IRC log of tagmem on 2010-06-07

Timestamps are in UTC.

08:12:30 [RRSAgent]
RRSAgent has joined #tagmem
08:12:30 [RRSAgent]
logging to
08:12:50 [jar]
jar has joined #tagmem
08:13:12 [ht]
ht has joined #tagmem
08:13:16 [RRSAgent]
I have made the request to generate Yves
08:14:02 [jar]
chair: Noah Mendelsohn
08:14:08 [jar]
scribe: Jonathan Rees
08:14:11 [jar]
scribenick: jar
08:14:21 [jar]
meeting: TAG F2F
08:14:22 [Ashok]
Ashok has joined #tagmem
08:15:15 [jar]
item: Convene, review agenda
08:15:51 [jar]
regrets: Larry Masinter
08:16:39 [jar]
Welcome Yves
08:19:33 [jar]
F2F Main Goals:
08:19:33 [jar]
Make progress on writing related to Web Application Architecture
08:19:33 [jar]
XML / HTML integration
08:19:33 [jar]
Other technical topics
08:20:52 [jar]
noah: Question: what is the best form for our publications? recs, findings, blogs
08:21:58 [jar]
noah: Let's get things written, push them out, then figure out their disposition (finding etc)
08:23:37 [jar]
noah: Move domain name discussion from Tues to Mon
08:24:41 [jar]
ht: My goal was to brainstorm with a few (non-TAG) people on whether a more substantial meeting for consensus building is worthwhile
08:25:10 [jar]
ht: Kevin Ashley, new director of DCC (digital curation center)
08:26:40 [ht]
Helen Hockx-Yu
08:27:02 [jar]
ht: Helen is from British Library
08:30:25 [jar]
(discussion of agenda, how to involve John K and others who have to call in)
08:31:33 [jar]
topic: Web Applications: Overview
08:32:11 [jar]
dka: (talking from projected page, follow above link)
08:34:04 [jar]
dka: TAG could act as a 'lens' relating frontline work to broader community
08:35:22 [jar]
dka: Robin Berjon has been helpful
08:35:57 [jar]
dka: Look at how 'web applications' are being used in the field
08:36:25 [jar]
dka: Originally people used GET... maybe not always in the best way
08:37:09 [jar]
dka: Look at patterns of WA usage, say here's how they use the artifacts of web arch. Maybe this would be useful
08:37:24 [jar]
s/WA/web app/
08:38:11 [jar]
dka: relation of messaging protocols to webarch - e.g. in social networks
08:38:20 [jar]
timbl: Messages vs. information space
08:38:55 [jar]
dka: e.g. Websockets is making this connection; that's interesting
08:39:46 [jar]
ht: +1 to drilling down enough to understand how XMPP addresses [this]
08:40:15 [jar]
timbl: Pattern approach is good, say: If you use these protocols in this way you get this value.
08:40:52 [jar]
timbl: Applying this to web apps arch, there are many different areas, so [difficult]
08:41:06 [jar]
timbl: Taxonomies are ratholes...
08:41:18 [jar]
ht: People are inventing new things faster than we can classify them
08:42:00 [jar]
dka: People know REST, and ask what can the TAG add to the REST story?
08:43:14 [jar]
timbl: REST used to mean web + Fielding... now there are new patterns that build on this (e.g. odata, JSON, SPARQL patterns)
08:44:40 [jar]
noah: There's a level where we might say here's the architecture pattern, that connects client side & server side use of URIs
08:45:04 [jar]
noah: Raman is giving interesting particular examples; [that's a second level]
08:45:30 [jar]
... connect the 2 levels (architectural patterns & usage patterns)
08:46:47 [jar]
dka: I'm influenced by what we're doing in mobile web best practices group. Look into applying some of that methodology. Here's a usage, evaluate it, does it lead to a good result?
08:48:18 [jar]
timbl: often TAG work has been triggered by a very specific issue. Intense discussion, followed sometimes by saying it's OK.
08:51:22 [jar]
dka: Where can we have an activist agenda?
08:51:59 [jar]
noah: Our mandate is architecture... the web is an information space, much of the value comes from linking
08:52:20 [jar]
... network effects
08:53:26 [jar]
dka: The 'cool uris don't change' resonates with people, they know w3c says this
08:54:40 [jar]
yves: Hard to link into a silo. Entertainment industry, for example, tends to make monolithic [insular] apps
08:55:23 [jar]
ashok: Is it lack of education, or is it business reasons?
