Widgets F2F Meeting

25 Feb 2009


See also: IRC log


Art, Andy, Claudio, Ivan, Fabrice, Rainer, Mark, David, Arve, Benoit, Marcos, Mike(IRC), Josh(IRC), Billy, Mohammed, Josh




<ArtB> ScribeNick: ArtB

<scribe> Scribe: Art

Date: 25 Feb 2009

<content> tags?

AB: what is the status Ivan?

Ivan: I considere that closed in that the modes can be used to address my use cases

Focus & widgets management; by Marcin

AB: not clear if this info was more FYI or formal comments for the LCWD

Arve: I think this is more informational i.e. this is how Access addresess window modes

MC: right; the QVGA proposal for example isn't something we want to do

Arve: the methods in his email are mostly covered in our A&E spec

AB: do we need to follow-up?

Arve: there are no questions there
... if he feels strongly about his model being reflected in our model, he should make specific proposals for the Editor

AB: I think that is a reasonable proposal

<scribe> ACTION: Marcos respond to Marcin and ask him to make specific proposals if he has any [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action01]

<trackbot> Created ACTION-302 - Respond to Marcin and ask him to make specific proposals if he has any [on Marcos Caceres - due 2009-03-04].

Window Modes

MP: want to discuss what goes into the P&C based on our consensus from yesterday

AB: yesterday's minutes are: http://www.w3.org/2009/02/24-wam-minutes.html

Arve: not sure we will know until the new specs are available to review

MP: re width and height property; in some cases you may want to use a different values depending on the mode
... what goes in the modes spec?

MC: just the definitions of the 4 modes

[ Arve sketches a "live" proposal of the syntax ... ]

[ Marcos to drop in IRC this proposal ... ]

<Marcos> <viewport

<Marcos> mode = "one of the modes"

<Marcos> width = "csspx"

<Marcos> height = "csspx"

<Marcos> min-height = "csspx"

<Marcos> min-width = "csspx"

<Marcos> max-height = "csspx"

<Marcos> max-width = "csspx"

<Marcos> resize = "true|false"

<Marcos> ...

<Marcos> />

MP: the definitions of the modes spec will then define what these mean?

Arve: yes, that's the idea

BS: how does one define a widget that works for both mobile and desktop?

Arve: would define two veiwports

MP: but some modes don't use height and width

Arve: then for some modes they wouldn't be needed

AB: or ignored if present

BS: what about orientation of the device?

Arve: that's handled by CSS
... if a widget doesn't fit in a viewport e.g. on a mobile, the UA could provide zoom

<timeless> so, a WUA is required to provide zoom?

<arve> timeless: no

Arve: we go with CSS pixels in the spec
... with the expectation that eventually UAs will likely do some zooming

AB: Mark, are you asking for some details about what goes in the P&C spec and the other two new specs proposed?

MP: I understand what goes into the two new proposed specs but not clear about what goes in P&C

<scribe> ACTION: Marcos report back to the WG ASAP regarding your ability to be the Editor of the two new specs proposed and discussed on Feb 24 [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action02]

<trackbot> Created ACTION-303 - Report back to the WG ASAP regarding your ability to be the Editor of the two new specs proposed and discussed on Feb 24 [on Marcos Caceres - due 2009-03-04].

MC: I wonder if some of the attributes proposed above can be handled by CSS

Arve: what if an imple doesn't support CSS

AB: I think we've hit the point of dimminishing returns on this

MC: give us a week and we'll put forward a proposal

Proposal for a "Settings" View Mode; Benoit

<Marcos> http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0248.html

BS: in my email I enumerate various modes we need
... Settings is one mode we need but we haven't discussed
... think the developer would want a consistent and convenient way to define/modify settings

MC: I'm warming to this idea a little
... e.g. could right-click and get to this info

Arve: I disagree vehemently
... this is ultimately about being able to display some specified content in a specific way
... your solution implies pointing at a completely diff document or firing some event or allowing the WUA to genearte a UA based on a scheme with some prefs

BS: If I build a widget want a config view for it

Arve: how is that diff than any other state?
... how is settings different than refresh, for example

[ MC demos Dashboard and the "I" key used to get to the widget's settings ... ]

MC: can imagine using some of the new CSS3 Modules e.g. Transforms (2d, 3d), Transitions, etc.

DR: something like Fring service isn't useful until it is configured

Arve; well that's a broken service

DR: my point is there is a use case for using a widget's settings without first instantiating the widget

Arve: this seems more about a widget being able to handle online or offline

AB: I'm not seeing a lot of support for this
... One way fwd - after the two new specs are out and P&C spec updated to reflect the new specs, then Benoit can submit a proposal if his use case can't be addressed

BS: yes, that's OK with me
... I did want to discuss this mode and we've done that

AB: any other topics related to Window Modes?

[ None ]

<access> Element

AB: what's the best place to start?

MP: we should start with MC's latest e-mail

AB: here is MP's 2nd proposal: http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0505.html
... MC then responded on Feb 22 with: http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0517.html

MP: the semantics of the network attribute is not clear
... want author to be able to enumerate the white-listed hosts
... However, there are some use cases where that list will not be know in advance e.g. a RSS reader
... We need an "escape" mechanism for these use cases

[ We review strawman proposal by Arve ... ]

<arve> element security optional

<arve> element access multiple

<arve> element "protocol" multiple

<arve> cdata

<arve> element "host" multiple

<arve> cdata

<arve> element "port" multiple

<arve> cdata

<arve> element "path" multiple

<arve> cdata

<arve> element "content"

<arve> attribute "plugin" value = "yes|no"

Arve: the idea is a widget would be restricted to those access methods that are explicit in the config file

MP: BONDI has done some related work but using a URI with pattern matching
... VF would like to move that functionality from BONDI spec to W3C spec

<anne> arve, btw, why not just have <origin>

<Marcos> what do you mean by it?

