08:12:30 RRSAgent has joined #tagmem
08:12:30 logging to http://www.w3.org/2010/06/07-tagmem-irc
08:12:50 jar has joined #tagmem
08:13:07 Agenda: http://www.w3.org/2001/tag/2010/06/07-agenda
08:13:12 ht has joined #tagmem
08:13:13 convening
08:13:16 I have made the request to generate http://www.w3.org/2010/06/07-tagmem-minutes.html Yves
08:14:02 chair: Noah Mendelsohn
08:14:08 scribe: Jonathan Rees
08:14:11 scribenick: jar
08:14:21 meeting: TAG F2F
08:14:22 Ashok has joined #tagmem
08:15:15 item: Convene, review agenda
08:15:51 regrets: Larry Masinter
08:16:39 Welcome Yves
08:19:33 F2F Main Goals:
08:19:33 Make progress on writing related to Web Application Architecture
08:19:33 XML / HTML integration
08:19:33 Other technical topics
08:20:52 noah: Question: what is the best form for our publications? recs, findings, blogs
08:21:58 noah: Let's get things written, push them out, then figure out their disposition (finding etc)
08:23:37 noah: Move domain name discussion from Tues to Mon
08:24:41 ht: My goal was to brainstorm with a few (non-TAG) people on whether a more substantial meeting for consensus building is worthwhile
08:25:10 ht: Kevin Ashley, new director of DCC (digital curation center)
08:26:40 Helen Hockx-Yu
08:27:02 ht: Helen is from British Library
08:30:25 (discussion of agenda, how to involve John K and others who have to call in)
08:31:21 http://www.w3.org/2001/tag/2010/05/web-apps-notes.html
08:31:33 topic: Web Applications: Overview
08:32:11 dka: (talking from projected page, follow above link)
08:34:04 dka: TAG could act as a 'lens' relating frontline work to broader community
08:35:22 dka: Robin Berjon has been helpful
08:35:57 dka: Look at how 'web applications' are being used in the field
08:36:25 dka: Originally people used GET... maybe not always in the best way
08:37:09 dka: Look at patterns of WA usage, say here's how they use the artifacts of web arch. Maybe this would be useful
08:37:24 s/WA/web app/
08:38:11 dka: relation of messaging protocols to webarch - e.g. in social networks
08:38:20 timbl: Messages vs. information space
08:38:55 dka: e.g. Websockets is making this connection; that's interesting
08:39:46 ht: +1 to drilling down enough to understand how XMPP addresses [this]
08:40:15 timbl: Pattern approach is good, say: If you use these protocols in this way you get this value.
08:40:52 timbl: Applying this to web apps arch, there are many different areas, so [difficult]
08:41:06 timbl: Taxonomies are ratholes...
08:41:18 ht: People are inventing new things faster than we can classify them
08:42:00 dka: People know REST, and ask what can the TAG add to the REST story?
08:43:14 timbl: REST used to mean web + Fielding... now there are new patterns that build on this (e.g. odata, JSON, SPARQL patterns)
08:44:40 noah: There's a level where we might say here's the architecture pattern, that connects client side & server side use of URIs
08:45:04 noah: Raman is giving interesting particular examples; [that's a second level]
08:45:30 ... connect the 2 levels (architectural patterns & usage patterns)
08:46:47 dka: I'm influenced by what we're doing in mobile web best practices group. Look into applying some of that methodology. Here's a usage, evaluate it, does it lead to a good result?
08:48:18 timbl: often TAG work has been triggered by a very specific issue. Intense discussion, followed sometimes by saying it's OK.
08:51:22 dka: Where can we have an activist agenda?
08:51:59 noah: Our mandate is architecture... the web is an information space, much of the value comes from linking
08:52:20 ... network effects
08:53:26 dka: The 'cool uris don't change' resonates with people, they know w3c says this
08:54:40 yves: Hard to link into a silo. Entertainment industry, for example, tends to make monolithic [insular] apps
08:55:23 ashok: Is it lack of education, or is it business reasons?
08:56:31 timbl: One concern about web apps is that they're too slow, this motivates things like app stores [native applications that could have been web apps]
08:57:13 noah: The native apps are less clunky, little things
08:57:46 timbl: We can [try to] clean up the web... we could push for very hot web apps...