08:56:31 [jar]
timbl: One concern about web apps is that they're too slow, this motivates things like app stores [native applications that could have been web apps]
08:57:13 [jar]
noah: The native apps are less clunky, little things
08:57:46 [jar]
timbl: We can [try to] clean up the web... we could push for very hot web apps...
08:59:36 [jar]
ht: Many of these "you need specific browser X to look at this page" errors are false - the page works fine if you edit out the browser detection code
09:01:15 [jar]
timbl: (writing on white board, 3rd item in list after 'very hot apps') Decent social networking (socially aware storage; P2P)
09:01:33 [jar]
dka: I care about this last one, but I wouldn't put it under the topic of web apps
09:02:44 [jar]
noah, timbl: "For more, see the facebook page"
09:03:46 [jar]
timbl: The problem is that the garden center is committed to FB being their ISP
09:04:36 [jar]
ht: But then it is on the web, right? [question preceded timbl: The problem...]
09:07:55 [jar]
dka: re security, I've been focusing on DAP, GEO
09:08:38 [jar]
... in widgets, there's the concept of a feature having a URI (e.g. the geolocation)
09:09:12 [jar]
... this mirrors what app stores are trying to do. E.g. "this app wants to access your camera and location, ok?"
09:10:06 [jar]
noah: There are 3 levels of apps, app store, drive-by, widgets (with install step)
09:10:32 [jar]
dka: What constitutes a web app?
09:10:54 [jar]
ht: we talked about this in Cambridge, with John K
09:11:48 [jar]
timbl: negotiating the interchange of data between otherwise untrusted parties. An install is part of a trust system. The dominant web sites are ones that get trusted.
09:12:57 [jar]
... different [orthogonal] from technical questions, such as shuffling data, caching
09:14:02 [jar]
noah: Users think they know what it means to install something. At install points they expect these annoying questions
09:14:39 [jar]
ashok: There can be problems if your situation changes (you don't want to allow use at a particular location, etc)
09:15:28 [jar]
noah: Tension between install step & on-the-spot decision making
09:15:50 [jar]
dka: Is there a middle way?
09:16:59 [jar]
... People who are building widgets think of them as app containers, maybe [missed]
09:17:41 [jar]
yves: You want a local storage of [privacy/security] properties that can be examined and changed
09:18:23 [jar]
timbl: BT open zone
09:19:11 [jar]
... there's an assumption that the domain is a principal ...
09:19:22 [jar]
individuals (social entities) and orgs are principals
09:19:42 [jar]
and then there are lumps of software - also treated as principals
09:20:11 [jar]
s/and/... and/
09:21:03 [jar]
timbl: Would be good if the TAG looked at this... maybe recommend keys... the user interface is the hard part
09:24:13 [jar]
ht: It always comes back to the question of principals. These systems founder because of the identity not being useful to you.
09:24:37 [jar]
ht: That doesn't tell you whether you should accept content from that principal.
09:26:45 [jar]
jar: Lampson emphasizes accountability
09:27:46 [jar]
ashok: Certs are often meaningless
09:29:24 [jar]
noah: PKI, Verisign but also PGP, Lotus Notes, integrated UI... PKI is a low level building block
09:29:53 [jar]
jar: Lampson article is cynical, interesting even if you don't agree
09:30:59 [jar]
timbl: The CORS idea seems bizarre to me, isn't the web public anyhow, why should scripts be different from other agents? - but it's a reputation system
09:33:11 [jar]
yves: Host X is fine for some things, but what if I don't like their tracking system?...
09:35:31 [jar]
dka: Let's look at the list, think about priorities
09:36:30 [jar]
Break for 15 minutes.
09:59:02 [DKA]
FYI - art heist blog article in NYT I was referring to earlier: [context: freedom of the Internet, also privacy]
10:04:24 [jar]
Agenda shuffling
10:05:23 [jar]
topic: HTML / XML Unification
10:05:39 [DKA]
msg ht let me know if you think guests this afternoon will want internet access - if so, I need their email addresses if possible so I can get them passwords.
10:05:59 [jar]
noah: There've been repeated efforts on tag soup / html moving forward.
10:08:10 [jar]
noah: Raman had nominated TimBL to convene some kind of group to tackle this problem
10:09:28 [jar]
timbl: When Raman said the TAG was ineffective, I said what should be done?