<anne> arve, every other spec on the planet is moving towards that, since you have the host,port,scheme tuple you might as well tag along

<Marcos> anne

<arve> anne: mind joining the call and explaining it?

<anne> (it's just syntax so I don't think worth it)

<Marcos> <widget> <origin uri="http://microsoft.com"> ?

<anne> that's worth it*

<anne> <security> <origin>http://example.org:81/</origin> rather than putting scheme, host and port into separate elements

<timeless> the strawman looks like it's likely to fail

<arve> anne: got URI schemes for ssh, telnet, xmpp, raw sockets, udp?

Arve: with widgets, there isn't really an origin

<timeless> arve: there is a bad one for ssh and telnet

MC: that's one reason we need a different URI scheme for widgets

<Marcos> anne, can I take over microsoft?

<Marcos> see my example above?

<arve> protocol: https ; host: google.com, yahoo.com, ask.com; path: search/

MC: need to also specify subdomains

<Marcos> MC: FWIW, this is like an inverse of CORS

MP: having multiple hosts associated with a single scheme and path is problematic

<arve> Reverse the two strings given for the request host and the host specified for the directive (directive host). Do a case-insensitive character by character comparison of the strings. If a mismatch is found before the end of the directive host string is reached, and the last two characters in the directive host string are not the character sequence '.*', consider the request host to not be a match. If there are characters left to parse in the request host, and the last

<arve> characters of the directive host were the wildcard sequence '.*' consider the host a match.

Arve: I'm not totally opposed to a URI scheme

MC: what proposal is that?

Arve: the one from Anne above
... with a few modification

<arve> element uri multiple

<Marcos> Anne, do you still have any funky syntax in CORS for selecting subdomains (i.e., *.example.com) ?

<arve> . attribute src

[ Arve begins a new strawman proposal ... ]

<arve> <network><access><uri src="http://www.google.com/"/></access></network>

Arve: need wildcards on path and subdomains

<anne> Marcos, no, just origins

<arve> *.google.com

<arve> google.com

<Marcos> so, nothing like what arve has above

<Marcos> right anne

<Marcos> you gave up on that

<anne> is there a document that outlines what this security proposal is proposed to solve?

MP: BONDI allows wildcards in subdomains and paths

<Marcos> Anne, it's for cross domain request.

<Marcos> as perfomed when no origin is available

<arve> <path>/cats</path>

<arve> thus, the widget can access all of

<arve> /cats/siamese.html

<arve> /cats/

<arve> /catsoup

<anne> Marcos, does it affect e.g. <iframe>?

<Marcos> (HTML5 "origin" of a widget will be a widget specific URI (e.g., widget://bla;1231-123

<anne> Marcos, because in that case <path> restrictions are pointless

<anne> Marcos, why is there even restrictions on cross domain requests and not just a http(s) boolean?

<Marcos> we are proposing <domain uri="*"/> meaning allow all domains (and supported URI schemes) and <domain uri="uri"/>

MP: how would this deal with subdomain?

MC: they would have to be added

<Marcos> Anne, because we think that authors should declare which domains they need to access

<Marcos> and we don't want to restrict this to http

<anne> Marcos, but why do you think authors need to do that?

<anne> Marcos, also, what APIs do you have that go beyond HTTP(S)?

AB: let's try to regroup and determine where we have agreement and document those issues with no agreement

<Marcos> Anne, Q1. they probably don't. Q2. none :)

MP: subdomains is still open
... it would be good if we could synch with BONDI and their deadline is March 9
... want to get alignment if at all possible

MC: so what exactly is the usage?
... how does it interact with sec policy?

Arve: don't want widgets to be a vessel for attacking remote web sites

<Marcos> Anne... please see minutes now re q1

<anne> Marcos, great solution to a non-problem then, lol

Arve: thus may want to restrict some sites

MP: want author to practice least privs principle
... want other parties e.g. user, widget distributor, etc. to be able to examine the host list
... I can then look at widget before I sign it

<Marcos> Anne, so that's Q1 above

<Marcos> so there is use cases

Arve: want to limit a set of subdomain possibly

<arve> ssh://foo.net/

MC: the very first version of the spec had something like this

AB: so where are we?

MC: I think we should use URIs
... learn from CORS experience

MP: we could limit the schemes for v1

MC: we can leave it to the WUA to handle what ever schemes it can

<arve> Use-case restrictions URI lead to:

<arve> what if I want unrestricted access to http, but restricted access for xmpp

AB: I think we're going to continue to go around in circles if we don't have some agreed requirements

MP: how long will it take to get agreement?

MC: depends on how fancy pants we want to get

AB: sounds like there is an action for MC and Arve to submit a concrete proposal

Arve: we did send a proposal once
... but it needs some updating

[ Arve searches the mail list archive for his previous proposal ... ]

<arve> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0332.html

RH: also can have a web server on a SIM card

<scribe> ACTION: Marcos will make a hybrid proposal and send it the mail list [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action03]

<trackbot> Created ACTION-304 - Will make a hybrid proposal and send it the mail list [on Marcos Caceres - due 2009-03-04].

MC: do we need the access element?

