IRC log of tagmem on 2010-02-18

Timestamps are in UTC.

18:00:57 [RRSAgent]
RRSAgent has joined #tagmem
18:00:57 [RRSAgent]
logging to
18:00:59 [trackbot]
RRSAgent, make logs public
18:01:01 [trackbot]
Zakim, this will be TAG
18:01:02 [trackbot]
Meeting: Technical Architecture Group Teleconference
18:01:02 [trackbot]
Date: 18 February 2010
18:01:03 [Zakim]
Zakim has joined #tagmem
18:01:22 [DanC]
Zakim, this will be tag
18:01:28 [Zakim]
ok, DanC, I see TAG_Weekly()1:00PM already started
18:01:47 [Zakim]
18:01:49 [Zakim]
18:01:54 [Ashok]
Ashok has joined #tagmem
18:02:23 [Zakim]
18:03:13 [Zakim]
18:03:13 [johnk]
johnk has joined #tagmem
18:03:18 [noah]
zakim, [IBMCambridge] is me
18:03:18 [Zakim]
+noah; got it
18:03:26 [noah]
zakim, who is here?
18:03:26 [Zakim]
On the phone I see Raman, DanC, Jonathan_Rees, Ashok_Malhotra, noah
18:03:27 [Zakim]
On IRC I see johnk, Ashok, Zakim, RRSAgent, masinter, noah, raman, jar, htt, DanC, ht, trackbot
18:03:30 [DanC]
scribe: DanC
18:03:47 [DanC]
Topic: Convene, review agenda
18:04:00 [DanC]
Regrets: Dan Appelquist, Tim Berners-Lee
18:04:33 [DanC]
+1 approve
18:04:45 [htt]
zakim, please call ht-781
18:04:45 [Zakim]
ok, htt; the call is being made
18:04:46 [Zakim]
18:04:46 [Zakim]
18:04:53 [DanC]
chair: noah
18:05:09 [htt]
zakim, ht is me
18:05:09 [Zakim]
+htt; got it
18:05:28 [jar]
+1 approve
18:05:29 [DanC]
RESOLVED to approve
18:05:35 [htt]
zakim, please mute me
18:05:35 [Zakim]
htt should now be muted
18:06:14 [DanC]
NM points out a few admin items (see agenda)
18:06:30 [DanC]
JAR: ftf prep material due date?
18:07:03 [DanC]
18:07:03 [trackbot]
ACTION-391 -- Noah Mendelsohn to prepare March 2010 ftf agenda -- due 2010-03-08 -- OPEN
18:07:03 [trackbot]
18:08:07 [jar]
agenda input by the 8th, reading material the 15th
18:08:09 [DanC]
ACTION-391: reading material due 15 March
18:08:09 [trackbot]
ACTION-391 Prepare March 2010 ftf agenda notes added
18:08:34 [DanC]
18:09:54 [DanC]
18:09:54 [trackbot]
ACTION-332 -- Dan Connolly to note that the HTML 5 spec has a proposed design for mixing in SVG and MathML, which is said to be the scope of IsSUE-33 mixedUIXMLNamespace-33 -- due 2010-02-25 -- PENDINGREVIEW
18:09:54 [trackbot]
18:09:57 [noah]
18:10:04 [noah]
zakim, who is here?
18:10:04 [Zakim]
On the phone I see Raman, DanC, Jonathan_Rees, Ashok_Malhotra, noah, John_Kemp, htt (muted)
18:10:06 [Zakim]
On IRC I see johnk, Ashok, Zakim, RRSAgent, masinter, noah, raman, jar, htt, DanC, ht, trackbot
18:11:37 [noah]
zakim, who is here?
18:11:37 [Zakim]
On the phone I see Raman, DanC, Jonathan_Rees, Ashok_Malhotra, noah, John_Kemp, htt (muted)
18:11:39 [Zakim]
On IRC I see johnk, Ashok, Zakim, RRSAgent, masinter, noah, raman, jar, htt, DanC, ht, trackbot
18:11:49 [DanC]
DanC notes the agenda is due at T-2 weeks, 10 March.
