IRC log of social on 2017-09-19

Timestamps are in UTC.

16:58:57 [RRSAgent]
RRSAgent has joined #social
16:58:57 [RRSAgent]
logging to http://www.w3.org/2017/09/19-social-irc
16:58:59 [trackbot]
RRSAgent, make logs public
16:58:59 [Zakim]
Zakim has joined #social
16:59:00 [cwebber]
tantek: yeah but we're biweekly
16:59:01 [trackbot]
Meeting: Social Web Working Group Teleconference
16:59:01 [trackbot]
Date: 19 September 2017
16:59:25 [eprodrom]
present+
16:59:34 [Loqi]
ajordan: lol
16:59:34 [eprodrom]
chairnick: eprodrom
17:00:01 [Loqi]
Strugee made 1 edit to [[Socialwg/2017-09-19]] https://www.w3.org/wiki/index.php?diff=104469&oldid=104461
17:00:07 [rhiaro]
present+
17:00:12 [rhiaro]
can scribe
17:00:44 [ajordan]
present+
17:00:53 [aaronpk]
present+
17:00:54 [rhiaro]
though I did leave my typing gloves at the office
17:00:57 [rhiaro]
scribenick: rhiaro
17:01:41 [tantek]
present+
17:03:05 [rhiaro]
TOPIC: last week's minutes
17:03:07 [rhiaro]
https://www.w3.org/wiki/Socialwg/2017-09-05-minutes
17:03:26 [eprodrom]
PROPOSED: Approve https://www.w3.org/wiki/Socialwg/2017-09-05-minutes as minutes for 05 Sep 2017 telcon
17:03:41 [ajordan]
SV_MEETING_CHAIR?
17:03:43 [rhiaro]
<rhiaro> 0 I wasn't here
17:03:48 [cwebber]
+1
17:03:57 [ajordan]
tantek: you chaired right?
17:03:58 [tantek]
+1
17:04:15 [tantek]
yes
17:04:33 [ajordan]
+1
17:04:49 [rhiaro]
eprodrom: do we have people who were actually there? sandro?
17:04:54 [Loqi]
[AJ Jordan] AJ Jordan AJ Jordan at 2017-09-19T17:03:06Z (As seen today on the SocialWG call) @Christopher Allan Webber: I'm here to clack keyboards and ...
17:05:05 [eprodrom]
RESOLVED: Approve https://www.w3.org/wiki/Socialwg/2017-09-05-minutes as minutes for 05 Sep 2017 telcon
17:05:08 [sandro]
present+
17:05:32 [cwebber]
present+
17:05:40 [rhiaro]
TOPIC: October meeting schedule
17:05:58 [rhiaro]
eprodrom: We have a proposal from tantek to continue with our every other week unless we have runover
17:06:21 [rhiaro]
... My concern I think we have a december ??
17:06:47 [rhiaro]
... We are far enough along that it's going to be up to us to mess this up. My feeling is we don't need to do more than two during October. Any objections?
17:06:52 [rhiaro]
sandro: seems good for now
17:06:58 [cwebber]
q+
17:07:13 [rhiaro]
eprodrom: 3rd, 17th and 31st of October
17:07:19 [rhiaro]
sandro: hallowe'en meeting yay
17:07:24 [rhiaro]
eprodrom: when is tpac?
17:07:27 [Loqi]
:D
17:07:30 [rhiaro]
tantek: the week after
17:07:35 [eprodrom]
PROPOSED: hold telcons on 3 Oct, 17 Oct and 31 Oct 2017
17:07:41 [eprodrom]
+1
17:07:48 [rhiaro]
tantek: so far we haven't decided to meet at tpac
17:08:03 [rhiaro]
??: Burlingate
17:08:08 [tantek]
Burlingame
17:08:11 [rhiaro]
... San Francisco
17:08:18 [tantek]
"San Francisco"
17:08:23 [eprodrom]
Burlingame
17:08:23 [rhiaro]
eprodrom: do we still have time to schedule for tpac?