08:59:36 ht: Many of these "you need specific browser X to look at this page" errors are false - the page works fine if you edit out the browser detection code
09:01:15 timbl: (writing on white board, 3rd item in list after 'very hot apps') Decent social networking (socially aware storage; P2P)
09:01:33 dka: I care about this last one, but I wouldn't put it under the topic of web apps
09:02:44 noah, timbl: "For more, see the facebook page"
09:03:46 timbl: The problem is that the garden center is committed to FB being their ISP
09:04:36 ht: But then it is on the web, right? [question preceded timbl: The problem...]
09:07:55 dka: re security, I've been focusing on DAP, GEO
09:08:38 ... in widgets, there's the concept of a feature having a URI (e.g. the geolocation)
09:09:12 ... this mirrors what app stores are trying to do. E.g. "this app wants to access your camera and location, ok?"
09:10:06 noah: There are 3 levels of apps, app store, drive-by, widgets (with install step)
09:10:32 dka: What constitutes a web app?
09:10:54 ht: we talked about this in Cambridge, with John K
09:11:48 timbl: negotiating the interchange of data between otherwise untrusted parties. An install is part of a trust system. The dominant web sites are ones that get trusted.
09:12:57 ... different [orthogonal] from technical questions, such as shuffling data, caching
09:14:02 noah: Users think they know what it means to install something. At install points they expect these annoying questions
09:14:39 ashok: There can be problems if your situation changes (you don't want to allow use at a particular location, etc)
09:15:28 noah: Tension between install step & on-the-spot decision making
09:15:50 dka: Is there a middle way?
09:16:59 ... People who are building widgets think of them as app containers, maybe [missed]
09:17:41 yves: You want a local storage of [privacy/security] properties that can be examined and changed
09:18:23 timbl: BT open zone
09:19:11 ... there's an assumption that the domain is a principal ...
09:19:22 individuals (social entities) and orgs are principals
09:19:42 and then there are lumps of software - also treated as principals
09:20:11 s/and/... and/
09:21:03 timbl: Would be good if the TAG looked at this... maybe recommend keys... the user interface is the hard part
09:24:13 ht: It always comes back to the question of principals. These systems founder because the identity is not useful to you.
09:24:37 ht: That doesn't tell you whether you should accept content from that principal.
09:26:45 jar: Lampson emphasizes accountability
09:27:46 ashok: Certs are often meaningless
09:28:01 http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext
09:29:24 noah: PKI, Verisign but also PGP, Lotus Notes, integrated UI... PKI is a low level building block
09:29:53 jar: Lampson article is cynical, interesting even if you don't agree
09:30:59 timbl: The CORS idea seems bizarre to me, isn't the web public anyhow, why should scripts be different from other agents? - but it's a reputation system
09:33:11 yves: Host X is fine for some things, but what if I don't like their tracking system?...
09:35:31 dka: Let's look at the list, think about priorities
09:36:30 Break for 15 minutes.
09:59:02 FYI - art heist blog article in NYT I was referring to earlier: http://nyti.ms/d7qjaW [context: freedom of the Internet, also privacy]
10:04:15 Reconvening.
10:04:24 Agenda shuffling
10:05:23 topic: HTML / XML Unification
10:05:39 msg ht let me know if you think guests this afternoon will want internet access - if so, I need their email addresses if possible so I can get them passwords.
10:05:46 hrm
10:05:59 noah: There've been repeated efforts on tag soup / html moving forward.
10:08:10 noah: Raman had nominated TimBL to convene some kind of group to tackle this problem
10:09:28 timbl: When Raman said the TAG was ineffective, I said what should be done?
10:10:22 timbl: I've wanted to bring the XML and HTML forks back together
10:10:46 ... Making a client has been made more difficult, with two stacks
10:11:13 q+ to mention the widespread use of XML toolchains in web/document management environment
10:11:23 ... re mime types, Larry has said to fix it by fixing incentives ...
10:11:51 ... we want a culture where it's considered good to clean things up ...
10:12:25 ... maybe we'll try and fail
10:12:35 ... So how can we clean this up.
