See also: IRC log
<ArtB> Hi TLR!
<ArtB> Jonas said he would invite some Moz people to our call
<ArtB> Does MikeSmith still work for the W3C :-)? Haven't seen him very much but Boston and Tokyo time zones are not very favorable :-(.
<tlr> He was on a conf call yesterday.
<ArtB> k
<tlr> I suspect it might be time to adjust the call time to accomodate him, though.
<ArtB> he agree to this time, IIRC
<tlr> oh well
<ArtB> Date: 27 Feb 2008
<ArtB> Scribe: Art
<tlr> Scribe: tlr
art: jonas, anybody else coming?
sicking: nope
art: let's go ahead
art: think everybody understands
positions of various people
... take as opportunity to talk about what the problem is
...
... next steps ...
... let me try to summon Hixie ...
tlr: expecting anne?
art: he has a personal
conflict
... let's talk a bit
jonas: need to hear from sec
people at other browser vendors
... mozilla won't move alone ...
... if we're the only ones who have the concerns, maybe others
can move ahead without us ...
art: can follow up with maciej
and see if willing to provide input
... about what safari team thinks ...
... had ms participation at some point ..
<scribe> ... dropped off ...
UNKNOWN_SPEAKER: making note to contact them ...
tlr: would be curious to
understand more precisely what the landscape looks like
... i.e., shipping plans?
jonas: if we can't send cookies for now, but still follow spec, we'll ship that ...
<ArtB> ACTION: Barstow contact IE and Safari teams about their plans for AC4CSR [recorded in http://www.w3.org/2008/02/27-waf-minutes.html#action01]
<trackbot-ng> Created ACTION-172 - Contact IE and Safari teams about their plans for AC4CSR [on Arthur Barstow - due 2008-03-05].
<Hixie> i am not near a phone
<Hixie> wassup?
tlr: I think if not sending
cookies and auth headers, we need a handover protocol
... and that's a larger design space ..
... talk to OAuth people e.g.
... skeptical that that could happen within FF3 time frame
jonas: we're out of time for FF3
art: identity server sounds like one of the main use cases, basically IDP
jonas: want to look into
oauth
... maybe look into openid ...
tlr: I'm skeptical about openid
for this use case
... that's a different discussion ...
jonas: the bouncing around design is the point
tlr; yes
jonas: we had security concerns
about openid
... haven't looked into oauth ...
... they could suffer similar worries as access-control ...
tlr: sounds like a workshop situation
art: sounds like a good
idea
... if I can help, by all means ...
... sounds like center of gravity are probably US West Coast
...
jonas: would want to hear from
security folks at other UAs
... don't personally agree with the concerns here ...
... if other vendors think the spec is sound, then don't
necessarily need to change ...
art: along those lines, was
wondering about original architecture, as applied to VB
world
... obviously, have made fairly substantial changes to the
model ...
... but part borrowed from them ...
jonas: same concerns there
... concern is with normal GET ...
tlr: ambient authorization was where this once started, indeed
jonas: would have the same concerns with the plain VB spec
art: millions of pages served that way?
tlr: think VoiceXML is *the*
industry standard for voice stuff
... operations in a more constrained environment ...
art: our model more open
... btw, my IRC connection is dead ...
... anyway, where do we go from here?
jonas: solution I'd be happy with
& be able to implement ...
... for ff3 - don't want the no-cookies way ...
... other option is to do what normal HTTP auth does, to ask
the user ...
... I think that that would be a doable solution ...
tlr: *very* skeptic about the ask user approach for this
jonas: requirement was "user
needs to approve request"
... not necessarily a pop-up ...
... if browser needs to ask the user ...
... we're stuck there ...
... but yes, I want to hear from Johnath ...
tlr: if you want a useful user
interaction, explain in terms that people understand
... and that gets you very close to flickr authorization style
experiences ...
... where effectively you want the collaboration of both sites
to do the authorization step ...
... and that in turn suggests looking at the vairous bounce
people around protocols ...
jonas: would argue that current
protocol bounces user around
... just haven't standardized how bouncing should happen
...
... that might be our problem ...
... should probably design a protocol around that ...
... target site should be the one that's responsible ...
... shouldn't include site in allow list unless previously
asked user ...
tlr: I think we're edigng more
and more toward a server-side decision model
... which means the current model doesn't really fit ...
jonas: probably don't need
whitelist language we have
... probably just yes/no answer ...
tlr: in a way, like what Tyler
and Mark were describing
... my advice (and it's nothing more) would be to drop from FF3
...
jonas: unless we do something
about asking the user
... don't think we can get everybody to agree to that
... want to keep working on the thread that I started
... try to explain better what people think of it
... expecting a no, if that's what I get, pull
implementation
tlr: assuming you need to pull,
who would need to be involved from Mozo?
... in a workshop, e.g. ...
Jonas: xx Snyder
... Brendan ?? ...
... basically the folks cced on my e-mail
art: seeing how to move work
forward
... whatever way makes sense ...
... think concern that Jonas raised is legitimate ...
... and understandable ...
... will go ahead and contact Apple and Ms and see if they're
willing
... to provide input ...
... ma ybe can get somebody from opera in addition to AvK
to
... provide input
tlr: Yngve; he was having misgivings i think
art: going to try to get review from MS and other security folks
tlr: note that most useful discussion might be to look at models
art: news on charter, also re access-control?
tlr: not in the loop on
chartering discussions
... I think one question we hear here is what scope
access-control work
... should have, and whether webapps charter should blcok on
that
... I don't know answer to the first question, but would
speculate second one is "no"
art: yeah, we seem to have lost
the FF3 driver
... let's pull people together
... disadvantage is that things could drag on for longer than
we like
... consequence of bringing things into committee before
... implemented
tlr: there could be existing
things or mixtures of these that could be
... quicker to specify
art: mash-ups running into this
jonas: use own server as proxy
tlr: yeah... lots ask for user
name and password now
... flickr api is the other way ...
jonas: that's why I liked the
with-cookie approach
... better in some ways, but not good enough
... think whatever we do should integrate with whatever is out
there today
... current spec doesn't cover authorization
... use latest greatst -- which is good
art: one last question for jonas -- seems like moz position not likely to change?
jonas: yep
art: thanks for taking the
time
... will follow up with other vendors ...
... hope to get some useful information ...
... if there's anything I can do to help workshopping things,
please say
... let's suspend phone conferences till we need one
tlr: I'll stick around on IRC
jonas: agree
This is scribe.perl Revision: 1.133 of Date: 2008/01/18 18:48:51 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/are/are not/ Succeeded: s/sould/should/ Succeeded: s/... xx/Jonas: xx/ Succeeded: s/agre/agree/ Found Scribe: Art Found Scribe: tlr Inferring ScribeNick: tlr Scribes: Art, tlr WARNING: No "Present: ... " found! Possibly Present: ArtB Art_Barstow Hixie Jonas Mozilla Thomas art joined sicking tlr trackbot-ng waf You can indicate people for the Present list like this: <dbooth> Present: dbooth jonathan mary <dbooth> Present+ amy Agenda: http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0276.html Found Date: 27 Feb 2008 Guessing minutes URL: http://www.w3.org/2008/02/27-waf-minutes.html People with action items: barstow[End of scribe.perl diagnostic output]