17:08:48 [rhiaro]
tantek: I don't know that we have a reason to
17:08:57 [rhiaro]
cwebber2: I'm going, not specifically for swwg, but I'd love to hang out and talk about that stuff
17:09:05 [rhiaro]
... tantek suggested I set up a cg thing but I didn't
17:09:29 [rhiaro]
... but I'd love to if someone else organised it
17:09:43 [rhiaro]
eprodrom: I feel like if we booked a room and some time we would fill it up with work that we don't necessarily need to do
17:09:59 [rhiaro]
cwebber: a ?? meetup sounds good
17:10:02 [Loqi]
Eprodrom made 1 edit to [[Socialwg/2017-09-05-minutes]] https://www.w3.org/wiki/index.php?diff=104471&oldid=104202
17:10:07 [ajordan]
s/??/BoF/
17:10:13 [eprodrom]
RESOLVED: hold telcons on 3 Oct, 17 Oct and 31 Oct 2017
17:10:15 [eprodrom]
q?
17:10:20 [tantek]
I can't make 10/3 FYI
17:10:32 [eprodrom]
tantek: I think I owe you one
17:10:54 [rhiaro]
cwebber: I'm going to be at rebooting web of trust on Oct 3rd. I can maybe step away to be at the meeting. I also want to set expectations that I might not have that much to say because I'm representing a client all next week in DC and then I'm at rebooting web of trust, so that's going to take up a bunch of my time
17:11:16 [tantek]
10/17 I have conflict W3C #ab meeting
17:11:25 [eprodrom]
People with loud keyboards, please mute
17:11:27 [rhiaro]
?? *typing*
17:11:36 [tantek]
sorry
17:11:39 [tantek]
so I'm -0
17:11:42 [tantek]
oh well
17:12:24 [rhiaro]
tantek: can we consider the alternates?
17:12:27 [rhiaro]
eprodrom: I don't have a problem with that
17:12:31 [tantek]
or 10/10 and 10/24?
17:12:53 [rhiaro]
tantek: next week also if we feel like we didn't have enough time today
17:13:05 [eprodrom]
PROPOSED: hold telcons on 10 Oct, 24 Oct
17:13:17 [tantek]
+1
17:13:20 [eprodrom]
+1
17:13:22 [cwebber]
+1
17:13:24 [rhiaro]
+1
17:13:33 [ajordan]
+1
17:13:34 [eprodrom]
RESOLVED: hold telcons on 10 Oct, 24 Oct
17:13:49 [rhiaro]
eprodrom: and if we get to the end today and we need one on the 26th we can do that
17:14:04 [ajordan]
eprodrom: 26 September you mean?
17:14:11 [rhiaro]
TOPIC: ActivityPub
17:14:58 [rhiaro]
cwebber: Update on the test suite is that I've been working on it, had an unexpected item pushed onto the queue for it. Since Mastodon has taken the lead and a couple of other implementations are using http signatures be mandatory for server-to-server, I had to implement that
17:15:03 [rhiaro]
... in the process I found out the examples had a bug in them..
17:15:12 [rhiaro]
... but got that implemented and checked it is interoperable with another person in the channel
17:15:31 [rhiaro]
... I'm working on trying to get the.. I think the remaining two sections of the tests will be done at the end of october realistically
17:15:38 [rhiaro]
... There is one major issue that came up this week
17:15:41 [rhiaro]
... May be considered normative
17:15:47 [cwebber]
https://github.com/w3c/activitypub/issues/256
17:15:47 [rhiaro]
... Seems like a clear thing to do but I'm not sure if it's normative
17:15:48 [Loqi]
[erincandescent] #256 Content type of server-to-server request bodies unspecified
17:15:50 [rhiaro]
... an omission basically
17:16:06 [rhiaro]
... we didn't specify the mime type in server to server
17:16:27 [rhiaro]
... as far as I know every implementation did this. It was just omitted. Something we should add. Not sure if it is considered normative, technically it's a requirement, but it was a bug in the spec
17:16:36 [eprodrom]
q?
17:16:40 [eprodrom]
ack cwebber
17:16:45 [rhiaro]
... does this sound normative?
17:16:59 [rhiaro]
eprodrom: it does sound like it would be normative
17:17:05 [tantek]
perhaps normative but not substantive unless impls are not compat?
17:17:15 [rhiaro]
... however from a practical standpoint I don't think it would have the same sort of effect as a normative change
17:17:27 [rhiaro]
sandro: is anybody going to have to change any code?
17:17:34 [rhiaro]
cwebber: not as far as I know, I think this is what everybody is doing
17:17:47 [rhiaro]
sandro: this was the implication of the spec all along we just didn't spell it out?