10:13:14 ... E.g. maybe fix the validator, so it would say "you could do such and such and then it would work with so and so client"
10:13:50 ... To what extent do you move HTML toward XML, or XML toward HTML
10:14:18 ... One end of the scale, non-nested close tags are silly, we can just say it's not OK
10:14:54 ... On the other hand, default namespaces seem really convenient
10:15:14 ... thus a range of attitudes depending on feature
10:16:15 ... Possibility of a group with representation from both communities, people who understand issues deeply
10:17:18 q?
10:17:21 ... I've wanted to do this, but have felt there hasn't been backing. TAG support would be helpful
10:17:28 ack next
10:17:30 ht, you wanted to mention the widespread use of XML toolchains in web/document management environment
10:17:39 ht: Yes
10:17:40 +1 to bringing together moderates rather than extremists.
10:17:55 ack ht
10:18:26 I don't think moderates/extremists is the point. In fact, most of the people in the community I think have important perspectives. I think we need to bring together experts who understand the needs of the communities and the details of the technologies.
10:18:45 q+ to talk about XML tool chains and compatibility
10:18:59 ht: I've become aware that there's a big community that has bought into XML toolchains.
10:19:23 q-
10:20:14 ht: But this doesn't count with HTML5 community because they're not building web apps. Instead they're making documents
10:20:28 timbl: Example website?
10:21:18 ht: Many of the drivers for HTML are trying to make the browser the application delivery platform
10:22:26 ... The member participation in XHTML2 was from info delivery bus, not app deliv bus (yes, this is a specious distinction)
10:22:55 ... There's overlap but these are different communities
10:22:59 q+ to give a brief counter-example...
10:23:18 q?
10:23:29 ... We mustn't leave the XML community behind. They bought into XML, and they get no benefit from HTML5
10:24:12 ... They're shipping XHTML. They're uncertain about what would happen if they moved to HTML5
10:24:15 ack next
10:24:17 DKA, you wanted to give a brief counter-example...
10:25:20 dka: When we launched VF5 portal over browser on phone, that was based on an XML toolchain
10:25:27 q+ to noodle on JSON
10:26:25 ... news, weather, horoscope - info sources don't want to build their own mobile sites, so we say, give us XML (partner markup) and we'll take care of it
10:27:05 Here's an example of an all XML toolchain-produced website, managed using the Factonomy product I mentioned -- the site owners (almost) never see markup, but maintain and augment the site via form-based interfaces: http://www.scottishhumanrights.com/
10:27:15 ... XSLT, WML, XHTML
10:28:22 q?
10:28:28 ... Now, the devices have grown up, the clients have more mature browsers, the info providers now have skills, so portal infrastructure may have a diminishing role
10:28:49 ... Portal is evolving toward a directory
10:28:58 noah: compare AOL, Yahoo! ?
10:29:21 dka: Maybe this story gives a data point
10:29:34 q+ to present the above example
10:31:20 dka: If it's easier for an intermediary to use HTML5, they're going to gravitate toward it
10:31:45 timbl: A little person will get drupal ...
10:31:50 q?
10:31:55 ack ht
10:31:55 ht, you wanted to present the above example
10:33:09 .. and hope that drupal works well with mobile
10:34:04 So the CMSs (open source and other) have to be fixed to work with mobile.
10:34:23 ht: SHR writes no documents, just adds, organizes. Skins and layouts chosen from menu. The toolchain pulls both structure and content out of database and renders it in XHTML
10:34:59 ack next
10:35:00 ... javascript is used to make site look same in all browsers ... [grumble...]
10:35:01 noah, you wanted to noodle on JSON
10:36:17 noah: Why was XML to W3C? Because hope was that it was to be used generally on the web
10:36:24 x/XML to/XML brought to/
10:37:01 noah: Losing to JSON et al.
10:37:49 HST wonders how sure you are that XML is (still) losing to JSON -- I hear less about it than I used to, and more about ATOM
10:38:01 ... the HTML5 app builders are not using XML ...
10:38:41 timbl: RSS, ATOM
10:39:38 ... there's lots of XML on the web... Word ...
10:40:29 q?
