Art Anne Dave Thomas Jonas Hixie_(IRC) Agenda: http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0305.html Found Date: 30 Jan 2008 Guessing minutes URL: http://www.w3.org/2008/01/30-waf-minutes.html People with action items: anne barstow jonas thomas[End of scribe.perl diagnostic output]