W3C

PLING Teleconference

11 Feb 2009

See also: IRC log

Attendees

Present
Rigo Wenning, Giles Hogben, Hannes Tschofenig, Thomas Roessler, Ashok Malhotra, Renato Iannella, Jan Schallaböck, Carine Bournez
Regrets
Marco Cassa-Mont
Chair
Renato Iannella
Scribe
Rigo Wenning


 Topic 1: PrimeLife Requirements Document published

Introduction by Carine Bournez

http://www.primelife.eu/images/stories/deliverables/h5.1.1-policy_requirements-public.pdf

CB: goal is to get requirements for next generation policies

CB: got use cases and derived requirements from it
... high level requirements, some are low level
... some about expressivity and some about data types like location
... some access control requirements, some trust requirements
... some data handling
... can't put them all in a bag, some are related
... future version may sort it differently, had no consensus yet on how to sort

CB: Goal of the project is to design a language, this document is a basis and we'll see how many of those requirements can be achieved

HT: what has changed that new requirements are needed
... no solutions for the IETF requirements, or solutions not deployed...
... in charge of services are not really keen on deploying

CB: orthogonal prob to design of the language in PrimeLife
... some prototypes of services in PrimeLife that will use the language
... there is no promise that people will use it if there is no social pressure to use privacy languages

<tlr> (looking at http://www.ietf.org/rfc/rfc3693.txt, geopriv requirements...)

CB: if there is no pressure on Social networks, they will not use it

HT: only privacy or also ACL

CB: need is not always obvious for service providers

tlr: document looks at several classes of policies
... not understanding differences between that access and dynamic description of the accessing party is
... more striking requirement go outside policy language and relate how policy is managed
... geopriv is ex for data handling, there is a requirement that policy must be revocable ..
... we know that revocation lists do not work in deployment
... general requirement of data handling policies combination with access control
... parties of decision may enter into agreement
... bunch of requirements are fairly generic, that are all over the place
... one requirement that is less standard is the delegation one
... delegate some portion of policy to third party, trust third party
... grant this additional party the right to grant authorization
... will spend a significant amount of resources there

HT: where do you get requirements from? We had lots of those documents done in IETF and only 1% of those requirements turn out to be used

CB: we have collected use cases, each use case contains actions
... those actions create requirements

tlr: encourage to give feedback from those who have implemented policy languages

HT: recently in Google thing had some privacy in it. Google doesn't require any standardized approach. Very nice for them
... they can just do instead of standardizing first

CB: user facing some config and preference when entering service, user has to understand those options in order to make the right choice
... see flickr case with the wrong license, person did not understand the meaning of the option
... important that the user knows what service and option means
... intent is not matching always the service intent

HT: User interface aspect is very important

CB: not only UI, but also a kind of normalized interface and semantics
... currently user interface has to learn for every service where the options are and what they mean
... all the actors have to share the way to express preferences

JanS: also cross platform mesh up
... lot of services define their own policies and trouble is to find the common cut across those policies
... this is the policy I want to express that every service must understand

HT: User experience needs to be unified
... on access control, languages are similar in an abstract, but devil in detail, location, presence etc

JanS: confirm this problem
... first need to approve all those service, want to do cross domain aggregation and this doesn't work

tlr: haven't tried latitude
... match common patterns to our requirements, most of it will match
... so does the silo approach still make sense or should the preferences be exchangeable between services?
... lot of interesting stuff still ahead.

JanS: collecting, play around and test...
... my approach too

RI: browsing over general principle
... should be semantically equivalent

<tlr> rigo: semantic equivalence...

<tlr> ... this is not meant to be limiting

<tlr> ... the goal here is (and was) not to limit this policy language by P3P semantics

<tlr> ... but having P3P semantics there as some subset

<tlr> ... want at least the expressivity of P3P

<tlr> ... maybe use P3P data in prototypes,

<tlr> ... use as hints on privacy practices

<tlr> ... real world advantage

<tlr> renato: that's fine

<tlr> rigo: not meant to limit the minds

<tlr> ... believe me, the primelife folks wouldn't let me limit them to something like that

<tlr> renato: have a past life in DRM page

<tlr> ... MPEG 21 requirements and all that

<tlr> ... it just seemed that when you have a whole list

<tlr> ... you get a language that might solve all requirements

<tlr> ... but might be over complex

<tlr> ... prioritizing?