17:17:53 [rhiaro]
cwebber: right, it was in a different section
17:18:09 [rhiaro]
sandro: that's not normative. our spec didn't clearly communicate our belief but we didn't change our belief
17:18:14 [rhiaro]
tantek: this shouldn't be a surprise to anyone
17:18:43 [rhiaro]
... if anyone can raise an objection saying they didn't think this was a requirement we have to reassess
17:19:01 [rhiaro]
sandro: http signatures. Are we talking about a normative change to require them?
17:19:17 [rhiaro]
cwebber: No, in practice some implementations ... we left open the auth method
17:19:48 [rhiaro]
... I have implemented it [in the test suite] because actual implementations will ignore the content that I send
17:19:55 [rhiaro]
sandro: do we have a non-normative reference about this?
17:19:57 [rhiaro]
cwebber: we do
17:20:02 [Loqi]
Eprodrom made 1 edit to [[Socialwg/2017-09-19]] https://www.w3.org/wiki/index.php?diff=104473&oldid=104469
17:20:02 [Loqi]
Eprodrom made 1 edit to [[Socialwg/2017-10-10]] https://www.w3.org/wiki/index.php?diff=104474&oldid=0
17:20:06 [cwebber]
https://www.w3.org/TR/activitypub/#authorization
17:20:41 [rhiaro]
cwebber: this was the result that we came to because it wasn't clear what the future direction was. I'm still not going to say that the world has completely ... basically we left two routes, one was oauth2, one was LD signatures and http signatures
17:20:55 [rhiaro]
... in practice http signatures has become required and the LD signatures has become optional
17:21:04 [rhiaro]
... it's the in-practice what's being used route that we're seeing
17:21:22 [rhiaro]
sandro: what do you mean the LD signatures part is optional?
17:21:46 [rhiaro]
cwebber: it's being used in mastodon for the use case where... say you're doing a share
17:21:59 [rhiaro]
... how does that server know that if it's coming from you, the other person really said that thing
17:22:10 [rhiaro]
... it might not be feasible for them to go back and retrieve the original easily because of complicated access control stuff
17:22:21 [rhiaro]
... you just want to make sure that person really said the thing that was forwarded
17:22:41 [rhiaro]
... in practice mastodon realised that to make this work with AP they need the signatures
17:22:55 [rhiaro]
... they're only being checked in mastodon's usage when someone forwards to their followers cos it was the top post in the chain
17:23:07 [rhiaro]
... no other case is the signature actually checked. It's not required unless you're doing that
17:23:14 [rhiaro]
... maybe not everyone on the call is familiar with this problem
17:23:36 [rhiaro]
... it sometimes results in a problem where the top poster in a comments chain gets comments from other servers and people in the thread miss out on messages
17:23:40 [cwebber]
https://www.w3.org/TR/activitypub/#inbox-delivery
17:23:59 [rhiaro]
... we worked out this forwarding mechanism that makes sure messages get sent to peoples' followers
17:24:21 [rhiaro]
... that use case uses LD signatures
17:24:34 [rhiaro]
... it's comparatively small
17:24:49 [rhiaro]
... I'm not sure if I'll need to implement that in the tests as well
17:25:03 [rhiaro]
sandro: sounds great in terms of interop. Trying to think of how to best help people who come along and read the spec right now
17:25:12 [rhiaro]
... they'll probably be a bit confused about what they're supposed to do
17:25:35 [rhiaro]
cwebber: it sounds like you're saying if it seems like things are converging should we be nudging people?
17:25:47 [rhiaro]
sandro: yeah the two main ways are that we could take the oauth part out and just use the one that seems to be being used
17:26:05 [rhiaro]
... or just have section 8 be a pointer to some document maintained by the CG that can refine this going forward and maybe eventually put it into a separate spec
17:26:25 [tantek]
+1 sandro
17:26:27 [rhiaro]
eprodrom: I would be really surprised if taking out.. I know that mastodon doesn't use the c2s part. I would be surprised to remove that
17:26:41 [rhiaro]
... but for s2s we wouldn't have any oauth stuff, it's gonna be all signatures?
17:26:55 [tantek]
in general we need to be converging the spec on what we know interops so we can increase chances of exiting CR sooner
17:27:11 [eprodrom]
https://tools.ietf.org/html/draft-cavage-http-signatures-07
17:27:12 [rhiaro]
eprodrom: I would love having oauth for c2s and having signatures for s2s and having that be it
17:27:17 [rhiaro]
... HTTP Signatures is a draft?
17:27:22 [rhiaro]
cwebber: ietf draft
17:27:32 [tantek]
I think I agree with eprodrom just proposed
17:27:34 [rhiaro]
eprodrom: that means we can't reference it normatively?
