IRC log of waf on 2008-02-27

Timestamps are in UTC.

19:18:01 [RRSAgent]
RRSAgent has joined #waf
19:18:01 [RRSAgent]
logging to http://www.w3.org/2008/02/27-waf-irc
19:18:07 [Zakim]
Zakim has joined #waf
19:18:18 [tlr]
zakim, this will be waf
19:18:18 [Zakim]
ok, tlr; I see IA_WAF()3:00PM scheduled to start in 42 minutes
19:27:34 [ArtB]
ArtB has joined #waf
19:55:18 [ArtB]
Hi TLR!
19:58:22 [ArtB]
Jonas said he would invite some Moz people to our call
20:00:32 [ArtB]
Does MikeSmith still work for the W3C :-)? Haven't seen him very much but Boston and Tokyo time zones are very favorable :-(.
20:00:43 [ArtB]
s/are/are not/
20:00:55 [tlr]
He was on a conf call yesterday.
20:01:14 [ArtB]
k
20:01:18 [tlr]
I suspect it might be time to adjust the call time to accommodate him, though.
20:02:20 [ArtB]
he agreed to this time, IIRC
20:02:33 [tlr]
oh well
20:03:32 [Zakim]
IA_WAF()3:00PM has now started
20:03:38 [Zakim]
+Art_Barstow
20:03:39 [Zakim]
+[Mozilla]
20:03:45 [tlr]
zakim, call thomas-781
20:03:45 [Zakim]
ok, tlr; the call is being made
20:03:47 [Zakim]
+Thomas
20:03:59 [sicking]
sicking has joined #waf
20:04:16 [ArtB]
ArtB has joined #waf
20:04:33 [tlr]
zakim, I am thomas
20:04:33 [Zakim]
ok, tlr, I now associate you with Thomas
20:04:35 [tlr]
zakim, mute me
20:04:35 [Zakim]
Thomas should now be muted
20:05:28 [ArtB]
Meeting: WAF WG Access Control Voice Conf
20:06:01 [ArtB]
Date: 27 Feb 2008
20:06:08 [ArtB]
Agenda: http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0276.html
20:06:13 [tlr]
zakim, unmute me
20:06:13 [Zakim]
Thomas should no longer be muted
20:06:14 [ArtB]
Chair: Art
20:06:17 [tlr]
zakim, who is on the phone?
20:06:17 [Zakim]
On the phone I see [Mozilla], Art_Barstow, Thomas
20:06:21 [ArtB]
Scribe: Art
20:06:28 [tlr]
Scribe: tlr
20:06:55 [tlr]
art: jonas, anybody else coming?
20:06:59 [tlr]
sicking: nope
20:07:11 [tlr]
art: let's go ahead
20:07:17 [tlr]
topic: cookies
20:07:34 [tlr]
art: think everybody understands positions of various people
20:07:40 [tlr]
... take as opportunity to talk about what the problem is ...
20:07:45 [tlr]
... next steps ...
20:07:50 [tlr]
... let me try to summon Hixie ...
20:07:59 [tlr]
tlr: expecting anne?
20:08:03 [tlr]
art: he has a personal conflict
20:09:14 [tlr]
art: let's talk a bit
20:09:20 [tlr]
jonas: need to hear from sec people at other browser vendors
20:09:31 [tlr]
... mozilla won't move alone ...
20:09:45 [tlr]
... if we're the only ones who have the concerns, maybe others can move ahead without us ...
20:09:53 [tlr]
art: can follow up with maciej and see if willing to provide input
20:10:01 [tlr]
... about what safari team thinks ...
20:10:06 [tlr]
... had ms participation at some point ..
20:10:09 [tlr]
... dropped off ...
20:10:16 [tlr]
... making note to contact them ...
20:11:03 [tlr]
tlr: would be curious to understand more precisely what the landscape looks like
20:11:07 [tlr]
... i.e., shipping plans?
20:11:20 [tlr]
jonas: if we can't send cookies for now, but still follow spec, we'll ship that ...
20:12:11 [ArtB]
ACTION: Barstow contact IE and Safari teams about their plans for AC4CSR
20:12:11 [trackbot-ng]
Created ACTION-172 - Contact IE and Safari teams about their plans for AC4CSR [on Arthur Barstow - due 2008-03-05].
20:12:41 [Hixie]
i am not near a phone
20:12:43 [Hixie]
wassup?
20:13:46 [tlr]
tlr: I think if not sending cookies and auth headers, we need a handover protocol
20:13:50 [tlr]
... and that's a larger design space ..
20:13:58 [tlr]
... talk to OAuth people e.g.