10:40:35 ack next
10:40:42 ... issue is important to anyone who writes scripts, has to deal with two different DOMs
10:40:45 SVG, DOCX
10:41:47 yves: JSON has implied datatypes; XML datatypes are complex. JSON easier, natural
10:42:42 ... compound document is a hard problem, huge problem in XML/HTML integration
10:42:53 q?
10:43:56 timbl: If people are moving data around, the direction to go is to standardize some way to map JSON to/from RDF
10:44:31 ht: parsing XML is faster than parsing JSON...
10:44:36 noah: transient effect
10:44:56 ht, pointers please!!!!
10:45:34 ht: (that was just a footnote)
10:45:53 http://performance.survol.fr/2008/04/json/
10:47:13 http://blogs.nitobi.com/dave/2005/09/29/javascript-benchmarking-iv-json-revisited/
10:48:29 JAR: Somehow reminds me of the LISP vision: universal format for data (did I get that right?)
10:48:44 JAR: RDF somewhat the same
10:49:12 JAR: Seems there's a constant struggle around getting data sent around in a machine processable way, and integrated with UI stuff.
10:50:14 http://labs.mudynamics.com/2009/05/01/json-xml-performance/
10:51:57 http://ejohn.org/apps/jsonvxml/jsonvxml.png
10:52:24 q+ to mention the meeting last Friday, and next steps
10:57:16 ht: [cleaning up html ...] validator should give positive feedback, feedback directed to the authors ... this seems promising
10:58:03 ht: What is the benefit we're trying to achieve? What is the motivating headline? We want to make the web (fill in blank)?
10:58:09 timbl: simpler, cleaner?
10:58:51 Whitepaper about short- and long-term benefits
10:58:53 timbl: benefits, motto
10:59:12 And then a catchphrase similar to "cool URIs don't change"
11:02:12 timbl: Since 2 years ago, progress on polyglot documents, important idea & set of use cases
11:02:32 ... Many discussions on namespaces
11:02:50 The survival of polyglot as a 1st-class citizen is what really matters for the XML-tool-chain-doc-management stuff I've been banging on about
11:04:36 timbl: strategy?
11:12:48 jar: Task force vs. working group vs. other - let's be clear
11:13:34 . action timbl to Create a task force on XML / HTML integration
11:14:14 action timbl to Create a task force on XML / HTML convergence
11:14:14 Created ACTION-437 - Create a task force on XML / HTML convergence [on Tim Berners-Lee - due 2010-06-14].
11:14:26 action-437 due in one month
11:14:26 ACTION-437 Create a task force on XML / HTML convergence due date now in one month
11:17:04 . RESOLVED: The TAG recommends the formation of a task force to drive the reunification of XML and HTML
11:17:23 RESOLVED: The TAG recommends the formation of a task force to drive the reunification of XML and HTML
11:17:39 (passed by general acclaim)
11:18:20 OK, I have found the beginning of the thread about Tim's document: http://lists.w3.org/Archives/Member/tag/2008Aug/0067.html
11:18:31 Yves will scribe this afternoon
11:18:43 ADJOURNED until after lunch.
11:18:53 [Member-only link above, sorry]
12:16:01 scribenick: Yves
12:16:05 scribe: Yves
12:18:07 Topic: Domain name persistence (mini-workshop)
12:18:26 (round of introductions)
12:19:22 Helen Hockx-Yu & Kevin Ashley
12:22:45 ht: commonly raised issue about using http URIs for persistence is because of possibilities of 404.
12:24:35 persistence for multiple hundreds of years, how could (owned) domain names achieve such persistence?
12:25:10 might lead to a workshop on digital data persistence.
12:28:41 s/mini-workshop/workshop planning/
12:28:41 there are two main lines, first one is to go to IANA for new TLDs under new rules that deserver to live forever
12:28:54 s/deserver/deserve/
12:29:24 leading to more stable reference than with usual domain names
12:30:11 alternate way is to allow existing domains to fall in that category of "persistent domain"
12:31:01 open question, what would be the basis for selecting/allowing specific domains to become persistent
12:32:50 also some legal issues relative to endowments
12:35:51 jar: question about attaching metadata to a document, more difficult to do in an archive system than on a regular web site
12:36:28 advocates for URN claiming it was more reliable, how do you solve the URN resolving issue?
