IRC log of waf on 2008-06-05

Timestamps are in UTC.

10:02:05 [RRSAgent]
RRSAgent has joined #waf
10:02:05 [RRSAgent]
logging to http://www.w3.org/2008/06/05-waf-irc
10:02:22 [Zakim]
+Art_Barstow
10:02:46 [arve]
I'm having some trouble calling in
10:03:02 [MikeSmith]
Zakim, code?
10:03:02 [Zakim]
the conference code is 9231 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), MikeSmith
10:03:07 [arve]
as in, it doesn't seem to set me up
10:03:19 [Zakim]
+[IPcaller]
10:03:24 [Zakim]
+Arve
10:03:27 [MikeSmith]
Zakim, [IP is me
10:03:27 [Zakim]
+MikeSmith; got it
10:03:49 [marcos]
marcos has joined #waf
10:03:52 [ArtB]
Date: 5 June 2008
10:04:06 [ArtB]
Agenda: http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html
10:04:10 [ArtB]
Chair: Art
10:04:15 [ArtB]
Scribe: Art
10:04:21 [ArtB]
ScribeNick: ArtB
10:04:30 [ArtB]
Regrets: Claudio
10:04:34 [Zakim]
+[IPcaller]
10:04:56 [marcos]
zakim, IPCaller is me
10:04:56 [Zakim]
+marcos; got it
10:05:05 [ArtB]
Present: Art, Arve, Thomas, Arve, Marcos
10:05:37 [marcos]
zakim, who is here?
10:05:37 [Zakim]
On the phone I see +44.782.590.aaaa, Thomas, Art_Barstow, MikeSmith, Arve, marcos
10:05:40 [Zakim]
On IRC I see marcos, RRSAgent, Zakim, BenW, ArtB, Lachy, tlr, trackbot, arve, MikeSmith, heycam, blassey_, shepazu, anne, Hixie, hendry, mikko
10:05:56 [ArtB]
Present+ Ben
10:06:15 [ArtB]
Topic: Review Agenda
10:06:18 [ArtB]
AB: http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html
10:06:25 [ArtB]
... above is today's agenda
10:06:32 [marcos]
zakim, +44.782.590.aaaa is BenW
10:06:32 [Zakim]
+BenW; got it
10:06:37 [ArtB]
... Any change requests for the agenda?
10:06:47 [ArtB]
[none]
10:06:55 [ArtB]
Topic: Digital Signatures
10:07:07 [ArtB]
AB: latest ED is http://dev.w3.org/2006/waf/widgets-digsig/
10:07:27 [ArtB]
ABe: I have a specific question
10:07:57 [ArtB]
... when establishing a root cert, can the SSL root cert be re-used
10:08:12 [ArtB]
... thus vendors don't have to have separate root certs
10:08:27 [tlr]
q+
10:08:33 [ArtB]
MC: I know Verisign sells a variety of certs
10:08:41 [ArtB]
... and one is for code signing
10:08:56 [ArtB]
... Y! is the only vendor that is doing signing
10:09:09 [ArtB]
... I can look at what they are doing and report back
10:09:23 [ArtB]
... Benoit has also done some work in this area
10:09:43 [ArtB]
TLR: with XML Sign would use X509
10:10:06 [claudio]
claudio has joined #waf
10:10:17 [ArtB]
... a) will Widget engine reuse certs
10:10:50 [marcos]
Vista side bar: We might want to have a look at http://blog.eqinox.net/jed/articles/1707.aspx
10:11:04 [marcos]
(Benoit sent me that link)
10:11:08 [ArtB]
... b) the question is whether there might be reservations from the CAs; we should probably talk to them
10:11:31 [ArtB]
... I believe code signing certs to be more expensive
10:11:52 [ArtB]
... it may make sense to keep them separate but at the end of the day it's a policy decision
10:12:18 [ArtB]
AB: decision on behalf of the widget engine vendor?
10:12:27 [ArtB]
TLR: yes but the CA too
10:13:27 [ArtB]
... the decision is independent of whether or not XML Sig is used
10:13:31 [marcos]
To quote Yahoo: "If you sign your Widget with a code-signing certificate issued by VeriSign, we can also verify the authenticity of the certificate itself. We intend to support more certificate authorities in future releases."
