<renato> "morning" all
<assadarat> Hi all
<Ashok> Morning!
rigo?
<scribe> ScribeNick: tlr
renato: welcome all
... agenda on the wiki ...
... review wiki activity ...
... liaison ...
... upcoming events ...
... anything else?
ashok: are you thinking of doing phone calls on regular basis?
renato: yes, if there is enough activity and demand, then will have regular call
<scribe> Agenda: http://www.w3.org/Policy/pling/wiki/2008-04-16
renato: use cases, standards,
other groups, interesting cases
... that's been documented, a bunch of people have been adding
...
... hasn't been much new very recently ...
... still looking for more use cases ...
... interesting to work out, who is using policies, what are
the issues ...
... 21 policy-related specs listed ...
... quite a list of initiatives ...
... decide how to continue work, capture information ...
... any more analysis we want to do ...
... look in depth at policy standards, map into use cases
...
... that's something we should be looking at ...
... would like to get feeling about what we should focus on
...
... floor's open ...
HannesT: one comment, two-fold --
use cases, many interesting ...
... but often don't require standardized mechanism ...
... more convenient from deployment point of view not to
standardize ...
... stuff looking nice on paper, but suffers from lack of use
cases that critically need standardized work ...
... other comment about setup of this (and similar) groups is
that things are very research-driven ...
... that's nice, too, but doesn't really help to get deployment
...
... abstract focus or usefulness for deployment?
renato: want to get as many
industrial-strength use cases and experience as we can
... obviously, much work going on in research ...
... maybe Marco wants to comment on policies in the commercial
world
marco: focus in understanding how
some of the R&D can be applied in solutions and standards
efforts ...
... that has been the angle I was coming from ...
... interesting use cases that require standards etc ...
... could be interesting to understand enterprise complexity
driven use cases ...
... major issues of coordinating policies consistently
...
... would expect to get more use cases, real world constraints
on that ....
... R&D and commercial perspectives ...
Ashok: using WS-Policy,
extensively in web services products
... has started to become quite popular and prevalent ...
... difficulty is that it's really not a very good
specification ....
... lots of things that it doesn't speak about, lots of holes
in it ...
... what to do as follow-up?
... try and start other standards activity to fill those
holes?
... or what?
renato: who's "we" here
ashok: working for Oracle, also
involved with other companies
... do interops -- Oracle, MS, IBM, BEA ...
... all of these are using WS-Policy within their products
...
marco: interesting; federated
services and idm, or also for enterprise / organizational
purposes?
... e.g., access control
... what's the range
ashok: not using ws-policy to control access to data
scribe: ws-policy not quite right
for that ...
... there, using things like XACML ...
... what we are using WS-Policy for, very specifically
...
... using it to specify, basically, three things ...
... security, reliability, ...
hannesT: business application
ashok: important use case to specify security policy
marco: capturing what you said and exposing it further
Ashok: can do
HannesT: ... internally use
formal policies ....
... no standardized interface -- typically, policies are simple
...
... raises the question what is really used ...
... implementing things is one story, using them is yet another
one ...
Ashok: why do we require
standard?
... when I as an Oracle client want to work with MS server
...
... have to be able to write policy for server ...
... if we have standard representation, can feed to server
...
... and configure clients to work with that server
marco: agree -- framework -- not
necessarily new standard as outcome
... one of major problems is not deployment of policies, but
come to integrated view ...
... consistent behavior of policies ...
... not so common in federated IDM ..
... but in big organizations, there's so many deployments of
policy enforcement and decision points ...
... integrated view whether policies are implementing business
objectives is useful ....
hannest: was at the workshop; one
crucial problem is that applications we have currently aren't
standardized
... difficult to make automated reasoning over behavior
...
... don't want to formalize everything; separate issue
...
... exploring use cases better is interesting; looking forward
to Ashok's writeup
<Zakim> peterd, you wanted to explore gaps
peterd: there are some gaps; do
think a useful exercise would be along the lines of what ITU
did with IDM 18 months ago
... assess specs that we have now ...
... wiki is not yet thorough enumeration ...
... put them in taxonomy
... federated policy fabrics ...
<rigo> ack
<Zakim> rigo, you wanted to encourage to write the concern up
rigo: hannes, can you write up
your concern?
