16:49:39 RRSAgent has joined #tagmem
16:49:39 logging to http://www.w3.org/2008/08/28-tagmem-irc
16:49:49 Zakim has joined #tagmem
16:49:58 zakim, this will be tag
16:49:58 ok, Stuart; I see TAG_Weekly()1:00PM scheduled to start in 11 minutes
16:50:17 raman has joined #tagmem
16:52:58 jar has joined #tagmem
16:53:17 TAG_Weekly()1:00PM has now started
16:53:24 +TimBL
16:54:43 +??P2
16:55:12 zakim, ??p is me
16:55:12 +Stuart; got it
16:56:56 + +1.617.452.aaaa
16:57:12 scribenick: noah
16:57:21 scribe: Noah Mendelsohn
16:57:24 zakim, + is jar
16:57:24 +jar; got it
16:57:44 Meeting: W3C TAG Teleconference of 28 August 2008
16:57:50 chair: Stuart Williams
16:57:53 +DanC.a
16:57:57 date: 28 August 2008
16:58:31 zakim, who is on the phone?
16:58:31 On the phone I see TimBL, Stuart, jar, DanC.a
16:59:03 agenda: http://www.w3.org/2001/tag/2008/08/28-agenda
16:59:22 zakim, please call ht-781
16:59:22 ok, ht; the call is being made
16:59:22 +1 approve http://www.w3.org/2008/07/24-tagmem-minutes
16:59:23 +Ht
16:59:37 +[IBMCambridge]
16:59:39 +Raman
16:59:40 Norm has joined #tagmem
16:59:50 zakim, [IBMCambridge] is me
16:59:50 +noah; got it
17:00:40 topic: Approval of minutes of previous minutes
17:01:02 +Norm
17:01:05 SW: Proposal to approve minutes of 24 July 2008 at http://www.w3.org/2008/07/24-tagmem-minutes . Any objections?
17:01:07 Silence.
17:01:20 RESOLUTION: The minutes of 24 July 2008 at http://www.w3.org/2008/07/24-tagmem-minutes are approved.
17:01:24 topic: Future meetings
17:01:30 Ashok has joined #tagmem
17:01:55 +Ashok_Malhotra
17:02:05 SW: Next telecon will be in one week on 4 Sept.
17:02:08 DC: I can scribe.
17:02:40 NM: I am at risk for 4 Sept. In all day meetings. Will see if I can slip away.
17:03:02 topic: Reviews of other groups' work
17:03:35 SW: We have 4 requests for review: 1) content transformation guidelines, citing our work on generic resources. Anyone else noticed that request?
17:03:53 NW: I have not, but I will try and answer next week.
17:04:27 ACTION: Norm to review "Content Transformation Guidelines" and suggest whether the TAG should provide an official comment
17:04:27 Sorry, couldn't find user - Norm
17:04:56 SW: 2) CURIE syntax is in last call. They are aware of our prior comments, did not explicitly invite us, but are being very helpful in stretching the review period, etc. Anyone want to comment?
17:05:37 (I looked at noah's comments; I don't recall anything critical)
17:06:10 NM: I sent a note on my own behalf at http://lists.w3.org/Archives/Public/www-tag/2008Aug/0006.html
17:06:24 NM: Was to www-tag and some members of the CURIE group.
17:06:26 what about xml datatype specifications for curies?
17:07:45 ACTION: Noah to coordinate response to CURIE last call (with help from Ashok)
17:07:45 Created ACTION-170 - Coordinate response to CURIE last call (with help from Ashok) [on Noah Mendelsohn - due 2008-09-04].
17:07:47 DaveO has joined #tagmem
17:07:53 SW: Note Henry has had interest in the past.
17:08:07 HT: I'll check syntax.
17:08:23 + +1.250.629.aabb
17:08:24 I will try to contribute to Noah's effort - I have had an exchange with the RDFa folks around CURIEs
17:08:42 (does anybody know if RDFa ended up using CURIEs in href?)
