IRC log of tagmem on 2007-01-09

Timestamps are in UTC.

16:57:17 [RRSAgent]
RRSAgent has joined #tagmem
16:57:17 [RRSAgent]
logging to
16:58:44 [ht]
Meeting: TAG telcon
16:58:50 [ht]
Scribe: Henry S. Thompson
16:58:55 [ht]
ScribeNick: ht
16:59:07 [ht]
Chair: Vincent Quint
16:59:22 [ht]
ht has changed the topic to: Today's agenda:
17:04:55 [Stuart]
Stuart has joined #tagmem
17:05:30 [ht]
Evening sir
17:17:57 [Stuart]
Stuart has left #tagmem
17:59:22 [Vincent]
Vincent has joined #tagmem
18:00:54 [ht]
zakim, please call ht-781
18:00:54 [Zakim]
ok, ht; the call is being made
18:00:55 [Zakim]
TAG_Weekly()12:30PM has now started
18:01:24 [noah]
noah has joined #tagmem
18:01:49 [noah]
zakim, [IBMCambridge] is me
18:01:49 [Zakim]
+noah; got it
18:02:49 [Vincent]
Zakim, P11 is Vincent
18:02:49 [Zakim]
sorry, Vincent, I do not recognize a party named 'P11'
18:03:12 [Vincent]
Zakim, ??P11 is Vincent
18:03:12 [Zakim]
+Vincent; got it
18:04:21 [Vincent]
Zakim, who is here?
18:04:21 [Zakim]
On the phone I see Ht, noah, Ed_Rice, Vincent
18:04:22 [Zakim]
On IRC I see noah, Vincent, RRSAgent, Zakim, ht
18:06:03 [Ed]
Ed has joined #tagmem
18:08:57 [ht]
zakim, who is making noise?
18:09:08 [Zakim]
ht, listening for 10 seconds I heard sound from the following: Ed_Rice (32%)
18:09:09 [ht]
I've pinged DanC, no sign of timbl. . .
18:09:23 [Vincent]
Tim has sent regrets
18:10:10 [ht]
zakim, who is making noise?
18:10:21 [Zakim]
ht, listening for 10 seconds I heard sound from the following: Vincent (100%)
18:10:21 [DanC]
DanC has joined #tagmem
18:10:53 [ht]
zakim, who is making noise?
18:11:04 [Zakim]
ht, listening for 10 seconds I heard sound from the following: Vincent (95%)
18:11:14 [ht]
zakim, mute vincent
18:11:14 [Zakim]
Vincent should now be muted
18:12:36 [Vincent]
Zakim, ??P3 is Vincent
18:12:36 [Zakim]
+Vincent; got it
18:12:52 [Vincent]
Zakim, who is here?
18:12:52 [Zakim]
On the phone I see Ht, noah, Ed_Rice, Vincent, DanC
18:12:53 [Zakim]
On IRC I see DanC, Ed, noah, Vincent, RRSAgent, Zakim, ht
18:13:45 [ht]
Topic: Administrative
18:15:04 [ht]
RESOLUTION: Minutes from last week approved
18:15:42 [ht]
VQ: Next telcon 16 January
18:15:52 [ht]
Regrets from DanC, timbl, Norm
18:16:59 [ht]
VQ: Agenda accepted as published
18:17:22 [ht]
ER: Comments on Noah's document are the most urgent item
18:17:52 [ht]
NM: Agree we shouldn't lose it, but let's delay a bit in hopes DaveO will join
18:18:14 [ht]
VQ: Agree to postpone that item for a while
18:18:41 [ht]
VQ: Stuart, our new chair, cannot make this timeslot
18:19:04 [ht]
... I'd like to have him join asap, even before he takes over as chair
18:19:23 [ht]
... We'll know the new participants by the end of this week
18:19:36 [ht]
... Everyone please send your timing constraints to
18:20:26 [noah]
Noah's pretty sure he sent an email with scheduling guidance.
18:21:03 [ht]
VQ: DaveO to scribe next week, if possible, to be confirmed
18:21:25 [ht]
Topic: Issue utf7Encoding-55
18:21:44 [ht]
VQ: Created and announced this per our discussion last week
18:22:18 [ht]
... Waiting for input -- HST, DanC -- thoughts?
18:22:22 [DanC]
Zakim, mute VQ
18:22:22 [Zakim]
sorry, DanC, I do not know which phone connection belongs to VQ
18:22:25 [DanC]
Zakim, mute Vincent
18:22:25 [Zakim]
Vincent should now be muted
18:22:54 [DanC]
nor do I know about the security issue
18:23:04 [ht]
HST: Don't know anything about UTF7, no clue
18:23:24 [ht]
DanC: Who voted this one on as an issue?
