IRC log of dap on 2010-02-24

Timestamps are in UTC.

14:22:06 [RRSAgent]
RRSAgent has joined #dap
14:22:06 [RRSAgent]
logging to http://www.w3.org/2010/02/24-dap-irc
14:22:08 [trackbot]
RRSAgent, make logs world
14:22:08 [Zakim]
Zakim has joined #dap
14:22:10 [trackbot]
Zakim, this will be DAP
14:22:10 [Zakim]
ok, trackbot; I see UW_DAP()10:00AM scheduled to start in 38 minutes
14:22:11 [trackbot]
Meeting: Device APIs and Policy Working Group Teleconference
14:22:11 [trackbot]
Date: 24 February 2010
14:25:02 [fjh]
Chair: Robin_Berjon, Frederick_Hirsch
14:26:49 [fjh]
Agenda: http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0138.html
14:35:49 [Dzung_Tran]
Dzung_Tran has joined #dap
14:35:58 [Dzung_Tran]
Present+ Dzung_Tran
14:36:11 [fjh]
Present+ Robin_Berjon, Frederick_Hirsch
14:46:45 [fjh]
Topic: Welcome, agenda review, scribe selection
14:46:59 [fjh]
pls Note any additions or changes to agenda
14:47:08 [fjh]
Select scribe: http://www.w3.org/2009/dap/victims-list.html
14:48:58 [fjh]
Regrets: Marcin_Hanclik
14:53:33 [Zakim]
UW_DAP()10:00AM has now started
14:53:35 [Zakim]
+ +39.011.228.aaaa
14:53:51 [marengo]
marengo has joined #dap
14:54:29 [fjh]
zakim, aaaa is marengo
14:54:29 [Zakim]
+marengo; got it
14:54:46 [jmarting_TEF]
Present+ Jesus_Martin
14:54:52 [marengo]
Present+ Marco_Marengo
14:54:56 [marengo]
Zakim, mute me
14:54:56 [Zakim]
sorry, marengo, muting is not permitted when only one person is present
14:55:27 [jmarting_TEF]
I kindly would like to ask Mr Chairman if I can join this call
14:55:30 [arve]
new name, new scribe, I see :-)
14:55:40 [Zakim]
+ +0472369aabb
14:55:41 [Zakim]
- +0472369aabb
14:55:41 [Zakim]
+ +0472369aabb
14:56:01 [maxf]
zakim, aabb is me
14:56:01 [Zakim]
+maxf; got it
14:56:05 [maxf]
(I think)
14:56:10 [Zakim]
+[IPcaller]
14:56:33 [marengo]
Zakim, mute me
14:56:33 [Zakim]
marengo should now be muted
14:56:39 [Zakim]
+[IPcaller.a]
14:56:47 [fjh]
zakim, [IPcaller.a]
14:56:47 [Zakim]
I don't understand '[IPcaller.a]', fjh
14:56:55 [fjh]
zakim, [IPcaller.a] is fjh
14:56:55 [Zakim]
+fjh; got it
14:57:00 [fjh]
zakim, who is here?
14:57:00 [Zakim]
On the phone I see marengo (muted), maxf, [IPcaller], fjh
14:57:00 [arve]
zakim, who is making noise?
14:57:01 [Zakim]
On IRC I see marengo, Dzung_Tran, Zakim, RRSAgent, fjh, jmarting_TEF, arve, tlr, maxf, Marcos, ilkka, trackbot, dom
14:57:11 [Zakim]
arve, listening for 10 seconds I heard sound from the following: [IPcaller] (11%), fjh (19%)
14:57:23 [fjh]
zakim, [IPcaller] is arve
14:57:23 [Zakim]
+arve; got it
14:57:24 [AnssiK]
AnssiK has joined #dap
14:58:14 [maxf]
Present +Max Froumentin
14:58:21 [arve]
Present+ Arve Bersvendsen
14:58:24 [maxf]
Present + Max Froumentin
14:58:35 [maxf]
Present+ Max Froumentin
14:58:51 [Zakim]
+ +035850486aacc
14:58:59 [AnssiK]
zakim, aacc is me
14:58:59 [Zakim]
+AnssiK; got it
14:59:01 [Zakim]
+??P32
14:59:20 [darobin]
darobin has joined #dap
14:59:31 [fjh]
zakim, P32 is drogers
14:59:31 [Zakim]
sorry, fjh, I do not recognize a party named 'P32'
14:59:37 [drogersuk]
drogersuk has joined #dap
14:59:53 [drogersuk]
present+ David_Rogers
15:00:01 [fjh]
zakim, ??P32 is drogers
15:00:01 [Zakim]
+drogers; got it
15:00:02 [AnssiK]
Present+ Anssi_Kostiainen
15:00:08 [fjh]
zakim, who is here?
