14:01:25 RRSAgent has joined #tagmem
14:01:25 logging to http://www.w3.org/2009/12/08-tagmem-irc
14:02:02 timbl has joined #tagmem
14:02:07 agenda + Metadata Architecture (HTTP Semantics): The use of HTTP Redirection
14:02:14 agenda + Web Application Architecture
14:02:23 agenda + HTML 5 review: (contentTypeOverride-24), (errorHandling-20)
14:02:32 agenda + (genericResources-53): Generic resources
14:02:40 RRSAgent, pointer?
14:02:40 See http://www.w3.org/2009/12/08-tagmem-irc#T14-02-40
14:04:03 masinter has joined #tagmem
14:04:25 agenda?
14:05:26 Chair: Noah
14:05:33 Scribe: JohnK
14:05:40 ScribeNick: johnk
14:06:15 next agendum
14:07:02 Present: Noah Mendelsohn, Tim Berners-Lee, Henry Thompson, Ashok Malhotra, Larry Masinter, John Kemp
14:07:10 Zakim, this will be tag
14:07:10 "tag" matches TAG_(AWWSW)9:00AM, and TAG_f2f()8:30AM, DanC_
14:07:16 Zakim, room for 4?
14:07:17 ok, DanC_; conference Team_(tagmem)14:07Z scheduled with code 26631 (CONF1) for 60 minutes until 1507Z
14:07:27 TOPIC: Convene, review agenda
14:07:51 Thomas: we're missing a phone here, working on getting one. Should be a few mins. Sorry.
14:07:59 s/Thomas:/Thomas,/
14:08:08 Regrets: TV Raman
14:10:44 trackbot-ng, start telcon
14:10:46 RRSAgent, make logs public
14:10:48 Zakim, this will be TAG
14:10:49 ok, trackbot, I see TAG_f2f()8:30AM already started
14:10:49 Meeting: Technical Architecture Group Teleconference
14:10:50 Date: 08 December 2009
14:10:54 +[MIT-G449]
14:11:01 zakim, call thomas-781
14:11:01 ok, tlr; the call is being made
14:11:02 +Thomas
14:11:43 Zakim, take up item 2
14:11:43 agendum 2. "Web Application Architecture: Security, Policy" taken up [from DanC_]
14:12:02 TOPIC: Web Application Architecture: Security and Policy
14:12:23 NM: (connects us with TLR)
14:12:42 Ashok has joined #tagmem
14:12:44 DanC_ has changed the topic to: http://www.w3.org/2001/tag/2009/12/08-agenda#Security
14:13:03 TLR: there was a well-attended session at TPAC on Web Security
14:13:19 TLR: strict transport security paypal proposal
14:13:26 TLR: XSS discussion
14:13:40 -> http://www.w3.org/Security/wiki/Strict_Transport_Security strict transport security wiki topic
14:13:44 TLR: next steps for Origin header draft
14:13:49 q?
14:14:04 TLR: no formal minutes available, however
14:14:20 q+ to ask which AD is shepherding the Origin draft
14:14:22 TLR: have the impression that Origin draft is moving forward in IETF
14:14:34 TLR: HTTP state WG is "under review"
14:14:55 (I saw a draft charter re cookies, I think; where did I see that? ...)
14:15:14 ietf mailing list
14:15:21 TLR: sense is that group should do two deliverables: - one documenting current state, another more normative
14:15:30 -> http://lists.w3.org/Archives/Public/public-web-security/ public-web-security archive
14:15:39 FWIW, I recommend that TAG members willing to deal with the traffic subscribe to the mailing list. I find it to be interesting/worthwhile.
14:15:53 News on http-state http://www.ietf.org/mail-archive/web/apps-discuss/current/msg01182.html
14:16:03 q?
14:16:08 HTTP-STATE WG charter finished IETF review and IESG Evaluation, and waiting on a few edits & input responses
14:16:12 TLR: fairly happy with state of affairs
14:16:25 q+ to ask for a bit of intro on the strict transport/paypal stuff
14:16:35 DC: has an area director stepped forward to shepherd the Origin draft?
14:16:59 TLR: I believe so
14:17:26 ( "Lisa" == Lisa Dusseault , as in http://www.ietf.org/iesg/members.html )
14:17:51 LMM: haven't heard a positive direction on Origin yet
14:18:54 some of the mics appear to be on mute
14:18:54 q+ to mention personal feedback from Mark Miller
14:19:24 ack danc
14:19:24 DanC_, you wanted to ask which AD is shepherding the Origin draft
14:19:53 ack noah
14:19:53 noah, you wanted to ask for a bit of intro on the strict transport/paypal stuff
14:19:56 http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
14:20:04 NM: what is strict transport security about?
14:20:22 TLR: let a site declare that it wants to use HTTPS even if it sees an HTTP link
14:20:44 http://www.w3.org/Security/wiki/Strict_Transport_Security -> http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
14:21:00 "draft specification proposed by Jeff Hodges (=JeffH, Paypal.com), Adam Barth (UC Berkeley), Collin Jackson (CMU-SV). "
14:21:26 2.2 Strict Transport Security Policy Summary
14:21:26 The characteristics of the Strict Transport Security policy, as applied to some given web site, known as a STS Server, is summarized as follows:
14:21:26 1.
14:21:26 Insecure ("http") connections to a STS Server are redirected by the STS Server to be secure connections ("https").
14:21:26 2.
14:21:28 The UA terminates, without user recourse, any secure transport connection attempts upon any and all errors, including those caused by a site wielding self-signed certificates.
14:21:33 3.
14:21:35 UAs transform insecure URI references to a STS Server into secure URI references before dereferencing them.
14:22:09 Miller's note about "origin:" header being harmful http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0035.html
14:22:17 TLR: limits DNS corruption and MITM attack
14:22:37 jar has joined #tagmem
14:22:48 q?
14:23:15 LMM: what are future plans for organizing web security in some way?
14:23:32 more microphone mayhem...
14:24:41 TLR: TPAC tried to coerce volunteers to get involved in review
14:24:58 TLR: usual problem: how do we recruit volunteers?
14:25:28 LMM: is there some possibility for a "formal" security board - a way of being able to sign up more consistently?
14:25:40 TLR: use the chairs of the security WGs, but we don't have critical mass
14:25:55 TLR: create a TAG-like body, focused on security?
14:26:39 HT: I had a conversation with Mark Miller at TPAC - he was heartened by the meeting
14:27:16 HT: disagreements are purely technical
14:27:31 q?
14:27:37 ack next
14:27:38 ht, you wanted to mention personal feedback from Mark Miller
14:28:35 TLR: skillful chairing has contributed to the positive movements
14:28:35 +1 to the value of face-to-face meetings, in these points, btw
14:28:51 LMM: keep this as a topic to review periodically
14:29:27 LMM: too early to decide on a formal structure, but would encourage some thought about a process for improving security review
14:29:51 NM: anything specific for us to follow up on?
14:30:05 I'm gonna close this in a minute unless anybody objects:
14:30:07 ACTION-323?
14:30:07 ACTION-323 -- Dan Connolly to as Thomas for a report form the security BOF -- due 2009-12-08 -- PENDINGREVIEW
14:30:07 http://www.w3.org/2001/tag/group/track/actions/323
14:30:11 NM: any specific specifications?
14:30:53 q+
14:30:59 q+
14:31:06 (I'm glad Noah is pursuing getting actions if we're to keep this on our agenda. LMM seems to be pursuing a process point, which is not the TAG's mandate, so I'm OK if nothing comes of it.)
14:31:21 origin header -- is it in, is it out, is it dead, is it shipping?
14:31:36 ack next
14:31:44 (tlr, do you want to be here when we talk about confused deputy?)
14:32:18 IRI spoofing -- who has the responsibility for ensuring that user agents don't depend on showing the user an IRI and expecting them to distinguish
14:32:27 (where's the list tlr is reading? I don't see websockets on http://www.w3.org/Security/wiki/Main_Page )
14:32:29 TLR: XHR, CORS, HTML5, WebSockets... encourages LMM to add his short list
14:32:41 I said "I think websockets should go on there, too"
14:33:41 johnk: Add Uniform Messaging to the list
14:33:42 JK: asks about Uniform Messaging Policy proposal
14:33:58 ack next
14:34:32 XHR has a last call that closes in a week.