10:10:22 [jar]
timbl: I've wanted to bring the XML and HTML forks back together
10:10:46 [jar]
... Making a client has been made more difficult, with two stacks
10:11:13 [ht]
q+ to mention the widespread use of XML toolchains in web/document management environment
10:11:23 [jar]
... re mime types, Larry has said to fix it by fixing incentives ...
10:11:51 [jar]
... we want a culture where it's considered good to clean things up ...
10:12:25 [jar]
... maybe we'll try and fail
10:12:35 [jar]
... So how can we clean this up.
10:13:14 [jar]
... E.g. maybe fix the validator, so it would say "you could do such and such and then it would work with so and so client"
10:13:50 [jar]
... To what extent do you move HTML toward XML, or XML toward HTML
10:14:18 [jar]
... One end of the scale, non-nested close tags are silly, we can just say it's not OK
10:14:54 [jar]
... On the other hand, default namespaces seem really convenient
10:15:14 [jar]
... thus a range of attitudes depending on feature
10:16:15 [jar]
... Possibility of a group with representation from both communities, people who understand issues deeply
10:17:21 [jar]
... I've wanted to do this, but have felt there hasn't been backing. TAG support would be helpful
10:17:28 [noah]
ack next
10:17:30 [Zakim]
ht, you wanted to mention the widespread use of XML toolchains in web/document management environment
10:17:39 [jar]
ht: Yes
10:17:40 [DKA]
+1 to bringing together moderates rather than extremists.
10:17:55 [ht]
ack ht
10:18:26 [noah]
I don't think moderates/extremists is the point. In fact, most of the people in the community I think have important perspectives. I think we need to bring together experts who understand the needs of the communities and the details of the technologies.
10:18:45 [noah]
q+ to talk about XML tool chains and compatibility
10:18:59 [jar]
ht: I've become aware that there's a big community that has bought into XML toolchains.
10:20:14 [jar]
ht: But this doesn't count with HTML5 community because they're not building web apps. Instead they're making documents
10:20:28 [jar]
timbl: Example website?
10:21:18 [jar]
ht: Many of the drivers for HTML are trying to make the browser the application delivery platform
10:22:26 [jar]
... The member participation in XHTML2 was from info delivery bus, not app deliv bus (yes, this is a specious distinction)
10:22:55 [jar]
... There's overlap but these are different communities
10:22:59 [DKA]
q+ to give a brief counter-example...
10:23:29 [jar]
... We mustn't leave the XML community behind. They bought into XML, and they get no benefit from HTML5
10:24:12 [jar]
... They're shipping XHTML. They're uncertain about what would happen if they moved to HTML5
10:24:15 [noah]
ack next
10:24:17 [Zakim]
DKA, you wanted to give a brief counter-example...
10:25:20 [jar]
dka: When we launched VF5 portal over browser on phone, that was based on an XML toolchain
10:25:27 [noah]
q+ to noodle on JSON
10:26:25 [jar]
... news, weather, horoscope - info sources don't want to build their own mobile sites, so we say, give us XML (partner markup) and we'll take care of it
10:27:05 [ht]
Here's an example of an all XML toolchain-produced website, managed using the Factonomy product I mentioned -- the site owners (almost) never see markup, but maintain and augment the site via form-based interfaces:
10:28:28 [jar]
... Now, the devices have grown up, the clients have more mature browsers, the info providers now have skills, so portal infrastructure may have a diminishing role
10:28:49 [jar]
... Portal is evolving toward a directory
10:28:58 [jar]
noah: compare AOL, Yahoo! ?
10:29:21 [jar]
dka: Maybe this story gives a data point
10:29:34 [ht]
q+ to present the above example
10:31:20 [jar]
dka: If it's easier for an intermediary to use HTML5, they're going to gravitate toward it
10:31:45 [jar]
timbl: A little person will get drupal ...
10:31:55 [noah]
ack ht
10:31:55 [Zakim]
ht, you wanted to present the above example
10:33:09 [timbl]
.. and hope that drupal works well with mobile
10:34:04 [timbl]
So the CMSs (open source and other) have to be fixed to work with mobile.
10:34:23 [jar]
ht: SHR writes no documents, just adds, organizes. Skins and layouts chosen from menu. The toolchain pulls both structure and content out of database and renders it in XHTML
10:34:59 [noah]
ack next
10:35:00 [jar]
... javascript is used to make site look same in all browsers ... [grumble...]
