W3C

- DRAFT -

TAG Weekly

10 Apr 2008

Agenda

See also: IRC log

Attendees

Present:
Regrets: Raman
Chair: Stuart Williams
Scribe: David Orchard, dorchard

<Stuart> Scribe: David Orchard

<DanC> when we get to tagSoup, help me remember to bring up http://lists.w3.org/Archives/Public/public-html/2008Apr/0205.html Supporting MathML and SVG in text/html, and related topics " we actively want to make sure that

<DanC> people can't willy nilly extend the language without coordination with

<DanC> anyone interested in the development of the language"

<DanC> scribenick: DanC

Convene

-> http://www.w3.org/2001/tag/2008/04/03-minutes minutes 3 Apr

SKW: propose to approve

HT: minutes 3 Apr should show my regrets

RESOLUTION: to approve, noting HT's regrets are recorded elsewhere

PROPOSED: to meet again 17 Apr, DanC to scribe, regrets Noah

regrets 24 apr from SKW, TBL, ...

SKW: propose to cancel 24 Apr tag meeting and meet again...

<Ashok> And me!

SKW: 1 May

NM: I offer to scribe 1 May

Issue XMLVersioning-41 (ISSUE-41)

action-16?

<trackbot-ng> ACTION-16 -- David Orchard to incorporate the NVDL text into the findings. -- due 2008-05-15 -- OPEN

<trackbot-ng> http://www.w3.org/2001/tag/group/track/actions/16

<scribe> continues

action-38?

<trackbot-ng> ACTION-38 -- Norman Walsh to review the XML part again -- due 2008-02-14 -- PENDINGREVIEW

<trackbot-ng> http://www.w3.org/2001/tag/group/track/actions/38

NDW: material there is outside my expertise

<Stuart> http://lists.w3.org/Archives/Public/www-tag/2008Feb/0080

close action-38

<trackbot-ng> ACTION-38 review the XML part again closed

action-107?

<trackbot-ng> ACTION-107 -- Dan Connolly to review compatibility-strategies section 3 (soon) and 5 for May/Bristol -- due 2008-05-15 -- OPEN

<trackbot-ng> http://www.w3.org/2001/tag/group/track/actions/107

current draft is 28 March

action 107 continues

action-108?

<trackbot-ng> ACTION-108 -- Ashok Malhotra to review compatibility-strategies section 2, 4 a week after DO signals review -- due 2008-04-04 -- OPEN

<trackbot-ng> http://www.w3.org/2001/tag/group/track/actions/108

AM: yes, started, still expect to do it

SKW: Raman's review is at risk

<scribe> scribe: dorchard

<scribe> scribenick: dorchard

<DanC> DO: the 28 Mar draft incorporates comments to that point; since then, Marc D. has sent a bunch of detailed comments

<DanC> close action-111

<trackbot-ng> ACTION-111 Revise version of compatibility strategies document by next telecon (13 march) closed

action-112?

<trackbot-ng> ACTION-112 -- Noah Mendelsohn to review compatibility strategies section 2 due 2008-04-04 -- due 2008-04-04 -- OPEN

<trackbot-ng> http://www.w3.org/2001/tag/group/track/actions/112

<DanC> action-112?

<trackbot-ng> ACTION-112 -- Noah Mendelsohn to review compatibility strategies section 2 due 2008-04-04 -- due 2008-05-15 -- OPEN

<trackbot-ng> http://www.w3.org/2001/tag/group/track/actions/112

Noah signs up for later date..

raman/danc brought up css versioning

<DanC> CSS versioning: exemplary? exceptional?

discussion about what was the interesting issue..

<DanC> [css3-namespace] Last call comments from XHTML2 WG

noah: features are being introduced where the difference is greater than it was..

<DanC> (quite a long thread in http://lists.w3.org/Archives/Public/public-xhtml2/2008Mar/thread.html )

<noah> I also said that CSS was highlighted as an example of a language in which 1) there is no explicit version marker and 2) there is a default interpretation in earlier versions of features that become explicit later (I think that's right)

<DanC> yes, noah, I think David Baron makes that point pretty well

<noah> Then, as you said Dave: until now, as new features introduced have in some sense represented "modest" changes, whereas now a version is contemplated in which some of the new features will be in some sense "more incompatible" than would have been common before.

<Stuart> trackbot-ng, status

<scribe> ACTION: David to ask raman what he thinks should be done wrt css versioning [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action01]

<trackbot-ng> Created ACTION-133 - Ask raman what he thinks should be done wrt css versioning [on David Orchard - due 2008-04-17].