14:34:43 q+
14:35:26 TLR: XHR documents current usage and is in LC
14:35:41 http://www.w3.org/TR/2009/WD-XMLHttpRequest-20091119/
14:36:03 LC for XHR ends on 15 December
14:36:10 JK: XHR and UMP both have XHR-like APIs, and seem to be related
14:36:24 tlr: XHR assumes SOP
14:36:46 DanC: the XHR whose LC is 15 Dec is async with one that takes on UM, right? [tlr said right]
14:36:54 JK: and UMP allows cross-origin with opt-out from SOP
14:37:13 ACTION johnk to review XHR and UMP together and provide comments to TAG as relevant
14:37:13 Sorry, couldn't find user - johnk
14:37:23 trackbot, status?
14:37:27 ACTION John to review XHR and UMP together and provide comments to TAG as relevant
14:37:27 Created ACTION-340 - Review XHR and UMP together and provide comments to TAG as relevant [on John Kemp - due 2009-12-15].
14:38:06 q+
14:38:21 http://www.w3.org/Security/wiki/HTML5 has an answer to NM's Q
14:38:25 q-
14:38:49 (and that's just the *trivial* list of likely relevant lists)
14:38:56 s/relevant lists/relevant sections/
14:39:30 NM: any TAG members willing to look at this security wiki and take any other actions regarding the items listed there?
14:39:43 Zakim, pick a victim
14:39:43 Not knowing who is chairing or who scribed recently, I propose Thomas
14:40:10 q+
14:40:41 TLR: HTML5 security policies are worthy of review!
14:40:51 TLR: we don't know what we don't know
14:40:52 q+
14:41:28 TLR: possibility of a workshop around these items
14:41:35 NM: rough guess about when that might happen?
14:41:48 TLR: probably a few months out
14:41:52 . ACTION: noah to let the TAG know about any upcoming HTML 5 security workshop
14:42:07 ACTION: noah to follow up with Thomas about security review activities for HTML5
14:42:07 Created ACTION-341 - Follow up with Thomas about security review activities for HTML5 [on Noah Mendelsohn - due 2009-12-15].
14:42:14 q?
14:42:18 q-
14:42:20 ack next
14:42:23 ack next
14:43:11 http://www.w3.org/Security/wiki/Talk:HTML5
14:43:53 DC: do "sandboxed iframes" work as well as they could or are there possible improvements?
14:44:07 q+
14:44:07 (seems like no-one knows the specifics well-enough)
14:44:13 ack noah
14:45:00 TBL: permeability of iframe boundary has been in flux during our work on tabulator...
14:45:37 at least 100 messages on sandboxed iframes in http://lists.w3.org/Archives/Public/public-web-security/2009Dec/thread.html
14:45:55 TBL: is this in research phase, or fairly solid in browsers?
14:46:10 TLR: (thinks still research phase)
14:46:39 LMM: lots of messages on sandboxed iframes this week, so situation is still evolving
14:48:05 NM: (reviews the agenda item)
14:49:01 close action-321
14:49:01 ACTION-321 lightly edit TAG input to DAP WG per 8 Oct and tell Noah closed
14:49:05 close action-318
14:49:05 ACTION-318 Send note to Device APIs and Policy (DAP) Working Group on behalf of the TAG closed
14:49:16 DC: can I close actions?
14:49:20 close action-323
14:49:20 ACTION-323 As Thomas for a report form the security BOF closed
14:50:02 LMM: I would be happy if there were an interest group for tracking these issues
14:50:38 q?
14:50:52 (encouragement heard, but not going to happen this year. ;-)
14:51:10 LMM: part of web arch is security, and it probably requires more attention than the TAG is able to give it
14:51:51 NM: TAG still has a role, and I'm not sure if a W3C mechanism to track all of these things outside W3C is useful
14:51:59 q+
14:52:00 NM: what problem does IG solve?
14:52:15 DC: possibility of a workshop is a good start
14:52:53 I just added uniform messaging to the security wiki FYI
14:53:00 q-
14:53:22 ACTION Noah January 15th ask the TAG again about more formally tracking security issues in HTML5
14:53:22 Created ACTION-342 - January 15th ask the TAG again about more formally tracking security issues in HTML5 [on Noah Mendelsohn - due 2009-12-15].
14:53:42 ack next
14:54:04 AM: read the UMP draft, which speaks about 2 actors
14:54:21 jar, CORS and UM are closely enough linked that I'd prefer to keep them together
14:54:35 q+ to ask how to get security review/help on IRI spoofing (as an example of something that doesn't fit into current framework)
14:54:35 AM: does UMP extend to multiple actors?
14:55:01 (I'd like to see an explanation of how UM generalizes to multiple parties)
14:55:12 JAR: yes
14:57:10 action-340: to include an explanation of how UM generalizes to multiple parties
14:57:10 ACTION-340 Review XHR and UMP together and provide comments to TAG as relevant notes added
14:57:52 LMM: in last IETF, long discussion about non-ASCII chars in IRIs and related security issues
14:58:28 LMM: possibility of constructing IRIs that the user cannot really tell whether they represent what the user is actually trying to do
14:58:42 LMM: this is not a security mechanism, but there is a security issue there
14:59:44 http://www.w3.org/Security/wiki/Trusted_User_Interface#IDN_Spoofing
14:59:47 NM: is the current group working around the web security wiki looking at issues such as the one Larry describes?
14:59:52 TLR: not specifically, no
15:00:01 (I too think Singer wrote that bit)
15:00:57 q?
15:01:09 NM: next steps?
15:01:38 NM: should someone from TAG work with the community around this wiki to frame the issues?
15:02:30 LMM: would like to make normative references from various specs. to something relevant for web security
15:02:38 LMM: a wiki is not enough
15:03:16 DC: we have IRIEverywhere issue - can we track the relevant security portion under that?
15:04:40 NM: HTML5 tells user agents what to do; should perhaps be giving advice about, for example, IRIs that might confuse the user dangerously
15:04:46 thanks Thomas
15:04:56 -Thomas
15:05:10 Everyone says "Thank you Thomas"
15:06:07 DC: there's an opportunity to engage the people involved in this wiki... but not sure how/whether we will declare victory
15:06:26 TLR, thank you >so< much for taking the time to join us. It was very, very useful!
15:07:06 JLR: mentions pet names: that one should never trust the names given to you by anyone else
15:07:53 JLR: you get to designate your own name, rather than blindly accepting the name given you by a server
15:08:18 DC: I visit 10000 web pages a day, can't give them all pet names
15:08:30 JLR: solution is proposed, but isn't yet usable perhaps?
15:08:47 NM: when about to click on a link, I should know what I'm clicking on
15:08:57 (tracker, note we're discussing ISSUE-27 IRIEverywhere-27 )
15:09:15 NM: if a page contains 50 links (to images for example), should I get to choose whether I want to access all 50 of them?
15:09:35 NM: associate my own pet name with a given URI?
15:09:43 TBL: what's the process?
15:10:14 JAR: the point is that it makes it possible for the user to discriminate
15:10:43 NM: the user can be confused, but only the first time - when they make the pet name association
15:11:07 TBL: system should protect you from confusing your pet names
15:11:34 JAR: overall constraint is exactly that - to make it more difficult to confuse the user with names
15:13:32 DC: can you (JAR) post to www-tag about pet names?
15:13:41 LMM: how about IRI list instead?
15:13:57 note that petnames were discussed and even speced *extensively* in the WSC WG. Implementers wouldn't have any of that.
15:14:05 ACTION: jonathan discuss petname application to IRI spoofing in public-iri and www-tag
15:14:05 Created ACTION-343 - Discuss petname application to IRI spoofing in public-iri and www-tag [on Jonathan Rees - due 2009-12-15].
15:14:15 HTML5, WebSockets, XHR, CORS
15:16:56 action-343?
15:16:56 ACTION-343 -- Larry Masinter to discuss petname application to IRI spoofing in public-iri and www-tag -- due 2009-12-15 -- OPEN
15:16:56 http://www.w3.org/2001/tag/group/track/actions/343
15:18:29 NM: WebSockets is moving fast...
15:19:09 LMM: wanted to note the IETF meeting on HyBi
15:19:26 http://dev.w3.org/html5/websockets/
15:19:30 LMM: two groups - one documenting current practice on long-polling et al with HTTP
15:19:37 http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol
15:19:37 LMM: and another discussing WebSockets
15:20:07 LMM: result, I believe, was that WG forming would focus on WebSockets
15:21:18 NM: how about CORS?
15:21:40 ACTION-331 ?
15:21:40 ACTION-331 -- Dan Connolly to consider ways to track the 'confused deputy problem' issue in webapps/cors -- due 2009-11-24 -- PENDINGREVIEW
15:21:41 http://www.w3.org/2001/tag/group/track/actions/331
15:22:08 http://www.w3.org/2008/webapps/track/issues/108
15:22:16 DC: TPAC goal achieved
15:22:42 DC: Mark Miller took the ball, resulting in the UMP proposal: http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html
15:25:11 DanC: what's critically different between UniformRequest and XMLHTTPRequest is that no cookies go out; it's not clear to me why that's more secure
15:25:18 NM: Note that uniform messaging looks at the Javascript level just like XHR, except that you "new" a different object to start.