10:35:01 [Zakim]
noah, you wanted to noodle on JSON
10:36:17 [jar]
noah: Why was XML to W3C? Because hope was that it was to be used generally on the web
10:36:24 [jar]
s/XML to/XML brought to/
10:37:01 [jar]
noah: Losing to JSON et al.
10:37:49 [ht]
HST wonders how sure you are that XML is (still) losing to JSON -- I hear less about it than I used to, and more about ATOM
10:38:01 [jar]
... the HTML5 app builders are not using XML ...
10:38:41 [jar]
timbl: RSS, ATOM
10:39:38 [jar]
... there's lots of XML on the web... Word ...
10:40:35 [noah]
ack next
10:40:42 [jar]
... issue is important to anyone who writes scripts, has to deal with two different DOMs
10:41:47 [jar]
yves: JSON has implied datatypes; XML datatypes are complex. JSON easier, natural
10:42:42 [jar]
... compound document is a hard problem, huge problem in XML/HTML integration
10:43:56 [jar]
timbl: If people are moving data around, the direction to go is to standardize some way to map JSON to/from RDF
10:44:31 [jar]
ht: parsing XML is faster than parsing JSON...
10:44:36 [jar]
noah: transient effect
10:44:56 [timbl]
ht, pointers please!!!!
10:45:34 [jar]
ht: (that was just a footnote)
10:48:29 [noah]
JAR: Somehow reminds me of the LISP vision: universal format for data (did I get that right?)
10:48:44 [noah]
JAR: RDF somewhat the same
10:49:12 [noah]
JAR: Seems there's a constant struggle around getting data sent around in a machine processable way, and integrated with UI stuff.
10:52:24 [ht]
q+ to mention the meeting last Friday, and next steps
10:57:16 [jar]
ht: [cleaning up html ...] validator should give positive feedback, feedback directed to the authors ... this seems promising
10:58:03 [jar]
ht: What is the benefit we're trying to achieve? What is the motivating headline? We want to make the web (fill in blank)?
10:58:09 [jar]
timbl: simpler, cleaner?
10:58:51 [ht]
Whitepaper about short- and long-term benefits
10:58:53 [jar]
timbl: benefits, motto
10:59:12 [ht]
And then a catchphrase similar to "cool URIs don't change"
11:02:12 [jar]
timbl: Since 2 years ago, progress on polyglot documents, important idea & set of use cases
11:02:32 [jar]
... Many discussions on namespaces
11:02:50 [ht]
The survival of polyglot as a 1st-class citizen is what really matters for the XML-tool-chain-doc-management stuff I've been banging on about
11:04:36 [jar]
timbl: strategy?
11:12:48 [jar]
jar: Task force vs. working group vs. other - let's be clear
11:13:34 [jar]
. action timbl to Create a task force on XML / HTML integration
11:14:14 [jar]
action timbl to Create a task force on XML / HTML convergence
11:14:14 [trackbot]
Created ACTION-437 - Create a task force on XML / HTML convergence [on Tim Berners-Lee - due 2010-06-14].
11:14:26 [jar]
action-437 due in one month
11:14:26 [trackbot]
ACTION-437 Create a task force on XML / HTML convergence due date now in one month
11:17:04 [jar]
. RESOLVED: The TAG recommends the formation of a task force to drive the reunification of XML and HTML
11:17:23 [jar]
RESOLVED: The TAG recommends the formation of a task force to drive the reunification of XML and HTML
11:17:39 [jar]
(passed by general acclaim)
11:18:20 [ht]
OK, I have found the beginning of the thread about Tim's document:
11:18:31 [jar]
Yves will scribe this afternoon
11:18:43 [jar]
ADJOURNED until after lunch.
11:18:53 [ht]
[Member-only link above, sorry]
12:16:01 [Yves]
scribenick: Yves
12:16:05 [Yves]
scribe: Yves
12:18:07 [Yves]
Topic: Domain name persistence (mini-workshop)
12:18:26 [Yves]
(round of introductions)
12:19:22 [Yves]
Helen Hockx-Yu & Kevin Ashley
12:22:45 [Yves]
ht: commonly raised issue about using http URIs for persistence is because of possibilities of 404.
12:24:35 [Yves]
persistence for multiple hundreds of years; how could (owned) domain names achieve such persistence?