17:27:41 [rhiaro]
sandro: right this whole section is non-normative
17:27:45 [rhiaro]
... we can't require http signatures
17:27:55 [tantek]
q+ there is something very odd with an entire non-normative section that we are depending on for interop of a specific set of features
17:28:02 [rhiaro]
cwebber: I think we should leave the section non-normative and just remove the options
17:28:07 [eprodrom]
q?
17:28:08 [tantek]
q+ to note there is something very odd with an entire non-normative section that we are depending on for interop of a specific set of features
17:28:14 [ajordan]
q+
17:28:26 [rhiaro]
sandro: I don't really like the hack of marking the section as non-normative and still telling you what to do
17:28:40 [sandro]
q?
17:28:45 [eprodrom]
ack tantek
17:28:45 [Zakim]
tantek, you wanted to note there is something very odd with an entire non-normative section that we are depending on for interop of a specific set of features
17:29:12 [eprodrom]
\o/
17:29:15 [rhiaro]
tantek: I'm trying to understand what we're trying to do with this section
17:29:30 [rhiaro]
... It feels like we're trying to express an expectation of a feature and yet we're trying to do it via guidance instead of normative text
17:29:35 [rhiaro]
... doesn't feel right
17:29:38 [rhiaro]
cwebber: we did already do that
17:30:21 [rhiaro]
tantek: the spec advertises a set of features you get if you interop. We're trying to capture features that are essential noted by folks like mastodon. Good we're listening to our implementors. But not good it's in non-normative text
17:30:24 [rhiaro]
... I understand why
17:30:33 [rhiaro]
... The reality is that part of the spec is not the same level of security
17:30:42 [rhiaro]
sandro: the normal solution is to put that in a Note or more mutable text
17:30:49 [rhiaro]
cwebber: I would be fine with that
17:30:56 [tantek]
s/security/maturity
17:30:57 [rhiaro]
... having a document maintained by the CG is fine with me
17:31:28 [rhiaro]
... evan? How do you feel about having pointers to an auth doc written by the CG which is mutable but starts out recommending what's actually in practice?
17:31:34 [rhiaro]
eprodrom: that sounds fantastic
17:31:48 [rhiaro]
... I feel like it would decouple the auth part of the spec from the api part
17:31:59 [rhiaro]
tantek: this is for private content right
17:32:22 [rhiaro]
cwebber: not just. The forwarding use case .. it's most likely to protect private content because that's when you can't necessarily look it up. There are two other cases where you still want it
17:33:05 [rhiaro]
... you could dial back and look at it publicly if it is public. But this means you don't have to do that
17:33:13 [rhiaro]
... you can use signatures as a uniform method
17:33:27 [rhiaro]
<rhiaro> sounds to me like it's not required if everything is public though..
17:33:37 [rhiaro]
tantek: sounds like a path to this ability in the spec is how to handle private content
17:34:11 [rhiaro]
cwebber: verification is important. It's right that it's not required if things are public
17:34:19 [rhiaro]
... you could use another mechanism which is to go look at the content
17:34:36 [rhiaro]
... but it still is important that if you get a post to your inbox that says here's some content, you have to make sure that the content really is from that server, and there are two ways to do it
17:34:40 [rhiaro]
... if it's public you can look at it
17:34:46 [rhiaro]
... or in either case you can use the signature check
17:35:21 [eprodrom]
It would make me cry, that's for sure
17:36:28 [jankusanagi_]
jankusanagi_ has joined #social
17:36:33 [cwebber]
PROPOSED: Remove section 8 on Authentication and Authorization from spec, move to pointing from security considerations to a mutable document maintained by CG which includes current deployment practices (OAuth 2.0 bearer tokens for C2S, HTTP signatures and sometimes Linked Data Signatures for S2S)
17:36:58 [cwebber]
^_^
17:37:04 [tantek]
o_O
17:37:10 [sandro]
+1
17:37:13 [cwebber]
+1
17:37:22 [tantek]
+1
17:37:28 [rhiaro]
<rhiaro> +1
17:37:36 [eprodrom]
+1
17:37:38 [ajordan]
+1
17:37:39 [aaronpk]
+1
17:38:04 [cwebber]
RESOLVED: Remove section 8 on Authentication and Authorization from spec, move to pointing from security considerations to a mutable document maintained by CG which includes current deployment practices (OAuth 2.0 bearer tokens for C2S, HTTP signatures and sometimes Linked Data Signatures for S2S)
17:38:16 [eprodrom]
please mute
17:38:26 [eprodrom]
q?
