18:00:57 RRSAgent has joined #tagmem
18:00:57 logging to http://www.w3.org/2010/02/18-tagmem-irc
18:00:59 RRSAgent, make logs public
18:01:01 Zakim, this will be TAG
18:01:02 Meeting: Technical Architecture Group Teleconference
18:01:02 Date: 18 February 2010
18:01:03 Zakim has joined #tagmem
18:01:22 Zakim, this will be tag
18:01:28 ok, DanC, I see TAG_Weekly()1:00PM already started
18:01:47 +DanC
18:01:49 +Jonathan_Rees
18:01:54 Ashok has joined #tagmem
18:02:23 +Ashok_Malhotra
18:03:13 +[IBMCambridge]
18:03:13 johnk has joined #tagmem
18:03:18 zakim, [IBMCambridge] is me
18:03:18 +noah; got it
18:03:26 zakim, who is here?
18:03:26 On the phone I see Raman, DanC, Jonathan_Rees, Ashok_Malhotra, noah
18:03:27 On IRC I see johnk, Ashok, Zakim, RRSAgent, masinter, noah, raman, jar, htt, DanC, ht, trackbot
18:03:30 scribe: DanC
18:03:47 Topic: Convene, review agenda
18:04:00 Regrets: Dan Appelquist, Tim Berners-Lee
18:04:33 +1 approve http://www.w3.org/2001/tag/2010/02/11-minutes
18:04:45 zakim, please call ht-781
18:04:45 ok, htt; the call is being made
18:04:46 +John_Kemp
18:04:46 +Ht
18:04:53 chair: noah
18:05:09 zakim, ht is me
18:05:09 +htt; got it
18:05:28 +1 approve
18:05:29 RESOLVED to approve http://www.w3.org/2001/tag/2010/02/11-minutes
18:05:35 zakim, please mute me
18:05:35 htt should now be muted
18:06:14 NM points out a few admin items (see agenda)
18:06:30 JAR: ftf prep material due date?
18:07:03 action-391?
18:07:03 ACTION-391 -- Noah Mendelsohn to prepare March 2010 ftf agenda -- due 2010-03-08 -- OPEN
18:07:03 http://www.w3.org/2001/tag/group/track/actions/391
18:08:07 agenda input by the 8th, reading material the 15th
18:08:09 ACTION-391: reading material due 15 March
18:08:09 ACTION-391 Prepare March 2010 ftf agenda notes added
18:08:34 q+
18:09:54 action-332?
18:09:54 ACTION-332 -- Dan Connolly to note that the HTML 5 spec has a proposed design for mixing in SVG and MathML, which is said to be the scope of IsSUE-33 mixedUIXMLNamespace-33 -- due 2010-02-25 -- PENDINGREVIEW
18:09:54 http://www.w3.org/2001/tag/group/track/actions/332
18:09:57 q?
18:10:04 zakim, who is here?
18:10:04 On the phone I see Raman, DanC, Jonathan_Rees, Ashok_Malhotra, noah, John_Kemp, htt (muted)
18:10:06 On IRC I see johnk, Ashok, Zakim, RRSAgent, masinter, noah, raman, jar, htt, DanC, ht, trackbot
18:11:37 zakim, who is here?
18:11:37 On the phone I see Raman, DanC, Jonathan_Rees, Ashok_Malhotra, noah, John_Kemp, htt (muted)
18:11:39 On IRC I see johnk, Ashok, Zakim, RRSAgent, masinter, noah, raman, jar, htt, DanC, ht, trackbot
18:11:49 DanC notes the agenda is due at T-2 weeks, 10 March.
18:12:49 Topic: version indicators, esp in HTML 5
18:13:02 issue-41?
18:13:02 ISSUE-41 -- What are good practices for designing extensible languages and for handling versioning? -- OPEN
18:13:02 http://www.w3.org/2001/tag/group/track/issues/41
18:13:09 Actually, the topic is specifically Larry's proposal
18:13:11 action-388?