Arve: prefer encapsulating it in a network element

<timeless> so, i think the tupppling in arve's proposal is likely to result in messes

<timeless> but other than that, i'm not sure what to say

<timeless> and i think someone already raised the issue of tuppling messes in the context of allow access to all https but limited http

[ Marcos adds Note to the Reader to P&C spec about <access> being a WIP ; checks-in new version ]

BONDI Update by David Rogers

DR: first the so-called Turin Rules

<scribe> ScribeNick: Marcos

David: all contributions will be under RF, if not, they are not submitted to the w3c.
... contributions that cannot be traced to an author or origin, will not be submitted (it must be possible to trace it back to being RF)
... we have made sure that members are clear on RF requirements.
... OMTP members must make it clear where there are IPR claims....

David describes the "OMTP - BONDI IPR PRINCIPLES"

David: if you have any legal questions, please contact the w3c legal team
... update on Bondi

<ArtB> ScribeNick: ArtB

DR: OMTP release 1.0 RefImpl
... based on Windows Mobile
... by RI in this context we mean an example of the implementation of our specs
... The RI is helping to drive the specs
... using an interative model
... We have "code fests"

AB: who has contributed code?

DR: Aplix, BONDI staff
... some operators have also contributed

MC: the author is embedded in every source file

AB: what is the licensing?
... and does every file have an identical license?

DR: I'll come back to the licensing
... Opera joined OMTP
... and LiMo Foundation has endorsed BONDI specs

AB: what does that really mean in terms of devices shipping BONDI implementations?

MP: LiMo devices that implement web runtimes should implement BONDI specs

AB: is there an expectation LiMo will take the RI code?

MC: no; its a Windows implementation

<arve> http://www.opera.com/press/releases/2009/02/16/

Arve: Opera has been a member of LiMo since Feb 16

MP: there is some overlap of members between LiMo and OMTP

DR: at MWC some operators clearly endorsed BONDI e.g. AT&T

MC: what is the exact relationship between W3C widget specs and BONDI widget specs

DR: we think W3C is the right place to create widget specs

MC: are BONDI specs Royalty-Free?

MP: I don't know

DR: let me come back to the licensing question

AB: still not clear to me about the relationship between W3C widget specs and BONDI widget specs

MP: one thing we are focusing on is policy

MC: I've heard BONDI has resolved all of the open issues W3C has in its specs
... I've also heard you have good uptake

Arve: my concern is regarding device APIs and security models

MP: BONDI has defined a set of device APIs
... we use <feature> from P&C to hook into those APIs

DR: later today I will post to public-webapps pointers to our Candidate specs

AB: which version of the P&C spec has been implemented in the RI?

MP: not sure

AB: did BONDI create a Widgets P&C spec?

DR: no

AB: did BONDI create a Widgets DigSig spec?

DR: no
... we reference P&C and DigSig now; but do not currently reference A&E

AB: you have created some deltas of the P&C spec right?

MP: yes. For example we added a new element because P&C's <access> does not meet our requirements

DR: I think a delta doc makes sense

Arve: on March 9 BONDI will ship 1.0, right?

DR: yes

Arve: doesn't that tie W3C's hand?

DR: no. We want to get the specs synched.

AB: what happens starting on March 10? Will BONDI members start shipping implementations of the RI?

MP: on March 10, VF will begin asking vendors to implement the BONDI specs

MC: but this is going to lead to fragmentation
... these implemenations will not be the same as implemenations based on the eventual Recommendation of W3C's widgets specs

MP: OMTP is only interested in mobile use cases
... thus we don't necessarily care about additional use cases that go beyond mobile

MC: so it appears then that to meet your requirements it will lead to more fragmentation

DR: we've done a lot of work related to security

CV: we are participating in both orgs
... the W3C's mobile web initiative hasn't really been that successful
... and some players in the market are taking advantage of this
... Want the W3C to create the infrastructure

MC: I don't understand why the W3C should continue its work

MP: I dont' think there is any desire to create overlapping specs
... BONDI can't wait forever for W3C to complete their work

AB: ultimately it is a business decision regarding whether one should ship an implementation of the W3C's widgets specs + BONDI specs as of March 10
... people understand the risks

Arve: I think it is short-sighted to only look at this from the mobile perspective

DR: OMTP intends to continue active participation in W3C
... we want to put our device APIs into the W3C

AB: is it then the case that on March 10, you expect BONDI to start implementing your device APIs and to start shipping such implemenations?

DR: not sure March 10 is the right date but yes, that is my expectation

Arve: I would like to see OMTP/BONDI commit resources for Editing API specs like File I/O
... requirements first of course; but follow up with spec contributions too
... It sounds like this is going to lead some fragmentation in the mobile space

MC: so now that we've continued discussion I'm seeing more of an "embrace and extend" model

DR: re licensing - Apache 2.0
... that is for the BONDI RI

New Work related to the Device API and Security Workshop

AB: WS report http://www.w3.org/2008/security-ws/report
... the report identifies 6 potential work areas and assigns priorities to each
... what is BONDI's position re work split for the 4 High priority items?
... which of the 6 items are in scope for BONDI?

MP: depends on what you mean by in scope

AB: which areas are actively in spec work?

DR: Concrete APIs
... Policy Description
... Policy Management is of interest

AB: what do you expect to push into the W3C?

MP: that not a useful question because we don't use that list

DR: we expect to submit some APIs
... and of course policy description

AB: and what is your pref for where that work is done?