12:25:10 [Yves]
might lead to a workshop on digital data persistence.
12:28:41 [noah]
s/mini-workshop/workshop planning/
12:28:41 [Yves]
there are two main lines, first one is to go to IANA for new TLDs under new rules that deserve to live forever
12:29:24 [Yves]
leading to more stable reference than with usual domain names
12:30:11 [Yves]
alternate way is to allow existing domains to fall in that category of "persistent domain"
12:31:01 [Yves]
open question, what would be the basis for selecting/allowing specific domains to become persistent
12:32:50 [Yves]
also some legal issues relative to endowments
12:35:51 [Yves]
jar: question about attaching metadata to a document, more difficult to do in an archive system than on a regular web site
12:36:28 [Yves]
advocates for URN claiming it was more reliable, how do you solve the URN resolving issue?
12:38:56 [Yves]
Kevin: difference between persistence of content, and persistence of domain name
12:39:35 [Yves]
jar: there are two aspects, the data, the cataloguing aspect, the metadata, and how to access them
12:40:55 [Yves]
persistence, cataloguing are almost solved problems, but automatic retrieval and update of metadata in archived records is an unsolved issue
12:42:31 [johnk]
johnk has joined #tagmem
12:43:51 [Yves]
Helen: we start with seed URIs and crawl. We did two domain crawls (of .uk). Between the 2 crawls, more than 5% became unavailable, and new ones emerged. Also ownership changed on some domains, with different content.
12:44:14 [Yves]
timbl: how many domains have meaningful whois information?
12:44:46 [Yves]
Helen: the goal is not to detect who the owner is, but that it changed
12:45:46 [Yves]
memento project is to embed time and date dimension in http requests, allowing you to do conneg based on time
12:46:43 [Yves]
you can link to dated version, and the memento server would serve the closest in time dated version of the content
12:47:19 [Yves]
there is a plugin for firefox that adds a time slider.
12:47:42 [Yves]
timbl: so you need to add in your server a link to the memento server of your choice
12:53:01 [Yves]
timbl: difficulty at W3C to mementoify our content is because ACLs are not versioned in time, so you can get content at a specific time, but not the list of who was able to access this data
12:53:25 [Yves]
Kevin: same issue with government material
12:54:25 [Yves]
ht: there are some examples of useful software where the free version of it is only accessible through the wayback machine
12:56:06 [Yves]
Helen: in our case, we store things in archival format, so when people request archived copy, they may not be able to access the content
12:58:53 [Yves]
ht: there are different requirements. In the IETF or W3C case, "follow your nose" means that when you get an http exchange, you can blindly follow the set of rules, so everything you need to know is on the web. But it all depends on http URI resolving.
12:59:29 [Yves]
having the bits available in an archived site is good, but having the /TR/ and RFCs available at their URIs is crucial
12:59:43 [jar]
q+ jar to suggest 'persistent linking'
12:59:51 [ht]
ack ht
12:59:51 [Zakim]
ht, you wanted to mention the meeting last Friday, and next steps
13:00:45 [noah]
TAG Finding on linking to alternate formats:
13:02:18 [Yves]
trade off between conneg and linkable versions. If you have multiple versions, it is good practise to have URIs of the specific versions, and a way to list and compare alternates
13:08:12 [Yves]
Helen: because of technology limitations archived content is not a 100% faithful copy of a website (because of active content); also lots of producers don't want their content archived
13:08:33 [ht]
So, kinds of reference preservation goals. . . in archives, for web standards (follow your nose), [what else]
13:08:47 [Yves]
like making accessible things that were removed on purpose (like for legal reasons) on one site
13:09:01 [ht]
q+ to mention tar pits
13:09:21 [ht]
ack jar
13:09:21 [Zakim]
jar, you wanted to suggest 'persistent linking'
13:10:47 [ht]
and "interarchival reference" to the list above
13:10:49 [noah]
Should we start thinking about the workshop?
13:12:27 [ht]
UNESCO ICA -- International Council xxx Archives
13:14:43 [Yves]
ht: archival task is a bit similar to search engines to avoid tarpits (automatic crawling)
13:16:26 [Yves]
ht: jar's issue is persistent linking and not persistent content
13:22:43 [Yves]
ht: need to find a direction
13:26:24 [ht]
ISO group forming wrt Web (archive) Metrics, says Helen H-Y
13:28:28 [Yves]
(discussions on who would be interested in participating in a workshop on persistence)
13:28:38 [ht]
Possible attendees: DNS people (Ask TLR?), Memento designer (Herbert van der ???), Internet Archive (Wayback) ???