15:00:08 [Zakim]
On the phone I see marengo (muted), maxf, arve, fjh, AnssiK, drogers
15:00:10 [Zakim]
On IRC I see drogersuk, darobin, AnssiK, marengo, Dzung_Tran, Zakim, RRSAgent, fjh, jmarting_TEF, arve, tlr, maxf, Marcos, ilkka, trackbot, dom
15:00:12 [Zakim]
+[IPcaller]
15:00:20 [darobin]
Zakim, [IPCaller is me]
15:00:20 [Zakim]
+me]; got it
15:00:24 [darobin]
gah
15:00:35 [darobin]
Zakim, [IPCaller] is me
15:00:35 [Zakim]
sorry, darobin, I do not recognize a party named '[IPCaller]'
15:00:43 [darobin]
Zakim, me] is me
15:00:43 [Zakim]
+darobin; got it
15:01:02 [LauraA]
LauraA has joined #dap
15:01:02 [Claes]
Claes has joined #dap
15:01:23 [Zakim]
+ +358.504.86aadd
15:01:29 [Claes]
Present+ Claes_Nilsson
15:01:32 [ilkka]
zakim, aadd is me
15:01:33 [Zakim]
+ilkka; got it
15:01:42 [fjh]
zakim, who is making noise?
15:01:46 [darobin]
I never understood what Zakim says, "a customised contrinetics conferencing system"?
15:01:49 [Zakim]
+Dom
15:01:50 [dom]
zakim, mute me
15:01:52 [Bryan]
Bryan has joined #dap
15:01:55 [Zakim]
+ +0777541aaee
15:01:59 [Zakim]
+Bryan_Sullivan
15:02:01 [Zakim]
Dom should now be muted
15:02:05 [Zakim]
fjh, listening for 10 seconds I could not identify any sounds
15:02:05 [dom]
Present+ Dominique_Hazael-Massieux
15:02:14 [fjh]
zakim, who is making noise?
15:02:21 [LauraA]
zakim, +0777541aaee is LauraA
15:02:23 [Zakim]
+LauraA; got it
15:02:27 [Zakim]
fjh, listening for 10 seconds I could not identify any sounds
15:02:34 [ilkka]
Present+ Ilkka_Oksanen
15:02:44 [fjh]
zakim, who is making noise?
15:02:54 [Zakim]
fjh, listening for 10 seconds I heard sound from the following: 11 (15%)
15:03:00 [darobin]
sorry, thought I was muted
15:03:27 [fjh]
zakim, who is here?
15:03:27 [Zakim]
On the phone I see marengo (muted), maxf, arve (muted), fjh, AnssiK, drogers, darobin, ilkka, Dom (muted), LauraA, Bryan_Sullivan
15:03:30 [Zakim]
On IRC I see Bryan, Claes, LauraA, drogersuk, darobin, AnssiK, marengo, Dzung_Tran, Zakim, RRSAgent, fjh, jmarting_TEF, arve, tlr, maxf, Marcos, ilkka, trackbot, dom
15:03:33 [Zakim]
+ +46.1.08.01.aaff
15:04:15 [jmarting_TEF]
Yes, that's right. I work for Telefonica. Thanks for letting me to participate
15:04:53 [richt]
richt has joined #dap
15:05:09 [Zakim]
+ +04610715aagg
15:05:17 [Zakim]
+Ingmar_Kliche
15:05:20 [dom]
zakim, aagg is Niklas
15:05:26 [Zakim]
+Niklas; got it
15:05:26 [Zakim]
+ +0208849aahh
15:05:40 [nwidell]
nwidell has joined #dap
15:05:41 [Zakim]
+ +03491482aaii
15:05:47 [Zakim]
+ +34.91.337.aajj
15:05:49 [fjh]
claes offers to scribe next time
15:05:52 [nwidell]
Present+ Niklas_Widell
15:06:03 [darobin]
Present+ Robin_Berjon
15:06:12 [Bryan]
Present+ Bryan_Sullivan
15:06:39 [Ingmar]
Ingmar has joined #dap
15:06:57 [LauraA]
Present+ LauraA
15:07:24 [Suresh]
Suresh has joined #dap
15:07:40 [Suresh]
Present+ Suresh_Chitturi
15:07:41 [fjh]
Announcement re BONDI 1.1
15:08:01 [dom]
-> http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0144.html David's announcement of BONDI 1.1 Approved Release
15:08:01 [Suresh]
regrets - will be late by 30mins to join the audio bridge!
15:08:15 [RuthVazquez]
RuthVazquez has joined #dap
15:08:29 [richt]
richt has joined #dap
15:08:34 [jmarting_TEF]
zakim, aajj is me, Jesus Martin
15:08:34 [Zakim]
I don't understand 'aajj is me, Jesus Martin', jmarting_TEF
15:08:48 [darobin]
Zakim, aajj is jmarting_TEF
15:08:48 [Zakim]
+jmarting_TEF; got it
15:08:56 [jmarting_TEF]
sorry made a mistake
15:09:39 [jmarting_TEF]
akim, aaii is me, Jesus Martin. Now it is correct
15:09:52 [richt]
Topic: Minutes Approval
15:10:12 [fjh]
http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/att-0074/minutes-2010-02-10.html
15:10:14 [richt]
RESOLUTION: Minutes 10th Feb approved
15:10:25 [richt]
TOPIC: Policy
15:10:51 [fjh]
Use cases & broswer-brokering access - http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0109.html
15:11:21 [dom]
s/brosw/brows/
15:11:22 [dom]
ack me
15:11:28 [richt]
fjh: I'd like to capture this material in one of our documents
15:11:49 [fjh]
find api vs input markup : http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0111.html
15:11:51 [richt]
dom: sure. if we find a way to capture it.