18:23:49 [ht]
ER: Me, for one -- I'll do some fact-finding
18:24:26 [ht]
NM: I'm also pretty ignorant -- it would be very helpful to get an entry-level summary of the issue and what the main positions are, thank you
18:24:54 [Vincent]
Zakim, ??P3 is Vincent
18:24:54 [Zakim]
+Vincent; got it
18:25:39 [ht]
Dave Orchard joins the call at 25 past the hour
18:28:38 [ht]
VQ: Thanks to ER, will wait for his input
18:29:04 [ht]
Topic: Last comments on the proposed submission to the workshop on Web of Services for Enterprise Computing
18:29:14 [noah]
Note that a few minor typos, etc. that I intend to correct are at:
18:29:25 [DanC]
my review, in sum, is "thumbs up"
18:29:31 [ht]
ER: I sent my comments, I think it's a good summary of where we stand
18:29:35 [ht]
... It's a good document
18:29:51 [ht]
DaveO: I like the focus on use cases
18:30:13 [ht]
... Not sufficient mention of two things we've discussed in the past:
18:31:05 [ht]
... 1) The 'technology gap' which discourages option (3), e.g. EPR->URI conversion -- the limited discussion of this doesn't go far enough
18:31:05 [noah]
From the paper: Note that the SOAP Recommendation provides for such use of HTTP GET, though support for it is not widely deployed today.
18:31:52 [ht]
... Just a history of the TAG's interactions, w/o a discussion of the technology/state of play
18:32:09 [ht]
... I'd like to see more there, describing what we wished had happened there
18:32:11 [DanC]
(I would appreciate a bit more rah-rah around "Web description languages (e.g. WADL or the WSDL 1.2 HTTP Binding)" )
18:33:06 [ht]
NM: Wrt EPR->URI mapping, I could mention that, I guess my scepticism about likely success got in the way
18:33:34 [ht]
... I'd rather look towards a 'best practice' of not using Identifying params
18:33:46 [ht]
... DaveO, would that help?
18:33:51 [ht]
DaveO: Yes
18:33:53 [dorchard]
dorchard has joined #tagmem
18:34:23 [ht]
NM: There is the mention of SOAP via HTTP GET
18:34:37 [ht]
DaveO: That's not what I was missing. . .
18:34:49 [ht]
DanC: What _were_ you looking for?
18:35:22 [ht]
NM: I understand DaveO never liked that (SOAP via HTTP GET) approach
18:36:04 [ht]
DaveO: What I was looking for was something along the lines of converting XML requests [?] into headerless SOAP requests
18:36:14 [ht]
[Scribe unsure -- DaveO, please correct]
18:36:19 [DanC]
(if Dave has a 1/2hr or whatever to suggest a few bullets/sentences about gaps and ideas for filling them, I think it's worth Noah's time to try to integrate those.)
18:36:53 [ht]
NM: The lack of detail on the history was because of the guidance I got to try to be positive and forward looking
18:37:06 [ht]
... I can be more forthcoming on the day, if I'm asked to speak
18:37:15 [Vincent]
ack danc
18:37:37 [ht]
DanC: I like the length as it is.
18:37:58 [ht]
... About gaps and how to fill them, it's a bit subtle, but the detail is all there
18:38:21 [ht]
... Emphasizing the solutions more, with help from DaveO, would be good, but not required
18:38:57 [ht]
NM: Two different directions: more technical details (e.g. SOAP MEPs)
18:39:02 [DanC]
(yes, there are only so many gaps you can discuss in 5 pages; the WADL gap is one I'm interested in. I can see room for the EPR mapping, though I'm not as excited about it. I don't see room for much more.)
18:39:18 [ht]
zakim, disconnect ht
18:39:18 [Zakim]
Ht is being disconnected
18:39:30 [ht]
zakim, please call ht_781
18:39:30 [Zakim]
I am sorry, ht; I do not know a number for ht_781
18:39:36 [ht]
zakim, please call ht-781
18:39:36 [Zakim]
ok, ht; the call is being made
18:40:28 [ht]
DaveO: The above pointer is one example of something which wasn't taken forward, which might have helped
18:40:41 [ht]
DanC: What about the printer example?
18:41:55 [DanC]
(yes, noting in passing in the 3rd printer scenario seems worth a sentence or two)
18:42:02 [ht]
DaveO: Well, at least some of the EPR-based SOAP requests could have been handled via GET given that proposal
18:42:45 [DanC]
"Note that over the course of the last [n] years, a number of interesting proposals have been [darn]. including..."