17:08:42 zakim, +1.250.629.aabb is DaveO
17:08:42 +DaveO; got it
17:11:15 SW: We need to think about contributing to discussions of Web Service activity rechartering
17:11:47 q+ jar to say POWDER WG has asked me for my comments
17:16:30 ACTION DanC: coordinate response regarding WS-* inquiry from PLH
17:16:30 Created ACTION-171 - Coordinate response regarding WS-* inquiry from PLH [on Dan Connolly - due 2008-09-04].
17:16:59 i will
17:17:07 topic: Technical Plenary
17:17:11 SW: Who will be there?
17:17:14 raman: yes
17:17:15 DO: No.
17:17:22 TBL: yes
17:17:29 HT: Thurs and Friday
17:17:51 TVR: Yes
17:17:53 NW: Yes
17:17:58 SKW: Trying to decide
17:18:15 AM: Yes
17:18:21 JT: No
17:18:25 DanC: yes
17:18:28 DC: Yes
17:18:34 s/JT/JAR/
17:19:18 XHTML2 re CURIEs
17:19:44 TVR: The XHTML Group is meeting. Might be a chance to sync up on CURIE. I personally don't have concerns, but other TAG members may have concerns.
17:20:06 SW: If you know of other working groups with whom we should meet, please let me know.
17:20:15 topic: Agenda development for upcoming F2F meeting
17:20:54 SW: We have already decided that tagSoupIntegration-54 is a high priority, and we have at least tentatively proposed 1/2 of our time on that. At my request, Raman sketched a proposed agenda.
17:21:04 SW: We need to discuss that proposal.
17:21:09 q?
17:21:17 SW: We also have a day and a half on other things.
17:21:57 q?
17:22:16 DO: I would still like to finalize passwords in the clear and versioning compatibility strategies. Would hope to have drafts in a week or so.
17:22:23 q+ to mention self describing Web on agenda
17:22:35 ack jar
17:22:35 jar, you wanted to say POWDER WG has asked me for my comments
17:23:20 JAR: (going back to previous discussion) Someone on the POWDER group asked me to look at their specs, which I think are in Last Call.
17:23:30 TVR: I don't see a TAG issue wrt/ POWDER.
17:23:48 ack noah
17:23:48 noah, you wanted to mention self describing Web on agenda
17:24:53 NM: 2 things pending...
17:25:01 ... the figure... ndw is helping on that...
17:25:17 ... and then a story about RDFa...
17:25:25 ... I've run into a disconnect
17:25:33 Which specs -- rdfa?
17:25:42 did you have a disconnect on,nm?
17:26:00 (I don't understand the follow-your-nose story for RDFa yet either)
17:27:21 q+
17:27:36 q-
17:27:37 ack tim
17:28:50 Sometimes HTML behavior for RDF things is defined on XHTML and then done in HTML by analogy
17:29:21 NM: I would be very grateful if some TAG members could look over the recent email thread on M12N and help me figure out where the story's gone wrong?
17:29:36 q+ to talk about Raman's draft for the agenda
17:30:12 TVR: I don't think we can address all of the key issues, so I picked 4 that I thought were clearly above the threshold regarding important.
17:30:53 TVR: I think we also need to look at bigger issues. So, in the first 1 1/2 I propose that we address that, and then address the 4 other issues in light of that, then wrap up in last session in context of big picture.
17:30:56 ack noah
17:30:56 noah, you wanted to talk about Raman's draft for the agenda
17:31:53 q+ to suggest PLH be allowed to influence the TAG f2f agenda here
17:32:57 noah: one of the things we should be thinking about is an organised 'story' for coexistence (HTML, XHTML...)
17:33:12 brb
17:33:24 NM: I would be disappointed if all we did was to noodle on technical subissues ... maybe we should look at the higher level and explain how to deal with the fork
17:33:31 I'd be disappointed if all we did was to noodle on selected technical issues.
17:33:41 ... for users who need to choose XHTML and HTML5
17:33:57 q?
17:34:00 q?
17:34:35 ack timbl
17:34:35 timbl, you wanted to suggest PLH be allowed to influence the TAG f2f agenda here
17:35:42 TBL: Philippe le Hegaret (sp?) is trying to focus in part on the social issues around this, and I think we need to do that too.