13:29:12 [ht]
(different) National Library people
13:31:00 [ht]
Ray Dennenbarg, Stu Weibel
13:31:43 [ht]
JR's question: Which intervention point(s) are the most promising?
13:36:07 [ht]
Australian National Data Service; IIPC (International Internet Preservation ?), Radu, Int'l library of Singapore (mtg at IPRES, Vienna, September), then IIPC next May in NL
13:46:10 [ht]
Paul Cunnea, National Library of Scotland, IIPC
13:46:54 [noah]
Henry lists things to do moving forward:
13:48:11 [jar]
international internet preservation consortium
13:49:04 [ht]
s/Preservation ?/Preservation Consortium/
13:49:28 [Yves]
ht: need a white paper to document the different use cases and scenarios, so that we can point possible invitees to
13:50:01 [noah]
Is the whitepaper input to or prepared with output from the proposed workshop?
13:50:50 [Yves]
white paper as a way to ground the discussion on agreed and understood points
13:51:15 [noah]
s/Paul Cunnea//
13:51:55 [RRSAgent]
I have made the request to generate Yves
13:56:56 [Yves]
Present: Jonathan_Rees, Noah_Mendelsohn, Ashok_Malhotra, Henry_Thompson, Daniel_Appelquist, TimBL, Yves_Lafon
14:12:28 [johnk]
johnk has joined #tagmem
14:34:36 [Yves]
Topic: Web Application, Client-side state
14:34:57 [noah]
topic: Web Applications: Client-side state
14:35:11 [trackbot]
ACTION-430 -- Ashok Malhotra to propose a plan for his contributions to section 5: Client-side state -- due 2010-06-07 -- OPEN
14:37:20 [johnk]
hello, this is John - is it OK for me to dial in?
14:38:27 [noah]
Yes, great JK. We'll figure out the phone here and dial in ASAP.
14:39:13 [Zakim]
TAG_f2f()3:00AM has now started
14:39:20 [Zakim]
+ +0163567aaaa
14:40:16 [johnk]
yes, when my phone boots up ;)
14:41:05 [noah]
If you'll be on soon, we're waiting.
14:44:05 [Yves]
discussion moving to security
14:44:21 [Yves]
Topic: Web Applications - Security
14:45:26 [trackbot]
ACTION-240 -- John Kemp to read thread on RDFa, CURIEs and profile and summarize -- due 2009-03-21 -- CLOSED
14:45:28 [trackbot]
ACTION-340 -- John Kemp to summarize recent discussion around XHR and UMP -- due 2010-06-04 -- PENDINGREVIEW
JohnK: document updated after email feedback from the original TAG email on the topic
14:52:32 [Yves]
it is clear that no specification completely forbids leaking information from one site to the other (cross-origin forgeries)
14:53:54 [Yves]
Tim: is it because it is not about all URIs and methods for retrieving them (like script, or <img> tags)?
14:54:34 [Yves]
jar: it is considered safe to load an image or script, not sending information
14:56:14 [jar]
*loading* script is ok... it's honoring the script's requests that's troublesome
14:56:39 [Yves]
ashok: if you want websites to cooperate, same origin policy will forbid that. cors will help that while still allowing same origin policy checks
14:57:18 [Yves]
ashok: does cors provide solution to xsrf/clickjacking? => not
14:58:12 [Yves]
johnK: validating origin alone is not enough to decide to do the request or not
14:58:47 [Yves]
timbl: origin is the origin of the script, the main question is how to run script from an untrusted website
15:01:55 [Yves]
Noah: I sign on an airline site, get a cookie from that site. I visit another site that wants to cancel my flight (attack script). it starts with a GET request. With CORS, the cookie will go out, potentially authenticating me, it will have extra header
15:02:33 [Yves]
for the browser to hand or not the data to the script if it is from the authorized list
15:02:52 [Yves]
now, what if it is a POST (or any unsafe operation)
15:03:06 [Yves]
JohnK: for any unsafe operation there is a 'pre-flight' request
15:07:30 [jar]
DBAD = don't be a deputy
15:09:30 [Yves]
jar: if you reuse credentials, there will always be confused deputy attacks
15:09:52 [DKA]
q+ to ask John a somewhat orthogonal question: compare CORS to ?
