WAF WG F2F Meeting in Brisbane, AU

19 Apr 2007


See also: IRC log


Art, Anne, Cameron, Guido, Lachlan, Marcos, Marc




<artb> Date: 19 April 2007

access control

<scribe> Scribe: Cameron

<scribe> ScribeNick: heycam

AB: section 3, how do the headers and PIs interact?

AvK: the order doesn't matter

AB: one thing that was confusing to me is what parts of the algorithm/subalgorithm, what does it mean to abort the algorithm, etc.

AvK: it just says "runthe following algorithm"

AB: steps one and two below it?

AvK: yes

AB: ok that wasn't clear to me
... in 1.1, when you say "abort this sub algorithm", do that mean go to step 2?

AvK: no, go back to 1
... like a "continue" statement

AB: anyone else find it unclear?

AvK: maybe "go back to step 1 in the overall set of step"
... do you have any comments not editorial?

AB: that's confusing enough not to consider it editorial, imo
... it should be clarified
... in 1.2, you mean go back to 1. as well?

AvK: yes

AB: in 1.3, abort the overall algorithm, it means jump past 2.?

AvK: yeah, it means there's a positive match

AB: sometimes abort means go back 1., sometimes finish the whole thing

AvK: but in 1.3 it says the "overall algorithm"
... by default you deny access
... when there is a cross site request, it will run this algorithm. by default, access is denied. here this algorithm pokes a small hole in that.

AB: wrt this red block ["the request URL must be the ..."], how can we satisfy this issue? gut feeling?

AvK: no...
... i have a feeling that the second paragraph indicates what should be done
... but i'm not entirely sure

AB: is that the only clearly identified issue?

AvK: yes, the others are editorial, and not marked
... in theory the PI processing is an issue

AB: when i go back to the mailing list, you sent an email ("Syntax of an access-item")

<artb> AB: what about the open questions in http://lists.w3.org/Archives/Public/public-appformats/2007Mar/0035.html

AB: someone responded, maybe we can spend some time gathering input
... unless someone comes up with a compelling use case, i would go with the more simple

AvK: currently scheme is requred, port is optional (if omitted, determined by the scheme)
... new proposal is to have scheme and port optional, when omitted, they default to every port or scheme

GG: have you considered having restrictions on path?
... e.g. geocities, where many independent sites are under the same domain

AvK: we cannot impose restrictions, we just lift restrictions, and path urls are already a problem
... you can already load an iframe from other geocities sites

GG: you can't make additional restrictions, you can only ease restrictions?

AvK: yes, otherwise if the UA implements it, it would be less useful

GG: the other question: domain pattern or subdomain, they can't be ip addresses?

AvK: yes

GG: because of the definition of domain/subdomain productions in the rfcs?

AvK: domain is defined by us, subdomain by the rfc1034.
... at some point we could allow ip addresses if someone has a good use case

GG: i'm not pushing for it, but you have a use case for it in the widget spec already

AvK: not sure if that's a good use case
... for the moment they're disallowed, unless lots of people request them
... keep it simple

AB: the changes you propose here, they've not been reflected in cvs?

AvK: no

CM: what did thomas say?

AvK: nothing
... that was the only issue.
... i don't like the whole back story bit in the spec
... or the security considerations section

AB: technically wrong? or just style?

AvK: i should have a closer look at it, to see what's missing
... i think the intro needs more examples, a scenario or something
... has some background on why it's needed, but not how it works
... the technical part [of the spec] is sound, imo

AB: so what's the plan? what to do before publishing?

AvK: let's see what's currently published
... something was published in feb, with an incorrect algorithm
... ask for a new publication with the better algorithm, and some new examples?

AB: my recommendation is to just reflect the changes you proposed (in the latest email) in the document
... and then request publication

AvK: ok

<marcsil> * Yes, I'd be happy to chat about Read Access

<artb> do you want us to call you or do you want to call us (here in Brisbane)?

<marcsil> I can call there or into the bridge?

<artb> OK, Marc, Marcos is looking into the instructions ...

<marcos> marc, one sec....

<marcos> marc, the number is +61 7 301 153 57

<marcos> 61 is the country code

<marcos> Marc, if it fails, then we will call you... it's no problem.