17:36:31 q+ to recall Raman's observation wrt Tim's point
17:37:00 TBL: I think that brainstorming about the rift in the community might be the biggest thing we could do.
17:37:06 q?
17:37:14 (Noah) That's exactly what I was saying.
17:37:28 ack ht
17:37:29 ht, you wanted to recall Raman's observation wrt Tim's point
17:37:47 TVR: I need to have my mind changed about the possibility that the XHTML track is in some sense dead.
17:38:07 HT: To some degree, +1.
17:38:16 -DaveO
17:38:30 TimBL: The social issues here in the various communities are really important and we must understand them before we prevaricate technically.
17:38:42 +DaveO
17:38:46 HT: I think the question of "is there a saleable solution" as opposed to "is there a solution" is worth some of our time.
17:39:31 q?
17:39:56 HT: It's worth noting that, while we didn't have much actual impact, is that we did some work on not just the technology but also the practicality of rolling out ARIA.
17:40:06 SW: Should we rebuild the agenda?
17:40:27 TVR: Suggest we keep the agenda, but base the technical discussion on where we are.
17:40:30 s/ARIA/our preferred solution wrt ARIA/
17:40:32 zakim, who is talking
17:40:32 I don't understand 'who is talking', noah
17:40:36 zakim, who is talking?
17:40:56 noah, listening for 10 seconds I heard sound from the following: Stuart (80%), noah (49%), Raman (40%), Ht (9%)
17:44:35 q?
17:44:45 NM: We should take the agenda as tentative, but give ourselves permission to rearrange the schedule based on insights from the first session.
17:45:11 TVR: I'd go further -- if the first session doesn't yield clarity, we should punt on the rest.
17:46:35 TBL: From both the social and technical point of view, we want to understand the potential damage of each way of going forward. I would be happy to devote the time to prove that we can "fix the fork", which means diving deep to find and tackle the insuperable issues in achieving that.
17:47:45 Norm has joined #tagmem
17:47:54 SW: My inclination is to go ahead with the agenda more or less as Raman has suggested, with a degree of flexibility to adapt.
17:47:59 NM: That sounds fine to me.
17:48:36 TVR: Yes, as long as people understand that the proposal is not to first discuss high level issues and then to have a disconnected discussion of the technical bits.
17:52:08 -Norm
17:54:45 PLH would be happy^H^H^H^H^H^Hprepared to go if it would help, in that he believes in communication
17:58:24 -DaveO
17:58:58 +DaveO
18:01:01 HT, there is a flight leaving at around 19:30 getting in to LHR at 10:30 next day via washington
18:01:07 I may take it
18:01:20 topic: XRI's
18:02:20 SW: We had a catchup meeting with some of the XRI chairs. My perception is that they are quite happy with the nature of the dialog. They suggest focus on 4 topics: the scheme; persistence requirements; metadata discovery requirements.
18:02:38 [[
18:02:39 Threads of discussion:
18:02:39 * Schemes
18:02:39 * Persistence/URN Requirements
18:02:39 * Determination of persistence by inspection (subschemes)
18:02:39 * Metadata discovery mechanisms (data and metadata)
18:02:41 ]]
18:03:03 SW: I think the ball was in their court to do the initial writing, but there's probably an implicit need for us to ramp up effort on URNS and registries.
18:03:38 HT: Have had some trouble cranking up on this. Will let you know later this week what I propose to do.
18:03:54 (review what? )
18:04:00 SW: If we take the trouble to do this, it will help us to be sure that our perspective on the story is clearly articulated.
18:04:42 JAR: I will be glad to help Henry with his work in the area of URNs, registries, etc.
18:05:17 topic: Passwords in the clear
18:05:52 SW: Dave, I think are you done with your action items? There was also email discussions.
18:06:03 ack me
18:06:09 DO: I've been pretty much 'offline' over the summer, just getting back up to speed.
18:06:33 http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-02.txt
18:06:53 DC: Talked to Thomas Roessler. Ignoring the bits about digest, it seems to mostly say: "use SSL".