... policy languages seem hip, lots of organizations starting
new things ...
... silos and islands ...
... need another module for doing this and that ....
... filling gaps doesn't really require new language, maybe
just plug things together ...
hannes: most of issues aren't lack of technical functionality, but lack of deployment incentive
<renato> renato: just dropped out - redialling now....
rigo: yes, that's a concern. At some point of time, have to see why deployment incentive isn't sufficient
hannes: will post thoughts
<renato> renato: BACK
renato: the more we can document
and capture gaps and experiences, one of the roles of this
group is to discuss holes and issues ...
... lots of policy issues with social networks, facebook,
flickr ...
hannest: actually not allowed to
put people photos online without explicit consent
... real-life policy; people don't realize ...
renato: yeah... Virgin Mobile
case used photo for advertising ...
... need model release before posting on billboard ...
... in some cases, simply a matter of making implicit
assumptions explicit ...
... if someone sees a photo on facebook, download it ...
... facebook has some privacy settings ...
... when photo leaves facebook compound, can do as you like
...
hannest: would be nice to attach
policies to photos
... can accomplish using creative commons ...
... sth similar for location in IETF ...
... attach flags to location information ...
... do I allow to redistribute location ...
... already too complicated ...
renato: use cases, wiki
<Zakim> Rigo, you wanted to talk about the relation to law
renato: will put virgin mobile scenario in use case
rigo: renato, there's speaker
queue on irc
... first of all, hannes, problem in the virgin case was that
there was cc license ...
... now the courts are seeking argumentation to prohibit the
use ...
... because it was unexpected ...
... a bit behind; have 10 cases floating around ...
... where people are unaware of risks in using photos ...
... photos of people, etc ...
... other cases where finality of data was extended ..
... using video surveillance to deal with dog excrement on
shoes (and carpet) ...
... one of the cases that Piero reported is that, if people
would realize the audience they are sending things to, they
would behave differently ...
... (a) how do I manage governance of my data in backend
...
... (b) what can I do to help users realize what they are
doing? ...
... separate things; both in scope here
hannes: would be interesting to
see these examples ...
... mostly dealing with social networks ...
... analysis how things could help ...
... came across use case in Germany recently ...
... StudiVZ - students and school kids ...
... teacher evaluation ...
... no accountability for person doing evaluation ...
<Giles> ratemyteacher.co.uk
<Giles> teachers leave as a result...
hannes: went to court, is still
there ...
... will send uri
giles: one of the biggest issues
with photos on social network sites is ...
... tagging -- you can now tag photos with somebody else's
profile on facebook ...
... put their e-mail address in the tag ...
... no policy / way of saying "i don't want people to tag
photos with my profile" ...
... issue of policies on social networks is bigger problem
...
... no export format for profiles ...
... no way to export access preferences either ...
<peterd> dataportability group is looking at suggestions for profile representation normalizations
hannes: ...
giles: could be sticky policies
hannes: they encourage people to
say whatever they want, no real identity behind ...
... practical limitations ...
giles: in sth like facebook, only
friends can access data ...
... they recently changed it so you have granular control
...
... who can access which fields ...
... you can't export that information, however ...
... lock-in with facebook ...
... google pushing OpenSocial API ...
marco: same for linkedIn
giles: whole issue of exporting
access control policies, delegating them
... if you look at open mashup apis ...
... we have a group that works on Web 2 security ...
... big issue is that you can't send your access control
preferences transitively through set of services ...
tlr: do we know to what extent the granular policy interfaces are used, at facebook?
<rigo> tr: extension of facebook, have you any idea how many people are changing settings in their profile?
giles: will find out
renato: anybody else?
marco: maybe we should create a new page that collects issues
<rigo> who will create those pages?
<rigo> MC: create page with OpenIssues
<scribe> ACTION: renato to start issues list [recorded in http://www.w3.org/2008/04/16-pling-minutes.html#action01]
<rigo> call it OpenIssues
giles: some more comments
...
... can't remember who it was -- somebody mentioned what ITU
has been doing in terms of idm ...
... doing survey of policy languages would be extremely useful
...
... having that as a public directory would be very interesting
...
... useful piece of work ...
... also, some more use cases ...
... from ENISA perspective, have been working a lot on
authentication policies ...