15:11:53 [tlr]
zakim, call thomas-781
15:11:53 [Zakim]
ok, tlr; the call is being made
15:11:55 [Zakim]
+Thomas
15:12:00 [fjh]
default to minimum returned material, none: http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0121.html
15:12:03 [Zakim]
+ +1.408.615.aakk
15:12:04 [tlr]
zakim, I am thomas
15:12:04 [Zakim]
ok, tlr, I now associate you with Thomas
15:12:06 [tlr]
zakim, mute me
15:12:06 [Zakim]
Thomas should now be muted
15:12:12 [tlr]
Present+ Thomas_Roessler
15:12:26 [richt]
fjh: We also need requirements on Privacy. We don't have material on Privacy. People care about this aspect and we need to document it
15:12:33 [Ingmar]
present+ Ingmar_Kliche
15:12:59 [richt]
fjh: Privacy is applicable to all APIs
15:13:04 [Bryan]
q+
15:13:14 [dom]
zakim, aakk is probably MarkMiller
15:13:14 [Zakim]
+MarkMiller?; got it
15:13:36 [fjh]
http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0073.html
15:13:39 [richt]
fjh: Bryan raised questions on OAuth. We can pick it up on the mailing list
15:14:09 [fjh]
http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0085.html
15:14:26 [fjh]
http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0089.html
15:14:36 [fjh]
http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0090.html
15:14:45 [dom]
q?
15:14:47 [dom]
ack Bryan
15:14:56 [drogersuk]
Completely agree with you FJH re: privacy
15:15:02 [fjh]
http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0093.html
15:15:32 [fjh]
bryan argues that policy for authorization can address privacy
15:15:36 [richt]
Bryan: Wondering whether Privacy is opening a can of worms and whether a good security framework will produce Privacy protection implicitly
15:16:02 [richt]
fjh: We need to document our actual Privacy requirements in the first instance.
15:16:36 [richt]
fjh: We need something simple and usable but need to make sure its covered.
15:16:48 [Bryan]
q-
15:17:04 [richt]
drogersuk: Geolocation passed off the privacy issue to DAP so we should not pass it on further
15:17:14 [RuthVazquez]
RuthVazquez has joined #dap
15:17:22 [richt]
fjh: looking for help to make these privacy requirements concrete
15:17:47 [richt]
MarkMiller: Powerbox is a concrete proposal that covers the privacy aspect
15:18:01 [richt]
fjh: We need to understand that better
15:18:46 [richt]
fjh: in the requirements we don't yet talk about security threats and privacy
15:19:00 [drogersuk]
I don't think we should publish for the sake of it
15:19:06 [richt]
fjh: this will be useful to push towards FPWD. Do we need to do more or use a placeholder for these items?
15:19:18 [dom]
q+
15:19:22 [dom]
ack me
15:19:55 [richt]
dom: the requirements document needs some more work before FPWD. We haven't quite framed the scope of what policy framework would be.
15:20:13 [fjh]
+1 to dom, personally
15:20:21 [arve]
+1 to DOM from here as well
15:20:26 [fjh]
suggest we address threats and privacy
15:20:35 [richt]
dom: We need to do some more work on these areas before we get to FPWD
15:20:36 [darobin]
+1 too (I always agree with dom anyway)
15:20:55 [drogersuk]
q+
15:20:57 [dom]
ACTION: Dom to draft something on privacy in policy-reqs
15:20:57 [trackbot]
Created ACTION-95 - Draft something on privacy in policy-reqs [on Dominique Hazaël-Massieux - due 2010-03-03].
15:21:01 [dom]
zakim, mute me
15:21:01 [Zakim]
Dom should now be muted
15:21:07 [fjh]
ack drogersuk
15:21:21 [richt]
drogersuk: Outstanding action from OMTP on this aspect.
15:21:39 [richt]
drogersuk: we don't want to see FPWD until we've resolved this action
15:21:57 [fjh]
ACIONT-45?
15:21:59 [richt]
fjh: action is ACTION-45
15:22:04 [fjh]
ACTION-45?
15:22:04 [trackbot]
ACTION-45 -- David Rogers to provide use case with threat model scenarios -- due 2010-03-10 -- OPEN
15:22:04 [trackbot]
http://www.w3.org/2009/dap/track/actions/45
15:22:10 [richt]
s/action/OMTP action/
15:22:29 [fjh]
ACTION-16?