18:07:07 DC: I'm beginning to wonder why I pushed us to do this in the first place.
18:07:31 (noah) I've always shared that reservation about that work in this space. It's not clear to me that we really know what we're trying to prohibit and when.
18:08:01 SW: Are we trying to address the concern that a naive user doesn't understand the risk, especially if the same password is used in multiple contexts?
18:08:39 DO: One concern from security context WG has been to discourage pwds in the clear or even short pwds at all.
18:10:20 (yes, cache pollution increases the risk of phishing)
18:10:35 (a great reference on DNS cache pollution: http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html )
18:12:14 NM: Some time ago we talked about the many Web pages that are themselves not SSL-protected, but that use Javascript to encrypt. Am I right that in the face of DNS cache pollution, I could wind up giving my password to a malicious site?
18:12:22 DO: Sounds like a risk to me.
18:12:34 TVR: Classic man in the middle attack, what's surprising?
18:12:44 (re man-in-the-middle, https's reliance on dns has always given me the willies. see http://www.waterken.com/dev/YURL/httpsy/ for a good idea, though it never got far.)
18:12:45 NM: Yes, but it's a very common idiom on the Web, and we didn't tell the story.
18:12:52 SW: Do we reset? Punt?
18:13:07 DO: No, I still believe in doing a finding that tells how to do secure interactions using pwds.
18:13:28 who was the original client for this finding?
18:13:31 DO: Experts like Dan know what to worry about; novices don't.
18:14:30 (noah) Yes, Dan, but with HTTPS the certificate check should give you a crosscheck if the cache has been compromised. The problem is that, if the password prompt form is http: not https:, you don't get that protection.
18:14:48 DC: I think it comes down to recommending TLS, doesn't it?
18:15:14 NM: Are you saying TLS is the right answer, or just that we should shoot right.
18:16:03 DC: I think the interesting case is proxying.
18:16:07 q+ to ask a silly question
18:16:13 ack ht
18:16:13 ht, you wanted to ask a silly question
18:16:15 NM: Gee, I'm surprised, I thought that was the problem case for TLS.
18:17:32 HT: Every time we try to say MUST, we can't avoid the partial validity of peoples' arguments to the contrary. The thing that really kills it for me, is when the security folks said digest isn't good enough. My feeling is that digest seems so much better than today's common practice, I wonder if we should push back on that.
18:18:07 (TLS is more available than digest, in lots of practical ways.)
18:18:13 HT: If we say what you shouldn't do, we need to say what you should. Problem is: what works for the security "geeks" isn't available in practice, and what's available in practice doesn't pass muster with the security folks.
18:18:14 answer to my question above: Mary Ellen Zurko of IBM.
18:19:10 how about a finding that says that We Are Stuck? more like an academic report - this is what we learned. (throwing this out as opion in answer to stuart's question what should we do)
18:19:18 s/opion/option/
18:19:20 Noah, if the bad guy can poison your DNS, he can fake the whole certificate path
18:19:21 DO: Interesting, we could explore the question: promote digest, explaining its risks, vs. doing no finding at all. We could work with the security community on that.
18:19:23 I said, roughly, we could say to the security guys -- either we just say "Don't use PW in the clear" and leave it at that, or we say hnothing
18:19:36 If they said "nothing", then fine, we're done, no finding
18:20:04 s/hnothing/nothing/
18:20:25 TVR: Are documents like this suitable as TAG findings given that the issues keep changing? We could have frozen last year, and probably would not have anticipated the cache pollution issue that Noah just mentioned.
18:20:53 How about renaming the finding to "How to do Secure Authentication"?
18:20:57 TVR: I feel somewhat the same about the versioning work, by the way. It has the characteristic that we keep finding new stories that need to be told.
18:21:03 DC: What are you recommending?
18:21:27 TVR: We should reconsider what a TAG finding is. Should allow ourselves to publish things that we know will change.
18:21:40 SW: They already are like that. The problem is articulating what we have consensus on right now.