<artb> Marc's original e-mail re Access Control: http://lists.w3.org/Archives/Public/public-appformats/2007Mar/0011.html

AvK: marc have you followed the mailing list? i made several proposals there and replied to your mail.
... i was hoping for replies on those

MS: i will definitely do that. i haven't been following all of the mailing lists.
... i will commit to responding

<anne5> http://lists.w3.org/Archives/Public/public-appformats/2007Mar/0013.html

AvK: that one is a reply to the series of comments you sent

<anne5> http://lists.w3.org/Archives/Public/public-appformats/2007Mar/0035.html

AvK: that one is a proposal

MS: i took a quick read, and most of it looks pretty good
... i'll formally reply back, and see if there's any specific comments i have

AvK: the second link, at the end, there is my proposal for a new simpler pattern, where the scheme/port can be omitted
... probably addresses what you guys wanted. the scheme can't be a wildcard, but you omit it to do that.

MS: that makes sense

AvK: same for port. port no longer defaults to the scheme being used.

CM: could default the port if the scheme is specified

AvK: current plan to implement that syntax in the spec, then publish the spec as another WD
... do you have any estimates on when you can get replies yet?

MS: by early next week

AvK: anything else?

MS: none from this side

<anne5> http://dev.w3.org/cvsweb/~checkout~/2006/waf/access-control/Overview.html?content-type=text/html;%20charset=utf-8

AvK: that's a pointer to the latest draft

MS: have you guys discusssed charter yet?

AB: that's our next item. we cut the dfaui discussion down to 1 hour yesterday, so we completed the widgets discussion yesterday
... all we have left is charter and misc stuff
... included in that is future f2f meeting, telcons
... i'll be making a presentation at www2007 about WAF WG
... i want to gather input from you guys for key points for that presentation


<artb> Charter: http://www.w3.org/2006/appformats/admin/charter

AB: one of the interesting things about the charater, which came up in the context of DFAUI discussions, in the end the director ended up approving it in nov 2005
... and the date that he approved it, the WG had already missed some of the milestones
... it was discussed for several months before being approved, because webapi and waf were in a single charter
... during the comment period, the w3c decided to split it into two WGs
... the charter as it exists today, has only dfaui and xbl2 in it

<anne5> (I just got an e-mail saying that someone will update the differences between sXBL and XBL2 document.)

AB: unfortunately coach didn't join us until after we were done with dfaui yesterday
... the feeling in this room was that the dfaui work is, in practical terms, just two companies pushing it forward
... originally some other members were interested in it, but for whatever reasons dropped out of that
... nexaweb/telefonica haven't been very active either
... i think there's this recognition that the reqs and use cases that they're trying to address, will be satisfied by the new version of html that w3c's working on
... the new version of html isn't just about documents, it's about web applications as well
... if you expand html5 into a relatively short description, you come up with a declarative format for UIs
... in general, the UCs and reqs are going to be satified by that piece of work
... jose acknowledged that dfaui work hasn't moved as quickly as they'd hoped
... he was receptive to the proposal that i made (not a strong proposal, but an alternative way of handling their work) that it move to an incubator group in w3c
... we left the discussion yesterday with an action for me to talk to chris lilley about the lack of progress, and what we might do about it
... it's interesting looking at the charter, the description of dfaui there are 3 or 4 companies identified as having languages that can bootstrap the dfaui work
... i talked to all of those companies, and none of them are interested in bringing their work into w3c
... i think it's clear that none of the major players are going to contribute their work
... it's pretty futile to continue the work within this WG
... we need to recharter, because it doesn't include some of the work we do have in progress, such as widgets and access control
... i'd like to use the rechartering as an opportunity to remove dfaui

MS: i had a conversation with chris wilson about that today, i brough up the whole conversation of dfaui
... form controls are going to be part of the html charter, there are certain ui layout elements (e.g. splitter control) that aren't covered by the charter
... my concern is that if we don't take on that work, we won't have those components
... i'm wondering if all of the ui layout elements will be covered by html wg, or if there will be some that won't be covered at all

GG: i'm thinking aloud: this work could do a couple more high level controls, would they then be inserted into html5?