15:22:29 [trackbot]
ACTION-16 -- Bryan Sullivan to help review/compare device capabilities and features -- due 2010-02-24 -- PENDINGREVIEW
15:22:29 [trackbot]
http://www.w3.org/2009/dap/track/actions/16
15:23:00 [fjh]
ACTION-48?
15:23:00 [trackbot]
ACTION-48 -- Suresh Chitturi to propose a definition for API access control, and a possible model for policy enforcement -- due 2010-02-24 -- PENDINGREVIEW
15:23:00 [trackbot]
http://www.w3.org/2009/dap/track/actions/48
15:23:16 [richt]
Bryan: On ACTION-16, something has been posted on the list and more will be coming
15:23:23 [rvazquez]
rvazquez has joined #dap
15:23:29 [richt]
Topic: APIs
15:23:48 [richt]
Topic: Powerbox discussion
15:24:30 [dom]
-> http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/att-0140/Overview.html Latest PowerBox draft
15:24:55 [richt]
darobin: MarkMiller, can you introduce Powerbox?
15:25:21 [dom]
-> http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0148.html Dom's illustration of PowerBox operations
15:25:31 [richt]
MarkMiller: a lot of the questions in DAP mirror the reasons for producing OAuth
15:25:50 [richt]
MarkMiller: Personal opinion is that OAuth made the browser difficult
15:26:16 [fjh]
zakim, who is here?
15:26:16 [Zakim]
On the phone I see marengo (muted), maxf, arve (muted), fjh, AnssiK, drogers, darobin, ilkka, Dom (muted), LauraA, Bryan_Sullivan, +46.1.08.01.aaff, Niklas, Ingmar_Kliche,
15:26:17 [darobin]
s/Personal opinion is that OAuth made the browser difficult/Personal opinion is that OAuth was a bad solution, but browsers made good solution difficult/
15:26:19 [Zakim]
... +0208849aahh, +03491482aaii, jmarting_TEF (muted), Thomas (muted), MarkMiller?
15:26:21 [Zakim]
On IRC I see rvazquez, RuthVazquez, richt, Suresh, Ingmar, nwidell, Bryan, Claes, LauraA, drogersuk, darobin, AnssiK, marengo, Dzung_Tran, Zakim, RRSAgent, fjh, jmarting_TEF, arve,
15:26:24 [Zakim]
... tlr, maxf, Marcos, ilkka, trackbot, dom
15:26:32 [richt]
MarkMiller: The design principles are the same. The interaction is driven by a requesting site.
15:26:39 [fjh]
mark notes delegated access to web resources
15:27:19 [darobin]
MM: e.g. Facebook wants your GMail password, but it's not that it wants it, it needs it for access to GMail contacts
15:27:35 [darobin]
.... it would be good to only provide the information that you want to provide
15:27:46 [richt]
MarkMiller: Provide a web site with continued access to your data is the principle.
15:27:52 [darobin]
... but FB doesn't have a way to initiate that interaction
15:28:25 [darobin]
.... even with OAuth, the FB page might take you to a phishing page
15:28:26 [richt]
MarkMiller: How do you know you're interacting with the correct provider? Phishing is possible with OAuth
15:28:35 [Zakim]
-drogers
15:29:01 [drogersuk]
drogersuk has joined #dap
15:29:05 [Zakim]
+??P1
15:29:06 [fjh]
Present+ Mark_Miller
15:29:08 [darobin]
... the phishing problem is big because it is initiated by the initial site
15:29:44 [darobin]
... but browsers already have a way to handle trustable openings — the file input
15:30:18 [fjh]
question - how to specify the granularity of delegated access
15:30:29 [darobin]
... it's an ideal solution to reuse if possible
15:30:43 [darobin]
... remaining important insight is that granting of a file is a direct interaction
15:30:51 [darobin]
... it's a fine grained choice of individual files
15:31:05 [darobin]
.... browser can't do that for resources on a site or device
15:31:31 [darobin]
... because it would need to understand the semantics of the service and how it cuts itself up into subresources
15:31:57 [darobin]
... in Powerbox the service can return not just the resource, but an HTML page that can give the user the granularity she needs
15:31:59 [Zakim]
+ +1.972.373.aall
15:32:26 [fjh]
q+ to ask about granularity and html
15:32:39 [dom]
zakim, aall is probably suresh
15:32:39 [Zakim]
+suresh?; got it
15:32:45 [Suresh]
yes
15:32:52 [darobin]
... the advantage in terms of security and privacy is that users understand what they're doing [rest garbled from here]
15:32:58 [richt]
q+ to ask about use of file input
15:33:10 [drogersuk]
q+
15:33:16 [Bryan]
q+
15:33:59 [fjh]
ack fjh
15:33:59 [Zakim]
fjh, you wanted to ask about granularity and html
15:33:59 [darobin]
q?