17:38:29 [eprodrom]
ack ajordan
17:39:10 [ajordan]
question:
17:39:34 [ajordan]
are we specifying what type of document the CG might publish? e.g. Note?
17:39:39 [ajordan]
fine with this either way though
17:39:47 [rhiaro]
eprodrom: good question
17:40:08 [rhiaro]
sandro: cgs can't publish notes. I think they're called reports
17:40:36 [rhiaro]
... if we wanted to solidify it at some point, some w3c member like mozilla could turn it into a member submission and get it formally archived at w3c
17:40:44 [rhiaro]
eprodrom: this seems like the right way to do things
17:40:49 [eprodrom]
q?
17:40:50 [rhiaro]
... anything more on AP?
17:40:57 [rhiaro]
cwebber: in my view we've exhausted it
17:41:02 [rhiaro]
tantek: the new CR got published right?
17:41:05 [rhiaro]
cwebber: oh yeah. Yay!
17:41:06 [Loqi]
😄
17:41:28 [rhiaro]
sandro: I just want to confirm our timeline
17:41:34 [rhiaro]
... particularly I'm worried about the test suite and test results
17:41:37 [rhiaro]
... do we have a results matrix yet?
17:41:52 [rhiaro]
cwebber: I didn't do that yet... implementation reports or actual running test reports?
17:42:00 [rhiaro]
sandro: I mean an easy way to see how many tests are passed by implementations
17:42:11 [rhiaro]
cwebber: we don't have all the test suite done and I haven't been pushing people to use it, so no
17:42:24 [rhiaro]
sandro: we have about a month and a half to get enough test results to prove implementations
17:42:30 [rhiaro]
cwebber: it's gonna be difficult
17:42:35 [rhiaro]
... I guess I have no choice
17:43:12 [rhiaro]
sandro: there may be some alternative. one alternative is we don't necessarily use the test suite to prove interop. There are other ways, that's the usual one. I can imagine in the s2s thing that it might be more demonstrative to show these two systems federate by running them by hand with people watching
17:43:19 [rhiaro]
... that I think would suffice and might be less work
17:43:23 [rhiaro]
... make sense?
17:43:41 [rhiaro]
cwebber: makes sense as an option. Do you think we should hold off on this until midway through next month to say it's an option on the table?
17:43:54 [rhiaro]
sandro: I'm saying don't spend all your time getting a s2s test suite if you're afraid it's not even gonna get done
17:44:02 [rhiaro]
... if you know you can do it that would be great
17:44:20 [rhiaro]
cwebber: if there was an option for me to focus on my implementation and encouraging people to test implementations that are already happening
17:44:33 [rhiaro]
... that's how mastodon dev was mostly done, gargon and puckipedia were testing their implementations until they worked
17:44:40 [rhiaro]
sandro: if there are three implementations that interop that's good
17:44:47 [rhiaro]
... three makes the case
17:44:56 [rhiaro]
tantek: I'm not entirely comfortable with that
17:45:20 [rhiaro]
... if interop is defined by how two implementations happen to work together, there's no guarantee we've captured those details in the normative spec
17:45:41 [rhiaro]
sandro: if you have three and one is written by the editor that.. that's the same guarantee as if the test suite aligns with the spec
17:45:55 [rhiaro]
... if the editor is making an implementation and that interops with two external ones, that's a good case we have interop
17:45:58 [rhiaro]
... and I think s2s testing is really hard
17:46:02 [rhiaro]
tantek: right about that
17:46:12 [rhiaro]
aaronpk: I would have been done with websub and micropub a looottt sooner...
17:46:26 [rhiaro]
tantek: the big concern is because the editor is doing both there are assumptions that are not reflected
17:46:32 [rhiaro]
sandro: that's why you have those two other implementations
17:46:44 [rhiaro]
tantek: at that point the third implementation might as well be the test suite rather than a third implementation
17:46:59 [rhiaro]
sandro: if you want to call it the test suite sure, but it wouldn't be doing the same thing as what a test suite would do because it would be driven by hand
17:47:11 [ajordan]
q+
17:47:13 [rhiaro]
tantek: I don't think that's accurate to call it a validator
17:47:21 [rhiaro]
... we noted it as such as a distinction from a regular implementation
17:47:48 [rhiaro]
sandro: I think the AP s2s test suite / validator, we can think creatively about it
17:48:03 [rhiaro]
... it doesn't have to be a thing you can connect to and run automatically
17:48:09 [rhiaro]
tantek: I think driven by hand is fine. No requirement for automation
17:48:27 [rhiaro]
sandro: the standard I just specified is lower than what I was saying before because it doesn't involve puckipedia and mastodon talking to each other
17:48:57 [rhiaro]
tantek: you're saying we define interoperation by checking that these two interop. We need a textual description of what should happen when you run two implementations against each other. That's a test suite.