<DanC> (

<DanC> From: Dominique Hazael-Massieux <dom@w3.org>

<DanC> To: w3c-tools <w3c-tools@w3.org>

<DanC> Subject: Tracker nicks can now be edited on the Web

<DanC> Date: Tue, 18 Mar 2008 16:41:47 +0100 (10:41 CDT)

<DanC> http://www.w3.org/2005/MWI/BPWG/Group/track/users

<DanC> )

passwords in the clear 52

Dave posted summary of responses.

discussion about how digest is actually done including nonces...

<Zakim> noah, you wanted to talk about some security sometimes being better than none

noah: what about the security where it's just a server under a desk..

danc: their point is that is training people to do the wrong thing..

noah: so I need to buy a cert?

danc: no, self-signed certs don't cost

<noah> OK

<scribe> ACTION: david to ask security context about the exact breakage of digest [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action02]

<trackbot-ng> Created ACTION-134 - Ask security context about the exact breakage of digest [on David Orchard - due 2008-04-17].

<Ashok> Hal Lockhart -- BEA Security expert

should I say MUST not or SHOULD not send passwords in the clear?

<DanC> I think the difference between MUST NOT and SHOULD NOT isn't that significant; I think SHOULD NOT is ok, but let's not celebrate the exceptions

<timbl_> must works for me, in the sense of "must for you to comply with this"

<timbl_> If you don't want to conform then on your head be it

http://lists.w3.org/Archives/Public/public-usable-authentication/2008Feb/0002.html

<Stuart> The counter argument such as it is comes/came from John Cowan in a thread based at: http://lists.w3.org/Archives/Public/www-tag/2006Nov/0085

Always use SSL or some equivalent security - there is no provision in web browsers that allows passwords to be exchanged securely without SSL. Not even hashing.

<DanC> true, "never acceptable" is pretty much synonymous with MUST NOT; then the question is: is this guy the only relevant constituency?

<DanC> I guess MUST is simpler; I'd only go with SHOULD NOT if we didn't celebrate the exceptions at all.

noah: you could do SHOULD NOT then say note: the exceptional cases are truly exceptional..

<DanC> "2119" doesn't occur in http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

<Zakim> DanC, you wanted to note wikipedia on digest as a representation of popular understanding http://en.wikipedia.org/wiki/Digest_access_authentication

noah: you could say "we use rfc 2119 terminology, when we say must that means how to establish security on the web".

<Zakim> ht, you wanted to say we could try again

ht, ashok like must not

stuart calls the question.

<DanC> (tone? why ask about the tone? I think the proposal is clearer in terms of words)

stuart: do people approve a change in the tone of the finding to be a must not exchange passwords in the clear as well as saying it's a MUST to be secure..

<timbl_> Proposed: The document should say that passwords in the clear MUST not be used.

<DanC> +1

<Stuart> +1

<timbl_> +1

<Norm> +1

+1

<timbl_> you will, zakim, you will

<Ashok> +1

<ht> +1

<noah> +1

<Ashok> Please capitalize NOT

<scribe> ACTION: david to make the change to passwords MUST NOT be sent in the clear [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action03]

<trackbot-ng> Created ACTION-135 - Make the change to passwords MUST NOT be sent in the clear [on David Orchard - due 2008-04-17].

<timbl_> "Digest authentication is widely acknowledged to be the best available Internet standard for this purpose. " -- http://www.eweek.com/c/a/Past-Reviews/IE-Apache-Clash-on-Web-Standard/

<DanC> (I'd like to understand the problems with digest better, but I'm not sure the community should wait for me to get clued in, so perhaps silence about digest is best.)

<Stuart> That purpose being?

<DanC> (PHB at least has come around from the "it has to be perfectly secure before we deploy anything" POV.)

<ht> I just got dropped -- the traditional you lose after one hour bug

http://lists.w3.org/Archives/Public/public-usable-authentication/2008Feb/0004.html

Finally, I think you should also warn about incorrect use of SSL/TLS, specifically the incorrect method, still applied (at least by default) in several major sites, of sending unprotected login forms, and invoking SSL/TLS only upon submission, to encrypt the password -

<DanC> (the drupal community seems to see digest support as a goal http://drupal.org/node/160202 . they seem to be weighing dev costs without any reference to security deficiencies.)

consensus to do the warning SSL/TLS..