AVK quotes from the html charter including the phrase "and other controls", which he asserts covers all of these things

MS: i'm not suggesting we have to do something, i think we should be clear and talk with the html folks to make sure we're not dropping anything on the floor here
... might mean having to define what controls we wanted to cover

AB: if the work was going to continue within w3c, the dfaui stuff, the interesting exercise is mapping the reqs to the existing specs, or work in progress, so we can understand what the real gaps are
... and where we are able to identify some specification gaps, for UI components, i think it makes sense for the w3c to consider writing specs for those
... and that kind of gap analysis could still be done with the WAF wg, or an incubator group, if it was pushed there
... that kind of gap analysis is something that dfaui "antagonists" have been trying to persuade coach and jose to do for over a year, and they keep ignoring that and saying no, we need a whole new language

MC: the other issue for me is that there are only 2 companies working on dfaui, and that means there are only 2 people working on it, and realistically it's beyond the scope of 2 people to define this
... the html wg has 300 group already, and what wg has 700 members, it takes a lot of people to create this thing

<anne5> Specifically: http://www.w3.org/2007/03/HTML-WG-charter.html#deliverables says "Forms and common UI widgets such as progress bars, datagrids, menus, and other controls." among lots of other things

MC: i imagine xaml wasn't just made by 2 people, you'd have had a large team
... if more people committed to dfaui, at this point it's just 2 people
... even if it is a fantastic idea, the work can't really move forward with just 2 people

AB: as chair, i'm a bit frustrated, i have to report to htcg, and the status on dfaui has been the same for 12 months now

MC: i understand that frustration, it's right that 2 people can't define the whole thing
... maybe part of the success metrics for this group, we just need to do some brainstorming around this
... such as, here's what we've come up with by the end of the day

[last 3 MCs should be MSs]

MC: we could spend a bit of time saying how the current UCs and Reqs are covered by html5 and web forms 2
... i dunno how much time would spend on this
... unless you guys want to put in some input into this
... how relevant is this work to you?

MS: i don't think i can take an action on it just yet, maybe we want to have a conversation with chris wilson and the html folks around what they're going to do

AB: ok. so i di have the proposal that the work have its visibility raised. if you think it's an important exercise to have the UCs and Reqs, that's the type of brainstorming stuff that the incubator activity was designed for

AvK: i'd be fine doing application controls in this group, but i'm not sure what controls aren't covered by the html charter
... or what problems aren't addressed by the whatwg html5 proposal or the html wg charter
... be good to have some use cases that aren't covered by those documents
... if there are good use cases, we could adopt it and go in that direction
... Microsoft wants this group to do extensions to html, not a whole new language, yes?

AB: when you say "this group", you mean WAF?

AvK: yes

MS: i think the short answer is yes, we don't need a whole new language
... we joined WAF to define what a web application is, i like the idea of finding out what the html5 specs are going to cover there
... maybe the gap analysis could be done in an incubator, or within our group, to see what's missing

AB: the good thing about moving the work into an incubtor group would be the increased visibility
... they could select their own chair and move the work forward

AvK: coach and jose want to do different things from what microsoft and opera want to do
... marc's been saying what we've been saying since the inception of the group, ...

AB: and nokia as well
... there's a bit of a risk that to form an incubator group, you need three members
... they might be able to find a third, but dunno

MS: i wonder if there would be interest in trying to focus in on what's missing? the gap analysis

AvK: certainly

MS: focus on what's critical to build a webapp

MC: we've been asking for that for a whole year from those guys

AB: we agree with you, as chair every time we have a meeting i say the same thing to them

GG: the gaps may actually lead to additional css, not necessarily just markup, it may even be more likely that we find some css stuff that we would like to have that would be useful for application UIs

AB: the gap analysis could result in conclusions to write new specs, or requirements for existing specs

MS: i think that's all fine

AB: let's come back to the charter.
... presumably we'd leave xbl2 as an explicit deliverable, we'd add read access and widgets work?

AvK: xbl primer

AB: yes

AvK: maybe some note on xbl schemas?
... non-normative note

LH: why do you want to produce a schema?

AvK: helps in editors, e.g. in Oxygen, you get auto completion
... people have said it'd be useful, and i've created one already!
... it's not completely done yet...

AB: maybe what i'm hearing then is that we need to have more discussion about dfaui, and that the deliverable here should be not a spec, but the gap analysis

MC: who's going to do it?

AB: assuming we could get those two to agree that that'd be the deliverable

MC: you can assume the whatwg has already done it, they developed web forms for a reason

AB: you believe the gap analysis will result in a null set?