15:25:34 ... if you want to do something different, you have to put your credential/permission elsewhere
15:25:37 JK: there are two parts to the spec:
15:25:39 HT: yes, you put it in your code
15:25:51 DanC: but who is "you"? the server? the client? the attacker?
15:26:01 i) that an HTTP response header can be sent saying that the server opts-out of SOP
15:26:04 JAR: the code is the attacker...
15:26:16 ... if he doesn't have permission, he can't do anything dangerous.
15:26:24 q+ to talk about credential/permission
15:26:27 ii) the UA uses a new XHR that doesn't send cookies
15:26:40 q+ to ask about community reaction to uniform messaging draft
15:26:50 q-
15:26:59 meaning any "credentials" are i) not site-specific ii) not sent implicitly
15:27:02 ack me
15:27:02 DanC_, you wanted to talk about credential/permission
15:27:45 DC: some concerns about the terminology regarding 'permission' sent as editorial comments
15:27:45 on permission and such http://lists.w3.org/Archives/Public/www-archive/2009Dec/0021.html
15:28:52 JAR: proof of permission?
15:28:52 "proof of permission" would be good; maybe I'll suggest that in email to the editors
15:28:52 ack next
15:28:56 noah, you wanted to ask about community reaction to uniform messaging draft
15:29:19 -[MIT-G449]
15:29:21 TAG_f2f()8:30AM has ended
15:29:21 Attendees were [MIT-G449], Thomas
15:32:31 DC: it's good that CORS has an issue open on confused deputy and can hopefully resolve the issue with the help of this spec
15:33:09 DC: how, for example, does this impact sandboxed iframes?
15:34:44 ACTION Jonathan to alert TAG chair when CORS and/or UMP goes to LC
15:34:44 Created ACTION-344 - Alert TAG chair when CORS and/or UMP goes to LC [on Jonathan Rees - due 2009-12-15].
15:34:54 s/and can hopefully resolve the issue with the help of this spec/so the WG has to choose UM or not before going to LC/
15:35:09 close action-321
15:35:09 ACTION-321 lightly edit TAG input to DAP WG per 8 Oct and tell Noah closed
15:35:15 action-331?
15:35:15 ACTION-331 -- Dan Connolly to consider ways to track the 'confused deputy problem' issue in webapps/cors -- due 2009-11-24 -- PENDINGREVIEW
15:35:15 http://www.w3.org/2001/tag/group/track/actions/331
15:35:20 close action-331
15:35:20 ACTION-331 Consider ways to track the 'confused deputy problem' issue in webapps/cors closed
15:35:50 tlr has left #tagmem
15:36:02 agenda + widget: URI scheme [Larry]
15:36:48 Zakim, remind us in 13 minutes to resume
15:36:49 ok, DanC_
15:37:07 Zakim, agenda?
15:37:07 I see 9 items remaining on the agenda:
15:37:09 1. Convene, review agenda [from DanC_]
15:37:10 3. Metadata Architecture: ISSUE-63: Metadata Architecture for the Web [from DanC_]
15:37:13 4. Web Application Architecture [from DanC_]
15:37:14 5. Metadata Architecture: ISSUE-63: Metadata Architecture for the Web [from DanC_]
15:37:16 6. Metadata Architecture (HTTP Semantics): The use of HTTP Redirection [from DanC_]
15:37:18 7. Web Application Architecture [from DanC_]
15:37:19 8. HTML 5 review: (contentTypeOverride-24), (errorHandling-20) [from DanC_]
15:37:20 9. (genericResources-53): Generic resources [from DanC_]
15:37:21 10. widget: URI scheme [from Larry via DanC_]
15:46:56 jar has joined #tagmem
15:49:48 DanC_, you asked to be reminded at this time to resume
15:54:21 Zakim, take up item 1
15:54:21 agendum 1. "Convene, review agenda" taken up [from DanC_]
15:57:55 johnk has joined #tagmem
15:58:14 NM: we discussed 3 big items (linked in agenda) before the summer
15:58:23 DanC_ has changed the topic to: http://www.w3.org/2001/tag/2009/12/08-agenda#Convene
15:58:33 NM: later moved to closely study HTML5
15:59:38 NM: is there something bigger than the sum of the parts (ie. action items) similar to webarch that we want to do beyond review of detailed actions?
15:59:46 q+
16:00:22 AM: as we begin talking about web apps, metadata it might become obvious if we want to write something more "overarching"
16:01:09 Present: TBL, JAR, AM, LMM, JK, HT, DC
16:01:32 LMM: we had talked about creating products of long-term value?
16:01:53 NM: such as the "architecture of web applications"
16:02:34 NM: agenda is in service of a set of goals
16:02:53 NM: agenda does reflect those goals
16:03:06 q?
16:03:54 ack danc
16:04:34 TOPIC: Metadata Architecture
16:04:50 ACTION-282
16:05:04 ACTION-282?
16:05:04 ACTION-282 -- Jonathan Rees to draft a finding on metadata architecture. -- due 2009-12-02 -- PENDINGREVIEW
16:05:04 http://www.w3.org/2001/tag/group/track/actions/282
16:05:19 Zakim, take up item 3
16:05:49 agendum 3. "Metadata Architecture: ISSUE-63: Metadata Architecture for the Web" taken up [from DanC_]
16:06:10 s/JLR/JAR/g
16:06:53 JAR: job is to encourage a connected, open Web, and a "global" approach to metadata seems important for that
16:08:13 JAR: is there a related way to understand some of the "puzzles" - RDFa vs. Microdata, XRD/LRDD/Link, related HTTP semantics, ...
16:08:52 JAR: using URIs to "refer" rather than to "locate"
16:09:30 JAR: link rel="canonical", multimedia "bookmarking" and the nature of "authoritative"
16:10:38 Jonathan's draft is at http://www.w3.org/2001/tag/2009/12/metameta.html
16:10:44 (that's what we're reviewing)
16:11:07 TBL: I thought we were doing an overall model of the whole "shebang" - not just philosophical
16:11:30 TBL: includes APIs...
16:11:43 JAR: that seems like an opportunity we have
16:12:24 (I'm not sure I agree with TBL that the AWWSW model is "not philosophical". I'm not sure there are any falsifiable claims in it. Maybe around "immutable resources", but I don't see that as a pressing issue.)
16:13:19 AM: we should start from metadata use-cases
16:13:32 AM: these are the situations in which you might want some metadata
16:13:51 AM: then we can say "in situation N, here's what you ought to do..."
16:14:30 JAR: yes, use-cases are very important
16:14:57 q+
16:15:03 JK: what if someone doesn't acquire metadata in the way you suggest even in a given use-case?
16:15:19 TBL: you can tell them what they would be losing by doing it differently
16:16:05 LMM: in my earlier work, I was taking a narrower perspective on "what is metadata" than I think we have generally taken
16:16:38 LMM: for example, perhaps related to the difference between metadata about information resources vs. metadata about non-information resources?
16:17:14 TBL: metadata is data about documents - one way to narrow this
16:17:38 TBL: another way is via ontology-based approach
16:18:00 TBL: if it's about an information resource, then it's metadata?
16:18:17 LMM: that's the conventional meaning, I think
16:18:38 http://www.e-learningguru.com/articles/metacrap.htm
16:18:57 JAR: that is part of the work we need to do to bound this project
16:21:00 JAR: metadata can come from many different places - a protocol might only get that metadata from one place - "first-party provided" metadata
16:21:37 NM: you're stopping short of discussing the impact of provenance?
16:21:39 JAR: no
16:22:12 NM: difference between we know a claim about something, or whether we know the thing itself
16:22:34 [the metacrap reference is old: Version 1.3: 26 August 2001 -- here's the original http://www.well.com/~doctorow/metacrap.htm ]
16:22:44 NM: there is a difference of trust
16:22:51 TBL: that's not the only way to spin this
16:23:11 NM: is the statement "noah says the wall is brown", or "the wall is brown"?
16:23:26 AM: yes
16:25:32 JAR: most of my draft is a list of questions
16:25:48 JAR: those questions could stimulate action items - there is a lot of work here
16:26:46 JAR: does metadata have any special role on the web?
16:26:59 TBL: metadata is data about documents
16:27:24 LMM: in the narrow definition, metadata is data about "information resources"
16:27:43 NM: if someone makes a statement about a document, it is clearly metadata
16:28:05 NM: if someone makes a statement such as "I was born on November 3rd" what do we call that statement?