15:34:32 [darobin]
MM: OAuth has both a coarseness problem and a trusted path problem
15:34:47 [darobin]
FJH had asked about how granularity plays out with HTML
15:35:00 [darobin]
MM: also with OAuth, only big players get to play
15:35:19 [darobin]
.... eg FB will list Yahoo, GMail, MS Live, but not your local friendly community
15:35:23 [richt]
Mark_Miller: Powerbox is polymorphic to the provider
15:35:39 [richt]
Mark_Miller: Powerbox only needs a provider of the right type, not any specific provider(s)
15:35:45 [darobin]
... Powerbox can work with anything that the user has set up because they care
15:36:01 [darobin]
... small players find themselves on par with big ones
15:36:15 [richt]
Mark_Miller: The Powerbox choice dialog is rendered on user's registered Providers
15:36:20 [fjh]
q?
15:36:38 [dom]
ack richt
15:36:38 [Zakim]
richt, you wanted to ask about use of file input
15:36:42 [darobin]
... and not on just a preselected list
15:37:07 [darobin]
richt: it would be great to use input, but it doesn't degrade nicely in browsers that don't support it
15:37:17 [darobin]
... falling back to a file picker is not ideal
15:37:26 [Zakim]
-arve
15:37:33 [darobin]
MM: what is the proposed enhanced interaction that's better than file picker?
15:37:59 [darobin]
richt: we were considered relying on JS, could be implemented as a button
15:38:20 [darobin]
... can be implemented easily, but security/privacy maintained
15:38:35 [darobin]
... at this point in time the file picker isn't as great as we'd like it to be
15:38:41 [Zakim]
+arve/marcos
15:38:47 [darobin]
MM: had not thought about the degrading issue
15:38:54 [darobin]
.... the approach itself is non-blocking
15:39:11 [dom]
ack me
15:39:15 [Zakim]
-jmarting_TEF
15:39:22 [darobin]
... is there a proposal for a general authorisation/interaction that degrades well to older browsers
15:39:41 [darobin]
richt: what the JS approch gives is the ability to check if that exists
15:39:47 [darobin]
MM: so the issue is feature testing
15:39:54 [darobin]
richt: could be a solution, yes
15:40:03 [darobin]
MM: in that case, all we need is something to test
15:40:31 [darobin]
... that could be [garbled, but I presume a navigator.powerbox idea]
15:40:37 [darobin]
richt: that could be a mitigating approach
15:41:23 [darobin]
MM: it's ridiculous that if I have a pic on flickr now, I have to download it to my drive in order to upload it elsewhere
15:42:03 [darobin]
... here with the file control if it's PB-enabled flickr would be addressable, and the degradation is select from drive
15:42:28 [darobin]
richt: ideally the test and the object would be the same thing, but yes this could be a mitigating factor
15:42:42 [darobin]
... we should explore a test
15:42:43 [fjh]
q?
15:43:03 [darobin]
MM: I thikn that's a good idea, I'll relay it to the team
15:43:12 [fjh]
ack drogersuk
15:43:33 [richt]
drogersuk: How does this sit alongside the JS API work done so far? Supersedes or sits alongside?
15:43:40 [richt]
MM: I see it as super-seeding
15:43:42 [dom]
[I think PowerBox provides two very different aspects: a way to register remote resources providers, and a way to communicate with a resource provider; I'll note that we could use both aspects, or only one of them, or one always and the other sometimes]
15:43:45 [dom]
zakim, mute me
15:43:45 [Zakim]
Dom should now be muted
15:44:07 [darobin]
q+ dom to make his point on the call :)
15:44:20 [richt]
MM: Devices as REST services approach does not need abstraction to JS APIs. The common language of these requests is XHR
15:44:49 [richt]
MM: Phrasing all devices as XHR interactions you get abstracted in the JS libraries in a way compliant with existing libraries
15:44:55 [fjh]
i thought mm said many libraries abstract rest into js calls
15:45:06 [richt]
MM: REST APIs are abstracted to JS APIs according to existing conventions.
15:45:25 [richt]
drogersuk: how does Powerbox work with a non-connected device or without a web server?
15:45:38 [richt]
MM: The device doesn't need an actual web server...
15:45:39 [darobin]
-> http://dev.w3.org/2009/dap/docs/lrest/gallery-lrest.html (shows an example of XHR requests without the web server)
15:46:28 [richt]
MM: ...Devices only need to appear to be web services. i.e. you interact via XHR in much the same way as web services
15:46:31 [Zakim]
+jmarting_TEF
15:46:54 [Zakim]
-arve
15:47:03 [Suresh]
q+
15:47:11 [dom]
Present+ Jesus_Martin_Garcia
15:47:21 [darobin]
drogersuk: are we not just shifting the problem?
15:47:23 [richt]
drogersuk: Is Powerbox shifting the problem to XHR?
15:47:35 [richt]
MM: The weakest link shifts to XHR
15:47:56 [darobin]
s/shifts to XHR/shifts to XHR, which is a stronger link, which is better/
15:48:09 [Claes1]
Claes1 has joined #dap
15:48:41 [richt]
MM: No policy framework in the browser to understand a policy framework language.