DR: Web Apps WG

AB: as Chair, I think it will be hard to add so much new work to WebApps

DR: Thomas would like to form a new WG re the policy work items

<tlr> "would like" sounds exaggerated. It looks like a likely path forward.

<tlr> no interest in forcing things on you folks... ;)

AB: when will BONDI be ready to submit the Device API specs to the W3C?

DR: I'm not sure but will find out

AB: perhaps you should send an email to http://lists.w3.org/Archives/Public/public-device-apis/ and state BONDIs interest, plans, roadmap, etc

<tlr> +1 to sending that e-mail

<drogersuk> The other two points that I wanted to mention before the BONDI discussion is closed are: 1) we'd like to be able to offer the reference implementation as an implementation of the W3C spec at some point

<drogersuk> 2) We'll be doing some work on testing and compliance - the BONDI work here will be a superset of everything but could be reused P&C and other specs

Widgets Digital Signatures

<fjh> latest editorial draft

<fjh> http://dev.w3.org/2006/waf/widgets-digsig/

<fjh> review

<fjh> http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0548.html

<fjh> http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0547.html

<tlr> yes

AB: agenda http://www.w3.org/2008/webapps/wiki/WidgetsParisAgenda#Digital_Signature_spec

<fjh> updated editors draft http://dev.w3.org/2006/waf/widgets-digsig/

FH: I suggest I walk thru my recent changes

AB: good

FH: some restructuring
... added namesaces
... added some definitions
... big change is Author and Distributor signatures
... updates should not be treated differently in this spec
... still need to work on algorithms
... XML Sig v1.1 should go to FPWD this week
... some work on the proc model

<mpriestl> I have a few small comments but overall I think this is an excellent update of the document - many thanks Frederick!

FH: recommend we go thru TLR's comments first

AB: let's do that

<tlr> http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0547.html

TR: I'll skip editorial comments

<scribe> ScribeNick: drogersuk

I would like to consider separate filname conventions

for distributor and authors

<fjh> Widget Signature Name:

<fjh> The reserved file name "author-signature.xml"

<fjh> "signature" [0-9]* ".xml"

<discussion on filename conventions>

FJH clarified a point that TLR raised - it was already included in the spec

MC Thomas you have addressed my concerns, could you summarise why it is bad to have <role> attribute for signature in signature.xml?

<fjh> single signature per file, should state that explicitly

TLR There is a basic design decision that there is a single signature per file

TLR You don't want to look at two signatures at the same time

MC We don't want to use filenames as an extensibility mechanism, but I can live with this

<fjh> right now we use file name convention instead of a manifest

<tlr> fjh, +1, that's precisely the problem

MC you are optimising prematurely

<fjh> of course a manifest could be signed, addressing the signature insertion and deletion risk as well

MP There are cases where you may want to be able to find the author signature without processing everything

MC I accept the proposed solution

TLR I do not like using the filename in this way. We have different classes of resources inside the widget package

scribe: same problem as content type discovery
... clearly our solution is not best, a manifest is the best way

<tlr> ... and I'm happy to defer this part of the discussion to a later time

MC I proposed a manifest solution a couple of days ago

scribe: it would be optional
... assigned around the content types
... per file declaration of what the content type is a maybe the role

MP can the manifest discussion go on the mailing list?

<tlr> +1 to Mark

MP I'm happy to review that, we're in no way stuck on using filenames, if there is a valid reason for manifest, let's discuss it asap

TLR in the processing model, we say the distributor signature must countersign the author signature. We validate that

<ArtB> [ discussing TLR's comment "The processing model in 6.2 does not currently enforce the MUST NOT on distributor signatures countersigning each other. I'm having a hunch that that might get abused by malevolent distributors in order to interfere with each other; I therefore suggest that distributorr signatures that countersign each other are a reason for validation failure." ]

we do not validate a distiributor signing another distributor

scribe: I propose that this is invalid to break this case

MP: I agree

MC +1

<fjh> +1

DR: +1

AB: We have consensus here on that point

TLR: editorial on ID-based reference

MP: agreed

FJH: I'll update the draft. I could use some help from Thomas

TLR: I'd be happy to review, but won't commit on sending a proposal

<ArtB> [ TLR's comment "In 4.4, we currently perform a dance around X.509 version numbers. Thinking this through more thoroughly, it worries me that this came up, for the following reason: You need an X.509 v3 extension to express the basic constraints on a certificate. Without the basic constraints extension, it is impossible to distinguish a CA certificate from an end entity certificate. Which in turn suggests that somebody might have inadvertently generated

AB: The group here are happy for you to update the draft

TLR: I propose certificates must be v3 to sign widgets

MP: I need to check internally - but provisionally this looks ok

MC: I'll do the same internally at Opera

FJH: It seems to be right for me

<tlr> RFC 5280 sets a default for v3 certificates that do not have the extension, and that's important.

MC: It is messy supporting the three different standards

TLR: It is important to reference RFC-5280

AB: If we don't get any concerns in the next two weeks then we'll accetp v3

FJH: Let's update to v3 now, then we can revert if issues

AB: We have agreement on that

<ArtB> [ TLR's comment "The current draft has a relatively complex set of interacting signatures, but does not timestamp these at all. I'd *really* like us to mandate a timestamp property on each of the signatures, and demand during validation that the timestamp MUST be in the past. To give just one example, assume a distributor's signing process is found to be broken, but it's not practical to exchange the signature key. Being able to weed out all signatures ma

TLR outlined the point

MP: Vodafone will most likely object to the validation failing if the timestamp is in the future
... correction in the past
... People don't set their date and time in the phone
... This is a problem currently with java
... Unless we demand that we have network time or accurate time on devices we will not be able to live with this
... Defining it in our specification is dangerous for that reason
... What type of timestamp? By the signer?

