10:02:05 RRSAgent has joined #waf
10:02:05 logging to http://www.w3.org/2008/06/05-waf-irc
10:02:22 +Art_Barstow
10:02:46 I'm having some trouble calling in
10:03:02 Zakim, code?
10:03:02 the conference code is 9231 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), MikeSmith
10:03:07 as in, it doesn't seem to set me up
10:03:19 +[IPcaller]
10:03:24 +Arve
10:03:27 Zakim, [IP is me
10:03:27 +MikeSmith; got it
10:03:49 marcos has joined #waf
10:03:52 Date: 5 June 2008
10:04:06 Agenda: http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html
10:04:10 Chair: Art
10:04:15 Scribe: Art
10:04:21 ScribeNick: ArtB
10:04:30 Regrets: Claudio
10:04:34 +[IPcaller]
10:04:56 zakim, IPCaller is me
10:04:56 +marcos; got it
10:05:05 Present: Art, Arve, Thomas, Arve, Marcos
10:05:37 zakim, who is here?
10:05:37 On the phone I see +44.782.590.aaaa, Thomas, Art_Barstow, MikeSmith, Arve, marcos
10:05:40 On IRC I see marcos, RRSAgent, Zakim, BenW, ArtB, Lachy, tlr, trackbot, arve, MikeSmith, heycam, blassey_, shepazu, anne, Hixie, hendry, mikko
10:05:56 Present+ Ben
10:06:15 Topic: Review Agenda
10:06:18 AB: http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html
10:06:25 ... above is today's agenda
10:06:32 zakim, +44.782.590.aaaa is BenW
10:06:32 +BenW; got it
10:06:37 ... Any change requests for the agenda?
10:06:47 [none]
10:06:55 Topic: Digital Signatures
10:07:07 AB: latest ED is http://dev.w3.org/2006/waf/widgets-digsig/
10:07:27 ABe: I have a specific question
10:07:57 ... when establishing a root cert, can the SSL root cert be re-used
10:08:12 ... thus vendors don't have to have separate root certs
10:08:27 q+
10:08:33 MC: I know Verisign sells a variety of certs
10:08:41 ... and one is for code signing
10:08:56 ... Y! is the only vendor that is doing signing
10:09:09 ... I can look at what they are doing and report back
10:09:23 ... Benoit has also done some work in this area
10:09:43 TLR: with XML Sign would use X509
10:10:06 claudio has joined #waf
10:10:17 ... a) will Widget engine reuse certs
10:10:50 Vista side bar: We might want to have a look at http://blog.eqinox.net/jed/articles/1707.aspx
10:11:04 (Benoit sent me that link)
10:11:08 ... b) the question is whether there might be reservations from the CAs; we should probably talk to them
10:11:31 ... I believe code signing certs to be more expensive
10:11:52 ... it may make sense to keep them separate but at the end of the day it's a policy decision
10:12:18 AB: decision on behalf of the widget engine vendor?
10:12:27 TLR: yes but the CA too
10:13:27 ... the decision is independent of whether or not XML Sig is used
10:13:31 To quote Yahoo: "If you sign your Widget with a code-signing certificate issued by VeriSign, we can also verify the authenticity of the certificate itself. We intend to support more certificate authorities in future releases."
10:14:30 TLR: yes, a web server cert can be taken over thus it makes sense from a security perspective for them to use a separate code-signing cert
10:14:48 ... different use cases really
10:15:10 ABe: OK, this discussion was helpful
10:15:23 ... I think we may have more questions later
10:16:01 AB: with the proviso I'm not an expert in this area, it's not clear we need to mandate anything
10:16:26 TLR: we may want to say code-signing certs are mandatory
10:16:46 Another interesting link: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2015994&SiteID=1
10:16:49 ... but it could create some interop problems
10:17:42 ... For a code-signing cert, may want a different type of validation for the party that does the signing
10:18:39 ... CAs may not want certs intended for TLS being re-used for widgets
10:19:02 TLR: we really should get a CA or two at the table to discuss this
10:20:18 AB: which security-related WGs can we contact?
10:20:39 TLR: Philip Hallam-Baker from VeriSign is one person
10:20:53 ... there are other CAs represented in these groups
10:21:26 ... Art could send an e-mail to the AC reps of the CAs
10:21:46 ... mobile people are doing related work
10:22:05 BW: our security guy is active in OMTP and made a related proposal
10:22:51 s/other CAs represented in these groups/... GoDaddy is a W3C member company with a CA business as well .../
10:22:53 AB: can we get that proposal?
10:23:21 ACTION Worthington see if VF's signing input to OMTP can be shared with WAF
10:23:21 Created ACTION-181 - See if VF's signing input to OMTP can be shared with WAF [on Ben Worthington - due 2008-06-12].
