19:18:01 RRSAgent has joined #waf
19:18:01 logging to http://www.w3.org/2008/02/27-waf-irc
19:18:07 Zakim has joined #waf
19:18:18 zakim, this will be waf
19:18:18 ok, tlr; I see IA_WAF()3:00PM scheduled to start in 42 minutes
19:27:34 ArtB has joined #waf
19:55:18 Hi TLR!
19:58:22 Jonas said he would invite some Moz people to our call
20:00:32 Does MikeSmith still work for the W3C :-)? Haven't seen him very much but Boston and Tokyo time zones are not very favorable :-(.
20:00:55 He was on a conf call yesterday.
20:01:14 k
20:01:18 I suspect it might be time to adjust the call time to accommodate him, though.
20:02:20 he agreed to this time, IIRC
20:02:33 oh well
20:03:32 IA_WAF()3:00PM has now started
20:03:38 +Art_Barstow
20:03:39 +[Mozilla]
20:03:45 zakim, call thomas-781
20:03:45 ok, tlr; the call is being made
20:03:47 +Thomas
20:03:59 sicking has joined #waf
20:04:16 ArtB has joined #waf
20:04:33 zakim, I am thomas
20:04:33 ok, tlr, I now associate you with Thomas
20:04:35 zakim, mute me
20:04:35 Thomas should now be muted
20:05:28 Meeting: WAF WG Access Control Voice Conf
20:06:01 Date: 27 Feb 2008
20:06:08 Agenda: http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0276.html
20:06:13 zakim, unmute me
20:06:13 Thomas should no longer be muted
20:06:14 Chair: Art
20:06:17 zakim, who is on the phone?
20:06:17 On the phone I see [Mozilla], Art_Barstow, Thomas
20:06:21 Scribe: Art
20:06:28 Scribe: tlr
20:06:55 art: jonas, anybody else coming?
20:06:59 sicking: nope
20:07:11 art: let's go ahead
20:07:17 topic: cookies
20:07:34 art: think everybody understands positions of various people
20:07:40 ... take as opportunity to talk about what the problem is ...
20:07:45 ... next steps ...
20:07:50 ... let me try to summon Hixie ...
20:07:59 tlr: expecting anne?
20:08:03 art: he has a personal conflict
20:09:14 art: let's talk a bit
20:09:20 jonas: need to hear from sec people at other browser vendors
20:09:31 ... mozilla won't move alone ...
20:09:45 ... if we're the only ones who have the concerns, maybe others can move ahead without us ...
20:09:53 art: can follow up with maciej and see if willing to provide input
20:10:01 ... about what safari team thinks ...
20:10:06 ... had MS participation at some point ...
20:10:09 ... dropped off ...
20:10:16 ... making note to contact them ...
20:11:03 tlr: would be curious to understand more precisely what the landscape looks like
20:11:07 ... i.e., shipping plans?
20:11:20 jonas: if we can't send cookies for now, but still follow spec, we'll ship that ...
20:12:11 ACTION: Barstow contact IE and Safari teams about their plans for AC4CSR
20:12:11 Created ACTION-172 - Contact IE and Safari teams about their plans for AC4CSR [on Arthur Barstow - due 2008-03-05].
20:12:41 i am not near a phone
20:12:43 wassup?
20:13:46 tlr: I think if not sending cookies and auth headers, we need a handover protocol
20:13:50 ... and that's a larger design space ...
20:13:58 ... talk to OAuth people e.g.
20:14:04 ... skeptical that that could happen within FF3 time frame
20:14:09 jonas: we're out of time for FF3
20:14:22 art: identity server sounds like one of the main use cases, basically IDP
20:14:35 jonas: want to look into oauth
20:14:56 ... maybe look into openid ...
20:15:07 tlr: I'm skeptical about openid for this use case
20:15:11 ... that's a different discussion ...
20:15:18 jonas: the bouncing around design is the point
20:15:20 tlr: yes
20:15:27 jonas: we had security concerns about openid
20:15:31 ... haven't looked into oauth ...
20:15:44 ... they could suffer similar worries as access-control ...
20:16:17 tlr: sounds like a workshop situation
20:16:23 art: sounds like a good idea
20:16:29 ... if I can help, by all means ...
20:16:38 ... sounds like center of gravity is probably US West Coast ...
20:16:57 jonas: would want to hear from security folks at other UAs
20:17:04 ... don't personally agree with the concerns here ...
20:17:23 ... if other vendors think the spec is sound, then don't necessarily need to change ...
20:17:35 art: along those lines, was wondering about original architecture, as applied to VB world
20:17:44 ... obviously, have made fairly substantial changes to the model ...
20:17:53 ... but part borrowed from them ...
20:17:55 jonas: same concerns there
20:18:03 ... concern is with normal GET ...
20:19:26 tlr: ambient authorization was where this once started, indeed
20:19:42 jonas: would have the same concerns with the plain VB spec
20:20:39 art: millions of pages served that way?
20:21:10 tlr: think VoiceXML is *the* industry standard for voice stuff
20:21:20 ... operations in a more constrained environment ...
20:21:24 art: our model more open
20:21:43 ... btw, my IRC connection is dead ...
20:22:08 ... anyway, where do we go from here?
20:22:23 jonas: solution I'd be happy with & be able to implement ...
20:22:30 ... for ff3 - don't want the no-cookies way ...