12:38:56 Kevin: difference between persistence of content, and persistence of domain name
12:39:35 jar: there are two aspects, the data, the cataloguing aspect, the metadata, and how to access them
12:40:42 s/two/three/
12:40:55 persistence, cataloguing are almost solved problems, but automatic retrieval and update of metadata in archived records is an unsolved issue
12:42:31 johnk has joined #tagmem
12:43:51 Helen: we start with seed URIs and crawls. We did two domain crawls (of .uk). Between the 2 crawls, more than 5% became unavailable, and new ones emerged. Also ownership changed on some domains, with different content.
12:44:14 timbl: how many domains have meaningful whois information?
12:44:46 Helen: the goal is not to detect who the owner is, but that it changed
12:45:46 memento project is to embed time and date dimension in http requests, allowing you to do conneg based on time
12:46:43 you can link to dated version, and the memento server would serve the closest in time dated version of the content
12:47:19 there is a plugin for firefox that adds a time slider.
12:47:42 timbl: so you need to add in your server a link to the memento server of your choice
12:53:01 timbl: difficulty at W3C to mementoify our content is because ACLs are not versioned in time, so you can get content at a specific time, but not the list of who was able to access this data
12:53:25 Kevin: same issue with government material
12:54:25 ht: there are some examples of useful software where the free version of it is only accessible through the wayback machine
12:56:06 Helen: in our case, we store things in archival format, so when people request archived copy, they may not be able to access the content
12:56:20 (arc)
12:58:53 ht: there are different requirements. in the IETF or W3C case, "follow your nose" means that when you get an http exchange, you can follow blindly the set of rules, so everything you need to know is on the web. But it all depends on http URI resolving.
12:59:29 having the bits available in an archived site is good, but having the /TR/ and RFCs available at their URIs is crucial
12:59:43 q+ jar to suggest 'persistent linking'
12:59:51 ack ht
12:59:51 ht, you wanted to mention the meeting last Friday, and next steps
13:00:45 TAG Finding on linking to alternate formats: http://www.w3.org/2001/tag/doc/alternatives-discovery.html
13:02:18 trade off between conneg and linkable versions. If you have multiple versions, it is good practise to have URIs of the specific versions, and a way to list and compare alternates
13:04:57 q?
13:08:12 Helen: because of technology limitation archived content is not a 100% faithful copy of a website (because of active content), also lots of producers don't want their content archived
13:08:33 So, kinds of reference preservation goals. . . in archives, for web standards (follow your nose), [what else]
13:08:47 like making accessible things that were removed on purpose (like for legal reasons) on one site
13:09:01 q+ to mention tar pits
13:09:21 ack jar
13:09:21 jar, you wanted to suggest 'persistent linking'
13:10:47 and "interarchival reference" to the list above
13:10:49 Should we start thinking about the workshop?
13:12:27 UNESCO ICA -- International Council xxx Archives
13:14:43 ht: archival task is a bit similar to search engines to avoid tarpits (automatic crawling)
13:16:26 ht: jar's issue is persistent linking and not persistent content
13:22:43 ht: need to find a direction
13:26:24 ISO group forming wrt Web (archive) Metrics, says Helen H-Y
13:28:10 q+
13:28:28 (discussions on who would be interested in participating in a workshop on persistence)
13:28:38 Possible attendees: DNS people (Ask TLR?), Memento designer (Herbert van der ???), Internet Archive (Wayback) ???
13:29:12 (different) National Library people
13:31:00 Ray Dennenbarg, Stu Weibel
13:31:28 s/Dennebarg/Dennenberg/
13:31:43 JR's question: Which intervention point(s) are the most promising?
13:31:55 q-
13:36:07 Australian National Data Service; IIPC (International Internet Preservation ?), Radu, Int'l library of Singapore (mtg at IPRES, Vienna, September), then IIPC next May in NL
13:44:10 http://lists.w3.org/Archives/Public/www-tag/2009Dec/0109.html
13:46:10 Paul Cunnea, National Library of Scotland, IIPC
13:46:54 Henry lists things to do moving forward:
13:48:11 http://netpreserve.org/about/index.php international internet preservation consortium
13:49:04 s/Preservation ?/Preservation Consortium/
13:49:28 ht: need a white paper to document the different use cases and scenarios, so that we can point possible invitees to
13:50:01 Is the whitepaper input to or prepared with output from the proposed workshop?