17:49:06 [rhiaro]
... You can't avoid documenting the expected result
17:49:08 [rhiaro]
sandro: agreed
17:49:12 [rhiaro]
cwebber: There's some good news
17:49:32 [rhiaro]
... When I initially was working on the test suite, I implemented this prompty thing that asked you questions
17:49:44 [rhiaro]
... and the response was you don't want to give people that many prompts
17:49:57 [rhiaro]
... I can start implementing and see if it can be automated, and if I can't I can have it be a bunch of questions that people can respond to
17:50:01 [rhiaro]
... and accomplish that way faster
17:50:03 [rhiaro]
sandro: sounds good
17:50:12 [rhiaro]
tantek: that's a better approach
17:50:19 [cwebber]
sure did
17:50:58 [rhiaro]
cwebber: knowing that I think we have a safe way forward
17:51:08 [ajordan]
q-
17:51:09 [rhiaro]
... I'll switch to the prompty question direction if automation doesn't work
17:51:15 [ajordan]
q+
17:51:25 [eprodrom]
ack ajordan
17:52:01 [rhiaro]
ajordan: if we're going down the prompty path, which seems fine, after we ship a rec I think it would be nice to go back and make that stuff automated, to make new implementations easier
17:52:15 [rhiaro]
cwebber: the path will still be left open to code in the automated tests
17:52:36 [rhiaro]
TOPIC: WebSub
17:53:25 [rhiaro]
eprodrom: status
17:53:35 [eprodrom]
Someone has background chatter going on
17:53:39 [eprodrom]
rhiaro: jinx
17:53:49 [eprodrom]
Please mute if you're not on
17:53:58 [rhiaro]
aaronpk: we have a couple of issues that popped up since ralph started looking
17:54:02 [aaronpk]
https://github.com/w3c/websub/issues/125
17:54:03 [Loqi]
[sandhawke] #125 Hash Algorithm Selection
17:54:11 [rhiaro]
... the biggest one is the hashing algorithm thing
17:54:24 [ajordan]
OK I gotta go to class but just want to say that I've finally been sending stuff to ben_thatmustbeme
17:54:35 [ajordan]
nothing major, lots of clarifications merged
17:54:35 [rhiaro]
... essentially PuSH had only specified sha1 as the only valid hash algorithm. A while ago we had added other algorithms and sha1 is mostly broken now
17:54:56 [rhiaro]
... but then there was a concern that servers and the hub need a way to negotiate which algorithm to use, which is a rather large new mechanism to add
17:54:57 [ajordan]
bye all! thanks for a good (partial) meeting
17:55:25 [rhiaro]
... the current proposal is to drop all the new algorithms from the spec, going back to the way it was in PuSH and then mention that we may add new algorithms as an extension so we can actually better specify how these algorithms are negotiated
17:55:31 [rhiaro]
... is that fair sandro?
17:55:37 [rhiaro]
sandro: I was not proposing formally dropping the other 3
17:55:43 [rhiaro]
... that struck me as hard to do without restarting CR
17:55:55 [rhiaro]
aaronpk: I guess I was assuming that the... oh you're right the proposed text doesn't drop the other three
17:56:03 [rhiaro]
... that leaves it in the same sort of undefined state
17:56:14 [rhiaro]
sandro: I'm not thrilled with the undefined state but I think that's the most expedient way forward
17:56:42 [rhiaro]
aaronpk: julien's comment is that it's not a big deal to use a weak hash because if you're also using https there are a lot of layers to break before you can take advantage of a weak hash
17:56:50 [rhiaro]
sandro: and also if the callback url is secret that also protects you
17:56:53 [rhiaro]
aaronpk: yeah right
17:57:07 [rhiaro]
... there's a bunch of layers that are useful even if you have no secret, no hash
17:57:17 [rhiaro]
sandro: julien's wrong though
17:57:25 [rhiaro]
... *reads from issue*
17:57:33 [rhiaro]
... the attacker is trying to alter the content
17:57:38 [rhiaro]
... not read it
17:57:51 [rhiaro]
... but as long as it's over https, you could put the secret in cleartext in the packet and it would be fine
17:57:57 [rhiaro]
... you'd still have to break tls to get through that
17:58:26 [rhiaro]
aaronpk: the suggestion is to drop the undefined extension
17:58:30 [rhiaro]
... makes sense to me
17:58:35 [rhiaro]
... and we don't bother with the rest of the issue?