18:13:11 ACTION-388 -- Jonathan Rees to take a look at LMM's doctype/versioning proposal http://lists.w3.org/Archives/Public/public-html/2010Jan/0015.html -- due 2010-02-11 -- PENDINGREVIEW
18:13:11 http://www.w3.org/2001/tag/group/track/actions/388
18:13:30 +Larry
18:14:12 close action-388
18:14:12 ACTION-388 Take a look at LMM's doctype/versioning proposal http://lists.w3.org/Archives/Public/public-html/2010Jan/0015.html closed
18:14:45 NM notes "HTML WG chair has requested that the TAG and HTML WG coordinate scheduling of work on this"
18:14:55 (quoting from the agenda)
18:15:24 Larry email: http://lists.w3.org/Archives/Public/www-tag/2010Feb/0140.html
18:15:50 http://lists.w3.org/Archives/Public/www-tag/2010Feb/0143.html
18:17:10 DC: We already did polyglot documents to my satisfaction, and I believe Henry's, no?
18:17:26 nm: 1. Engage as TAG re polyglot docs?
18:17:43 LMM: while yes, part of the issue of polyglot documents has been dealt with...
18:18:03 q+ ht to separate the two issues
18:18:19 LM: This would make more polyglot docs
18:18:25 DC: I'm aware of that
18:18:27 ... there are documents that are conforming XHTML that have doctypes that the HTML 5 spec prohibits (or shuns)
18:18:39 ack danc
18:18:43 LM: The browsers have to accept them, but not label them conforming
18:18:46 q?
18:18:48 ack next
18:18:49 ht, you wanted to separate the two issues
18:19:59 HT: for [various?] reasons... I think the place to pursue this is around the media type. [something like that]
18:20:44 s/. [something like that]/, version indicator and conformant document issues/
18:22:00 (polyglot document issue? help? is there actually such an issue?)
18:22:03 ht: Polyglot docs is a red herring in this discussion
18:22:08 From our agenda for today: This relates to Larry Masinter's HTML WG ACTION - 172, which is associated with HTML WG ISSUE - 4: HTML Versioning and DOCTYPEs and HTML WG ISSUE - 84: Should spec discourage use of "legacy" doctypes? (HTML WG chair has requested that the TAG and HTML WG coordinate scheduling of work on this)
18:22:36 q+
18:22:48 ack next
18:23:00 DC: Is there a polyglot doc issue?
18:23:07 NM: On the TAG side or HTML?
18:23:09 DC: Either.
18:23:15 ]
18:23:32 HT: It was an HTML issue, we discussed in Santa Clara, and Ian Hickson made a change.
18:24:12 q?
18:24:42 -> http://www.w3.org/Bugs/Public/show_bug.cgi?id=8154 Make it clear that serving polyglot documents as text/htm...
18:27:16 http://lists.w3.org/Archives/Public/www-tag/2010Feb/0008.html
18:27:54 ^ part of a thread on Backward-compatibility of text/html media type (ACTION-334, ACTION-364)
18:28:21 HT: last time I looked into this, what the HTML 5 spec said about MIME types and DTDs wasn't acceptable
18:29:45 HT: See my email at http://lists.w3.org/Archives/Public/www-tag/2010Feb/0008.html
18:29:55 action-364?
18:29:55 ACTION-364 -- Dan Connolly to ask HTML WG team contacts to make a change proposal re issue-53 mediatypereg informed by HT's analysis and today's discussion -- due 2010-02-18 -- OPEN
18:29:55 http://www.w3.org/2001/tag/group/track/actions/364
18:30:14 HT: looking at the 15 Feb version, I see lots of changes w.r.t. last time I looked...
18:31:01 Dan, is the phrase "informed by HT's analysis" a reference to 2010Feb/0008?
18:31:46 HT: (looking at HTML spec) What happened to all the text that was there on DOCTYPEs a few weeks ago?
18:32:01 Can we have a link to the latest, please?
18:32:20 HT: Seems to have gone back to status quo ante.
18:32:23 HT: it seems to have gone back to "you can't have any[?] DOCTYPE"
18:33:22 from /html/wg/ I get to http://dev.w3.org/html5/spec/ dated 18 February 2010
18:33:44 Is it this section: http://dev.w3.org/html5/spec/syntax.html#the-doctype ?
18:33:57 -> http://dev.w3.org/html5/spec/syntax.html#the-doctype 8.1.1 The DOCTYPE
18:33:58 HT: Most of what I commented on is no longer here.
18:35:12 HT: Ah, where my email referred to 7.2.5.4, now reference 8.2.5.4
18:35:13 8.2.5.4 The "initial" insertion mode "obsolete permitted DOCTYPE"
18:35:29 HT: Looks like there has been at least some response to some of my comments. This could be a change for the better. I need to read it.
18:35:43 DC: Is this a description of conforming documents or browser behavior?
18:35:58 HT: That's the key question, as Noah also mentioned in (some email?)