<tlr> rigo: feedback -- it's too complex

<tlr> giles: there needs to be some brutal surgery

<Giles> I didn't say surgery....

<tlr> rigo: language design will see cutting

<tlr> giles, in that case I heard you wrong

<tlr> giles: doesn't fall into trap of making solutions into requirements

<tlr> ... that's good

<tlr> giles: looking at SN use case

<tlr> ... there is one use case missing

<tlr> ... "browsing profiles"

<tlr> ... also, policies based on reputation of contacts

<tlr> giles: also, "anonymous credentials" -- how's that a use case?

<tlr> ... not a solution?

<tlr> rigo: send mail?

<tlr> giles: corporate security policies -- relates to privacy through trust policies, or relevant otherwise?

AM: wondering if they had looked at security languages, trust languages, rather than starting over again
... if there is something they could start with it could be quicker

CB: we have not explored security area at all
... we may still look into it.

GH: you do have a section on security language

AM: suggestion to help you as a starting point

CB: we have explored requirements, but not the languages
... the same for anon credentials, because they think we can achieve more features with anon credentials, but this is a bad thing to do
... not choosing solution beforehand

<scribe> ACTION: Giles and Ashok to send their comments on the requirements document to the public pling lists [recorded in http://www.w3.org/2009/02/11-pling-minutes.html#action01]

RI: I was supposed to pester media annotations.
... looking to the use case requirements document that they just released
... realised that they have no use case for rights information
... they seem to agree to my comments, but nothing happened

RW: please send me email so I can address that internally

RI: haven't given me enough information so that I could do a useful comment

<scribe> ACTION: Renato to send summary of media annotations WG exchanges to PLING list and Rigo for further W3C action [recorded in http://www.w3.org/2009/02/11-pling-minutes.html#action02]

RI: all other actions are done

======================================

Actions from the W3C Social Networks Workshop (see Report)

UNKNOWN_SPEAKER: inform PLING of possible P3P extensions for social networks
... it is good that we get more and more requests

CB: in follow up to the WS there is a discussion for an XG on Social networks
... public discussions in public-social-webtalk@w3.org
... encourage participating there

RI: issues are so huge that the XG would take years to resolve them

CB: if the charter is too big, please tell them

RI: did already send email

======================================

all other items are standard

should add updates to the wiki

=========================================

JanS: preparing empirical research in services, still half a year to go before getting results

tlr: WS in Dec in London, bunch of people talked about APIs,
... typical use case is location on mobile device
... webapp that access caller book
... interest in mobile community to use html, javascript, xml as cross platform application development platform
... what kind of security policies are used for this: question for the WS
... it started being based on XACML, then moved elsewhere, some opportunity to standardize
... but a move to exchange these policies, not yet another access control language

<tlr> http://www.w3.org/2008/security-ws/report

tlr: but some framework on how to exchange policy information between those devices
... feedback welcome

RI: no comments for thomas
... ODRL version 2, new draft will be out in 2 weeks
... concordia?

tlr: not currently following

RI: conferences?

tlr: PrivacyOS in Berlin on 1-3 April

<tlr> http://www.privacyos.eu/

RI: next call will be 11 March

next call double check the time

Summary of Action Items

[NEW] ACTION: Giles and Ashok to send their comments on the requirements document to the public pling lists [recorded in http://www.w3.org/2009/02/11-pling-minutes.html#action01]
[NEW] ACTION: Renato to send summary of media annotations WG exchanges to PLING list and Rigo for further W3C action [recorded in http://www.w3.org/2009/02/11-pling-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2009/02/11 14:28:34 $