13:50:50 white paper as a way to ground the discussion on agreed and understood points
13:51:15 s/Paul Cunnea//
13:51:23 s/Radu/???/
13:51:55 I have made the request to generate http://www.w3.org/2010/06/07-tagmem-minutes.html Yves
13:56:56 Present: Jonathan_Rees, Noah_Mendelsohn, Ashok_Malhotra, Henry_Thompson, Daniel_Appelquist, TimBL, Yves_Lafon
14:12:28 johnk has joined #tagmem
14:34:36 Topic: Web Application, Client-side state
14:34:57 topic: Web Applications: Client-side state
14:35:11 ACTION-430?
14:35:11 ACTION-430 -- Ashok Malhotra to propose a plan for his contributions to section 5: Client-side state -- due 2010-06-07 -- OPEN
14:35:11 http://www.w3.org/2001/tag/group/track/actions/430
14:36:05 http://www.w3.org/2001/tag/2010/05/WebApps.html
14:37:20 hello, this is John - is it OK for me to dial in?
14:38:27 Yes, great JK. We'll figure out the phone here and dial in ASAP.
14:38:33 thanks
14:39:13 TAG_f2f()3:00AM has now started
14:39:20 + +0163567aaaa
14:40:16 yes, when my phone boots up ;)
14:41:05 If you'll be on soon, we're waiting.
14:41:28 +John_Kemp
14:44:05 discussion moving to security
14:44:15 http://www.w3.org/2001/tag/tag-weekly#WebAppsSec
14:44:21 Topic: Web Applications - Security
14:45:20 http://www.w3.org/2001/tag/2010/06/01-cross-domain.html
14:45:26 ACTION-240?
14:45:26 ACTION-240 -- John Kemp to read thread on RDFa, CURIEs and profile and summarize http://lists.w3.org/Archives/Public/www-tag/2009Feb/0295.html -- due 2009-03-21 -- CLOSED
14:45:26 http://www.w3.org/2001/tag/group/track/actions/240
14:45:28 ACTION-340?
14:45:28 ACTION-340 -- John Kemp to summarize recent discussion around XHR and UMP -- due 2010-06-04 -- PENDINGREVIEW
14:45:28 http://www.w3.org/2001/tag/group/track/actions/340
14:46:04 http://www.w3.org/2001/tag/2010/06/01-cross-domain.html
14:47:34 JohnK: document updated after email feedback from the original TAG email on the topic
14:52:32 it is clear that no specification completely forbids leaking information from one site to the other (cross-origin forgeries)
14:53:54 Tim: is it because it is not about all URIs and methods for retrieving them (like script, or tags)?
14:54:34 jar: it is considered safe to load an image or script, not sending information
14:56:14 *loading* script is ok... it's honoring the script's requests that's troublesome
14:56:39 ashok: if you want websites to cooperate, same origin policy will forbid that. cors will help that while still allowing same origin policy checks
14:57:18 ashok: does cors provide solution to xsrf/clickjacking? => not
14:58:12 johnK: validating origin alone is not enough to decide to do the request or not
14:58:47 timbl: origin is the origin of the script, the main question is how to run script from an untrusted website
15:01:55 Noah: I sign on an airline site, get a cookie from that site. I visit another site that wants to cancel my flight (attack script). it starts with a GET request. With CORS, the cookie will go out, potentially authenticating me, it will have extra header
15:02:33 for the browser to hand or not the data to the script if it is from the authorized list
15:02:52 now, what if it is a POST (or any unsafe operation)
15:03:06 JohnK: for any unsafe operation there is a 'pre-flight' request
15:04:03 http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1324.html
15:04:04 http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1324.html
15:07:30 DBAD = don't be a deputy
15:07:59 http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0468/CORS.pdf
15:09:30 jar: if you reuse credentials, there will always be confused deputy attacks
15:09:52 q+ to ask John a somewhat orthogonal question: compare CORS to http://www.w3.org/TR/access-control/ ?