18:36:46 pretty much all of 8.2 is in the "Highlight UA text" style
18:37:55 NM: I read 9.1 as saying XHTML doctypes are not constrained.
18:37:59 HT: I >think< so.
18:38:05 LM: So, it's a polyglot issue.
18:38:15 DC: Not my Polyglot issue.
18:38:28 DC: OT
18:38:39 DC: It's about well formed.
18:38:41 http://lists.w3.org/Archives/Public/www-tag/2010Feb/0057.html is NM's message about conformant document
18:38:56 how many well-formed XML/XHTML documents are also valid HTML?
18:39:17 johnk has joined #tagmem
18:39:26 all? some? only those that use more than 17 elements?
18:40:25 DC: as long as I can write HTML 5 documents that are XML-well-formed, my requirements are met.
18:40:32 q?
18:40:48 NM: Next steps?
18:40:53 action-364?
18:40:53 ACTION-364 -- Dan Connolly to ask HTML WG team contacts to make a change proposal re issue-53 mediatypereg informed by HT's analysis and today's discussion -- due 2010-02-18 -- OPEN
18:40:53 http://www.w3.org/2001/tag/group/track/actions/364
18:40:57 DC: I have an action to get with team contacts
18:41:36 http://www.w3.org/html/wg/tracker/actions/172
18:42:10 (er... 172 is an action, not an issue)
18:43:52 ("issue of document vs processor conformance"... that's not an acknowledged HTML WG issue, AFAIK)
18:44:30 n.b. Larry's proposal goes beyond the media type issue - tries to make a point about gratuitous incompatibility
18:44:53 noodling... "to the extent that the HTML versioning issue (4) overlaps with the media type issue (53), we're still interested" where 53 is short for http://www.w3.org/html/wg/tracker/issues/53
18:45:24 NM: does setting expectations that we'll have something as a group around our ftf sound right?
18:45:26 HT: yes
18:46:13 HT: consider "there's a constellation of issues around the doctype, version indicators, and the media type ..."
18:46:49 LMM: I think that's coming at it from the wrong end... "there's some damage done to HTML and for [scribe lost track...
18:46:56 LMM: if something's bad for 3 reasons, we don't need to file 3 different issues one for each reason
18:47:57 LMM: dropping the DOCTYPE is bad for 3 reasons: (1) mime type (2) polyglot (3) ...
18:48:26 DC: "polyglot" doesn't work for me when talking about DOCTYPES. can we call it "XML workflows"
18:48:33 TVR: probably not effectively
18:48:43 LMM: dropping the DOCTYPE is bad for 3 reasons: (1) mime type (2) polyglot (3) definition of what conforms
18:50:13 perhaps "dropping the public and system identifier from the DOCTYPE..."
18:50:34 DanC: I think dropping the doctype is a good idea...
18:51:03 So, something such as "The current status of DOCTYPE statements, in the HTML and XHTML syntax sections, and in the HTML processor section, cause problems in at least three areas: the interpretation of the text/html media type; document workflows which use PUBLIC and/or SYSTEM identifiers; the general question of how to determine what the spec. says with respect to what are conformant documents; the use of DOCTYPEs as version identifiers
18:51:37 "The TAG is still working to pull together input in this area -- we hope to have something to say by the end of our March f2f
18:51:57 s/three areas/four areas/
18:53:22 DanC: DOCTYPEs are wrong almost all the time. it's a waste of bytes; provided _dis_information most of the time
18:53:47 LMM: [could you help me record your reply, Larry?]
18:54:27
18:54:59 I thought TV's observation about is a good one: it's making the W3C's 1999 XHTML mistake all over again
18:55:14 LMM: ... a suggestion was to put the editor's notion of document type in a comment; that's non-sensical w.r.t. saving bytes
18:56:01 That is, just because we think we would all be better off if everyone used , we shouldn't say "only that is allowed"
18:56:07 +1 something such as...
18:56:12 You mean: disallowing doctypes is like requiring end tags - both change good documents into bad ones?
18:56:26 ah yes, that if you are concerned about DOCTYPE being a waste of bytes and useless to consumers: DOCTYPE on the web is probably leftover from an XML workflow that then turned into an HTML workflow, and by the time it hits the browser, sure it's useless, but that doesn't mean it wasn't useful during the XML workflow, which is the workflow that needs to know what a valid document is anyway
18:56:42 ACTION Noah: update HTML WG co-chairs along the lines of ... DOCTYPE... workflow... media type..