18:22:24 "Don't send PW in the clear. ROT13 is only a bit better, Digest is quite a lot better, but, above all, DON'T send PW in the clear"
18:22:32 That's my candidate for the finding
18:23:34 DO: I think we need to reflect consensus in the moment, but I have no problem with either errata or major revisions later.
18:24:08 a "here is what we learned" memo is another possible alternative to "no finding" and "here is the truth"
18:24:12 SW: We'll revisit at the face to face.
18:24:30 jar++
18:24:41 topic: contentTypeOverride-24
18:24:44 Hold that thought, Jonathan!
18:25:11 SW: Dan, would you remind us of the motivation.
18:25:51 DC: E.g. in the latest IE8 beta there's the authoritative=true, and also the content type sniffing rules in HTML 5
18:26:09 TBL: Looking for pointers.
18:26:13 HT: In the agenda
18:26:49 "authoritative=true" is so sad in a way!
18:27:18 http://www.w3.org/QA/2008/07/life_without_mime_type_sniffin
18:27:23 it should be "true=true"
18:27:30 HT: I learned some things preparing for today's call. Turns out the main issue, I hadn't noticed, is what you do with things that are served text/plain. The other thing I hadn't noticed is that many servers default to text/plain when they don't know what else to do.
18:27:34 TBL: Yes.
18:27:38 (hmm... I'm not so sure text/plain is the main thing; I seem to recall hixie saying html5 always says to treat text/plain as text/plain.)
18:27:46 HT: I just didn't know that. Maybe everyone else has known this all along.
18:28:01 TVR: It's evolved over time. Servers started doing this, then browsers started sniffing.
18:28:25 Norm has joined #tagmem
18:28:51 TBL: In part came from trying to serve things like README files from Unix, and in that case text/plain is a good guess. Not serving any content-type seems like a plausible approach suggested by ???/
18:29:06 Roy Fielding
18:29:15 HT: You can do that only in newer Apache. On the broader issue, I see no consensus.
18:29:25 Norm has joined #tagmem
18:29:58 http://www.w3.org/QA/2008/07/life_without_mime_type_sniffin
18:30:03 DC: I think our finding makes us look silly. We should perhaps update the finding to reflect the current state of the art.
18:30:21 ****SCRIBE NOTE TO SELF: Fix reference to Roy above
18:30:36 yes
18:30:49 SW: Do we want to reopen contentTypeOverride-24 to potentially reconsider our position?
18:31:08 TBL: I'm happy to reopen it. I would not include the part about reconsidering our position.
18:31:21 SW: Didn't mean to imply we would be predisposed to change our position.
18:31:29 HT: Let's just reopen the issue. Period.
18:31:41 SW: Anyone opposed reopening the issue?
18:31:43 SILENCE.
18:31:47 SW: Abstain?
18:31:50 SILENCE.
18:31:57 RESOLUTION: Issue contentTypeOverride-24 is reopened.
18:32:04 -Ashok_Malhotra
18:32:20 -jar
18:32:22 ACTION: Henry to craft a message to www-tag announcing reopening of contentTypeOverride-24 (
18:32:22 Created ACTION-172 - Craft a message to www-tag announcing reopening of contentTypeOverride-24 ( [on Henry S. Thompson - due 2008-09-04].
18:32:33 SW: We are adjourned.
18:32:38 -DaveO
18:32:39 -Ht
18:32:44 -noah
18:33:07 -Stuart
18:33:16 -Raman
18:33:27 -TimBL
18:38:27 disconnecting the lone participant, DanC.a, in TAG_Weekly()1:00PM
18:38:30 TAG_Weekly()1:00PM has ended
18:38:31 Attendees were TimBL, Stuart, +1.617.452.aaaa, jar, DanC.a, Ht, Raman, noah, Norm, Ashok_Malhotra, DaveO
19:01:21 jar has joined #tagmem
19:04:36 ht has joined #tagmem
20:29:22 Zakim has left #tagmem
21:31:17 noah has joined #tagmem
21:42:10 timbl has left #tagmem
22:47:03 noah has joined #tagmem