TLR: Yes

MP: The timestamp is a statement of when the author 'says' they signed it
... Author's will set timestamps to make sure they get installed

correction: authors

MP: Do you see a use case for an expires and a timestamp?

TLR: I agree about the phones point
... This is a good argument against the MUST
... Having expiration is useful as well
... The two cover separate parts of the problem

<fjh> current signature properties draft

<fjh> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/Overview.html

TLR: expiration limits the impact in the future
... the timestamp helps you with which sequence signatures happened
... perhaps before some event
... when the package was signed can be critically important <DR: this is for forensics purposes>
... and incident handling / reaction

<Marcos> +q

<Marcos> -q

<TLR ran over the points again>

<Marcos> +q should <timestamp> be added to XML Dig Sig 1.1 instead of widgets dig sig?

<Marcos> +q to should <timestamp> be added to XML Dig Sig 1.1 instead of widgets dig sig?

<fjh> good question marcos

<Zakim> Thomas, you wanted to note that SHOULD with wall-clock is fine if Opera don't enforce upon validation

MP: I support Frederick's suggestion which was to recommend the use of timestamp and expires as best practices rather than mandating them
... a recommendation is good enough here

MC: This timestamp element sounds pretty general. Shouldn't this go in the XML DigSig Spec? Having said that I agree with Mark's comments

<tlr> I think it's fine for this to go into the signature properties document, with a "SHOULD use" in the widget signature spec.

FJH: There is some merit in what Marcos just said
... You might want to comment on that Thomas
... let's discuss that

<Marcos> +q

TLR: I don't have any deep thoughts on new timestamps... I'm fine with having a should
... It becomes unlikely that best practices get implemented

MC: We want to avoid using new elements where possible
... our preference is to profile 1.1

MP: I would support roughly what marcos said. We should reference the properties
... role, expires and timestamp

<ArtB> ACTION: Frederick check XMl Sig 1.1 re role, expires, etc. properties [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action04]

<trackbot> Created ACTION-305 - Check XMl Sig 1.1 re role, expires, etc. properties [on Frederick Hirsch - due 2009-03-04].

MP: but I would defer to the XML DigSig group

FJH: I agree with Mark
... TLR if could you write down that use case it would really help

<fjh> +1 to additional hash agl

AB: That closes the discussion then. TLR would you like to discuss hash algorithms and revocation?
... Let's discuss both. Firstly hash algorithm

<ArtB> [ TLR's comment "I wonder whether we should be keeping an additional hash algorithm in reserve, too. (That's a question that needs to go back to the XML Security WG.)" ]

FJH: I agree we need a second hash algorithm

TLR: Not having a second hash algorithm that is outside the SHA family is an issue

<tlr> I suspect consensus about hash algorithms is easier than on the PK ones.

FJH: We require some time and thought to get to where we want to be

MP: On algorithms, on the digest algorithm I agree with TLR
... we have to be aware that in 5.2 Digest Algorithms, we support additional methods

FJH: The validation needs to better match the generation requirements, I will look at that

<ArtB> [ TLR's comment "I'm worried that we don't say anything about revocation of signatures. I'd like to revisit why this is the case, and whether there's anything we can do about it." ]

<fjh> suggest, we should not profile but should mention best practice of certificate

<fjh> validtion and revocation checking

<Marcos> -q

TLR: <discusses complexities of revocation>

<fjh> identify signature versus certifcate revocation

<tlr> can live with

MP: Some of the stuff is policy dependent so is probably correctly left out of the specification

FJH: I agree with Mark. I think we decided not to do a complete profile of the XML DigSig spec within this spec

TLR: I can live with what Mark and Frederick said about revocation
... if we have a unique identifier for each signature, then we can store metadata about specific signatures

<fjh> so signature identifier could be another signature property?

TLR: there may be several signatures over time from the same signer

<tlr> yes

AB: Mandatory algorithms

FJH: I'd like to mention something first
... I changed requirement 6.1 5c from MUST to MAY
... the ds:KeyInfo element MAY be included

MP: I have one question related to this
... we're relying on certificates - I'll go back and check this
... I think what you've changed is correct, but I just want to check it

<fjh> If a ds:KeyInfo element is present then it MUST conform to the [XMLDSIG11] specification. If present then any certificate chain SHOULD be validated and any CRL or OCSP information may be used as appropriate [RFC5280]..

FJH: I just wanted to highlight this

<fjh> also

<fjh> The ds:KeyInfo element MAY be included and MAY include certificate, CRL and/or OCSP information. If so, it MUST be compliant with the [XMLDSIG11] specification. If certificates are used they MUST conform to the mandatory certificate format.

AB: OK so let's go to mandatory algorithms

<fjh> sections on generation and validation

AB: First Mark's point

<tlr> +1 to mark on that point

MP: I'd like to thankyou for the restructuring work, it has moved this on a huge amount, thankyou
... I have some small editorials I will send via email

<fjh> http://dev.w3.org/2006/waf/widgets-digsig/#signature-valiation

MP: one point here: section 6.2

<fjh> +1 re install statement

<fjh> I mean +1 mark

<tlr> "not install" is probably the wrong category, yes

MP outlined issues on installations on different platforms

<fjh> proposal - If Widget Signature Validation fails for any reason the application must be informed of the failure and possibly the reason for failure.