18:56:42 Created ACTION-393 - Update HTML WG co-chairs along the lines of ... DOCTYPE... workflow... media type.. [on Noah Mendelsohn - due 2010-02-25].
18:57:39 Topic: changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case
18:57:46 action-278?
18:57:46 ACTION-278 -- Jonathan Rees to draft changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case -- due 2010-02-07 -- PENDINGREVIEW
18:57:46 http://www.w3.org/2001/tag/group/track/actions/278
18:57:49 My cheat sheet for this action http://www.w3.org/2001/tag/2010/02/action-278-notes.txt
18:57:57 It used to be that the HTML spec was actually useful for XML workflows, and these kinds of changes, which didn't give significant value to the XML workflow use cases, were harmful to a community not well-represented
18:57:58 q+
18:58:23 Proposal: http://lists.w3.org/Archives/Public/www-tag/2010Feb/0074.html
18:58:53 NM: Dan said something about "that doesn't look all that different from tyler's" ...
18:59:13 ... a difference is: tyler's says "user agents MUST NOT ..." and I am careful to not say that
18:59:13 Actually, you said one bit of mine didn't look that different from one bit of his.
19:00:31 JAR: ... not sure I'm done thinking this thru... advocacy... [scribe fails to capture]
19:01:05 q+
19:01:09 2 cases: google calendar, csrf defense
19:01:55 NM: the problem I'm seeing is tyler is saying the web should have been carefully designed so that URIs are treated carefully and not spread... [scribe bandwidth exceeded]
19:02:45 TVR: this same argument was made against REST and use of params in the arg...
19:03:06 ... people said "it's too fragile; don't call us if it breaks" but [now it's expected]
19:03:11 q?
19:03:14 ack next
19:03:18 ack DanC
19:03:48 DanC: all tyler has said is "don't do things that the user hasn't asked you [the user agent] to do"
19:03:53 From Tyler:
19:03:54 A user-agent
19:03:54 MUST NOT disclose representations or URIs, unless either explicitly
19:03:54 instructed to do so by the user or as legitimately directed to by
19:03:54 presented content. Since the user may wish to keep this information
19:03:54 confidential, the user-agent must not assume it can be revealed to
19:03:56 third-parties.
19:05:14 DanC: all that says is "don't do things that the user hasn't told you to do"
19:05:16 This would require software to not do things that used to be presumed valid. Imposing such requirements needs a stronger justification than this one use case.
19:05:32 "Everything that isn't mandatory is forbidden" is a bad design rule.
19:05:42 NM: have I explicitly told my web browser which parts of the disk to store my URLs?
19:05:44 is it valid for a browser to automatically send the Referer HTTP header?
19:06:52 q?
19:08:38 NM: I don't see that we have standing to say when a wide variety of software conforms, retrospectively
19:09:11 DanC: we can just observe that the community has this rule; when it's broken, people get pissed off
19:09:15 JAR: We could redraft.
19:09:17 NM: that's a big difference...
19:09:22 NM: That would be great. Who will do it?
19:09:32 Did JAR respond that he would? Didn't hear.
19:09:36 no
19:09:42 OK
19:09:44 we left it in "we should" state for now
19:09:48 OK
19:09:56 JAR: in the other case [scribe falls behind]
19:10:36 If the finding gives only grudging acceptance of unguessable URIs, that leaves the CSRF case in the cold
19:10:43 q+ to talk about word unguessable
19:10:44 q+
19:11:05 JAR: to effectively defend against CSRF...
19:11:16 ... you have to embrace the unguessable URI pattern
19:11:27 DC: For every page?
19:11:42 JAR: well, every page that involves authority...
19:11:43 ack next
19:11:44 noah, you wanted to talk about word unguessable
19:11:53 ... any page that may have confidential information a bit
19:12:46 NM: the main thing the finding is trying to say is not really about guessing a URI, but that by looking at a URI, you shouldn't be able to get confidential from it
19:13:05 If you believe unguessable URIs are important for defense, the finding needs to embrace them wholeheartedly, not grudgingly
19:13:09 JAR: I don't think anybody argues against that...
19:13:15 NM: but that's all the finding said...
19:13:16 Is this right? HTTP has authentication methods, but using them is awkward. So people are looking for other ways of doing authentication, and one of those ways is susceptible to CSRF. Rather than trying to fix HTTP authentication, people are trying to patch this alternative so that it isn't as susceptible
19:13:20 JAR: the finding said "confidential"
19:13:33 [scribe isn't sure he's following well now]
19:14:17 it's not just awkwardness, masinter; the HTTP auth mechanisms are still ambient authority [I think]
19:14:53 NM: [an example... taxes or something... scribe neglected to get it]
19:15:27 q?