... describe what is high/low/medium level of authentication
...
... conditions that are required to issue authentication tokens
...
... maybe could write something there ...
... also, found on level of human-readable security policies
...
... there is need for standard way to express them ...
<scribe> ... ongoing initiative to collect best practices for security policies ...
UNKNOWN_SPEAKER: can download or
collect security policies / practices from many different
companies ...
... figure out what are best practices ...
... there is no standard way to express these; would be useful
to have one ....
<rigo> this is kind of P3P for Security Policies
hannest: ITU-T IDM study -- what
specifically did they do?
... that applies to policy space?
giles: they started with write-up
what's out there
... extended that
... uri in a sec
<scribe> ACTION: Giles to circulate ITU-T URI one of deliverables was gap analysis [recorded in http://www.w3.org/2008/04/16-pling-minutes.html#action02]
hannest: gap analysis means
comparing things
... what did they compare to what?
giles: have to check
<rigo> and to send also the extended list from ENISA with GAP analysis
giles: there was a status quo
description document, then requirements
... have to check ...
peterd: there was ucr document
that was mapped into gap analysis
... gap analysis had lots of things there, lots of things
missing ...
<Giles> http://wiki.enisa.europa.eu/index.php?title=Electronic_Identity_Directory
peterd: telecommunications infrastructure heaviness ...
hannest: look at these
cases?
... sometimes, gaps are artificial ...
... due to artificial requirements ...
peterd: a bit of both
giles uri above is the description of the idm standards
scribe: doesn't include requirements ...
<peterd> http://www.itu.int/ITU-T/studygroups/com17/fgidm/
hannest: is link going to be in minutes?
renato: irc log will become minutes
rigo: will transform minutes into readable form
hannest: good luck
renato: would like to move on to
item 2
... anything else about current activity?
renato: goal is to help other
projects / groups / communities to share info more
broadly
... share information about policy activities ...
... four informations listed here
... JTC1/SC27 WG5?
<rigo> tlr: some email exchange and will follow up further
tlr: some initial e-mail exchange, need to follow up further
renato: will follow up, see
whether we can progress
... primelife?
rigo: start-up phase
... will be a bit till it contributes ...
... hope that project deliverables can be contributed to PLING
...
... would encourage us to accept that ...
renato: prime was successful,
would be happy to have link to that group
... concordia?
tlr: umh... not remembering anything in particular re liaison
peterd: major interop event at RSA, WS-Trust, etc
renato: keep on agenda
... next one was picos
... on marco
... anything else that we should be aware of?
hannest: some work in the
communications future program at MIT
... maybe useful to drop them a note
... can get in touch with person who is organizing this
... have to drop off now
... anything else?
peterd: there was some SIP policy
work going on at IETF, don't know about disposition most
recently
... will try and post to the list later today ...
renato: if there's more, send to
list
... we're getting close to time ...
renato: WWW 2008 next week in
Beijing
... panel on policy-aware web there
... see www.www2008..org ...
... also, will give lightning talk at W3C AC meeting ...
... quick overview of what's going on ...
... also, planning to have f2f at technical plenary week in
October ...
<rigo> it will be in Mandelieu
renato: any other events worth noting?
<rigo> TPAC in October: http://www.w3.org/2008/10/TPAC/
renato: if there are relevant things, please add to list and wiki
<rigo> 20 October - 24 October 2008
<boabjohn> Good time here!
renato: note that we've got people from all corners of the globe; insight into useful times
<Ashok> I suggest we use this time!
rigo: 8am Eastern probably a good slot
renato: any feelings about every fortnight or every month?
rigo: once a month largely sufficient at the moment
giles: ack
<rigo> ACTION: Rigo to schedule the next call in May [recorded in http://www.w3.org/2008/04/16-pling-minutes.html#action03]
<renato> bye
<boabjohn> Is this being recorded?
<rigo> no audio recording, but you'll get the minutes
<boabjohn> No worries...any advantage to audio?
<rigo> and Thomas has minuted verbatim, so the raw minutes are like a recording
<boabjohn> Ha! Amazing...does he contract his services?
<rigo> boabjohn, :)
<rigo> W3C has considered audio-recording but it is complex, technically and policy wise
<boabjohn> Cheers from the bottom up.