20:14:04 [tlr]
... skeptical that that could happen within FF3 time frame
20:14:09 [tlr]
jonas: we're out of time for FF3
20:14:22 [tlr]
art: identity server sounds like one of the main use cases, basically IDP
20:14:35 [tlr]
jonas: want to look into oauth
20:14:56 [tlr]
... maybe look into openid ...
20:15:07 [tlr]
tlr: I'm skeptical about openid for this use case
20:15:11 [tlr]
... that's a different discussion ...
20:15:18 [tlr]
jonas: the bouncing around design is the point
20:15:20 [tlr]
tlr: yes
20:15:27 [tlr]
jonas: we had security concerns about openid
20:15:31 [tlr]
.. haven't looked into oauth ...
20:15:44 [tlr]
... they could suffer similar worries as access-control ...
20:16:17 [tlr]
tlr: sounds like a workshop situation
20:16:23 [tlr]
art: sounds like a good idea
20:16:29 [tlr]
... if I can help, by all means ...
20:16:38 [tlr]
... sounds like center of gravity are probably US West Coast ...
20:16:57 [tlr]
jonas: would want to hear from security folks at other UAs
20:17:04 [tlr]
... don't personally agree with the concerns here ...
20:17:23 [tlr]
... if other vendors think the spec is sound, then don't necessarily need to change ...
20:17:35 [tlr]
art: along those lines, was wondering about original architecture, as applied to VB world
20:17:44 [tlr]
... obviously, have made fairly substantial changes to the model ...
20:17:53 [tlr]
... but part borrowed from them ...
20:17:55 [tlr]
jonas: same concerns there
20:18:03 [tlr]
... concern is with normal GET ...
20:19:26 [tlr]
tlr: ambient authorization was where this once started, indeed
20:19:42 [tlr]
jonas: would have the same concerns with the plain VB spec
20:20:39 [tlr]
art: millions of pages served that way?
20:21:10 [tlr]
tlr: think VoiceXML is *the* industry standard for voice stuff
20:21:20 [tlr]
... operations in a more constrained environment ...
20:21:24 [tlr]
art: our model more open
20:21:43 [tlr]
... btw, my IRC connection is dead ...
20:22:08 [tlr]
... anyway, where do we go from here?
20:22:23 [tlr]
jonas: solution I'd be happy with & be able to implement ...
20:22:30 [tlr]
... for ff3 - don't want the no-cookies way ...
20:22:38 [tlr]
... other option is to do what normal HTTP auth does, to ask the user ...
20:22:48 [tlr]
... I think that that would be a doable solution ...
20:25:20 [tlr]
tlr: *very* skeptical about the ask user approach for this
20:25:31 [tlr]
jonas: requirement was "user needs to approve request"
20:26:02 [tlr]
... not necessarily a pop-up ...
20:26:07 [tlr]
... if browser needs to ask the user ...
20:26:10 [tlr]
... we're stuck there ...
20:26:16 [tlr]
... but yes, I want to hear from Johnath ...
20:27:46 [tlr]
tlr: if you want a useful user interaction, explain in terms that people understand
20:27:56 [tlr]
.. and that gets you very close to flickr authorization style experiences ...
20:28:12 [tlr]
... where effectively you want the collaboration of both sites to do the authorization step ...
20:28:22 [tlr]
... and that in turn suggests looking at the various bounce people around protocols ...
20:28:46 [tlr]
jonas: would argue that current protocol bounces user around
20:28:53 [tlr]
... just haven't standardized how bouncing sould happen ...
20:28:55 [tlr]
s/sould/should/
20:28:59 [tlr]
... that might be our problem ...
20:29:06 [tlr]
... should probably design a protocol around that ...
20:29:13 [tlr]
... target site should be the one that's responsible ...
20:29:22 [tlr]
... shouldn't include site in allow list unless previously asked user ...
20:29:59 [tlr]
tlr: I think we're edging more and more toward a server-side decision model
20:30:10 [tlr]
... which means the current model doesn't really fit ...
20:30:16 [tlr]
jonas: probably don't need whitelist language we have
20:30:21 [tlr]
... probably just yes/no answer ...
20:30:36 [tlr]
tlr: in a way, like what Tyler and Mark were describing
20:31:09 [tlr]
... my advice (and it's nothing more) would be to drop from FF3 ...
20:31:22 [tlr]
jonas: unless we do something about asking the user
20:31:27 [tlr]
... don't think we can get everybody to agree to that
20:31:32 [tlr]
... want to keep working on the thread that I started
20:31:39 [tlr]
... try to explain better what people think of it
20:31:46 [tlr]
... expecting a no, if that's what I get, pull implementation
20:32:08 [tlr]
tlr: assuming you need to pull, who would need to be involved from Mozo?