15:10:15 [ht]
q- ht
15:12:29 [Yves]
Noah: surprising in the GET case that instead of having the server not return the data if not allowed, it sends back data and trusts the user-agent to do the security check on its behalf
15:14:16 [johnk]
dka: that link is also to CORS - (see the link below the title to /cors)
15:14:40 [DKA]
oops :)
15:14:48 [DKA]
I meant:
15:15:09 [Yves]
jar: when you authenticate yourself, you give information to your user-agent
ht: in a capability oriented system, there are URIs that allow one to identify compound resources that are resources+locks
15:22:39 [johnk]
a capability URI is not only a pointer to a resource, but the ability to use it
15:23:00 [johnk]
... do something to that resource
15:26:25 [Yves]
Noah: is there a guessability of capability URIs?
15:26:45 [Yves]
jar: not if you don't have the credentials to use that capability
15:29:19 [Yves]
jar: protection against CSRF is about unguessable tokens, in the URI or not
15:31:42 [Yves]
ht: unguessable, but it is interceptable?
15:32:32 [Yves]
jar: in banks, they also use defense against interception
15:34:11 [johnk]
CSRF prevention example (from my Google account register domain HTML form):
15:34:11 [johnk]
<input type="hidden" name="secTok" id="secTok"
15:40:32 [Yves]
(about U:)
15:41:54 [jar]
oauth vs. capabilities:
15:43:47 [jar]
Why we're talking about this (1) the finding that could be read as no secrets in URIs, (2) web app security in general
15:44:12 [noah]
Explaining a bit about OAuth vs. CORS/UMP might be worthwhile, but I'm a little reluctant to get into doing an analysis of the whole server-side vs. client-side data integration tradeoff.
15:44:25 [noah]
q- DKA
15:44:52 [jar]
timbl: Do we accept the idea that origins can be principals?
15:46:16 [jar]
timbl: Consider a company that provides scripts, and is generally trusted to do so
15:47:02 [noah]
q+ to talk about CDN's etc.
15:47:33 [Yves]
timbl: using domains as principals means that you trust the script to do the right thing, be an intermediary, respect the access controls
15:47:39 [noah]
q+ ashok
15:47:40 [jar]
timbl: Hypothesis: using domains as principals counts, and means something... that you trust the scripts to do the right thing ... to be trustworthy intermediaries, to implement some kind of access control on behalf of others
15:48:25 [timbl]
So in an ACL-based system, users have to be able to add script domains to the ACLs.
15:48:27 [Yves]
johnk: how do we move forward? broad architectural issue about security on the web. The current model is mixing user agent authentication and server-based authentication
15:48:37 [noah]
ack next
15:48:48 [Yves]
so security is built on hacks over hacks
15:49:13 [noah]
q- Noah
15:49:18 [Yves]
johnK: the algorithm for user agent is complex so that it may leave holes in the implementation
15:49:29 [Yves]
s/complex/sufficiently complex/
15:50:05 [jar]
johnk: will ordinary web developers be able to do the right thing, or will it be too complex
15:50:08 [Yves]
need to have a way to allow web developers to do the right thing without having to think too much about it
15:50:33 [noah]
q+ to ask about followup & more sessions at this F2F
15:50:52 [noah]
ack next
15:51:47 [Yves]
ashok: critical to allow people to assess trust, but why is it at the header level, and not using policy URIs?
15:51:48 [noah]
ack next
15:51:50 [Zakim]
noah, you wanted to ask about followup & more sessions at this F2F
15:51:50 [Yves]
jar: it has been proposed
15:58:28 [RRSAgent]
I have made the request to generate Yves
15:59:27 [Yves]
ScribeOptions: -final -noEmbedDiagnostics
15:59:28 [RRSAgent]
I have made the request to generate Yves
16:00:36 [johnk]
ok, I'm going to drop off
16:00:52 [johnk]
please let me know if you have any idea of dates for the next meetings
16:02:07 [johnk]
thanks Yves
16:02:55 [johnk]
johnk has left #tagmem
16:31:12 [Zakim]
TAG_f2f()3:00AM has ended
16:31:13 [Zakim]
Attendees were +0163567aaaa, ht, timbl, jar, ashok, Yves, dka, Noah, John_Kemp
16:38:55 [timbl]
timbl has joined #tagmem
18:17:00 [Zakim]
Zakim has left #tagmem