18:12:49 [DanC]
Topic: version indicators, esp in HTML 5
18:13:02 [DanC]
18:13:02 [trackbot]
ISSUE-41 -- What are good practices for designing extensible languages and for handling versioning? -- OPEN
18:13:02 [trackbot]
18:13:09 [noah]
Actually, the topic is specifically Larry's proposal
18:13:11 [DanC]
18:13:11 [trackbot]
ACTION-388 -- Jonathan Rees to take a look at LMM's doctype/versioning proposal -- due 2010-02-11 -- PENDINGREVIEW
18:13:11 [trackbot]
18:13:30 [Zakim]
18:14:12 [DanC]
close action-388
18:14:12 [trackbot]
ACTION-388 Take a look at LMM's doctype/versioning proposal closed
18:14:45 [DanC]
NM notes "HTML WG chair has requested that the TAG and HTML WG coordinate scheduling of work on this"
18:14:55 [DanC]
(quoting from the agenda)
18:15:24 [noah]
Larry email:
18:15:50 [noah]
18:17:10 [noah]
DC: We already did polyglot documents to my satisfaction, and I believe Henry's, no?
18:17:26 [jar]
nm: 1. Engage as TAG re polyglot docs?
18:17:43 [DanC]
LMM: while yes, part of the issue of polyglot documents has been dealt with...
18:18:03 [htt]
q+ ht to separate the two issues
18:18:19 [noah]
LM: This would make more polylot docs
18:18:25 [noah]
DC: I'm aware of that
18:18:27 [DanC]
... there are documents that are conforming XHTML that have doctypes that the HTML 5 spec prohibits (or shuns)
18:18:39 [DanC]
ack danc
18:18:43 [noah]
LM: The browswers have to accept them, but not label them conforming
18:18:46 [noah]
18:18:48 [noah]
ack next
18:18:49 [Zakim]
ht, you wanted to separate the two issues
18:19:59 [DanC]
HT: for [various?] reasons... I think the place to pursue this is around the media type. [something like that]
18:20:44 [htt]
s/. [something like that]/, version indicator and conformant document issues/
18:22:00 [DanC]
(polyglot document issue? help? is there actually such an issue?)
18:22:03 [jar]
ht: Polyglot docs is a red herring in this discussion
18:22:08 [noah]
From our agenda for today: This relates to Larry Masinter's HTML WG ACTION - 172, which is associated with HTML WG ISSUE - 4: HTML Versioning and DOCTYPEs and HTML WG ISSUE - 84: Should spec discourage use of "legacy" doctypes? (HTML WG chair has requested that the TAG and HTML WG coordinate scheduling of work on this)
18:22:36 [DanC]
18:22:48 [noah]
ack next
18:23:00 [noah]
DC: Is there a polyglot doc issue?
18:23:07 [noah]
NM: On the TAG side or HTML?
18:23:09 [noah]
DC: Either.\
18:23:15 [noah]
18:23:32 [noah]
HT: It was an HTML issue, we discussed in Santa Clara, and Ian Hickson made a change.
18:24:12 [noah]
18:24:42 [DanC]
-> Make it clear that serving polyglot documents as text/htm...
18:27:16 [DanC]
18:27:54 [DanC]
^ part of a thread on Backward-compatibility of text/html media type (ACTION-334, ACTION-364)
18:28:21 [DanC]
HT: last time I looked into this, what the HTML 5 spec said about MIME types and DTDs wasn't acceptable
18:29:45 [noah]
HT: See my email at
18:29:55 [DanC]
18:29:55 [trackbot]
ACTION-364 -- Dan Connolly to ask HTML WG team contacts to make a change proposal re issue-53 mediatypereg informed by HT's analysis and today's discussion -- due 2010-02-18 -- OPEN
18:29:55 [trackbot]
18:30:14 [DanC]
HT: looking at the 15 Feb version, I see lots of changes w.r.t. last time I looked...
18:31:01 [noah]
Dan, is the phrase "informed by HT's analysis" a reference to 2010Feb/0008?