FJH: I agree with these points you are making

MP: I agree with your approach FJH
... In multiple digital signatures with one passing and one failing, there are different things to do, but that is getting into policy

<Marcos> MC: me too

TLR: A signature verifier could just return a boolean the way it is currently written
... there is no understanding of what trust anchors there are
... I would like to see it covered
... there must be a policy in place

FJH: I can try and do some wording, I think you're right Thomas

MP: I agree it could be drawn out more, happy to help on this

<tlr> ACTION: thomas to say something about trust anchors in the beginning of 6.2 [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action05]

<trackbot> Created ACTION-306 - Say something about trust anchors in the beginning of 6.2 [on Thomas Roessler - due 2009-03-04].

<fjh> no

AB: Work split and step 4 and step 5...

MC: I removed anything about handling responses and deferred it to widgets digsig spec

<ArtB> [ Step #4 is: http://dev.w3.org/2006/waf/widgets/#step-4--locate-digital-signatures-for-th ]

MC: where do we put author signature?

<mpriestl> fjh, I don't think we need any

MP: It doesn't really matter

fjh: Policy issue

MP: no need change anything in widget digsig
... Find all signatures in package, then process in accordance with
... widget digsig

AB: step 4 and 5 have been simplified

MP: the last sentence in step 5 says a UA must process...
... it should be possible for the UA to jump out of the list if it has enough information to make a policy decision

<fjh> http://dev.w3.org/2006/waf/widgets/#step-4--locate-digital-signatures-for-th

MP: I might only be interested in the Nokia signature

<fjh> note need to change section 4 for author signatures

MP: It makes sense to process in order, then skip out

<fjh> http://dev.w3.org/2006/waf/widgets/#digital-signatures

MP: slight rewording plus a MAY on the author signature

<Marcos> MC: I added "Search at the root of the widget for any file whose file name field case insensitively matches author-signature.xml. If found, add this file entry to the signatures list."

JS: My concern is that there is a revoked signature there
... I'd like people to consider it
... even if they are interested in something else

MP: You can define reasons for revocation if you want and there are different things you may want to do.
... In some cases you may want to consider the status of more than one signature. We wouldn't stop you doing that - the UA and the policy determines when this happens

<timeless> soudns ok

FJH: Are we planning to address policy at some point?
... we need a note in the packaging spec

MP: The processing is dependent on your policy and we don't define what that is

<fjh> need to add statement that processing depends on policy

DR: This comes back to our discussion on new work items - for example security policy type issues

AB: So right now we don't have a draft charter for that working group yet

<tlr> yes

FJH: Which is why we need to outline the concerns now before that group is there

<Marcos> MC: As an aside, in the PC spec, I added the following text "Search at the root of the widget for any file whose file name field case insensitively matches the naming convention for the author's digital signature (i.e., author-signature.xml). If found, add the matching file entry to the end of the signatures list."

MC: the processing part in step 4

MP: This is sort of what we need, let's take it offline though

RH: If we have the author at the end of the list, we can't step out of the processing

MC clarified how you could do this

<fjh> no

AB: Let's cover issue #81
... OK, schedule firast


MP: We've addressed most of the comments
... I think we're ready once the updates are complete, we're ready to go to the next WD. Next stage would be LCWD
... Fundamentals have not changed and I think we're all agreed on and it would be great to get to last call

FJH: I need to make some changes and include the comments, I'd like to reference the FCWD from XML DigSig this week
... Other than that, then I don't see why not
... Properties stuff would mean doc would need delaying

TLR: We have some different options - perhaps we could put an editors note in the widget signatures document saying what will be included

FJH: This could solve the properties issue

<tlr> it's not pretty, but it's probably easiest

AB: We have agreement on that route
... 4-5 weeks from now we could have a LCWD

TLR: Let's take this offline

<Benoit> I understand 19th march for the last WD --- 16 april for LC --- 14 may RC

<tlr> +1 to taking this offline

<fjh> +1 to taking this offline

AB: Last thing on the list is mandatory algorithms

TLR: Think about EC and DSA
... no consensus in the security group yet

MP: We would prefer the spec to be finished rather than have drawn out discussions
... there are unclear IPR issues around ECDSA
... we haven't been able to check on that
... the reasons for rejecting DSASHA-256 are not very strong from the XML SG

TLR: The FIPS standard is done, it is waiting for the US Secretary of Commerce to sign it... however there is no Secretary of Commerce appointed yet

FJH: Need to know who can live with EC or DSA

DR: Suggest raising as an action
... I can circulate for feedback in OMTP

Arve: There is not much real world use of EC
... I would like to understand if and why it is necessary now and not at some later stage

MC: We want to future proof as much as possible

<ArtB> ACTION: Marcos determine Opera's position on elliptic curve re Widgets DigSig spec [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action06]

<trackbot> Created ACTION-307 - Determine Opera's position on elliptic curve re Widgets DigSig spec [on Marcos Caceres - due 2009-03-04].

<ArtB> ACTION: David determine Opera's position on elliptic curve re Widgets DigSig spec [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action07]

<trackbot> Sorry, amibiguous username (more than one match) - David

<trackbot> Try using a different identifier, such as family name or username (eg. dorchard, drogers)

<tlr> ACTION: rogers to determine OMTP's position on EC re Widgets DigSig spec [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action08]

<trackbot> Created ACTION-308 - Determine OMTP's position on EC re Widgets DigSig spec [on David Rogers - due 2009-03-04].