18:42:46 [ht]
NM: So, not to discuss in detail, but frame a reference to this as a way of facilitating the integration suggested in (3)
18:43:15 [ht]
... and some others -- I would be happy to take suggestions -- if others agreed?
18:43:38 [ht]
DanC: three or four things?
18:43:52 [ht]
DaveO: Yes -- the above, Sam Ruby's, ...
18:44:19 [ht]
NM: Happy with mentioning both WADL and WSDL 2.0?
18:44:24 [ht]
DaveO, DanC: Yes
18:45:25 [ht]
NM: I'll integrate pointers when received from DaveO, look for a punchier way to discuss the description stuff, and make it valid XHTML
18:45:49 [DanC]
(I'm more comfortable deciding today than last time, but I don't need a decision)
18:45:57 [ht]
RESOLUTION: NM to submit on behalf of the TAG once that's done
18:47:42 [ht]
s/, Norm/, DaveO (at risk)/
18:48:24 [ht]
s/DaveO to scribe/TV to scribe, or ER if TV cannot/
18:48:44 [ht]
Topic: Issue passwordsInTheClear-52
18:49:00 [ht]
VQ: M-E Zurko sent detailed comments -- ER?
18:49:29 [ht]
Comments are at
18:49:40 [ht]
Draft is at
18:50:13 [ht]
ER: She was happy with most of the Good Practices
18:50:21 [ht]
... some discussion of password masking
18:50:51 [ht]
... Also another bit of feedback contra password masking on handhelds
18:51:17 [ht]
DanC: New phone masks after a second or so
18:51:21 [ht]
HST: ditto
18:51:36 [ht]
NM: So, we say "you must mask, pretty quickly"?
18:52:12 [ht]
ER: Update the discussion to cover the handheld case?
18:52:48 [ht]
NM: Dilute things so that it stays a fully general rule
18:53:08 [ht]
ER: But what's "a mobile device"?
18:53:27 [ht]
NM: That doesn't matter, it's a counter-example
18:53:37 [ht]
q+ to say it's _not_ a counter-example
18:53:50 [Vincent]
ack ht
18:53:50 [Zakim]
ht, you wanted to say it's _not_ a counter-example
18:54:50 [ht]
HST: I think it's broken
18:54:57 [ht]
... and we should say so
18:55:10 [noah]
From Ed Davie's mail:
18:55:11 [ht]
ER: The case in the email is the OCR case
18:55:21 [noah]
"More substantially, PDAs which use handwriting recognition
18:55:21 [noah]
are good examples of devices where password masking is not
18:55:21 [noah]
a good strategy. Handwriting recognition is sufficiently
18:55:21 [noah]
unreliable that the user will want to see the characters
18:55:21 [noah]
entered to make sure they are correct. At the same time,
18:55:22 [noah]
with such devices it is easy to orientate the screen to
18:55:24 [noah]
avoid shoulder surfing."
18:55:49 [ht]
... on my handheld, the characters show after recognition, but are then masked
18:55:58 [ht]
DanC: A delayed mask is a mask
18:56:14 [ht]
ER: The HTML says it's to be masked
18:56:54 [ht]
... without that information, there's no basis for detecting password fields
18:57:11 [ht]
DanC: This note isn't about authoring, it's about UA's. . .
18:57:55 [ht]
ER: I agree there's flexibility in how 'masking' is done, e.g. after a delay
18:57:56 [DanC]
(I prefer the formulation that says: if you mask on the screen, you have to scramble over the wire, actually.)
18:58:59 [ht]
HST: How about saying "Exactly what masking amounts to will vary depending on input medium"
18:59:11 [ht]
DanC: Not clear it's worth the screen space
18:59:53 [ht]
NM: What are the current implications of "type='password'"?
19:00:15 [ht]
ER: Puts you into the space where this finding applies
19:01:14 [ht]
NM, ER: Discussion about javascript submit-hooked scrambling
19:02:53 [ht]
NM: I'm worried that in the presence of javascript onsubmit, the UA _can't_ implement the finding
19:03:13 [ht]
[above is scribe's summary of longer discussion]
19:04:12 [ht]
DanC: The conservative interpretation (type=password + non-secure connection) will warn in that case
19:04:55 [ht]
... because detecting encryption in the Javascript is impossible
19:05:34 [ht]
q+ to ask how we're converging on a change, if any
19:07:41 [Vincent]
ack ht
19:07:41 [Zakim]
ht, you wanted to ask how we're converging on a change, if any
19:07:43 [ht]
NM: We've focussed too narrowly on the UA -- no way this finding covers the case where someone _doesn't_ label a field as type='password', but uses the value as a password
19:08:54 [ht]
HST: Need to focus discussion on what we can say with certainty
19:08:59 [ht]
ER: I think we should drop it
19:09:23 [ht]
DanC: I don't think just because it's hard we should drop it
19:10:13 [ht]
HST: I'm not convinced we can't produce a useful result, by taking NM's idea of including the author in the mix
19:10:27 [Ed]
it's not that it's hard, it's that the TAG cannot make everyone happy in this one and we're not willing to make anyone unhappy to resolve the issue.