15:48:50 [richt]
Browsers don't have that now.
15:49:03 [darobin]
.... have never seen a policy system based on a solid security theory
15:49:11 [fjh]
s/system/language
15:49:15 [richt]
A user can form a mental model of the risks they are undertaking without a policy framework language
15:49:53 [richt]
s/A user can form/MM: A user can form
15:50:40 [richt]
s/Browsers don't have that now./MM: Browsers don't have that now.
15:51:08 [richt]
MM: The only thing they are placing at risk to a requesting site is the things they have selected.
15:51:13 [darobin]
MM tells a story about the mental model of users, and how a text editor should only have access to the files they are told to manipulate (as opposed to the whole FS)
15:51:35 [darobin]
q?
15:51:39 [richt]
drogersuk: User interaction is required with every file that a file manager sees?
15:52:09 [richt]
MM: No. A directory as a container is a plausible mental model.
15:52:15 [darobin]
[in the PB model, the granularity is decided by the service provider]
15:52:43 [darobin]
TAHOE
15:52:57 [dom]
-> http://allmydata.org/~warner/pycon-tahoe.html Tahoe: A Secure Distributed Filesystem
15:53:37 [richt]
MM: Tahoe provides affordance for being able to provide a directory. It can only provide read access or read/write access to specific files
15:54:30 [richt]
MM: e.g. The PowerBox doesn't need to have any knowledge of those choices. The providing site decides on the semantics
15:54:40 [darobin]
... and the access granularity
15:54:57 [richt]
drogersuk: Relying on the user to make an intelligent choice
15:55:07 [darobin]
... I don't think that we're a million miles away
15:55:08 [fjh]
mm notes providing site has to give choices based on semantics, and do this appropriately
15:55:11 [richt]
s/Relying/You're relying
15:55:35 [Claes2]
Claes2 has joined #dap
15:55:40 [richt]
drogersuk: we need to be careful on that approach
15:56:02 [richt]
MM: Agree. The user doens't want to be faced with lots and lots of choices, just to agree with anything to get their work done.
15:56:08 [richt]
MM: This is something we all want to avoid
15:56:31 [darobin]
q?
15:56:37 [richt]
drogersuk: This comes back to the requirement to have more Privacy and Security Threat discussion included in the Privacy requirements.
15:56:43 [blassey]
blassey has joined #dap
15:57:11 [dom]
[concrete next steps in forms of action items would be a good outcome of this discussion]
15:57:11 [richt]
Bryan: For me, the PowerBox proposal fits better in the WebApps group.
15:57:29 [fjh]
s/group/group, and is a v2 topic/
15:57:51 [dom]
[I disagree that this is not in scope for our group]
15:57:57 [richt]
Bryan: I think this is a generic web thing and not a device thing
15:58:01 [tlr]
[+1 to Dom's disagreement]
15:58:16 [darobin]
+10000
15:58:22 [fjh]
+1 to Dom, this should be considered
15:58:40 [Claes2]
+1 to Dom
15:58:43 [richt]
MM: Devices being standardised as RESTful provider APIs is the proposed scope of PowerBox
15:59:04 [richt]
darobin: disagrees with Bryan. This is directly relevant to the DAP WG
15:59:05 [Zakim]
-Thomas
15:59:21 [richt]
darobin: provides much better integration of devices in to the web
16:00:10 [darobin]
q?
16:00:11 [richt]
Bryan: The concept driving DAP was not such a distributed resource concept. This may have further implications.
16:00:13 [darobin]
ack Bryan
16:00:35 [richt]
Bryan: There would be no notion of session or blanket access to the PowerBox?
16:00:55 [tlr]
for the record, I believe that using PowerBox to frame device APIs is within the scope of the work here.
16:01:23 [richt]
MM: e.g. I want a resource to be provided on an ongoing basis without further interaction with the Powerbox
16:01:42 [richt]
s/MM: e.g. I/Bryan: e.g. I
16:03:03 [richt]
MM: A serving site can include the URL to a previously chosen resource to provide continued access in a session manner
16:04:49 [fjh]
mm notes mime type and class allows requesting site to say what it wants, provider must interact appropriately based on it. dap should provide conventions for this as part of its work, using the powerbox framework
16:05:00 [richt]
MM: The response is communicated to the Provider and the Provider acts on that to provide access. We could come up with conventions to make the distinctions between one-time access/continued access and read-write/read access.
16:05:01 [fjh]
s/dap/mm notes that dap
16:05:21 [AnssiK]
[re Powerbox degradation & feature detection: if we were to introduce an attribute unique to PB to <input>, e.g. "pattern" as in Robin's Powerbox walkthough, we'd be able to test whether a certain property exists on an input object and act accordingly, this would be similar to HTML5 feature detection: http://www.modernizr.com/]
16:05:38 [richt]
Mark: Not a fan of XACML. Taken a look at BONDI - seems way over complicated for the DAP problem.