<timbl_> "or developers who want to build truly interoperable secure Web applications, the only available option is to encrypt all data between a Web client and server using SSL (Secure Sockets Layer) and to fall back to basic authentication. This is a secure option, but digest authentication is a valuable middle ground between almost no security (what unencrypted basic authentication provides) and complete SSL encryption, with its considerable CPU overhead, more complex

Issue passwordsInTheClear-52 (ISSUE-52)

<timbl_> ibid.

Issue tagSoupIntegration-54 (ISSUE-54)

<DanC> action-7?

<trackbot-ng> ACTION-7 -- Dan Connolly to work with Olivier and Tim to draft a position regarding extensibility of HTML and the role of the validator for consideration by the TAG -- due 2008-03-14 -- OPEN

<trackbot-ng> http://www.w3.org/2001/tag/group/track/actions/7

<Stuart> http://www.w3.org/2001/tag/2008/04/10-agenda

<Stuart> http://lists.w3.org/Archives/Member/tag/2008Apr/0013

discussion about Noah's action 131

<DanC> ("Stuart's P1 proposal" is frustratingly obscure; we're talking about ARIA/HTML integration comments)

<Stuart> "TAG acceptance of a compromise on this occasion should not be regarded as establishing a precedent. Several factors contribute to it being workable: that the WGs involved happen to be active at the same time; that the WG with responsibility for the host language is not having to consider a lot of extension request at the same time; that the ARIA extensions are entirely attribute based - more general element based extensions with more complex content models present

<timbl_> +1

stuart: would the tag find it useful to add the paragraph just posted to Noah's email?

<DanC> I don't agree with "we also suggest

<DanC> that the right medium term answer is for uniform treatment of names and

<DanC> values with colons to be specified for HTML."

<DanC> -- http://lists.w3.org/Archives/Member/tag/2008Apr/0013

<Stuart> So Dan... you're suggesting removal of that sentence?

<timbl_> 'we also suggest that the right medium term answer is for uniform treatment of names and

<timbl_> values with colons to be specified for HTML" I agree has been asserted to be incompatible with old browsers

<ht> http://lists.w3.org/Archives/Public/public-cdf/2008Apr/0000.html

<timbl_> which is weird when colon was supposed to be a name char

<DanC> I might rather just abstain, Stuart. the reason I don't agree is that I think it's a premature conclusion, without looking at enough of the options and state-of-the-art

Tim Berners-Lee said: "The idea of using SVG without XML is horrifying."

from http://annevankesteren.nl/2008/04/html5-foreign

<ht> HST notes that NM has left the call. . .

<ht> HST has to leave in the next minute or two

<Ashok> I agree -- +1 to HT and DaveO

henry: I've never liked the aria proposal..

danc: I've been told this is a deliverable that has nothing to do with HTML..

<Norm> I agree with Henry

<DanC> where's the request from PF that has such urgency? I'm confused by recent communications from the PF chair, Al Gilman

timbl: this could be a deliverable for xhtml, but then say "this can be used with languages like html"

<Stuart> http://lists.w3.org/Archives/Public/www-tag/2008Apr/0006.html

stuart: they may be encouraging people to use the no namespace approach

<DanC> "First: we need to be clearer about what the deal is as regards the time sequence of the following two milestones: ... " writes Al G. in http://lists.w3.org/Archives/Public/public-html/2008Apr/0192.html

stuart: where no namespace approach equals aria-

henry: needs to go, prefer to wait 1 week noting noah's absence as well.

<ht> I acknowledge that next week is a hard deadline for getting feedback decided on

<Stuart> trackbot-ng, status

<DanC> trackbot-ng, status

<scribe> ACTION: Dan to liaise with michael cooper on their expectations of the TAG [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action04]

<trackbot-ng> Created ACTION-136 - Liaise with michael cooper on their expectations of the TAG [on Dan Connolly - due 2008-04-17].

meeting adjourned

Summary of Action Items

[NEW] ACTION: Dan to liaise with michael cooper on their expectations of the TAG [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action04]
[NEW] ACTION: David to ask raman what he thinks should be done wrt css versioning [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action01]
[NEW] ACTION: david to ask security context about the exact breakage of digest [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action02]
[NEW] ACTION: david to make the change to passwords MUST NOT be sent in the clear [recorded in http://www.w3.org/2008/04/10-tagmem-minutes.html#action03]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2008/04/10 18:30:37 $