20:22:38 ... other option is to do what normal HTTP auth does, to ask the user ...
20:22:48 ... I think that that would be a doable solution ...
20:25:20 tlr: *very* skeptical about the ask-user approach for this
20:25:31 jonas: requirement was "user needs to approve request"
20:26:02 ... not necessarily a pop-up ...
20:26:07 ... if browser needs to ask the user ...
20:26:10 ... we're stuck there ...
20:26:16 ... but yes, I want to hear from Johnath ...
20:27:46 tlr: if you want a useful user interaction, explain in terms that people understand
20:27:56 ... and that gets you very close to flickr authorization style experiences ...
20:28:12 ... where effectively you want the collaboration of both sites to do the authorization step ...
20:28:22 ... and that in turn suggests looking at the various bounce-people-around protocols ...
20:28:46 jonas: would argue that current protocol bounces user around
20:28:53 ... just haven't standardized how bouncing should happen ...
20:28:59 ... that might be our problem ...
20:29:06 ... should probably design a protocol around that ...
20:29:13 ... target site should be the one that's responsible ...
20:29:22 ... shouldn't include site in allow list unless previously asked user ...
20:29:59 tlr: I think we're edging more and more toward a server-side decision model
20:30:10 ... which means the current model doesn't really fit ...
20:30:16 jonas: probably don't need whitelist language we have
20:30:21 ... probably just yes/no answer ...
20:30:36 tlr: in a way, like what Tyler and Mark were describing
20:31:09 ... my advice (and it's nothing more) would be to drop from FF3 ...
20:31:22 jonas: unless we do something about asking the user
20:31:27 ... don't think we can get everybody to agree to that
20:31:32 ... want to keep working on the thread that I started
20:31:39 ... try to explain better what people think of it
20:31:46 ... expecting a no; if that's what I get, pull implementation
20:32:08 tlr: assuming you need to pull, who would need to be involved from Mozo?
20:32:15 ... in a workshop, e.g. ...
20:32:56 jonas: xx Snyder
20:33:00 ... Brendan ?? ...
20:33:16 ... basically the folks cced on my e-mail
20:33:54 art: seeing how to move work forward
20:33:59 ... whatever way makes sense ...
20:34:05 ... think concern that Jonas raised is legitimate ...
20:34:08 ... and understandable ...
20:34:17 ... will go ahead and contact Apple and MS and see if they're willing
20:34:20 ... to provide input ...
20:34:35 ... maybe can get somebody from opera in addition to AvK to
20:34:38 ... provide input
20:35:01 tlr: Yngve; he was having misgivings I think
20:36:08 art: going to try to get review from MS and other security folks
20:37:32 tlr: note that most useful discussion might be to look at models
20:37:51 art: news on charter, also re access-control?
20:37:56 tlr: not in the loop on chartering discussions
20:38:16 ... I think one question we hear here is what scope access-control work
20:38:29 ... should have, and whether webapps charter should block on that
20:38:38 ... I don't know answer to the first question, but would speculate second one is "no"
20:38:46 art: yeah, we seem to have lost the FF3 driver
20:38:49 ... let's pull people together
20:38:57 ... disadvantage is that things could drag on for longer than we like
20:39:03 ... consequence of bringing things into committee before
20:39:05 ... implemented
20:39:26 tlr: there could be existing things or mixtures of these that could be
20:39:31 ... quicker to specify
20:39:38 art: mash-ups running into this
20:39:47 jonas: use own server as proxy
20:40:25 tlr: yeah... lots ask for user name and password now
20:40:31 ... flickr api is the other way ...
20:40:42 jonas: that's why I liked the with-cookie approach
20:40:51 ... better in some ways, but not good enough
20:41:01 ... think whatever we do should integrate with whatever is out there today
20:41:06 ... current spec doesn't cover authorization
20:41:11 ... use latest greatest -- which is good
20:41:34 art: one last question for jonas -- seems like moz position not likely to change?
20:41:38 jonas: yep
20:41:43 art: thanks for taking the time
20:41:49 ... will follow up with other vendors ...
20:41:55 ... hope to get some useful information ...
20:42:19 ... if there's anything I can do to help workshopping things, please say
20:42:44 rrsagent, make record public
20:42:48 rrsagent, please draft minutes
20:42:48 I have made the request to generate http://www.w3.org/2008/02/27-waf-minutes.html tlr
20:43:25 art: let's suspend phone conferences till we need one
20:43:30 tlr: I'll stick around on IRC
20:43:32 jonas: agree
20:43:52 rrsagent, please draft minutes
20:43:52 I have made the request to generate http://www.w3.org/2008/02/27-waf-minutes.html tlr
20:43:54 -Art_Barstow
20:43:56 -[Mozilla]
20:44:00 -Thomas
20:44:01 IA_WAF()3:00PM has ended
20:44:02 Attendees were Art_Barstow, [Mozilla], Thomas
20:55:44 ArtB has joined #waf
21:03:43 yes BR = Best Regards :)
21:18:16 anne has joined #waf
21:19:43 sorry I couldn't attend, as I said, family stuff
21:20:43 yes, I remembered that
21:20:53 Jonas, here's a short article on OAuth: http://www.25hoursaday.com/weblog/2007/09/12/OAuthStandardizingAuthenticationAndAuthorizationForWebAPIs.aspx
22:21:37 Zakim has left #waf
23:23:42 marcos_ has joined #waf