16:05:48 [richt]
s/Mark: Not/MM: Not
16:06:56 [richt]
Bryan: We have the need for a seamless less obtrusive UX by acting on the preferences of a user
16:07:26 [richt]
Bryan: so we should not rely on just having a user choosing based on their mental model but to also delegate that choice
16:07:45 [richt]
MM: What interaction do you provide with the user for them to make informed choices?
16:07:58 [richt]
Bryan: e.g. I trust AT&T. I trust Yahoo, etc
16:08:03 [drogersuk]
q+
16:08:22 [richt]
MM: Want to avoid that at all costs. I don't trust any entity. I trust particular entities with particular things
16:08:47 [dom]
[I think this discussion is only highlight different perspectives, not sure it's worth continuing]
16:08:50 [Bryan]
q-
16:10:13 [richt]
Perhaps we could focus on contributions rather than general discussion on trust?
16:10:16 [fjh]
then you are back to OAuth if you fully trust a site?
16:10:40 [darobin]
ack drogersuk
16:11:43 [richt]
drogersuk: What BONDI is trying to do is delegate to 3rd parties the trust.
16:12:03 [richt]
drogersuk: Network operators have a legal liability to consumers and they need to pay attention to this aspect.
16:12:11 [darobin]
ack dom
16:12:12 [Zakim]
dom, you wanted to make his point on the call :)
16:12:25 [richt]
dom: Thanks MArk for this proposal.
16:12:40 [richt]
s/MArk for this/Mark and colleagues for this
16:13:11 [richt]
dom: How do you interact with resource providers?
16:13:20 [fjh]
+1 to thanking Mark and his colleagues
16:13:25 [darobin]
s/dom: How do you interact with resource providers?//
16:13:31 [darobin]
dom: there are two aspects in that proposal
16:13:43 [darobin]
... one is how to add providers, the other is how to interact with
16:14:06 [darobin]
... we can use either or both, perhaps different for different APIs
16:14:25 [darobin]
dom: thinking in terms of other tabs may have usability/accessibility issues
16:14:33 [fjh]
thanks to Bryan and David mentioning issues as well
16:14:56 [darobin]
MM: didn't necessarily mean "tab", it can be anything other
16:15:01 [richt]
MM: The tabbed approach was intented to be illustrative only
16:15:10 [richt]
MM: May be other interaction implications
16:15:20 [darobin]
ack Suresh
16:15:24 [dom]
zakim, mute me
16:15:24 [Zakim]
Dom should now be muted
16:15:32 [darobin]
ack Suresh
16:16:07 [richt]
Suresh: What are the implications on performance with the Powerbox approach vs existing direct JS APIs approach?
16:16:31 [richt]
Suresh: Seem to be Security issues that need to be resolved regardless of the approach
16:16:45 [fjh]
q+
16:17:08 [richt]
Suresh: We've done work and how are we going to address the change of direction?
16:17:21 [richt]
Suresh: Are they complimentary, layered, etc?
16:17:23 [darobin]
q+ to say that reuse is possible
16:18:42 [richt]
MM: Performance is constrined to an existing resources with the overhead of XHR for mediation
16:19:02 [richt]
s/ constrined to an existing resources/ constrained to an existing device resources
16:19:30 [jmarting_TEF]
jmarting_TEF has joined #dap
16:19:43 [richt]
Suresh: Currently the direct APIs we don't see any overhead with
16:19:57 [richt]
s/ the direct APIs we don't see any overhead with/ with the direct APIs we don't see any overhead
16:20:37 [dom]
q?
16:20:41 [darobin]
ack fjh
16:20:43 [dom]
ack fjh
16:20:45 [richt]
MM: They would need to be serialised to be communicated with XHR. Symbolic traffic does not need to be significant.
16:21:15 [dom]
[a good exercice would be to re-write the examples in our existing relevant APIs into PowerBox-like interactions]
16:21:35 [richt]
fjh: we need to understand our choices, look at proposals and work out how it fits together in the coming days/weeks
16:21:44 [dom]
[also, I doubt SysInfo would be re-casted into this model?]
16:21:51 [richt]
fjh: valuable to take a new proposal and consider its applicability to the problem
16:21:52 [darobin]
ack me
16:21:52 [Zakim]
darobin, you wanted to say that reuse is possible
16:22:00 [richt]
fjh: ...sxpecially for the long run
16:22:13 [richt]
s/sxpecially/especially
16:22:25 [Bryan]
q+
16:22:41 [richt]
darobin: existing work can be used to build the JSON protocols for the Powerbox approach. No strong duplication of effort
16:22:52 [darobin]
ACTION: Robin to rewrite exsiting examples as PB
16:22:53 [trackbot]
Created ACTION-96 - Rewrite exsiting examples as PB [on Robin Berjon - due 2010-03-03].
16:23:22 [richt]
darobin: Might not want to push all APIs to the PowerBox approach because it may not have the same privacy considerations.