16:28:39 LMM: there are some special properties of documents that make them more interesting in this regard
16:28:45 DC: can you be more specific?
16:29:22 HT: there's a fundamental difference between representations whose referents are available digitally and those which are not
16:29:33 HT: therefore reasoning about them is different
16:29:49 q+
16:29:52 q+
16:29:52 q+
16:30:01 q+
16:30:25 ack next
16:31:20 DC: Larry, can you be more specific about the properties of a document that make it more interesting this way?
16:31:21 ack timbl
16:31:53 TBL: AWWW spends a lot of time trying to describe this so it's very important - deal with the Web, you deal with docs.
16:32:16 ack next
16:32:33 the library and digital library community have a long history of establishing "metadata" for items that might appear in a world of managed information, and that this tradition is instructive, helpful, and with available techniques for management, refinement. The general "knowledge management" problem is hard, but the "metadata management" problems are tractable
16:33:01 NM: take a set of measurements and record them
16:33:11 q+
16:33:30 NM: if I then also record that I took these measurements on a particular date, then that is metadata about the measurements
16:34:00 NM: if you limit only to digital representations, it seems yto me ou lose the historical meaning of metadata
16:34:04 ack next
16:34:19 s/yto me ou/to me you/
16:34:29 ("I don't want to get hung up on terminology" <-- famous last words. terminology _is_ the problem. Agreeing on terminology is solving the problem.)
16:34:39 LMM: metadata was about "what was in the card catalogue"
16:34:47 let's do terminology after we cover use cases.
16:34:54 no, let's not
16:34:57 LMM: common way to describe that the book in library a was the same book as in library b
16:35:12 let's try out terminology as we discuss use cases, and keep careful eye on which terms comfortably fit and which ones don't.
16:35:41 LMM: Dublin Core was a way of cataloging metadata about documents / IRs
16:35:50 LMM: value is to leverage that work
16:36:04 NM: you don't buy my 'measurements' example?
16:36:10 q?
16:36:15 NM: not scoped only to library usage
16:36:21 ack next
16:36:31 q+ to say "yes" to NM wrt measurements
16:36:55 AM: I think we should ask different questions
16:37:05 there are things that are on the boundary ... you can treat them as "information resources" or not
16:37:08 AM: what could *we* write that would be useful here?
16:37:16 (http://en.wikipedia.org/wiki/Metadata is disappointing in that it doesn't have a history section like most good encyclopedia articles)
16:37:26 q?
16:37:30 ack next
16:37:32 ht, you wanted to say "yes" to NM wrt measurements
16:38:11 DC: I think you should split the screen
16:38:35 HT: yes, Noah, your example is within "metadata" scope
16:39:18 HT: I think DC is useful for any set of digital data
16:39:33 s/DC/Metadata/
16:39:48 s/DC/Dublin Core/
16:39:53 right...
16:40:29 s/Metadata is/Dublin Core is/
16:40:50 JAR: back to document...
16:41:06 JAR: not a lot of standardization
16:41:27 JAR: poor incentives for creating explicit metadata
16:42:19 q+ to talk about automatically added metadata in practical workflows
16:42:43 JAR: difficult to deploy - why?
16:42:50 JAR: difficult to validate
16:44:45 JAR: it doesn't feel that all of these things are adequately connected - it doesn't feel like a "Web"
16:44:58 (the mismatch between CiteULike and Amazon ... I wonder how many man-hours a day that costs the world. Sounds a lot like what LMM was talking about for library metadata in the 1st place... "how do you know it's the same book?")
16:46:51 HT: host-meta is data about a set of resources
16:47:23 ...((∀ metadata. ∃ ways of disrupting discussions like this:(on metadata) 1) Widening -- "ah, but what about data in general?" 2) Splitting hairs "If authorship of the data is metadata, is the author's address? or is that data about a person and so not metadata?" 3) Considering time-variance: "But isn't it not just a question of the metadata now, but how the metadata has changed over time"? 4) Let's see what happens when we look "Metadata" up in the
16:47:23 dictionary. 5) .. in wikipedia... 6) Do we really have an agreement on a definition of "metadata"? ))
16:48:16 LMM: there's a question about metadata when related to statements made about a person
16:49:12 TBL: lots of people are not doing metadata when they are making statements of identity
16:49:46 TBL: different people assigning different names to the same thing
16:50:22 TBL: let's not expand the scope of "Metadata" to the semantic web in general; e.g. co-reference... different people assigning different names to the same thing ... let's not try to tackle that.
16:50:32 TBL: people, music, place names, countries (and other administrative areas) all have metadata needs
16:50:42 TBL: we shouldn't focus only on authors
16:50:51 Noah_phone has joined #tagmem
16:51:07 JAR: does RDF "nose-following" a metadata use-case?
16:51:21 s/does/is/
16:51:26 Q?
16:52:21 LMM: metadata has a data model, a vocab, a serialization, and method of association (linking/embedding)
16:52:29 -> http://lists.w3.org/Archives/Public/www-tag/2009Jul/0153.html Framing an Architecture for Metadata on the Web
16:52:31 Noah_phone has joined #tagmem
16:52:33 LMM was talking about that ^
16:52:39 RDF nose-following is a technical solution for many of these problems, coupled with the stitched-together quilt of grass-roots ontologies.
16:52:51 From Wikipedia:
16:52:52 JAR: what are interesting cases that deal with metadata?
16:52:58 metainformation) is "data about data", of any sort in any media. Metadata is text, voice, or image that describes what the audience wants or needs to see or experience. The audience could be a person, group, or software program.
16:53:57 q+
16:54:00 LMM: if we have a framework for metadata, we can use this to explore the specific cases and see how/if it applies
16:54:01 The above is Wikipedia def of metadata. Consonant with my assumptions.
16:54:28 q+ to see if now is a good time to bring up the "cultural difference" between Host-Meta/XRD and POWDER/RDF
16:55:14 JAR: that suggests a matrix between your framework items (LMM - see earlier list) and the uses documented in my draft
16:56:53 Noah_phone has joined #tagmem
16:58:15 JAR: (describes examples listed in linked document)
16:59:51 note http://tools.ietf.org/html/draft-reschke-rfc2731bis-05
17:00:10 JAR: is anything different since RDF/Dublin Core?
17:00:33 JAR: (references Metadata Activity statement)
17:00:51 http://dublincore.org/documents/2008/08/04/dc-html/
17:01:17 metadata activity statement: http://www.w3.org/Metadata/Activity
17:02:52 NM: ADJOURN
17:27:37 timbl has joined #tagmem
17:41:06 Noah_phone_ has joined #tagmem
17:55:32 johnk has joined #tagmem
17:58:31 jar has joined #tagmem
18:01:47 timbl has joined #tagmem
18:13:02 Ashok has joined #tagmem
18:13:48 masinter has joined #tagmem
18:16:18 noah has joined #tagmem
18:21:09 http://gov2.net.au/files/2009/12/Draft-Government-2-0-Report-release.pdf
18:21:54 Zakim, agenda?
18:21:54 I see 9 items remaining on the agenda:
18:21:55 1. Convene, review agenda [from DanC_]
18:21:56 3. Metadata Architecture: ISSUE-63: Metadata Architecture for the Web [from DanC_]
18:21:59 4. Web Application Architecture [from DanC_]
18:22:01 5. Metadata Architecture: ISSUE-63: Metadata Architecture for the Web [from DanC_]
18:22:03 6. Metadata Architecture (HTTP Semantics): The use of HTTP Redirection [from DanC_]
18:22:05 7. Web Application Architecture [from DanC_]
18:22:06 8. HTML 5 review: (contentTypeOverride-24), (errorHandling-20) [from DanC_]
18:22:07 9. (genericResources-53): Generic resources [from DanC_]
18:22:08 10. widget: URI scheme [from Larry via DanC_]
18:22:26 jar, http://gov2.net.au/about/draftreport/#rec6
18:22:53 that's weird.
18:24:16 TAG_f2f()8:30AM has now started
18:24:24 +Raman
18:24:29 +[MIT-G449]
18:25:06 --------------------------
18:25:10 scribenick: timbl
18:25:34 just a sec while I sync the agenda
18:25:39 Zakim, clear agenda
18:25:39 agenda cleared
18:26:09 agenda+ Convene, review agenda
18:26:09 agenda+ Web Application Architecture: Security, Policy
18:26:09 agenda+ Metadata Architecture: ISSUE-62 (UniformAccessToMetadata-62): Uniform Access to Metadata
18:26:09 agenda+ Web Application Architecture
18:26:09 agenda+ Metadata Architecture: ISSUE-63: Metadata Architecture for the Web
18:26:10 agenda+ Metadata Architecture (HTTP Semantics): ISSUE-57 (HttpRedirections-57): The use of HTTP Redirection
18:26:12 agenda+ ISSUE-53 (genericResources-53): Generic resources
18:26:14 agenda+ HTML 5 review: ISSUE-20 (errorHandling-20): What should specifications say about error handling?