18:31:46 [noah]
HT: (looking at HTML spec) What happened to all the text that was there on DOCTYPEs a few weeks ago?
18:32:01 [noah]
Can we have a link to the latest, please?
18:32:20 [noah]
HT: Seems to have gone back to status quo ante.
18:32:23 [DanC]
HT: it seems to have gone back to "you can't have any[?] DOCTYPE"
18:33:22 [DanC]
from /html/wg/ I get to dated 18 February 2010
18:33:44 [noah]
Is it this section: ?
18:33:57 [DanC]
-> 8.1.1 The DOCTYPE
18:33:58 [noah]
HT: Most of what I commented on is no longer here.
18:35:12 [noah]
HT: Ah, where my email refered to, now reference
18:35:13 [DanC] The "initial" insertion mode "obsolete permitted DOCTYPE"
18:35:29 [noah]
HT: Looks like there has been at least some response to some of my comments. This could be a change for the better. I need to read it.
18:35:43 [noah]
DC: Is this a description of conforming documents or browser behavior?
18:35:58 [noah]
HT: That's the key question, as Noah also mentioned in (some email?)
18:36:46 [DanC]
pretty much all of 8.2 is in the "Highlight UA text" style
18:37:55 [noah]
NM: I read 9.1 as saying XHMTL doctypes are not constrained.
18:37:59 [noah]
HT: I >think< so.
18:38:05 [noah]
LM: So, it's a polyglot issue.
18:38:15 [noah]
DC: Not my Polyglot issue.
18:38:28 [noah]
18:38:39 [noah]
DC: It's about well formed.
18:38:41 [htt] is NM's message about conformant document
18:38:56 [masinter]
how many well-formed XML/XHTML documents are also valid HTML?
18:39:17 [johnk]
johnk has joined #tagmem
18:39:26 [masinter]
all? some? only those that use more than 17 elements?
18:40:25 [DanC]
DC: as long as I can write HTML 5 documents that are XML-well-formed, my requirements are met.
18:40:32 [noah]
18:40:48 [noah]
NM: Next steps?
18:40:53 [DanC]
18:40:53 [trackbot]
ACTION-364 -- Dan Connolly to ask HTML WG team contacts to make a change proposal re issue-53 mediatypereg informed by HT's analysis and today's discussion -- due 2010-02-18 -- OPEN
18:40:53 [trackbot]
18:40:57 [noah]
DC: I have an action to get with team contacts
18:41:36 [noah]
18:42:10 [DanC]
(er... 172 is an action, not an issue)
18:43:52 [DanC]
("issue of document vs processor conformance"... that's not an acknowledged HTML WG issue, AFAIK)
18:44:30 [jar]
n.b. Larry's proposal goes beyond the media type issue - tries to make a point about gratuitous incompatibility
18:44:53 [DanC]
noodling... "to the extent that the HTML versioning issue (4) overlaps with the media type issue (53) , we're still interested" where 53 is short for
18:45:24 [DanC]
NM: does setting expectations that we'll have something as a group around our ftf sound right?
18:45:26 [DanC]
HT: yes
18:46:13 [DanC]
HT: consider "there's a constellation of issues around the doctype, version indicators, and the media type ..."
18:46:49 [DanC]
LMM: I think that's coming at it from the wrong end... "there's some damage done to HTML and for [scribe lost track...
18:46:56 [jar]
LMM: if something's bad for 3 reasons, we don't need to file 3 different issues one for each reason
18:47:57 [DanC]
LMM: dropping the DOCTYPE is bad for 3 reasons: (1) mime type (2) polyglot (3) ...
18:48:26 [DanC]
DC: "polyglot" doesn't work for me when talking about DOCTYPES. can we call it "XML workflows"
18:48:33 [DanC]
TVR: probably not effectively
18:48:43 [DanC]
LMM: dropping the DOCTYPE is bad for 3 reasons: (1) mime type (2) polyglot (3) definition of what conforms
18:50:13 [DanC]
perhaps "dropping the public and system identifier from the DOCTYPE..."