<ArtB> ACTION: Rogers determine OMTP's position on elliptic curve re Widgets DigSig spec [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action09]

<trackbot> Created ACTION-309 - Determine OMTP's position on elliptic curve re Widgets DigSig spec [on David Rogers - due 2009-03-04].

<tlr> ACTION-308: duplicate of ACTION-309

<trackbot> ACTION-308 Determine OMTP's position on EC re Widgets DigSig spec notes added

<tlr> ACTION-308 closed

<trackbot> ACTION-308 Determine OMTP's position on EC re Widgets DigSig spec closed

FJH: I'd like to understand where we are with this

TLR: We need the feedback on the document that is being published tomorrow

<fjh> Please review XML Siganature 1.1 working draft, algorithms and give feedback!

AB: Thanks for joining guys and particularly Frederick for updating the spec

FJH: Thanks to everyone for their comments

<ArtB> ScribeNick: ArtB

Media type declarations; MIME; etc.

AB: looking at the agenda, Marcos
... Is the <type> element still something we need to discuss or drop?

MC: drop it
... we want to talk about the <media> element proposal
... http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0491.html
... Larry Masinter submitted some comments
... LM: http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0459.html
... No, LM's response is: http://lists.w3.org/Archives/Public/public-pkg-uri-scheme/2009Feb/0003.html

[ Marcos displays a strawman proposal of the <manifest> element ... ]

<Marcos> <manifest xmlns="">

<Marcos> <media path="" type=""/>

<Marcos> <media ext="space delimited list" type=""/>

<Marcos> </manifest>

Arve: are path and extension mutually exclusive for a given element?

<Marcos> <media path="styles/" ext="php" type="text/css" />

<Marcos> <media path="styles/mystyle" type="text/css" />

<arve> [ foo.css, bar, baz ]

<Marcos> <media path="styles/" ext="php" type="text/css;charset=utf8" />

<arve> [bar, baz] = text/html, foo.css = text/css

<Marcos> <media path="styles/" type="text/css" /> <media path="styles/foo.css" type="text/css" />

<Marcos> <media path="foo/" ext="php" type="text/css" /> <media path="foo/bar/" type="" />

<Marcos> where type="" = unknown, so sniff

AB: any comments about this proposal?

Arve: looks pretty solid

<Marcos> <media path="styles/" type="text/css" /> <media path="styles/" type="text/html" />, where the second overrides the first

AB: so the precedence is what?

MC: last one is the winner

<arve> /home/user/foo/

<arve> foo

<Marcos> how would this work with xml:base

<Marcos> ?

AB: does this proposal address the issues LM raised?

MC: some of them
... it encorporates some of his concerns

<arve> I quite like type="application/uberml+xml;charset=UTF-7"

MC: he agreed we don't need to include every file in the ZIP
... for example, we could just target one folder
... who wins in the conflict of manifest versus config file
... I like config file wins
... this proposal does not conflict with HTML5's cache manifest
... that is completely different use case

AB: good
... what is the processing model?

MC: I will define it in a separate new spec - it will not be in the P&C spec

AB: when will it be used

MC: one use case is when a user wants to save a widget and the WUA can slurp up all of the files for a widget

AB: is Opera convinced we need this for v1.0?

MC: no, not necessarily. 2.0 could be OK
... It has been requested by several people including TLR, LM and Adam Barth

Arve: I'm not convinced we need it
... sure Save As Widgets is neat but not sure we need a spec to cover the use case

AB: what's the relationship between this proposal and the issue Adam Barth raised?
... i.e. http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0264.html

MC: Adam proposed something like this so indeed my proposal addresses his concerns

AB: has Adam responded to this proposal?

MC: no, not yet

AB: do you anticipate proponents of this functionality pushing for this element to be added to P&C spec?

MC: not sure

AB: so here is where I think we are with this:
... A number of people have suggested we need to address this issue e.g. file extension to MIME type mapping
... we are in general agreement
... But we don't think it needs to be specified in the P&C spec
... We are willing to define this functionality in a separate spec
... And probably not in the Widget spec series

DR: think the P&C spec needs to specify a UI format e.g. HTML

MC: the P&C spec is agnostic - it just specifies the config file and the package format

Arve: the reality is most of the implemenations will be compatible with each other and implement a superset of P&C + DigSig + A&E + ...

MC: P&C does not define a "Widget User Agent" just a UA that can process the config file and ZIP format

DR: we want any widget that will run anywhere
... think we're going to get that widgets that can't be run e.g. only contains a DLL
... we want the W3C to define Widget User Agent

Arve: the W3C hasn't defined what a Web page is

MC: to be accurate, we should replace the <widget> element with <package> element

AB: we should go back to the FPWD as that title is probably more accurate than the current one

Arve: my expectation is that a WUA will be able to handle HTML
... but I don't think that should be mandatory

MC: the original title was "Web Applications Packaging Format"!

CV: I don't think we can replace Widgets at this point

MC: In hindsight I think we should not have switched to the name Widget
... I can put the old WUA dependency information into an Informative appendix if people think that would be useful

AB: we aren't seriously considering changing the title of the P&C spec, right?

MC: no

Arve: no

DR: still then, where is Widget User Agent defined

AB: I'm mostly indifferent but it does not belong in the P&C spec

DR: so how do we solve this problem?

<drogersuk> we are at serious risk of market fragmentation

MC: one approach as I mentioned is to add an informative note to the P&C spec

AB: why doesn't OMTP define WUA as it sees fit?

DR: that leads to fragmenation

MC: we can recommend specific MIME types but we can't mandate them
... for example the widget i.e. package could contain Flash
... are you willing to write text that covers your concern?