16:23:45 [fjh]
s/considerations./considrations. An example might be Sysinfo./
16:23:54 [richt]
Suresh: Does not want to see an inconsistent approach: part JS APIs / part REST. Security would become difficult.
16:24:17 [fjh]
s/difficult/difficult, using two paradigms./
16:24:36 [richt]
Suresh: would like to continue work on what we have and work out if we can converge in the coming weeks
16:24:51 [Suresh]
q-
16:24:58 [maxf]
or we could go REST 100%, even sysinfo. I'll think about it.
16:25:01 [drogersuk]
q-
16:25:02 [Claes]
Claes has joined #dap
16:25:04 [dom]
ack Bryan
16:25:39 [richt]
Bryan: when we look at serialize/unserialize it's not just a small amount of data. Sometimes theres a lot of data and that could affect performance.
16:26:11 [dom]
[Bryan makes a good point on the amount of data serialization/de-serialization]
16:26:22 [fjh]
s/performance./performance. Need to consider other cases such as getting multiple contacts./
16:26:56 [richt]
darobin: Any other action items to discuss on Powerbox?
16:28:23 [richt]
drogersuk: I can lay out abuse cases around widgets. We could compare how BONDI and PowerBox would compare those abuse cases
16:28:38 [dom]
ACTION-45?
16:28:38 [trackbot]
ACTION-45 -- David Rogers to provide use case with threat model scenarios -- due 2010-03-10 -- OPEN
16:28:38 [trackbot]
http://www.w3.org/2009/dap/track/actions/45
16:28:49 [richt]
s/ compare those abuse cases/ compare in handling those abuse cases
16:29:24 [richt]
drogersuk: will lay out e.g. phishing scenarios and we can compare the approaches
16:29:58 [richt]
TOPIC: BONDI 1.1 Release
16:30:02 [fjh]
s/approaches/approaches. Can indicate how BONDI addresses, Mark can cover Powerbox
16:30:35 [richt]
drogersuk: BONDI 1.1 introduces a number of updates to improve the overall quality of the initiative
16:30:45 [fjh]
David requests that this be added as submission to home page of DAP.
16:30:56 [richt]
drogersuk: At Mobile Worl Congress implementations of BONDI were demoed.
16:31:07 [richt]
s/Mobile Worl Congress /Mobile World Congress
16:31:21 [richt]
drogersuk: WAC announcement also good for W3C DAP
16:31:31 [Zakim]
-??P1
16:31:32 [Zakim]
-Niklas
16:31:32 [Zakim]
-darobin
16:31:34 [Zakim]
-Dom
16:31:34 [Zakim]
-AnssiK
16:31:34 [Zakim]
- +46.1.08.01.aaff
16:31:35 [Zakim]
-suresh?
16:31:36 [Zakim]
-LauraA
16:31:38 [Zakim]
-ilkka
16:31:40 [Zakim]
- +03491482aaii
16:31:42 [Zakim]
-marengo
16:31:44 [Zakim]
-MarkMiller?
16:31:46 [Zakim]
-Bryan_Sullivan
16:31:49 [Zakim]
-maxf
16:31:50 [Zakim]
-Ingmar_Kliche
16:31:58 [Zakim]
- +0208849aahh
16:31:59 [Zakim]
-fjh
16:32:00 [Zakim]
UW_DAP()10:00AM has ended
16:32:02 [Zakim]
Attendees were +39.011.228.aaaa, marengo, +0472369aabb, maxf, fjh, arve, +035850486aacc, AnssiK, drogers, [IPcaller], darobin, +358.504.86aadd, ilkka, Dom, Bryan_Sullivan, LauraA,
16:32:04 [fjh]
rrsagent, generate minutes
16:32:04 [RRSAgent]
I have made the request to generate http://www.w3.org/2010/02/24-dap-minutes.html fjh
16:32:07 [Zakim]
... +46.1.08.01.aaff, +04610715aagg, Ingmar_Kliche, Niklas, +0208849aahh, +03491482aaii, +34.91.337.aajj, jmarting_TEF, Thomas, +1.408.615.aakk, MarkMiller?, +1.972.373.aall,
16:32:09 [Zakim]
... suresh?
16:32:20 [darobin]
phew, long call :)
16:32:29 [darobin]
thanks richt, you picked your week to minute!
16:32:31 [fhirsch3]
fhirsch3 has joined #dap
16:32:42 [fjh]
Much thanks Richard for scribing!!
16:33:35 [fhirsch3]
rrsagent, generate minutes
16:33:35 [RRSAgent]
I have made the request to generate http://www.w3.org/2010/02/24-dap-minutes.html fhirsch3
17:00:16 [richt]
richt has left #dap
17:26:52 [AnssiK]
AnssiK has left #dap
17:52:21 [shepazu]
shepazu has joined #dap
18:30:39 [Zakim]
Zakim has left #dap
18:55:40 [MarkM]
MarkM has joined #dap
19:43:16 [arve]
arve has joined #dap
19:55:06 [arve_]
arve_ has joined #dap