10:14:30 [ArtB]
TLR: yes, a web server cert can be taken over thus it makes sense from a security perspective for them to use a separate code-signing cert
10:14:48 [ArtB]
... different use cases really
10:15:10 [ArtB]
ABe: OK, this discussion was helpful
10:15:23 [ArtB]
... I think we may have more questions later
10:16:01 [ArtB]
AB: with the proviso I'm not an expert in this area, it's not clear we need to mandate anything
10:16:26 [ArtB]
TLR: we may want to say code-signing certs are mandatory
10:16:46 [marcos]
Another interesting link: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2015994&SiteID=1
10:16:49 [ArtB]
... but it could create some interop problems
10:17:42 [ArtB]
... For a code-signing cert, may want a different type of validation for the party that does the signing
10:18:39 [ArtB]
... CAs may not want certs intended for TLS being re-used for widgets
10:19:02 [ArtB]
TLR: we really should get a CA or two at the table to discuss this
10:20:18 [ArtB]
AB: which security-related WGs can we contact?
10:20:39 [ArtB]
TLR: Phillip Hallam-Baker from VeriSign is one person
10:20:53 [ArtB]
... there are other CAs represented in these groups
10:21:26 [ArtB]
... Art could send an e-mail to the AC reps of the CAs
10:21:46 [ArtB]
... mobile people are doing related work
10:22:05 [ArtB]
BW: our security guy is active in OMTP and made a related proposal
10:22:51 [tlr]
s/other CAs represented in these groups/... GoDaddy is a W3C member company with a CA business as well .../
10:22:53 [ArtB]
AB: can we get that proposal?
10:23:21 [ArtB]
ACTION Worthington see if VF's signing input to OMTP can be shared with WAF
10:23:21 [trackbot]
Created ACTION-181 - See if VF's signing input to OMTP can be shared with WAF [on Ben Worthington - due 2008-06-12].
10:23:41 [ArtB]
ACTION Barstow contact the CAs regarding the reuse of TLS certs for Widgets
10:23:41 [trackbot]
Created ACTION-182 - Contact the CAs regarding the reuse of TLS certs for Widgets [on Arthur Barstow - due 2008-06-12].
10:24:59 [ArtB]
TLR: GoDaddy is one of the CAs I mentioned that is a member
10:25:12 [ArtB]
AB: OK, thanks
10:25:44 [ArtB]
s/Topic: Digital Signatures/Topic: reusing TLS certs for Widgets/
10:26:22 [ArtB]
Topic: Digital Signal spec - open issues
10:26:35 [ArtB]
AB: http://dev.w3.org/2006/waf/widgets-digsig/
10:26:46 [ArtB]
AB: we have several open issues in the latest ED
10:26:59 [ArtB]
... we can use this as an opportunity to get feedback from Thomas
10:27:10 [ArtB]
... would like to understand our plan to address these issues
10:27:36 [ArtB]
MC: we have a request to support signatures from multiple people
10:27:50 [ArtB]
... also an open issue regarding certificate chaining
10:28:21 [ArtB]
AB: regarding multiple signing, what's the current state?
10:28:40 [ArtB]
MC: the only widget engine vendor is Y! and they aren't doing anything here
10:28:47 [MikeSmith]
q+ to comment on mobile browsers and CAs
10:28:58 [ArtB]
... in the mobile world, Java supports multiple signatures
10:29:14 [ArtB]
... I would also like to understand Apple's model
10:29:24 [marcos]
MC: iphone apps
10:30:05 [ArtB]
ACTION Barstow investigate Java model for multiple signatures
10:30:05 [trackbot]
Created ACTION-183 - Investigate Java model for multiple signatures [on Arthur Barstow - due 2008-06-12].
10:30:34 [ArtB]
AB: where did the signature chain requirement come from?
10:30:51 [ArtB]
MC: there is no requirement but it is something XML Signature supports
10:31:25 [ArtB]
TLR: yes, could have a list of certs that needs to be walked up
10:31:31 [ArtB]
... more of an X509 property
10:31:47 [ArtB]
... could say all intermediate certs need to be there
10:33:12 [marcos]
TLR: it might be best to just have the X.509 cert data be put into the <x509data> element as a single block
10:33:22 [marcos]
MC: I agree
10:34:05 [ArtB]
AB: is there a follow-up issue/action?
10:34:14 [ArtB]
MC: no, we just need to spec the model
10:34:52 [ArtB]
AB: the new XML Security WG includes in its Charter a liaison with WAF
10:35:39 [ArtB]
TLR: the XML Security Maintenance WG will end at the end of June
10:35:47 [ArtB]
... it is slowly ramping up
10:35:59 [marcos]
zakim, mute benw
10:35:59 [Zakim]
BenW should now be muted
10:36:03 [marcos]
:)
10:36:18 [ArtB]
... thus use the Maintenance WG mail list now for communication
10:37:11 [ArtB]
AB: are there other issues to discuss today, Marcos?