17:58:45 [rhiaro]
sandro: I think so. If somebody wants to go ahead and write out that formal extension
17:58:57 [rhiaro]
... I think the two reasonable options are my proposed text, or we specify the extension now and do another quick cr
17:59:05 [rhiaro]
aaronpk: that seems like a pretty drastic thing to be adding
17:59:11 [rhiaro]
sandro: my guess is nobody has the energy to do that
17:59:14 [rhiaro]
tantek: I lost track
17:59:26 [rhiaro]
sandro: I'm not advocating define the negotiation mechanism now
17:59:31 [rhiaro]
... that would be too much work
17:59:35 [rhiaro]
tantek: which spec change are you advocating?
17:59:42 [rhiaro]
sandro: the one that's described in issue 125
17:59:49 [rhiaro]
... remove one sentence and replace it with those two sentences
17:59:58 [rhiaro]
tantek: and that leaves an opportunity for a later spec to say something?
18:00:00 [rhiaro]
sandro: yeah
18:00:06 [sandro]
In the future, an extension may be specified allowing subscribers to indicate which algorithms they can use for validation. As of this writing, most hubs sign with SHA-1, despite its known cryptographic weakness, in order to be interoperable with older subscribers.
18:00:09 [rhiaro]
aaronpk: it explicitly says we should define the algorithm extension as an extension
18:00:17 [rhiaro]
s/algorithm extension/algorith selection
18:00:20 [JanKusanagi]
JanKusanagi has joined #social
18:00:29 [rhiaro]
tantek: aaronpk can you take that up as a CG item? Create an issue? make sure it continues
18:00:32 [rhiaro]
aaronpk: yeah
18:00:41 [rhiaro]
sandro: put the timeline as around the time TLS is broken..
18:01:28 [sandro]
PROPOSED: Resolve websub #125 by accepting proposal as written
18:01:28 [rhiaro]
aaronpk: resolution on proposed text?
18:01:38 [eprodrom]
+1
18:01:40 [rhiaro]
<rhiaro> +1
18:01:40 [aaronpk]
+1
18:01:43 [sandro]
+1
18:01:47 [cwebber]
+1
18:01:58 [tantek]
+1
18:02:09 [sandro]
RESOLVED: Resolve websub #125 by accepting proposal as written
18:02:45 [rhiaro]
tantek: the text sandro put does touch on a security vulnerability, could you include a list item in security & privacy considerations that calls it out explicitly?
18:02:48 [rhiaro]
aaronpk: good idea
18:02:50 [rhiaro]
sandro: yeah
18:03:30 [rhiaro]
sandro: and I think if the CG puts together an editor's note type thing in github we could probably link to that as an example
18:03:36 [rhiaro]
... when the rec actually goes out
18:03:56 [rhiaro]
... that's a reason to write up a draft for the extension in the next few weeks if somebody feels motivated
18:04:32 [rhiaro]
sandro: 124. We have this content negotiation solution we came up with a while ago. Richard the i18n guy pointed out there's language negotiation too
18:04:37 [rhiaro]
... and he's asking if we forgot or chose not to do it
18:04:40 [rhiaro]
... and could we do something about it
18:05:05 [rhiaro]
... I think the answer is we forgot and should include text saying for either content type negotiation or language negotiation you should be doing the same thing
18:05:08 [rhiaro]
... I think that solves the problem
18:05:26 [rhiaro]
eprodrom: next step?
18:05:31 [rhiaro]
sandro: ben has suggested some text
18:05:38 [rhiaro]
aaronpk: I want to rephrase that slightly but it has the idea
18:05:46 [rhiaro]
sandro: sounds good to me
18:06:29 [rhiaro]
... shall we delegate to aaron to adopt something similar to ben's text and say we'll try to also get richard's approval but I don't think we need to
18:06:57 [sandro]
PROPOSED: Resolved websub #124 with something like https://github.com/w3c/websub/issues/124#issuecomment-330580664 but actual working up to editors
18:06:57 [Loqi]
[dissolve] Suggested text
18:06:57 [Loqi]
For practical purposes, it is important that the rel=self URL only offers a single representation. As the hub has no way of knowing what mime-type or language may have been requested by the subscriber upon discovery, it would not be...