18:50:34 [DanC]
DanC: I think dropping the doctype is a good idea...
18:51:03 [htt]
So, something such as "The current status of DOCTYPE statements, in the HTML and XHTML syntax sections, and in the HTML processor section, cause problems in at least three areas: the interpretation of the text/html media type; document workflows which use PUBLIC and/or SYSTEM identifiers; the general question of how to determine what the spec. says with respect to what are conformant documents; the use of DOCTYPEs as version identifiers
18:51:37 [htt]
"The TAG is still working to pull together input in this area -- we hope to have something to say by the end of our March f2f
18:51:57 [htt]
s/three areas/four areas/
18:53:22 [DanC]
DanC: DOCTYPEs are wrong almost all the time. it's a waste of bytes; provided _dis_information most of the time
18:53:47 [DanC]
LMM: [could you help me record your reply, Larry?]
18:54:27 [htt]
18:54:59 [htt]
I thought TV's observation about <!DOCTYPE HTML> is a good one: it's making the W3C's 1999 XHTML mistake all over again
18:55:14 [DanC]
LMM: ... a suggestion was to put the editor's notion of document type in a comment; that's non-sensical w.r.t. saving bytes
18:56:01 [htt]
That is, just because we think we would all be better off if everyone used <!DOCTYPE HTML>, we shouldn't say "only that is allowed"
18:56:07 [DanC]
+1 something such as...
18:56:12 [jar]
You mean: disallowing doctypes is like requiring end tags - both change good documents into bad ones?
18:56:26 [masinter]
ah yes, that if you are concerned about DOCTYPE being a waste of bytes and useless to consumers: DOCTYPE on the web is probably leftover from a XML workflow that then turned into a HTML workflow, and by the time it hits the browser, sure it's useless, but doesn't mean it wasn't useful during the XML workflow, which is the workflow that needs to know what a valid document is anyway
18:56:42 [DanC]
ACTION Noah: update HTML WG co-chairs along the lines of ... DOCTYPE... workflow... media type..
18:56:42 [trackbot]
Created ACTION-393 - Update HTML WG co-chairs along the lines of ... DOCTYPE... workflow... media type.. [on Noah Mendelsohn - due 2010-02-25].
18:57:39 [DanC]
Topic: changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case
18:57:46 [DanC]
18:57:46 [trackbot]
ACTION-278 -- Jonathan Rees to draft changes to 2.7 of Metadata in URIs to cover the "Google Calendar" case -- due 2010-02-07 -- PENDINGREVIEW
18:57:46 [trackbot]
18:57:49 [jar]
My cheat sheet for this action
18:57:57 [masinter]
It used to be that HTML spec was actually useful for XML workflows, and these kinds of changes, which didn't give significant value to the XML workflow use cases, were harmful to a community not well-represented
18:57:58 [noah]
18:58:23 [noah]
18:58:53 [DanC]
NM: Dan said something about "that doesn't look all that different from tyler's" ...
18:59:13 [DanC]
... a difference is: tyler's says "user agents MUST NOT ..." and I am careful to not say that
18:59:13 [noah]
Actually, you said one bit of mine didn't look that different from one bit of his.
19:00:31 [DanC]
JAR: ... not sure I'm done thinking this thru... advocacy... [scribe fails to capture]
19:01:05 [DanC]
19:01:09 [jar]
2 cases: google calendar, csrf defense
19:01:55 [DanC]
NM: the problem I'm seeing is tyler is saying the web should have been carefully designed so that URIs are treated carefully and not spread... [scribe bandwidth exceeded]
19:02:45 [DanC]
TVR: this same argument was made against REST and use of params in the arg...