18:26:27 Noah: We have two Web App Arch slots, one now and one for the same time tomorrow.
18:26:29 Zakim, close item 1
18:26:29 agendum 1, Convene, review agenda, closed
18:26:30 I see 7 items remaining on the agenda; the next one is
18:26:31 2. Web Application Architecture: Security, Policy [from DanC_]
18:26:35 Zakim, close item 3
18:26:35 I see a speaker queue remaining and respectfully decline to close this agendum, DanC_
18:26:39 q?
18:26:42 queue=
18:26:45 Zakim, close item 3
18:26:45 agendum 3, Metadata Architecture: ISSUE-62 (UniformAccessToMetadata-62): Uniform Access to Metadata, closed
18:26:47 I see 6 items remaining on the agenda; the next one is
18:26:48 2. Web Application Architecture: Security, Policy [from DanC_]
18:26:53 Raman: I can't make tomorrow morning PST
18:27:30 Raman: I can make 15:00-17:00 EST
18:27:50 Noah: Philippe Le Hégaret has offered to join us.
18:28:03 s/Le/le/
18:28:16 raman has joined #tagmem
18:28:24 http://www.w3.org/2001/tag/tag-weekly#Applicatio
18:28:35 Zakim, take up intem 4
18:28:35 I don't understand 'take up intem 4', DanC_
18:28:40 Zakim, take up item 4
18:28:40 agendum 4. "Web Application Architecture" taken up [from DanC_]
18:28:59 http://www.w3.org/2001/tag/doc/content-to-apps.html
18:29:09 http://www.w3.org/2001/tag/2009/09/webAppsTOC-20090921
18:29:25 Noah: That is the thing which Ashok et al did. This is what JAR did.
18:29:52 Ashok: Most of this talks about how the web started as a web of documents, and is now turning into a web of apps.
18:30:17 ... That is useful stuff, but we wanted to extract the issues engendered by this fundamental shift.
18:30:48 ... John, none of us looked at Web IDL -- we didn't have the knowledge.
18:31:10 ... One question is, how to capture state. This is complicated.
18:31:46 ... There is HTML5 work split out into Storing Client-Side State, as two specs, one SQL-based, and the other keyword/value based.
18:31:48 DanC_ has changed the topic to: http://www.w3.org/2001/tag/2009/12/08-agenda#Applicatio
18:32:29 ... You send in data from the user, and the app by its nature has lots of data. It has to be protected: it has to have policies about its access.
18:32:32 q?
18:32:46 ... The third one which Larry put up is that the Web is now more complex.
18:33:10 ... It has different sorts of user agent, different URI schemes, and so on. What does this imply?
18:34:12 ... So those were our main points, plus the UMP stuff -- how UMP extends to multiple agents. (Uniform Messaging) [see required reading]
18:34:49 ... The trouble is, you are going to make a request of an app, and the app is in fact behind many appliances. The appliances can communicate. What do we do about this data being secure, protected?
18:34:58 q+ to wonder who trusts which code
18:35:32 http://www.w3.org/2001/tag/2009/09/webAppsTOC-20090921
18:36:27 Masinter: My intent, I thought, was to elaborate some of these points
18:36:34 ... into paragraphs.
18:36:57 q?
18:37:00 q?
18:37:00 ack timbl
18:37:01 timbl, you wanted to wonder who trusts which code
18:37:28 Masinter: Other bits still need to be done.
18:38:42 q+
18:38:44 q+ to talk about device APIs permissions
18:39:49 q+ to answer tbl: yes, the state of the art is (a) "installed stuff", including extensions and MacOS widgets and phone apps (b) remote code, e.g. scripts in web pages you visit
18:40:15 q+ to note that code for an application might come from multiple un-trusting (of each other) elements
18:40:22 ack me
18:40:22 DanC_, you wanted to answer tbl: yes, the state of the art is (a) "installed stuff", including extensions and MacOS widgets and phone apps (b) remote code, e.g. scripts in web
18:40:26 ... pages you visit
18:40:29 Tim: Sometimes will the application be downloaded by the user and installed and trusted, making the security situation surely much simpler?
18:40:36 q?
18:40:42 ... Like with an installed desktop app or an iPhone app
18:41:03 ht has joined #tagmem
18:41:14 DanC: There are two design centers. The installed code, and the web site script case. But they are starting to overlap in some cases.
18:41:15 q+ to ask TBL about gmail
18:41:49 ack next
18:41:50 noah, you wanted to talk about device APIs permissions
18:42:01 TimBL: Like running Mac mail and a web version of it which try to be the same interface.
18:42:52 Noah: If I am a smart user, then I expect there are bounds to what I have trusted it to do, and those bounds are being stretched, like with geolocation. The stickiness of the policy is where this happens. Does the permission stick?
18:42:59 (speaking of letting my browser run javascript, after reading crockford's writings, I installed noscript immediately.
It's fairly painful, but the alternative is to turn my computer over to anybody on the internet who wants to use it for whatever purpose they see fit and blame it on me.)
18:43:51 ... A huge barrier to getting people to move apps to the web: it asks anew whether it can have your location, which is frustrating. Maybe a longer term storage of the preferences would help.
18:44:23 TimBL: I am surprised if these things are not remembered by web site
18:44:36 Ashok: Where would that be stored? On the client or server?
18:44:59 Noah: Not relevant
18:46:26 q?
18:46:36 DanC: In fact a Firefox extension can change that from local to remote
18:46:48 q?
18:47:35 John: A common trust model is this origin-based thing -- a package which is verified as coming from an origin.
18:48:11 .. Another common trust model is like iGoogle -- Google gadgets are assembled onto a home page for you, but Google has vetted the code: Google is the thing which you trust
18:48:48 q?
18:48:52 ack johnk
18:48:52 johnk, you wanted to note that code for an application might come from multiple un-trusting (of each other) elements
18:49:05 ack ht
18:49:05 ht, you wanted to ask TBL about gmail
18:49:10 ... There is a third possibility we hadn't even counted about, where the client is making the mashup and assembling things from multiple sources which may not trust each other. A more dynamic situation. This involves cross-site scripting.
18:49:25 q+ to ask if anybody knows the state of the art in maybe cultural anthropology about how many brand names we can trust: mom, dad, my school, my town, my country, visa, mastercard, and visa... maybe 50?
18:50:18 q+
18:50:24 Henry: Normal users do not really understand the distinction.
18:50:36 TimBL: They know whether they have installed an iphone app
18:50:57 Noah: GMail on the gPhone is really a web app which behaves like an app.
18:50:58 q?
18:51:28 zaki, close the queue
18:51:33 Ashok: It looks as though there are just two cases, downloaded [installed] app and web app. There could be a third situation.
18:51:35 zakim, close the queue
18:51:35 ok, noah, the speaker queue is closed
18:51:48 Henry: No, the consumer would not distinguish.
18:52:06 (a) The "WebApps" working group is working on something like Adobe AIR -- something that uses web technology for building traditional applications, where the fact that it's using web technology is pretty much irrelevant to the end user experience.
18:52:10 (b) I want to see if we can separate the conversation between mechanisms for providing security, vs. the different kind of user models. Of course they don't match, and getting them to match -- is that in scope for this?
18:52:55 JAR: The problem of getting the user to connect them is the user programming system.
18:52:57 q?
18:53:00 q+
18:53:00 ack
18:53:10 q?
18:53:14 ack next
18:53:15 DanC_, you wanted to ask if anybody knows the state of the art in maybe cultural anthropology about how many brand names we can trust: mom, dad, my school, my town, my country,
18:53:17 ... visa, mastercard, and visa... maybe 50?
18:54:11 DanC: What is the state of the art in what we can trust?
18:54:38 HT: People trust a lot.
18:54:39 ack masinter
18:55:15 LM: There are people working on web apps more like Adobe AIR, which is like installing an application because it gets the same privileges.
18:55:18 q?
18:55:18 q?
18:55:26 LMM mentioned Adobe AIR; Microsoft Silverlight is another
18:55:39 ... distributed app deployment platform
18:55:50 Noah: There is a widget spec which allows you to make an installable thing.
18:56:15 Masinter: Note that Web Application can be used for either animal.
18:56:51 I propose the following working terminology for use in the TAG:
18:57:03 Masinter: We have mechanisms for providing security -- and user perception -- and we know they don't match. But that we knew.