19:15:47 NM: so where do you see the disagreement?
19:16:12 ack next
19:16:38 JAR: (a) the finding says don't put confidential info in URIs (b) CSRF defense requires the use of unguessable URIs, i.e. confidential info in the URI (c) hence the finding argues against state-of-the-art defense against CSRF
19:17:17 LMM: picking up on something Roy F. said about origin...
19:17:42 ... HTTP has authentication methods, but using them is awkward. So people are looking for other ways of doing authentication... e.g. not doing a username/password on every request...
19:18:11 ... and one of the ones they've selected is vulnerable to CSRF...
19:18:19 NM: I tried to say: I agree that if you want URIs to be secret, it's probably good/essential that they be unguessable. But... I don't think the converse is true: there are lots of good reasons for making unguessable URIs that aren't otherwise secret. I.e. where the URIs don't have to be protected, but the mappings from things like bank account numbers need to be.
19:18:22 q?
19:18:36 ... so perhaps we should step back and look at why we picked this method?
19:18:43 -htt
19:19:29 DC: Useful that you said "it was awkward to type uid/pwd on every request"
19:19:47 DC: If you did challenge/resp with password on every request, would it seal the CSRF hole?
19:19:56 JAR: Don't think so -- don't know.
19:20:37 DC: You'd ask for page, server would give nonce. (should have been in http...but anyway...maybe MD5 auth). You take the number and password, hash, and return.
19:20:47 JAR: How do I know password isn't wielded by attacker.
19:20:56 JK: You need an account with each site?
19:21:34 JK: each *site* needs an "account" with each other site
19:21:35 i thought we agreed not to use the C-word...
19:21:42 origin identifies, it doesn't authenticate
19:22:51 with "secret unguessable URIs", the URI is a "bearer token" - the bearer of the URI is authorized, regardless of identity
19:24:07 +1 to JohnK
19:24:43 q?
19:25:44 q?
19:26:00 can the bank allow a third-party site to ask the UA to send the cookie to the bank?
19:26:20 (set of notes? where?)
19:30:28 trackbot, status?
19:30:50 ACTION - John to compare Noah and Tyler's proposals on this subject
19:30:50 Sorry, couldn't find user - -
19:30:57 -Raman
19:31:04 ACTION - johnk to compare Noah and Tyler's proposals on this subject
19:31:04 Sorry, couldn't find user - -
19:31:09 ACTION: John to compare Noah and Tyler's proposals on this subject
19:31:09 Created ACTION-394 - Compare Noah and Tyler's proposals on this subject [on John Kemp - due 2010-02-25].
19:31:35 -Ashok_Malhotra
19:31:43 -DanC
19:31:44 -John_Kemp
19:31:54 We are adjourned -- please start working on F2F input
19:31:59 -noah
19:32:01 -Larry
19:32:04 -Jonathan_Rees
19:32:05 TAG_Weekly()1:00PM has ended
19:32:07 Attendees were Raman, DanC, Jonathan_Rees, Ashok_Malhotra, noah, John_Kemp, htt, Larry
21:35:08 Zakim has left #tagmem
21:53:11 RRSAgent, draft minutes
21:53:11 I have made the request to generate http://www.w3.org/2010/02/18-tagmem-minutes.html DanC
21:53:29 RRSAgent, make logs public
21:53:30 RRSAgent, draft minutes
21:53:30 I have made the request to generate http://www.w3.org/2010/02/18-tagmem-minutes.html DanC
21:57:12 Agenda: http://lists.w3.org/Archives/Public/www-tag/2010Feb/0139.html
22:04:18 ScribeOptions: -noembedDiagnostics
22:04:28 ScribeOptions: final
22:04:31 RRSAgent, draft minutes
22:04:31 I have made the request to generate http://www.w3.org/2010/02/18-tagmem-minutes.html DanC
22:04:58 ScribeOptions: -noEmbedDiagnostics
22:05:05 s/ScribeOptions: -noembedDiagnostics//
22:05:12 ScribeOptions: -final
22:05:14 RRSAgent, draft minutes
22:05:14 I have made the request to generate http://www.w3.org/2010/02/18-tagmem-minutes.html DanC
22:57:26 johnk has joined #tagmem