19:03:06 [DanC]
... people said "it's too fragile; don't call us if it breaks" but [now it's expected]
19:03:11 [noah]
19:03:14 [noah]
ack next
19:03:18 [noah]
ack DanC
19:03:48 [DanC]
DanC: all tyler has said is "don't do things that the user hasn't asked you [the user agent] to do"
19:03:53 [noah]
From Tyler:
19:03:54 [noah]
A user-agent
19:03:54 [noah]
MUST NOT disclose representations or URIs, unless either explicitly
19:03:54 [noah]
instructed to do so by the user or as legitimately directed to by
19:03:54 [noah]
presented content. Since the user may wish to keep this information
19:03:54 [noah]
confidential, the user-agent must not assume it can be revealed to
19:03:56 [noah]
19:05:14 [DanC]
DanC: all that says is "don't do things that the user hasn't told you to do"
19:05:16 [masinter]
This would require software to not do things that used to be presumed valid. Imposing such requirements needs a stronger justification than this one use case.
19:05:32 [masinter]
"Everything that isn't mandatory is forbidden" is a bad design rule.
19:05:42 [DanC]
NM: have I explictly told my web browser which parts of the disk to store my URLs?
19:05:44 [johnk]
is it valid for a browser to automatically send the Referer HTTP header?
19:06:52 [noah]
19:08:38 [DanC]
NM: I don't see that we have standing to say when a wide variety of software conforms, retrospectively
19:09:11 [DanC]
DanC: we can just observe that the community has this rule; when it's broken, people get pissed off
19:09:15 [noah]
JAR: We could redraft.
19:09:17 [DanC]
NM: that's a big difference...
19:09:22 [noah]
NM: That would be great. Who will do it?
19:09:32 [noah]
Did JAR respond that he would? Didn't hear.
19:09:36 [DanC]
19:09:42 [noah]
19:09:44 [DanC]
we left it in "we should" state for now
19:09:48 [noah]
19:09:56 [DanC]
JAR: in the other case [scribe falls behind]
19:10:36 [jar]
If the finding gives only grudging acceptance of unguessable URIs, that leaves the CSRF casee in the cold
19:10:40 [jar]
19:10:43 [noah]
q+ to talk about word unguessable
19:10:44 [masinter]
19:11:05 [DanC]
JAR: to effectively defend against CSRF...
19:11:16 [DanC]
... you have to embrace the unguessable URI pattern
19:11:27 [noah]
DC: For every page?
19:11:42 [DanC]
JAR: well, every page that involves authority...
19:11:43 [noah]
ack next
19:11:44 [Zakim]
noah, you wanted to talk about word unguessable
19:11:53 [DanC]
... any page that may have confidential information a bit
19:12:46 [DanC]
NM: the main thing the finding is trying to say is not really about guessing a URI, but that by looking at a URI, you shouldn't be able to get confidential from it
19:13:05 [jar]
If you believe unguessable URIs are important for defense, the finding needs to embrace them wholeheartedly, not grudgingly
19:13:09 [DanC]
JAR: I don't think anybody argues against that...
19:13:15 [DanC]
NM: but that's all the finding said...
19:13:16 [masinter]
Is this right? HTTP has authentication methods, but using them is awkward. So people are looking for other ways of doing authentication, and one of those ways is suceptable to CSRF. Rather than trying to fix HTTP authentication, people are trying to patch this alternative so that it isn't as suceptable
19:13:20 [DanC]
JAR: the finding said "confidential"
19:13:33 [DanC]
[scribe isn't sure he's following well now]
19:14:17 [DanC]
it's not just awkwardness, masinter ; the HTTP auth mechanisms are still ambient authority [I think]
19:14:53 [DanC]
NM: [an example... taxes or something... scribe neglected to get it]
19:15:27 [noah]
19:15:47 [DanC]
NM: so where do you see the disagreement?
19:16:12 [noah]
ack next
19:16:38 [DanC]
JAR: (a) the finding says don't put confidential info in URIs (b) CSRF defense requires the use of unguessable URIs, i.e. confidential info in the URI (c) hence the finding argues against state-of-the-art defense against CSRF
19:17:17 [DanC]
LMM: picking up on somthing Roy F. said about origin...
19:17:42 [DanC]
... HTTP has authentication methods, but using them is awkward. So people are looking for other ways of doing authentication... e.g. not doing a username/password on every request...