18:57:17 Web Application -> A zero-install application accessed by doing HTTP GET of the main page (which in turn tends to use Javascript)
18:57:37 Masinter: To tackle it, we would have to understand the [inherent] user models of security. I am not sure we are ready to deal with them.
18:57:39 W3C Widget -> An installable application built of Web technologies per http://www.w3.org/TR/2009/CR-widgets-20091201/
18:57:41 q+
18:58:09 lmm: are we ready to take on the "user model"
18:58:20 I prefer "zero-install" and "installed".
18:58:37 -1 don't like Noah's "Web Application" definition
18:58:51 Noah: I propose we use "Web Application" to mean a zero-install application.
18:59:12 q+
18:59:30 So I hear three categories: functionality running in the browser on the [AJAX] platform or, maybe, on browser plugins, e.g. Flash; functionality running on other metal-installed distributed deployment platforms, e.g. Silverlight; and Widgets, which are installed but run on the [AJAX] platform
18:59:43 the line between these two things are blurry, and it's not clear that making categories is useful
19:00:12 q+ to underline _three_ categories
19:01:13 DC: Running is not the same as getting: when you run, you allow all kinds of privileges, e.g. to write all over your disk
19:01:26 why is it useful to make these categories when they are aspects of technology decisions with many variables which don't correspond to these categories, and users have trouble distinguishing too
19:02:23 Noah: We have 45 minutes. We have no suture work inthe web apps area.
19:02:40 .. . We can let this go and go back to the table of contents.
19:02:41 s/suture work/future work scheduled/
19:02:49 s/inthe/in the/
19:02:54 zakim, open the queue
19:02:54 ok, noah, the speaker queue is open
19:02:56 (fwiw, we do have actions in the webapps area/product, though they're mostly about security http://www.w3.org/2001/tag/group/track/products/7 )
19:03:04 q+ to underline _three_ categories
19:03:26 q+ to argue against premature categories as per above
19:03:46 q+ to note that installable iPhone apps are, in many respects, sandboxed
19:04:44 ack ht
19:04:44 ht, you wanted to underline _three_ categories
19:05:05 (I stipulate that we _need_ to manage storage; I still don't _want_ to 1/2 ;-)
19:05:42 TimBL: Users need to be able to see which applications are taking up the space on their phone, and a good UI would let a user manage that and decide which apps to let go in order to install another when the device is full
19:06:09 q?
19:06:13 Henry: Look at Silverlight apps -- they don't fall well into Noah's two categories.
19:06:32 q+ to note that there is probably no useful distinction to be made between widget and "web app"
19:07:34 E.g OpenStreetMap: 3.46G [x] Uses location [ ] use contacts [remove]
19:08:13 q+ separate functionality from implementation technologies
19:08:38 ("open standard" is orthogonal to most of the technical issues we've been talking about, no?)
19:08:48 plugins i) get access to platform APIs below the browser ii) get to "violate" the SOP
19:08:52 ack masinter
19:08:52 masinter, you wanted to argue against premature categories as per above
19:08:59 it's very hard to participate in this discussion via the phone
19:10:19 q?
19:10:35 q+ to emphasise DC's point which I scribed above
19:11:26 ack next
19:11:27 noah, you wanted to note that installable iPhone apps are, in many respects, sandboxed
19:12:23 ((∀ webapp. ∃ ways of disrupting discussions like this:(on webapp) 1) Widening -- "ah, but what about apps in general?"
2) Splitting hairs "If authorship of the data is webapp, is the author's address? or is that data about a person and so not metadata?" 3) Considering time-variance: "But isn't it not just a question of the webapp now, but how the webapp has changed over time"? 4) Let's see what happens when we look "webapp" up in the dictionary. 5) .. i
19:12:23 wikipedia... 6) Do we really have an agreement on a definition of "webapp"? ))
19:12:47 Raman: If you have a native client plugin installed, you can run them locally as apps
19:12:54 (yeah... native-client goes one way, and phonegap goes the other)
19:13:15 Noah: I think the web app case I was talking about is fairly well isolated.
19:13:19 q?
19:13:23 ... Limited access to other clients, etc
19:13:39 q+ to try to get "native-client goes one way, and phonegap" in a TOC or TODO list or something
19:13:49 Raman: The browser sandbox is getting richer .. so the sandboxing is getting more powerful, so the line is blurring.
19:14:34 ack next
19:14:35 johnk, you wanted to note that there is probably no useful distinction to be made between widget and "web app"
19:14:36 ... Like web and internet being pervasive.. The net is one more part of the computer.
19:15:21 John: I don't think there is a useful distinction between "widget" and "webapp". One possible distinction would be if you have separate decisions to make as to whether you will download it and whether you will run it.
19:15:27 q+ to note that W3C Widgets share things like device access APIs with Javascript apps running in the browser
19:15:44 q+
19:16:06 ... I am not sure it is a useful distinction.
19:16:08 ack ht
19:16:08 ht, you wanted to emphasise DC's point which I scribed above
19:16:30 q+ about making arbitrary decisions like trust levels etc.
19:16:43 q+ to talk about making arbitrary decisions like trust levels etc.
19:17:25 Henry: Categories are valuable
19:17:38 Henry: Desktop apps can do anything
19:17:40 ack next
19:17:41 DanC_, you wanted to try to get "native-client goes one way, and phonegap" in a TOC or TODO list or something
19:18:00 Noah: Phone apps can only run in their own memory, not communicate one to the other.
19:18:35 DanC: Phonegap allows you to write HTML and JS and deploy it as an application.
19:19:58 DanC: NativeClient allows you to download machine object code.
19:20:10 These are existing technologies
19:20:20 q?
19:20:41 These are existing, concrete technologies that we could use to explain concepts to people.
19:22:22 masinter` has joined #tagmem
19:23:41 (IE's trust categories are, in a distant way, similar to noscript's trusted site lists and petnames.)
19:24:28 TimBL: Maybe making up distinctions as a design point, then defining the properties of them (like IE did with levels of trusted sites in the past, say) so that you can then prove what sorts of functionality you can get from applications in each category. Not observing a distinction but inventing one.
19:24:33 ack next
19:24:34 noah, you wanted to note that W3C Widgets share things like device access APIs with Javascript apps running in the browser
19:25:16 raman has joined #tagmem
19:25:22 Noah: I am convinced by the point that proprietaryness is not an *architectural* concern.
19:25:27 q+ to prompt for "what are we trying to promote/prevent?"
19:25:58 ... However, there are things we W3C are responsible for, as we are not responsible for Silverlight or Flash. These are the AJAX technologies.
19:26:13 ... We additionally have the widget work. With W3C Widget packaging.
19:26:31 ... I am told phonegap may converge with widgets.
19:26:43 q+ to note "phonegap converge with w3c widget work" as perhaps something we're trying to promote
19:26:51 ... I think the policy model will be shared by those two models.
19:27:13 ... For example the geolocation API can be used from either type of application.
19:27:27 ... I think that the policy issues are interesting in both cases.
19:28:36 q?
19:28:42 Raman: Also it is our responsibility to make sure all bits of tech work on the web whether or not they come from W3C.
19:29:32 q+
19:29:50 ack next
19:29:58 q-
19:30:22 Ashok: If you use a webapp, the danger is that you will give it data. It might sell that data.
19:30:39 Noah: Same for iPhone apps.
19:30:46 q?
19:31:00 Ashok: You will need different types of protection mechanisms, different types of policies.
19:31:14 ... I was talking at lunch to Lalana Kagal, who is a policy person.
19:31:27 http://people.csail.mit.edu/lkagal/
19:31:38 ... She felt that the note we sent out about policy [@@link] wasn't strong enough.
19:31:41 action-318?
19:31:41 ACTION-318 -- Noah Mendelsohn to send note to Device APIs and Policy (DAP) Working Group on behalf of the TAG -- due 2009-11-20 -- CLOSED
19:31:41 http://www.w3.org/2001/tag/group/track/actions/318
19:32:03 ... She would like something stronger, with an outline of architecture and outline of protection mechanisms.
19:32:20 I'm thinking that the difference between "Web Application" and "Widget" is mainly one that "Widget" has yet another security sandbox, namely "the local machine", but that otherwise the issues about sandboxing, protection, policy, access control, identity, denial of service and resource management, are mainly the same.
19:32:40 ... It just said "You have to have a policy". Nothing on what kind, where enforced, etc .. the next layer of the architecture.
19:33:30 q?
19:33:33 ack next
19:33:35 DanC_, you wanted to prompt for "what are we trying to promote/prevent?" and to note "phonegap converge with w3c widget work" as perhaps something we're trying to promote
19:33:47 DanC: What are we trying to promote? to prevent?