10:37:22 [ArtB]
MC: I think we've covered the main issues
10:37:45 [tlr]
q+
10:38:12 [ArtB]
TLR: two more points
10:38:22 [ArtB]
... 1. should probably add a timestamp
10:38:26 [MikeSmith]
q-
10:38:53 [ArtB]
... 2. regarding transform, it turns out it's not well-defined
10:39:02 [ArtB]
... do you have any more clarity?
10:39:13 [ArtB]
MC: no; as you say it's not well-defined
10:39:59 [ArtB]
TLR: think we need to investigate this more
10:40:18 [ArtB]
MC: it would be helpful if I knew exactly what to look for
10:40:58 [ArtB]
TLR: perhaps look at the deflate algorithm
10:42:14 [ArtB]
MC: are you signing the compressed blob or not
10:43:35 [ArtB]
... for v1 could say you must do it this way; and then for v2 we could add the transform if there is a request for it
10:44:30 [tlr]
TR: Not having the transform sounds like it wants an additional security consideration; happy to provide that.
10:45:35 [tlr]
ACTION: roessler to contribute security considerations for decompression and signature validation
10:45:35 [trackbot]
Created ACTION-184 - Contribute security considerations for decompression and signature validation [on Thomas Roessler - due 2008-06-12].
10:45:43 [marcos]
A
10:46:22 [marcos]
ACTION: Marcos to add timestamp element to widget dig sig spec
10:46:22 [trackbot]
Created ACTION-185 - Add timestamp element to widget dig sig spec [on Marcos Caceres - due 2008-06-12].
10:46:34 [ArtB]
Topic: widget: scheme
10:46:58 [Zakim]
-Thomas
10:48:05 [ArtB]
AB: Marcos made a proposal http://lists.w3.org/Archives/Public/public-appformats/2008May/0088.html
10:48:48 [ArtB]
AB: we received lots of comments, even from TBL
10:49:03 [ArtB]
MC: I think some people hadn't read the spec yet they commented anyway
10:49:28 [ArtB]
... the proposal to use http scheme just doesn't make sense for our use
10:49:58 [ArtB]
... my proposal says you can use http if you want to
10:50:11 [ArtB]
... but it would mean changing the widget engine architecture
10:50:23 [anne]
anne has left #waf
10:50:57 [anne]
anne has joined #waf
10:51:11 [ArtB]
ACTION Barstow follow-up the scope issue related to the widget: scheme thread
10:51:11 [trackbot]
Created ACTION-186 - Follow-up the scope issue related to the widget: scheme thread [on Arthur Barstow - due 2008-06-12].
10:51:15 [marcos]
http://lists.w3.org/Archives/Public/public-appformats/2008May/0140.html
10:52:10 [marcos]
My proposal was: http://widgetengine:port/instanceID/package.wgt/path/to/resource
10:52:11 [MikeSmith]
q+ to chime in
10:52:43 [ArtB]
AB: I think we've done a good job of keeping the TAG informed
10:53:16 [ArtB]
... but if they don't read the spec and understand our use cases we need to consider that in our disposition of their comments
10:53:30 [ArtB]
MS: we do indeed need to include the TAG in such discussions
10:53:48 [ArtB]
... we must get approval eventually from the Director
10:54:15 [ArtB]
... thus I recommend we seriously consider any comment from the Director
10:54:34 [arve]
q+
10:54:34 [ArtB]
MC: I responded to Tim's email
10:54:46 [ArtB]
... the ball is in his court now; he hasn't responded
10:55:34 [ArtB]
MS: I don't think we need to go out of our way to ask Tim to respond, at least not at this point
10:56:00 [ArtB]
... If he feels strongly about it he surely will let us know and we will have to deal with it
10:56:25 [MikeSmith]
q+ to comment on the TAG discussion
10:56:30 [ArtB]
ABe: I think most of the comments were from people that didn't understand our use case
10:56:33 [MikeSmith]
tlr-
10:56:43 [MikeSmith]
q- tlr
10:56:55 [ArtB]
... perhaps we should separately write up our UCs and Reqs
10:57:29 [marcos]
The req: http://dev.w3.org/2006/waf/widgets-reqs/#r5.-addressing
10:57:31 [ArtB]
AB: I agree with Arve
10:57:39 [ArtB]
... Marcos do we have related requirements
10:57:57 [ArtB]
MC: yes, we do have a requirement
10:58:17 [marcos]
ACTION: expand requirement number 5 to be more descriptive
10:58:17 [trackbot]
Sorry, couldn't find user - expand
10:58:28 [trackbot]
Created ACTION-187 - Expand requirement number 5 to be more descriptive [on Marcos Caceres - due 2008-06-12].
10:59:13 [ArtB]
AB: do we want to continue this topic next week?