19:18:11 [DanC]
... and one of the ones they've selected is vulnerable to CSRF...
19:18:19 [noah]
NM: I tried to say: I agree that if you want URIs to be secret, it's probably good/essential that they be unguessable. But... I don't think the converse is true: there are lots of good reasons for making unguessable URIs that aren't otherwise secret. I.e. where the URIs don't have to be protected, but the mappings from things like bank account numbers need to be.
19:18:22 [noah]
19:18:36 [DanC]
... so perhaps we should step back and look at why we picked this method?
19:18:43 [Zakim]
19:19:29 [noah]
DC: Useful that you said "it was awkward to type uid/pwd on every request"
19:19:47 [noah]
DC: If you did challenge/resp with password on every request, would it seal the CSRF hole?
19:19:56 [noah]
JAR: Don't think so -- don't know.
19:20:37 [noah]
DC: You'd ask for page, server would give nonce. (should have been in http...but anyway...maybe MD5 auth). You take the number and password, hash, and return.
19:20:47 [noah]
JAR: How do I know password isn't wielded by attacker.
19:20:56 [noah]
JK: You need an account with each site?
19:21:34 [johnk]
JK: each *site* needs an "account" with each other site
19:21:35 [jar]
i thought we agreed not to use the C-word...
19:21:42 [johnk]
origin identifies, it doesn't authenticate
19:22:51 [johnk]
with "secret unguessable URIs", the URI is a "bearer token" - the bearer of the URI is authorized, regardless of identity
19:24:07 [Ashok]
+1 to JohnK
19:24:43 [noah]
19:25:44 [noah]
19:26:00 [johnk]
can the bank allow a third-party site to ask the UA to send the cookie to the bank?
19:26:20 [DanC]
(set of notes? where?)
19:30:28 [DanC]
trackbot, status?
19:30:50 [johnk]
ACTION - John to compare Noah and Tyler's proposals on this subject
19:30:50 [trackbot]
Sorry, couldn't find user - -
19:30:57 [Zakim]
19:31:04 [johnk]
ACTION - johnk to compare Noah and Tyler's proposals on this subject
19:31:04 [trackbot]
Sorry, couldn't find user - -
19:31:09 [noah]
ACTION: John to compare Noah and Tyler's proposals on this subject
19:31:09 [trackbot]
Created ACTION-394 - Compare Noah and Tyler's proposals on this subject [on John Kemp - due 2010-02-25].
19:31:35 [Zakim]
19:31:43 [Zakim]
19:31:44 [Zakim]
19:31:54 [noah]
We are adjourned -- please start working on F2F input
19:31:59 [Zakim]
19:32:01 [Zakim]
19:32:04 [Zakim]
19:32:05 [Zakim]
TAG_Weekly()1:00PM has ended
19:32:07 [Zakim]
Attendees were Raman, DanC, Jonathan_Rees, Ashok_Malhotra, noah, John_Kemp, htt, Larry
21:35:08 [Zakim]
Zakim has left #tagmem
21:53:11 [DanC]
RRSAgent, draft minutes
21:53:11 [RRSAgent]
I have made the request to generate DanC
21:53:29 [DanC]
RRSAgent, make logs public
21:53:30 [DanC]
RRSAgent, draft minutes
21:53:30 [RRSAgent]
I have made the request to generate DanC
21:57:12 [DanC]
22:04:18 [DanC]
ScribeOptions: -noembedDiagnostics
22:04:28 [DanC]
ScribeOptions: final
22:04:31 [DanC]
RRSAgent, draft minutes
22:04:31 [RRSAgent]
I have made the request to generate DanC
22:04:58 [DanC]
ScribeOptions: -noEmbedDiagnostics
22:05:05 [DanC]
s/ScribeOptions: -noembedDiagnostics//
22:05:12 [DanC]
ScribeOptions: -final
22:05:14 [DanC]
RRSAgent, draft minutes
22:05:14 [RRSAgent]
I have made the request to generate DanC
22:57:26 [johnk]
johnk has joined #tagmem