19:34:01 ... Maybe we should promote the convergence of phonegap and w3c widget work.
19:34:05 problem making ajax crawlable http://lists.w3.org/Archives/Public/www-tag/2009Dec/0030.html
19:34:19 I would be willing to take an action to investigate Phonegap/W3C Widget convergence plans
19:35:04 I think your distinction is interesting, Larry (re: which sandbox is used) and definitely, the issues you raise re protection et al are correct
19:35:35 ... Also I wrote an email about this idea about making AJAX space crawlable .. a mapping from a URI with an AJAX hash in it to a URI without an AJAX hash in it
19:36:10 q+ to say that the bit Dan talked about with server/client URI aliasing is exactly the sort of thing I'd like to see us explore, perhaps in an Arch of Web Apps. Tried to say it at last F2F, Dan said it better
19:38:04 DanC: There is a question then as to whether the original URI should be the one without the hash or the one with
19:38:23 ... There is a really broken idea of having a standard mapping from any URI with a hash to any URI without.
19:38:25 ack masinter
19:38:34 (the point I'm trying to make is about squatting; i.e. who gets to choose which names)
19:38:37 s/to any/to the equivalent/
19:38:59 Masinter: Mainly the same except a widget has a security domain which is the local machine.
19:39:26 ... We might be advantaged by not making the distinction at all.
19:39:29 ack next
19:39:30 noah, you wanted to say that the bit Dan talked about with server/client URI aliasing is exactly the sort of thing I'd like to see us explore, perhaps in an Arch of Web Apps.
19:39:35 ... Tried to say it at last F2F, Dan said it better
19:39:41 q+ to mention access controlled user data as a communication model
19:40:11 . ACTION noah to investigate Phonegap/W3C Widget convergence plans
19:40:19 ACTION Noah to ionvetigate possible convergence of phonegap and w3C widgets, by January 30
19:40:19 Created ACTION-345 - Ionvetigate possible convergence of phonegap and w3C widgets, by January 30 [on Noah Mendelsohn - due 2009-12-15].
19:40:29 action-345 due 30 jan
19:40:29 ACTION-345 Ionvetigate possible convergence of phonegap and w3C widgets, by January 30 due date now 30 jan
19:40:34 action-345?
19:40:34 ACTION-345 -- Noah Mendelsohn to ionvetigate possible convergence of phonegap and w3C widgets, by January 30 -- due 2009-01-30 -- OPEN
19:40:34 http://www.w3.org/2001/tag/group/track/actions/345
19:40:41 b
19:41:14 action-345?
19:41:14 ACTION-345 -- Noah Mendelsohn to ionvetigate possible convergence of phonegap and w3C widgets -- due 2010-01-30 -- OPEN
19:41:14 http://www.w3.org/2001/tag/group/track/actions/345
19:41:37 action-345?
19:41:38 ACTION-345 -- Noah Mendelsohn to investigate possible convergence of phonegap and w3C widgets -- due 2010-01-30 -- OPEN
19:41:38 http://www.w3.org/2001/tag/group/track/actions/345
19:43:48 Noah: About this trickery between client-side and server-side URIs .. the Google maps URIs are neat -- the server generates a map with URIs, but the javascript knows how to generate permalinks to panned versions of the map which will work when you use them on the server
19:44:09 ... This is a really useful idiom. We should promote it.
19:44:11 q+ to ask about addressbar updating
19:44:58 q?
19:45:03 .. In fact, if the code were really trusted, then the URI bar would change in real time as one pans anyway.
19:45:09 zakim, close the queue
19:45:09 ok, noah, the speaker queue is closed
19:45:20 TimBL: A Firefox extension is trusted like that, so Tabulator can do that with URIs
19:45:31 q+ to note the w3c widget spec has a list of install-time capabilities (or does it?)
19:46:09 q+ to say "who do you trust" when you perform an action
19:46:12 Zakim, what did I queue myself to say?
19:46:12 I don't understand your question, DanC_.
19:46:15 q-
19:46:28 q?
19:46:31 q= DanC, Henry
19:46:41 ack me
19:46:41 DanC_, you wanted to ask about addressbar updating
19:48:56 Henry: A taxonomy or enumeration of who you are trusting when you perform which gestures would be interesting.
19:49:39 ... When you are doing a GET then you are trusting the browser implementation to not do anything as a result of that get. But when you install something, you are trusting the source of the code you install.
19:51:23 DanC: Browsing isn't safe. When you do a GET, in fact you can load a script which can do a POST. Which is broken.
19:51:50 Zakim, remind us in 25 minutes to resume
19:51:50 ok, DanC_
19:51:59 [ADJOURNED to XX:15]
19:52:10 TAG_f2f()8:30AM has ended
19:52:10 Attendees were Raman, [MIT-G449]
20:16:51 DanC_, you asked to be reminded at this time to resume
20:20:22 TAG_f2f()8:30AM has now started
20:20:24 +[MIT-G449]
20:20:52 Zakim, who's on the phone?
20:20:52 On the phone I see [MIT-G449]
20:21:18 Zakim, which item?
20:21:21 agendum 4. "Web Application Architecture" has been taken up, DanC_
20:23:08 agenda + Open govt. data news bits and pieces
20:23:38 ______________________
20:24:07 Zakim, close item 4
20:24:07 agendum 4, Web Application Architecture, closed
20:24:08 I see 6 items remaining on the agenda; the next one is
20:24:09 2. Web Application Architecture: Security, Policy [from DanC_]
20:24:34 Zakim, close item 2
20:24:34 agendum 2, Web Application Architecture: Security, Policy, closed
20:24:35 I see 5 items remaining on the agenda; the next one is
20:24:37 5. Metadata Architecture: ISSUE-63: Metadata Architecture for the Web [from DanC_]
20:24:49 Zakim, take up item 8
20:24:49 agendum 8. "HTML 5 review: ISSUE-20 (errorHandling-20): What should specifications say about error handling?" taken up [from DanC_]
20:25:32 We start without John for the moment.
20:26:28 John arrives
20:26:56 Noah: This item is a combination of error handling and content override
20:27:20 action-308?
20:27:20 ACTION-308 -- John Kemp to propose updates to Authoritative Metadata and Self-Describing Web to acknowledge the reality of sniffing -- due 2009-12-25 -- OPEN
20:27:20 http://www.w3.org/2001/tag/group/track/actions/308
20:28:12 action-309?
20:28:12 ACTION-309 -- Henry S. Thompson to henry to bring back proposed TAG pushback on sniffing and HTTP bis draft http://trac.tools.ietf.org/wg/httpbis/trac/export/663/draft-ietf-httpbis/latest/p3-payload.html, or his recommendation that we leave it alone -- due 2009-11-26 -- PENDINGREVIEW
20:28:12 http://www.w3.org/2001/tag/group/track/actions/309
20:28:13 action-309?
20:28:13 ACTION-309 -- Henry S. Thompson to henry to bring back proposed TAG pushback on sniffing and HTTP bis draft http://trac.tools.ietf.org/wg/httpbis/trac/export/663/draft-ietf-httpbis/latest/p3-payload.html, or his recommendation that we leave it alone -- due 2009-11-26 -- PENDINGREVIEW
20:28:17 http://www.w3.org/2001/tag/group/track/actions/309
20:29:31 Henry: I attempted in this email to get everyone up to speed. Section 3.2.1 of HTTP-bis is where we left our valiant hero.
20:30:04 ... This has all stabilized, and this is *all* the draft currently says about sniffing, and nothing else.
20:32:53 TimBL: When the spec says "[the receiver] MAY assume that it is application/octet-stream" then that does of course say much. It is a stream of bytes.
20:34:03 q+ to say that focus on security is too narrow
20:35:30 q?
20:35:55 Henry: It is crucial that they say that you should not override the given media type.
20:36:06 johnk has joined #tagmem
20:38:31 Masinter: In the abath draft, the introductory text is all about incorrectly labelled resources
20:38:44 http://tools.ietf.org/html/draft-abarth-mime-sniff-03
20:38:51 s/abath/abarth/
20:39:16 masinter: Does it say you should override the content-type?
20:39:39 Henry: It is careful about priv escalation but that is *all* it is careful with
20:42:39 Henry: We don't want to say "Authoritative metadata or death"
20:43:09 +1 phrase it in terms of "risks of misrepresentation"
20:43:15 Noah: Any agent which interprets dat ain a way inconsistent with the content-type risks draing incorrect conclusions.
20:43:37 s/draing/drawing/
20:43:46 s/ dat / data /
20:43:56 s/ain/in.