19:11:08 [ht]
DanC: I'm inclined to ask Mary-Ellen if she has better wording. . .
19:11:47 [noah]
MEZ says: It's not clear to me actual security and user trust are tightly coupled in general, or in the case of the Web. User trust comes from perception. The best work I've seen on that is from:
19:11:47 [noah]
Andrew S. Patrick, Pamela Briggs, and Stephen Marsh, "Designing Systems That People Will Trust", Security and Usability: Designing Secure Systems that People Can Use, ed. Lorrie Faith Cranor and Simson Garfinkel.
19:12:19 [noah]
She was commenting on: "Security on the World Wide Web is an important issue which needs to be addressed or mistrust of the Web will limit its growth potential."
19:12:59 [noah]
MEZ also says: "There are a bunch of other places passwords can leak, starting with server logs, and going on to any (temporary) files written by either the browser or server. My product experience is that users do not want their passwords in the clear anywhere. Bugs that leave passwords in the clear immediately heighten user mistrust of the system. I'm guessing that the finding is restricting itself to the transmission because there's where the sufficient tec
19:13:12 [ht]
NM: Let's ask MEZ to propose wording
19:13:15 [ht]
DanC: +0
19:13:30 [noah]
I said let's invite MEZ to propose wording on any or all of the points she's raised.
19:14:39 [ht]
HST: I'm happy with both the MEZ situation and the masking, but not the Yahoo example
19:14:56 [ht]
DanC: Please send that to www-tag
19:15:35 [ht]
HST: Will do
19:16:36 [ht]
NM: I am not sure we are describing Yahoo's usage correctly
19:16:47 [ht]
HST: I'll be careful not to assume that
19:17:07 [DanC]
Vincent, Zakim says you've disconnected...
19:17:15 [ht]
ACTION: HST to send email about onsubmit hooking via javascript and its impact on PWintheclear to www-tag
19:17:18 [DanC]
... shall we take that as a motion to adjourn? I think we've done a useful bit of work today.
19:18:06 [ht]
zakim, ? is vincent
19:18:07 [Zakim]
+vincent; got it
19:18:26 [ht]
topic: Issue siteData-36
19:18:56 [DanC]
Subject:, siteData-36, standardizedFieldValues-51
19:18:56 [DanC]
Date: Tue, 21 Nov 2006 08:55:06 -0600
19:19:00 [ht]
VQ: DanC, what was the thing which reminded you of this?
19:19:21 [ht]
DanC: Please withdraw that old action, I am not going to do it
19:19:59 [ht]
DanC: Google, MS and [?] have released a site-map story
19:20:28 [ht]
... Norm said he was interested in discussing this
19:20:32 [ht]
DaveO: Me too
19:21:17 [DanC]
"Yahoo, Google, and Microsoft" --
19:21:49 [ht]
DanC: Is the only problem that they're squatting on http address space, by using a well-known URI (robots.txt, sitemap.xml)?
19:22:01 [ht]
DaveO: I don't know of a better way
19:22:38 [ht]
... This is part of discovery of widgets as part of the light-weight services explosion
19:23:20 [ht]
DanC: Summary: Noted, return to 'someday' pile
19:24:05 [ht]
VQ: I'll drop DanC's old action, the issue will go into 'sleep' mode
19:25:19 [ht]
... Adjourned until next week
19:25:27 [ht]
zakim, bye
19:25:27 [Zakim]
Zakim has left #tagmem
19:25:28 [Zakim]
leaving. As of this point the attendees were Ht, noah, Ed_Rice, Vincent, DanC, DOrchard
19:25:38 [ht]
rrsagent, make logs world-visible
19:25:46 [ht]
rrsagent, please draft minutes
19:25:46 [RRSAgent]
I have made the request to generate ht
19:25:52 [ht]
rrsagent, bye
19:25:52 [RRSAgent]
I see 1 open action item saved in :
19:25:52 [RRSAgent]
ACTION: HST to send email about onsubmit hooking via javascript and its impact on PWintheclear to www-tag [1]
19:25:52 [RRSAgent]
recorded in