10:23:41 ACTION Barstow contact the CAs regarding the reuse of TLS certs for Widgets
10:23:41 Created ACTION-182 - Contact the CAs regarding the reuse of TLS certs for Widgets [on Arthur Barstow - due 2008-06-12].
10:24:59 TLR: GoDaddy is one of the CAs I mentioned that is a member
10:25:12 AB: OK, thanks
10:25:44 s/Topic: Digital Signatures/Topic: reusing TLS certs for Widgets/
10:26:22 Topic: Digital Signal spec - open issues
10:26:35 AB: http://dev.w3.org/2006/waf/widgets-digsig/
10:26:46 AB: we have several open issues in the latest ED
10:26:59 ... we can use this as an opportunity to get feedback from Thomas
10:27:10 ... would like to understand our plan to address these issues
10:27:36 MC: we have a request to support signatures from multiple people
10:27:50 ... also an open issue regarding certificate chaining
10:28:21 AB: regarding multiple signing, what's the current state?
10:28:40 MC: the only widget engine vendor is Y! and they aren't doing anything here
10:28:47 q+ to comment on mobile browsers and CAs
10:28:58 ... in the mobile world, Java supports multiple signatures
10:29:14 ... I would also like to understand Apple's model
10:29:24 MC: iPhone apps
10:30:05 ACTION Barstow investigate Java model for multiple signatures
10:30:05 Created ACTION-183 - Investigate Java model for multiple signatures [on Arthur Barstow - due 2008-06-12].
10:30:34 AB: where did the signature chain requirement come from?
10:30:51 MC: there is no requirement but it is something XML Signature supports
10:31:25 TLR: yes, could have a list of certs that needs to be walked up
10:31:31 ... more of an X509 property
10:31:47 ... could say all intermediate certs need to be there
10:33:12 TLR: it might be best to just have the X.509 cert data be put into the element as a single block
10:33:22 MC: I agree
10:34:05 AB: is there a follow-up issue/action?
10:34:14 MC: no, we just need to spec the model
10:34:52 AB: the new XML Security WG includes in its Charter a liaison with WAF
10:35:39 TLR: the XML Security Maintenance WG will end at the end of June
10:35:47 ... it is slowly ramping up
10:35:59 zakim, mute benw
10:35:59 BenW should now be muted
10:36:03 :)
10:36:18 ... thus use the Maintenance WG mail list now for communication
10:37:11 AB: are there other issues to discuss today, Marcos?
10:37:22 MC: I think we've covered the main issues
10:37:45 q+
10:38:12 TLR: two more points
10:38:22 ... 1. should probably add a timestamp
10:38:26 q-
10:38:53 ... 2. regarding transform, it turns out it's not well-defined
10:39:02 ... do you have any more clarity?
10:39:13 MC: no; as you say it's not well-defined
10:39:59 TLR: think we need to investigate this more
10:40:18 MC: it would be helpful if I knew exactly what to look for
10:40:58 TLR: perhaps look at the deflate algorithm
10:42:14 MC: are you signing the compressed blob or not
10:43:35 ... for v1 could say you must do it this way; and then for v2 we could add the transform if there is a request for it
10:44:30 TR: Not having the transform sounds like it wants an additional security consideration; happy to provide that.
10:45:35 ACTION: roessler to contribute security considerations for decompression and signature validation
10:45:35 Created ACTION-184 - Contribute security considerations for decompression and signature validation [on Thomas Roessler - due 2008-06-12].
10:45:43 A
10:46:22 ACTION: Marcos to add timestamp element to widget dig sig spec
10:46:22 Created ACTION-185 - Add timestamp element to widget dig sig spec [on Marcos Caceres - due 2008-06-12].
10:46:34 Topic: widget: scheme
10:46:58 -Thomas
10:48:05 AB: Marcos made a proposal http://lists.w3.org/Archives/Public/public-appformats/2008May/0088.html
10:48:48 AB: we received lots of comments, even from TBL
10:49:03 MC: I think some people hadn't read the spec yet they commented anyway
10:49:28 ... the proposal to use http scheme just doesn't make sense for our use
10:49:58 ... my proposal says you can use http if you want to
10:50:11 ... but it would mean changing the widget engine architecture
10:50:23 anne has left #waf
10:50:57 anne has joined #waf
10:51:11 ACTION Barstow follow-up the scope issue related to the widget: scheme thread
10:51:11 Created ACTION-186 - Follow-up the scope issue related to the widget: scheme thread [on Arthur Barstow - due 2008-06-12].