20:43:58 Masinter: I am reluctant to ask the HTTPbis group to say more than they think is in scope.
20:43:59 s/ain/in/
20:44:41 Masinter: We might recommend changes to the mime-sniffing document.
20:44:43 +1 getting the HTTPbis spec to cite the MIME sniffing draft
20:44:50 ... As that is where the main analysis is.
20:48:23 +Raman
20:48:25 -Raman
20:48:25 +Raman
20:50:37 JAR: No "no security escalation" idea is one thing to keep.
20:52:03 ... Can we isolate other principles?
20:52:18 DanC: Like "If a lot of people do it then it must be right" :-/
20:52:29 Henry: They did go against IE6
20:52:57 JAR: Error correction case, whether the given content type does not make the document valid
20:53:41 -Raman
20:53:54 +Raman
20:53:55 -Raman
20:53:55 +Raman
20:54:13 We've gone mute
20:57:06 [missed HT]
20:57:52 Noah: Say what you want about existing servers -- but in many cases the user agent cannot distinguish between an error case and in fact a correct deployment.
20:59:32 ... JAR gave a counterexample: if the bits are not legal for the advertised type, then you have more reason to try error recovery.
20:59:46 Masinter: I think Apple mail clients sniff too.
21:00:11 JAR: Should we change the MIME registries?
21:00:36 http://www.noahdemo.com/rte/Metadata/broken_text.xml
21:01:26 Serves as text/plain, first bytes look like XML, but in fact is not well formed. Renders fine in Firefox, breaks in IE6
21:01:27 No, that's not what I asked. What I asked was, does anyone know if barth et al. considered updating lots of mime type registrations, INSTEAD of writing a sniffing RFC?
21:01:40 Updating mime type regs to say what?
21:02:22 To say whatever the barth sniffing rfc draft says.
21:03:06 Henry: I wonder whether they are just rewriting things which could not be text plain documents.
21:05:38 ...
If the first bit is a unicode Byte Order Mark, then you treat it as text/plain, and if none of the first N bytes are binary, then you must stick with text/plain
21:08:05 ... If the first bytes of the resource match a magic number then see the table.
21:08:43 q+ to object to trapping HTML as "scriptable" early on when it is not necessarily.
21:09:34 Henry: You can promote text/plain to application/postscript
21:09:35 q-
21:09:43 TimBL: you can do denial of service with PS, no?
21:10:00 Masinter: Apple promise PS
21:11:20 ack timbl
21:11:20 timbl, you wanted to object to trapping HTML as "scriptable" early on when it is not necessarily.
21:11:25 Henry: you can promote to zip or image
21:11:51 TBL: I'm constantly frustrated by the way my machine and its software deals with scriptable things...
21:12:11 ... it keeps warning me about HTML files downloaded from the Internet or in email...
21:12:33 ... given that a lot of HTML doesn't have script in it, this idea that "HTML is scriptable" worries me.
21:13:22 TBL: the machine goes to so much trouble to keep track of where things came from; can't it use a non-scripting viewer? Why does it assume that the document is dangerous rather than the viewing app?
21:13:30 q+ to note content security policy
21:13:36 q?
21:13:56 FWIW, I'd like to gradually evolve this discussion to next steps.
21:14:02 JK: but isn't the point to get interoperability between apps that are going to do this [?] anyway?
21:14:22 q+ to project the web apps product to show what actions we have
21:14:32 ack me
21:14:32 DanC_, you wanted to note content security policy and to project the web apps product to show what actions we have
21:14:58 q+ to clarify my attitude to mime-sniff
21:15:00 DanC: The idea of a non-scripting viewer is interesting.
21:15:28 q+ to speculate that the right model might be: warn on script
21:16:13 ...
The content-providers have this problem as people contribute HTML which should not have scripts in, and no one notices.
21:16:33 http://lists.w3.org/Archives/Public/www-tag/2009Dec/0063.html
21:16:40 http://www.w3.org/Security/wiki/Content_Security_Policy
21:16:42 ... There is a proposal to add a feature to "please ignore all scripts in this.. it is our stuff but we are not sure about it".
21:16:46 http://people.mozilla.org/~bsterne/content-security-policy/
21:17:09 https://wiki.mozilla.org/Security/CSP/Spec
21:17:31 http://www.w3.org/2001/tag/group/track/agenda
21:18:44 q?
21:18:51 ack next
21:18:52 ht, you wanted to clarify my attitude to mime-sniff
21:19:43 Henry: Parenthetically, my own university allows me to publish by submitting an HTML body which it wraps in a wrapper I have no control over.
21:19:56 ... e.g. scripts
21:20:07 Noah_phone has joined #tagmem
21:20:44 Henry: About the "LCD" problem of tarring all HTML with the same brush: I don't think the current situation is the one we want to be in, but the current draft is the best for the given situation.
21:21:40 ... This barth-hixie draft rules out the worst of the bad behavior, and documents the existing behaviour, so they should be encouraged, but so should the HTTP-bis folks, to comment on thhe bets bits of the draft.
21:21:47 s/bets/best/
21:22:12 ... We need to both warn of the risks and identify the necessity.
21:22:18 John: Why in HTTP?
21:22:32 Henry: because it is the HTTP spec which specifies the content-type
21:23:19 q+ to rephrase my concern
21:23:39 DanC, no the HTTP bis spec is not a big PR option -- but it is a reference to which people will fall back in their arguments.
21:23:59 Henry: I will still be arguing for "should"s in there
21:24:44 John: What about modularity of specifications
21:25:50 q+ to reply wrt "recipient" language
21:26:00 q?
21:28:52 ack noah
21:28:52 noah, you wanted to speculate that the right model might be: warn on script
21:28:55 Henry: They changed the spec to license sniffing but did not say that if you do that you get burned.
21:29:00 ack johnk
21:29:00 johnk, you wanted to rephrase my concern
21:29:08 q- ht
21:29:15 Noah: Tim brought up the idea of a non-scripting viewer.
21:29:46 ... But to just show the data with no script running is not always what we want.
21:32:19 q?
21:34:54 action-309?
21:34:54 ACTION-309 -- Henry S. Thompson to henry draft input to HTTP bis draft re sniffing based on 8 Dec discussion -- due 2009-12-09 -- PENDINGREVIEW
21:34:54 http://www.w3.org/2001/tag/group/track/actions/309
21:35:24 action-309?
21:35:24 ACTION-309 -- Henry S. Thompson to draft input to HTTP bis draft re sniffing based on 8 Dec discussion -- due 2009-12-09 -- OPEN
21:35:24 http://www.w3.org/2001/tag/group/track/actions/309
21:36:32 Topic: Admin: Upcoming Teleconferences ...
21:36:46 NM: tag election ongoing...
21:36:51 HT: ends 9 Jan
21:37:00 NM: 4 candidates for 2 slots
21:37:25 NM: reminder: TAG meeting 17th-19th March 2010, MIT, Cambridge, MA, USA
21:37:41 NM: inclined to not schedule next ftf until election done, OK?
21:37:49 [agreement by silence]
21:38:43 discussion of timing of upcoming TAG ftf w.r.t. AC meeting...
21:40:14 someone suggests 24-26 Mar, Wed-Fri of the week of the AC meeting
21:40:36 better for 2 people, worse for 1
21:43:53 ACTION Dan: collect March 2010 W3C Team day info
21:43:53 Created ACTION-346 - Collect March 2010 W3C Team day info [on Dan Connolly - due 2009-12-15].
21:47:53 http://www.rfc-editor.org/rfc/rfc2046.txt
21:50:36 Topic: ISSUE-50 (URNsAndRegistries-50)
21:50:47 issue-50?
21:50:47 ISSUE-50 -- URIs, URNs, "location independent" naming systems and associated registries for naming on the Web -- OPEN
21:50:47 http://www.w3.org/2001/tag/group/track/issues/50
21:52:04 -Raman
21:52:11 -[MIT-G449]
21:52:13 TAG_f2f()8:30AM has ended
21:52:13 Attendees were [MIT-G449], Raman
21:55:10 ACTION-121 due 1 Mar 2010
21:55:10 ACTION-121 HT to draft TAG input to review of draft ARK RFC due date now 1 Mar 2010
21:55:19 action-33 due 1 Mar 2010
21:55:19 ACTION-33 revise naming challenges story in response to Dec 2008 F2F discussion due date now 1 Mar 2010
21:56:06 ADJOURN (for today)
21:56:14 RRSAgent, draft minutes
21:56:14 I have made the request to generate http://www.w3.org/2009/12/08-tagmem-minutes.html DanC_
22:58:11 jar has joined #tagmem
23:45:43 timbl has joined #tagmem