20:32:15 [tlr]
... in a workshop, e.g. ...
20:32:56 [tlr]
... xx Snyder
20:33:00 [tlr]
... Brendan ?? ...
20:33:11 [tlr]
s/... xx/Jonas: xx/
20:33:16 [tlr]
... basically the folks cced on my e-mail
20:33:54 [tlr]
art: seeing how to move work forward
20:33:59 [tlr]
... whatever way makes sense ...
20:34:05 [tlr]
... think concern that Jonas raised is legitimate ...
20:34:08 [tlr]
... and understandable ...
20:34:17 [tlr]
... will go ahead and contact Apple and Ms and see if they're willing
20:34:20 [tlr]
... to provide input ...
20:34:35 [tlr]
... maybe can get somebody from opera in addition to AvK to
20:34:38 [tlr]
... provide input
20:35:01 [tlr]
tlr: Yngve; he was having misgivings i think
20:36:08 [tlr]
art: going to try to get review from MS and other security folks
20:37:32 [tlr]
tlr: note that most useful discussion might be to look at models
20:37:51 [tlr]
art: news on charter, also re access-control?
20:37:56 [tlr]
tlr: not in the loop on chartering discussions
20:38:16 [tlr]
... I think one question we hear here is what scope access-control work
20:38:29 [tlr]
... should have, and whether webapps charter should block on that
20:38:38 [tlr]
... I don't know answer to the first question, but would speculate second one is "no"
20:38:46 [tlr]
art: yeah, we seem to have lost the FF3 driver
20:38:49 [tlr]
... let's pull people together
20:38:57 [tlr]
... disadvantage is that things could drag on for longer than we like
20:39:03 [tlr]
... consequence of bringing things into committee before
20:39:05 [tlr]
... implemented
20:39:26 [tlr]
tlr: there could be existing things or mixtures of these that could be
20:39:31 [tlr]
... quicker to specify
20:39:38 [tlr]
art: mash-ups running into this
20:39:47 [tlr]
jonas: use own server as proxy
20:40:25 [tlr]
tlr: yeah... lots ask for user name and password now
20:40:31 [tlr]
... flickr api is the other way ...
20:40:42 [tlr]
jonas: that's why I liked the with-cookie approach
20:40:51 [tlr]
... better in some ways, but not good enough
20:41:01 [tlr]
... think whatever we do should integrate with whatever is out there today
20:41:06 [tlr]
... current spec doesn't cover authorization
20:41:11 [tlr]
... use latest greatest -- which is good
20:41:34 [tlr]
art: one last question for jonas -- seems like moz position not likely to change?
20:41:38 [tlr]
jonas: yep
20:41:43 [tlr]
art: thanks for taking the time
20:41:49 [tlr]
... will follow up with other vendors ...
20:41:55 [tlr]
... hope to get some useful information ...
20:42:19 [tlr]
... if there's anything I can do to help workshopping things, please say
20:42:44 [tlr]
rrsagent, make record public
20:42:48 [tlr]
rrsagent, please draft minutes
20:42:48 [RRSAgent]
I have made the request to generate http://www.w3.org/2008/02/27-waf-minutes.html tlr
20:43:25 [tlr]
art: let's suspend phone conferences till we need one
20:43:30 [tlr]
tlr: I'll stick around on IRC
20:43:32 [tlr]
jonas: agre
20:43:34 [tlr]
s/agre/agree/
20:43:52 [tlr]
rrsagent, please draft minutes
20:43:52 [RRSAgent]
I have made the request to generate http://www.w3.org/2008/02/27-waf-minutes.html tlr
20:43:54 [Zakim]
-Art_Barstow
20:43:56 [Zakim]
-[Mozilla]
20:44:00 [Zakim]
-Thomas
20:44:01 [Zakim]
IA_WAF()3:00PM has ended
20:44:02 [Zakim]
Attendees were Art_Barstow, [Mozilla], Thomas
20:55:44 [ArtB]
ArtB has joined #waf
21:03:43 [ArtB]
yes BR = Best Regards :)
21:18:16 [anne]
anne has joined #waf
21:19:43 [anne]
sorry i couldn't attend, as i said, family stuff
21:20:43 [ArtB]
yes, I remembered that
21:20:53 [ArtB]
Jonas, here's a short article on OAuth: http://www.25hoursaday.com/weblog/2007/09/12/OAuthStandardizingAuthenticationAndAuthorizationForWebAPIs.aspx
22:21:37 [Zakim]
Zakim has left #waf
23:23:42 [marcos_]
marcos_ has joined #waf