<drogersuk> ACTION:rogers OMTP to take Marcos' original text and modify to add the concerns over MIME types [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action10]

MC: note HTML5 doesn't define any dependencies
... although they are implied

# <feature> default; raised by Kai Hendry

AB: what's the status of this?

MC: I've already addressed this
... feature is required at runtime unless explicitly set to optional

<scribe> ACTION: Marcos make sure the <feature> comment by Kai has been addressed [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action11]

<trackbot> Created ACTION-310 - Make sure the <feature> comment by Kai has been addressed [on Marcos Caceres - due 2009-03-04].

<scribe> ACTION: Rogers OMTP to take Marcos' original text and modify to add the concerns over MIME types [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action12]

<trackbot> Created ACTION-311 - OMTP to take Marcos' original text and modify to add the concerns over MIME types [on David Rogers - due 2009-03-04].

<icon> element ISSUE: what if it's a vector and no size is given?

AB: Marcos, what's the status of this?
... http://dev.w3.org/2006/waf/widgets/#the-icon-element

MC: Doug gave me some proposed text and I've added it to the ED

Arve: is this really needed in the spec?
... Seems like its specifying visual behavior of the UA

MC: during the 2nd LC we must do a better job of removing anything that is extaneous to the config file and package format

AB: from the P&C perspective, I don't think this needs to be specified

<preference> element proposal; by Art Barstow

AB: what's the status Marcos?

MC: I've already specified this
... see the latest ED

Arve: I don't agree with MUST in this case
... I can think of some cases were MUST is too strong

[ MC makes a change in the ED to address Arve's comment ]

Arve: how will read-only be handled by the UA implementing the preferences array as defined in the A&E spec?

MC: that array should be read-only

Arve: I'm not sure about that

Ivan: what are the use cases?

<Marcos> for var in preferences {}

Arve: a widget like a RSS reader could have a list of URIs

<arve> for (var key in widget.preferences){ /* ... */ }

Ivan: seems like we don't need two mechanisms here
... How do you get the keys?

MC: we will probably need a keys attribute
... we don't want to build a dependency on HTML5
... we probably also need methods to clear the array

Arve: what if prefs returned generic objects rather than a DOMString?
... not sure we want to go that way

Ivan: I made a proposal on the mail list
... http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0455.html

[ Discussion of Ivan's proposal in the above e-mail ]

[ Marcos adds some related text to Req #28 e.g. some methods needed to support richer Preferences ... ]

AB: Meeting Adjourned

Summary of Action Items

[NEW] ACTION: David determine Opera's position on elliptic curve re Widgets DigSig spec [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action07]
[NEW] ACTION: Frederick check XMl Sig 1.1 re role, expires, etc. properties [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action04]
[NEW] ACTION: Marcos determine Opera's position on elliptic curve re Widgets DigSig spec [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action06]
[NEW] ACTION: Marcos make sure the <feature> comment by Kai has been addressed [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action11]
[NEW] ACTION: Marcos report back to the WG ASAP regarding your ability to be the Editor of the two new specs proposed and discussed on Feb 24 [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action02]
[NEW] ACTION: Marcos respond to Marcin and ask him to make specific proposals if he has any [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action01]
[NEW] ACTION: Marcos will make a hybrid proposal and send it the mail list [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action03]
[NEW] ACTION: Rogers determine OMTP's position on elliptic curve re Widgets DigSig spec [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action09]
[NEW] ACTION: rogers OMTP to take Marcos' original text and modify to add the concerns over MIME types [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action10]
[NEW] ACTION: Rogers OMTP to take Marcos' original text and modify to add the concerns over MIME types [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action12]
[NEW] ACTION: rogers to determine OMTP's position on EC re Widgets DigSig spec [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action08]
[NEW] ACTION: thomas to say something about trust anchors in the beginning of 6.2 [recorded in http://www.w3.org/2009/02/25-wam-minutes.html#action05]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2009/02/25 17:06:19 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.133  of Date: 2008/01/18 18:48:51  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/Settings a View Mode/Proposal for a "Settings" View Mode/
Succeeded: s/<access element>/<access> Element/
Succeeded: s/we an leave/we can leave/
Succeeded: s/rich/fancy pants/
Succeeded: s/don't there/dont' think there/
Succeeded: s/MDR:/DR:/
Succeeded: s/wtf?//
Succeeded: s/we/Opera/
Succeeded: s/yew/yes/
Succeeded: s/TLR/fjh/
Succeeded: s/WUS can/WUA can/
Succeeded: s/it see fit/it sees fit/
WARNING: No scribe lines found matching ScribeNick pattern: <Art> ...
Found ScribeNick: ArtB
Found Scribe: Art
Found ScribeNick: Marcos
Found ScribeNick: ArtB
Found ScribeNick: drogersuk
Found ScribeNick: ArtB
ScribeNicks: ArtB, Marcos, drogersuk
Default Present: +45.29.aaaa, fjh, Thomas, Josh_Soref
Present: Art Andy Claudio Ivan Fabrice Rainer Mark David Arve Benoit Marcos Mike(IRC) Josh(IRC) Billy Mohammed Josh
Agenda: http://www.w3.org/2008/webapps/wiki/WidgetsParisAgenda
Found Date: 25 Feb 2009
Guessing minutes URL: http://www.w3.org/2009/02/25-wam-minutes.html
People with action items: back david frederick marcos omtp report respond rogers thomas

[End of scribe.perl diagnostic output]