18:07:15 [sandro]
(it's non-normative -- it's explaining what's implied already)
18:07:37 [rhiaro]
s/working/wording
18:07:52 [sandro]
+1
18:07:53 [aaronpk]
+1
18:07:56 [rhiaro]
<rhiaro> +1
18:07:58 [eprodrom]
+1
18:08:22 [rhiaro]
eprodrom: any objections?
18:08:29 [rhiaro]
... anyone still thinking?
18:08:29 [tantek]
+1
18:08:29 [sandro]
RESOLVED: Resolved websub #124 with something like https://github.com/w3c/websub/issues/124#issuecomment-330580664 but actual wording up to editors
18:08:30 [Loqi]
[dissolve] Suggested text
18:08:30 [Loqi]
For practical purposes, it is important that the rel=self URL only offers a single representation. As the hub has no way of knowing what mime-type or language may have been requested by the subscriber upon discovery, it would not be...
18:08:55 [rhiaro]
sandro: can we have another resolution to request PR?
18:09:00 [rhiaro]
tantek: good idea, with the new approvals
18:09:03 [cwebber]
+1
18:09:21 [eprodrom]
PROPOSED: Advance Websub to PR upon completion of issues #124 and #125
18:09:36 [erincandescent]
Hmm, why does #124 not propose the option of multiple hubs? :P
18:09:58 [sandro]
+1
18:10:01 [cwebber]
+1
18:10:01 [Loqi]
Tantekelik made 1 edit to [[Socialwg/2017-09-19]] https://www.w3.org/wiki/index.php?diff=104476&oldid=104473
18:10:04 [rhiaro]
<rhiaro> +1
18:10:10 [eprodrom]
+1
18:10:13 [tantek]
+1
18:10:20 [aaronpk]
+1
18:10:51 [eprodrom]
RESOLVED: Advance Websub to PR upon completion of issues #124 and #125
18:10:56 [rhiaro]
sandro: aaronpk can you do these changes today? it would be nice to get this stuff off
18:10:59 [rhiaro]
aaronpk: yeah
18:11:05 [rhiaro]
tantek: and update the changelog
18:11:10 [rhiaro]
aaronpk: yep
18:11:20 [rhiaro]
eprodrom: that wraps things up for websub?
18:11:45 [rhiaro]
TOPIC: AOB
18:11:53 [rhiaro]
TOPIC: Post type discovery
18:11:55 [rhiaro]
tantek: nothing this week
18:12:04 [rhiaro]
TOPIC: jf2
18:12:31 [rhiaro]
tantek: I think ajordan submitted a bunch of patches and ben merged some of them but we don't have aj or ben
18:12:34 [rhiaro]
TOPIC: SWP
18:12:51 [rhiaro]
rhiaro: Nothing to report
18:13:04 [rhiaro]
TOPIC: SWICG update
18:13:26 [rhiaro]
cwebber: only thing is that we have a new member of the group who is excited about anti abuse stuff
18:13:36 [rhiaro]
... so we should discuss that next week
18:13:59 [rhiaro]
tantek: cwebber can you email Coralie Mercier requesting space and time at tpac for the social cg
18:14:38 [rhiaro]
coralie@w3.org
18:15:04 [rhiaro]
... The CG has enough stuff to discuss
18:15:09 [rhiaro]
... We could also do a break out
18:15:12 [rhiaro]
eprodrom: I think that concludes
18:15:24 [rhiaro]
tantek: next meeting in 3 weeks, 10th October
18:15:43 [eprodrom]
trackbot, end meeting
18:15:43 [trackbot]
Zakim, list attendees
18:15:43 [Zakim]
As of this point the attendees have been eprodrom, rhiaro, ajordan, aaronpk, tantek, sandro, cwebber
18:15:51 [trackbot]
RRSAgent, please draft minutes
18:15:51 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/09/19-social-minutes.html trackbot
18:15:52 [trackbot]
RRSAgent, bye
18:15:52 [RRSAgent]
I see no action items
18:15:52 [eprodrom]
rhiaro++
18:15:52 [Loqi]
rhiaro has 159 karma in this channel (278 overall)