10:51:15 http://lists.w3.org/Archives/Public/public-appformats/2008May/0140.html
10:52:10 My proposal was: http://widgetengine:port/instanceID/package.wgt/path/to/resource
10:52:11 q+ to chime in
10:52:43 AB: I think we've done a good job of keeping the TAG informed
10:53:16 ... but if they don't read the spec and understand our use cases we need to consider that in our disposition of their comments
10:53:30 MS: we do indeed need to include the TAG in such discussions
10:53:48 ... we must get approval eventually from the Director
10:54:15 ... thus I recommend we seriously consider any comment from the Director
10:54:34 q+
10:54:34 MC: I responded to Tim's email
10:54:46 ... the ball is in his court now; he hasn't responded
10:55:34 MS: I don't think we need to go out of our way to ask Tim to respond, at least not at this point
10:56:00 ... If he feels strongly about it he surely will let us know and we will have to deal with it
10:56:25 q+ to comment on the TAG discussion
10:56:30 ABe: I think most of the comments were from people that didn't understand our use case
10:56:33 tlr-
10:56:43 q- tlr
10:56:55 ... perhaps we should separately write up our UCs and Reqs
10:57:29 The req: http://dev.w3.org/2006/waf/widgets-reqs/#r5.-addressing
10:57:31 AB: I agree with Arve
10:57:39 ... Marcos do we have related requirements
10:57:57 MC: yes, we do have a requirement
10:58:17 ACTION: expand requirement number 5 to be more descriptive
10:58:17 Sorry, couldn't find user - expand
10:58:28 ACTION: Marcos to expand requirement number 5 to be more descriptive
10:58:28 Created ACTION-187 - Expand requirement number 5 to be more descriptive [on Marcos Caceres - due 2008-06-12].
10:59:13 AB: do we want to continue this topic next week?
10:59:21 MC: no I don't think so
10:59:39 ... I think we just need to document the usage better
11:00:05 ... unless someone wants to use http:
11:00:16 ABe: no I don't think so
11:00:43 ... http: scheme isn't appropriate for the Widget engine where origin isn't necessarily a Web site
11:01:19 ... I don't think we should use http: for things it was not intended for
11:01:26 ... I do NOT want to use http:
11:01:48 AB: I support Arve's position as our continued working model
11:01:55 ... others?
11:02:03 MC: I'll abstain on this
11:02:19 ... it would add a lot of complexity; too much I think
11:02:26 ... certainly not for v1
11:03:11 Topic: Web Apps Charter update
11:03:21 AB: any new news Mike?
11:03:30 MS: I don't have any new news to share
11:03:44 ... hope to have something by next VC
11:04:00 AB: we are currently working with an Expired Charter
11:04:06 MS: yes, I know
11:04:17 Topic: Next F2F Meeting
11:04:30 AB: last week we agreed it would be in Sept
11:04:40 ... but that was a conflict for Marcos
11:04:52 AB: new proposal: August 26-28 in Turin
11:05:04 AB: any objections?
11:05:09 ABe: OK with me
11:05:15 MC: OK with me
11:05:22 ... and thanks all for changing the date
11:05:30 zakim, unmute benw
11:05:30 BenW should no longer be muted
11:06:18 RESOLUTION our next Widgets f2f meeting will be August 26-28 in Turin hosted by Telecom Italia
11:06:36 AB: Meeting Adjourned
11:06:41 -BenW
11:06:53 -Art_Barstow
11:06:57 -MikeSmith
11:07:11 rrsagent, make logs public
11:07:17 rrsagent, make minutes
11:07:17 I have made the request to generate http://www.w3.org/2008/06/05-waf-minutes.html ArtB
11:08:01 -Arve
11:08:02 -marcos
11:08:04 IA_WAF(widgets)6:00AM has ended
11:08:06 Attendees were Thomas, Art_Barstow, Arve, MikeSmith, marcos, BenW
11:08:14 Meeting: Widgets Voice Conference
11:08:20 rrsagent, make minutes
11:08:20 I have made the request to generate http://www.w3.org/2008/06/05-waf-minutes.html ArtB
11:09:45 s/RESOLUTION our/RESOLUTION: our/
11:09:50 rrsagent, make minutes
11:09:50 I have made the request to generate http://www.w3.org/2008/06/05-waf-minutes.html ArtB
11:27:56 ArtB: you remember that Sunava has promised some feedback by June 6?
11:30:08 zakim, bye
11:30:08 Zakim has left #waf
11:30:13 rrsagent, bye
11:30:13 I see 4 open action items saved in http://www.w3.org/2008/06/05-waf-actions.rdf :
11:30:13 ACTION: roessler to contribute security considerations for decompression and signature validation [1]
11:30:13 recorded in http://www.w3.org/2008/06/05-waf-irc#T10-45-35
11:30:13 ACTION: Marcos to add timestamp element to widget dig sig spec [2]
11:30:13 recorded in http://www.w3.org/2008/06/05-waf-irc#T10-46-22
11:30:13 ACTION: expand requirement number 5 to be more descriptive [3]
11:30:13 recorded in http://www.w3.org/2008/06/05-waf-irc#T10-58-17
11:30:13 ACTION: Marcos to expand requirement number 5 to be more descriptive [4]
11:30:13 recorded in http://www.w3.org/2008/06/05-waf-irc#T10-58-28