10:59:21 [ArtB]
MC: no I don't think so
10:59:39 [ArtB]
... I think we just need to document the usage better
11:00:05 [ArtB]
... unless someone wants to use http:
11:00:16 [ArtB]
ABe: no I don't think so
11:00:43 [ArtB]
... http: scheme isn't appropriate for the Widget engine where origin isn't necessarily a Web site
11:01:19 [ArtB]
... I don't think we should use http: for things it was not intended for
11:01:26 [ArtB]
... I do NOT want to use http:
11:01:48 [ArtB]
AB: I support Arve's position as our continued working model
11:01:55 [ArtB]
... others?
11:02:03 [ArtB]
MC: I'll abstain on this
11:02:19 [ArtB]
... it would add a lot of complexity; too much I think
11:02:26 [ArtB]
... certainly not for v1
11:03:11 [ArtB]
Topic: Web Apps Charter update
11:03:21 [ArtB]
AB: any new news Mike?
11:03:30 [ArtB]
MS: I don't have any new news to share
11:03:44 [ArtB]
... hope to have something by next VC
11:04:00 [ArtB]
AB: we are currently working with an Expired Charter
11:04:06 [ArtB]
MS: yes, I know
11:04:17 [ArtB]
Topic: Next F2F Meeting
11:04:30 [ArtB]
AB: last week we agreed it would be in Sept
11:04:40 [ArtB]
... but that was a conflict for Marcos
11:04:52 [ArtB]
AB: new proposal: August 26-28 in Turin
11:05:04 [ArtB]
AB: any objections?
11:05:09 [ArtB]
ABe: OK with me
11:05:15 [ArtB]
MC: OK with me
11:05:22 [ArtB]
... and thanks all for changing the date
11:05:30 [marcos]
zakim, unmute benw
11:05:30 [Zakim]
BenW should no longer be muted
11:06:18 [ArtB]
RESOLUTION our next Widgets f2f meeting will be August 26-28 in Turin hosted by Telecom Italia
11:06:36 [ArtB]
AB: Meeting Adjourned
11:06:41 [Zakim]
-BenW
11:06:53 [Zakim]
-Art_Barstow
11:06:57 [Zakim]
-MikeSmith
11:07:11 [ArtB]
rrsagent, make logs public
11:07:17 [ArtB]
rrsagent, make minutes
11:07:17 [RRSAgent]
I have made the request to generate http://www.w3.org/2008/06/05-waf-minutes.html ArtB
11:08:01 [Zakim]
-Arve
11:08:02 [Zakim]
-marcos
11:08:04 [Zakim]
IA_WAF(widgets)6:00AM has ended
11:08:06 [Zakim]
Attendees were Thomas, Art_Barstow, Arve, MikeSmith, marcos, BenW
11:08:14 [ArtB]
Meeting: Widgets Voice Conference
11:08:20 [ArtB]
rrsagent, make minutes
11:08:20 [RRSAgent]
I have made the request to generate http://www.w3.org/2008/06/05-waf-minutes.html ArtB
11:09:45 [ArtB]
s/RESOLUTION our/RESOLUTION: our/
11:09:50 [ArtB]
rrsagent, make minutes
11:09:50 [RRSAgent]
I have made the request to generate http://www.w3.org/2008/06/05-waf-minutes.html ArtB
11:27:56 [MikeSmith]
ArtB: you remember that Sunava has promised some feedback by June 6?
11:30:08 [ArtB]
zakim, bye
11:30:08 [Zakim]
Zakim has left #waf
11:30:13 [ArtB]
rrsagent, bye
11:30:13 [RRSAgent]
I see 4 open action items saved in http://www.w3.org/2008/06/05-waf-actions.rdf :
11:30:13 [RRSAgent]
ACTION: roessler to contribute security considerations for decompression and signature validation [1]
11:30:13 [RRSAgent]
recorded in http://www.w3.org/2008/06/05-waf-irc#T10-45-35
11:30:13 [RRSAgent]
ACTION: Marcos to add timestamp element to widget dig sig spec [2]
11:30:13 [RRSAgent]
recorded in http://www.w3.org/2008/06/05-waf-irc#T10-46-22
11:30:13 [RRSAgent]
ACTION: expand requirement number 5 to be more descriptive [3]
11:30:13 [RRSAgent]
recorded in http://www.w3.org/2008/06/05-waf-irc#T10-58-17
11:30:13 [RRSAgent]
ACTION: Marcos to expand requirement number 5 to be more descriptive [4]
11:30:13 [RRSAgent]
recorded in http://www.w3.org/2008/06/05-waf-irc#T10-58-28