15:10:15 q- ht
15:12:29 Noah: surprising in the GET case that instead of having the server not returning the data if not allowed, it sends back data and trusts the user-agent to do the security check on its behalf
15:14:16 dka: that link is also to CORS - (see the link below the title to /cors)
15:14:40 oops :)
15:14:48 I meant: http://www.w3.org/TR/widgets-access/
15:15:09 jar: when you authenticate yourself, you give information to your user-agent
15:22:09 ht: in a capability oriented system, there are URIs that allow to identify compound resources that are resources+locks
15:22:39 a capability URI is not only a pointer to a resource, but the ability to use it
15:23:00 ... do something to that resource
15:26:25 Noah: is there a guessability of capability URI?
15:26:45 jar: not if you don't have the credentials to use that capability
15:29:19 jar: protection against CSRF is about unguessable tokens, in the URI or not
15:31:42 ht: unguessable, but it is interceptable?
15:32:32 jar: in banks, they also use defense against interception
15:34:11 CSRF prevention example (from my Google account register domain HTML form):
15:34:11 value='a06972ccb723db43c20d95985e5f17c5'/>
15:34:52 q?
15:40:32 http://www.w3.org/TR/UMP/#access-control-allow-origin-header (about U:)
15:41:51 s,http://www.w3.org/TR/UMP/#access-control-allow-origin-header,http://www.w3.org/TR/2010/WD-UMP-20100126/#access-control-allow-origin-header
15:41:54 oauth vs. capabilities: http://www.eros-os.org/pipermail/cap-talk/2010-June/014235.html
15:43:47 Why we're talking about this (1) the finding that could be read as no secrets in URIs, (2) web app security in general
15:44:08 q+
15:44:12 Explaining a bit about OAuth vs. CORS/UMP might be worthwhile, but I'm a little reluctant to get into doing an analysis of the whole server-side vs. client-side data integration tradeoff.
15:44:25 q- DKA
15:44:46 ok
15:44:52 timbl: Do we accept the idea that origins can be principals?
15:46:16 timbl: Consider a company that provides scripts, and is generally trusted to do so
15:47:02 q+ to talk about CDN's etc.
15:47:33 timbl: using domains as principals means that you trust the script to do the right thing, be an intermediary, respect the access controls
15:47:39 q+ ashok
15:47:40 timbl: Hypothesis: using domains as principals counts, and means something... that you trust the scripts to do the right thing ... to be trustworthy intermediaries, to implement some kind of access control on behalf of others
15:48:25 So in an ACL-based system, users have to be able to add script domains to the ACLs.
15:48:27 johnk: how do we move forward? broad architectural issue about security on the web. The current model is mixing user agent authentication and server-based authentication
15:48:37 ack next
15:48:48 so security is built on hacks over hacks
15:49:13 q- Noah
15:49:18 johnK: the algorithm for user agent is complex that it may leave holes in the implementation
15:49:29 s/complex/sufficiently complex/
15:50:05 johnk: will ordinary web developers be able to do the right thing, or will it be too complex
15:50:08 need to have a way to allow web developers to do the right thing without having to think too much about it
15:50:33 q+ to ask about followup & more sessions at this F2F
15:50:52 ack next
15:51:47 ashok: critical to allow people to assess trust, but why is it at the header level, and not using policy URIs?
15:51:48 ack next
15:51:50 noah, you wanted to ask about followup & more sessions at this F2F
15:51:50 jar: it has been proposed
15:58:20 ADJOURNED
15:58:28 I have made the request to generate http://www.w3.org/2010/06/07-tagmem-minutes.html Yves
15:59:27 ScribeOptions: -final -noEmbedDiagnostics
15:59:28 I have made the request to generate http://www.w3.org/2010/06/07-tagmem-minutes.html Yves
16:00:36 ok, I'm going to drop off
16:00:52 please let me know if you have any idea of dates for the next meetings
16:00:55 bye!
16:01:13 -John_Kemp
16:02:07 thanks Yves
16:02:55 johnk has left #tagmem
16:31:10 -Vodafone
16:31:12 TAG_f2f()3:00AM has ended
16:31:13 Attendees were +0163567aaaa, ht, timbl, jar, ashok, Yves, dka, Noah, John_Kemp
16:38:55 timbl has joined #tagmem
18:17:00 Zakim has left #tagmem