MC: yes, i'd be surprised if it didn't

CM: layouts/containers is something that isn't addressed

MC: the xul layout stuff..
... that poses a problem for html itself, for layout in html
... but sure if people want to do the analysis, there's no harm in it
... i'm ok for it to move to an incubator

CM: if people are willing to do it here, it could stay

AB: the charter today, there's a difference between gap analysis and the dfaui spec
... the only other comment about deliverables is the "Other items as required" item
... as an AC rep, i don't really like these catch-alls
... i'm sure this'd never get through the AC again as is

MC: i think we've got enough work to keep us going for a while

AvK: i'd have to see the rest of the proposal first, but i guess we can take it out
... other items might be nice, but it should be more scoped to be related to the other items we're doing
... it's nice to have something like that open

AB: any thoughts or ideas on any new work we might want to take on?

AvK: apart from what marc suggested, no

AB: ok
... skipping to the next section, confidentiality

MS: for widgets, i missed the conversation on scope. as part of the charter, it looked like we were looking to widgets being within mobile space. did i misread that?

GG: i think we're definitely looking at widgets across different environments, desktops and mobiles
... we should definitely address the whole space, not just mobiles
... with a goal that at least, a basic set of widgets works across these environments

MS: that's what i was hoping for

AvK: we actually discussed a mechanism to have different content for mobile widgets than desktop widgets, some negotiation going on

GG: you have a negotiation already there, in the resource file

AvK: it's not in the spec yet though

MS: that makes sense

AvK: definitely a goal to make them as device independent as possible

MS: i'd like to see it addresses browser type extensions, too, not just markup/script, but even binary ones

AB: i think that some people jumped to the conclusion that nokia is looking at it purely from a mobile perspective, but that's not the case at all
... e.g. some people in the mobile web initiative
... i'll come up with some text to mention widgets in the new charter
... we really need a team contact to help us through these process issues
... it'll take longer than it should, but that's just the way it goes
... deps/collaboration section, might need to be updated, but no specific comments on it
... the confidentiality is something i want to touch on
... we're already outside the model "prescribed" here, that we have an agreement to have discsusions on the public list, and the new charter should reflect that
... hoping the WG members would support that change
... i would recommend that we continue to have a member only list
... e.g. for admin, f2f organisation, etc.

AvK: we should be as open as the html wg

GG: what are the drawbacks of being public?

AvK: more mail
... not sure about any other drawbacks
... maybe that it's harder to make "confidential" remarks to other people

AB: this level of transparency, member-only vs all-public, is an issue that the AC is going to discuss in calgary
... the position from nokia is that open is better
... some of my dealings with collegaues and collaborators, it's problematic not having public uris for these discussions

MC: my only concern is that if we have 50 invited experts, doing meetings is going to become very difficult
... might still work ok, that's my only concern
... does everyone have equal weight?

AvK: of course..

MC: they might, it'd need to be discussed

CM: i'm happy with public

LH: me too

MS: looks good

AB: my next step will be to talk to chris, figure out how to go about doing this

AvK: did you already shut down the access control taskforce?

AB: no

<anne5> (and that tellme is part of microsoft iirc)

AB: since BP no longer works for tellme, i'm going to propose that we close the taskforce

<anne5> (now)

AB: find out with chris if there are any process gotchas
... objections?

<scribe> ACTION: art to close the access control taskforce [recorded in http://www.w3.org/2007/04/19-waf-minutes.html#action01]

<trackbot> Created ACTION-88 - Close the access control taskforce [on Arthur Barstow - due 2007-04-26].

AB: three additional topics
... f2f meetings, we'll have an opportunity to meet during the tech plenary

<artb> http://www.w3.org/2002/09/TPOverview.html

AB: meeting will be 5-10 november
... we can participate if we want to, i would recommend that we meet that week, even if it's only for 2 days max
... the question is do we want to try to have a f2f meeting between now and november? July?
... in anticipation that people would be agreeable to such a meeting, mikko from HUT agreed to host it the week of july 23
... do we want to take advantage of that?

CM: seems that the f2fs are useful for spurring work, but i can't attend then

GG: yes, progress is being made during meetings, and just before the meeting too
... i'm in favour of it, i can help mikko with the arrangements

AB: we've had 3 meetings already in the US, one is aus, only one in europe, so i think we should have a europe host

GG: daylight until 11 or midnight there too, for extra working :)

AvK: i concur [on the meeting]

MC: as for my attendance, probably can't, but we'll see

MS: i think it makes sense, dunno if i can make it yet though

AB: ok, we'll proceed with that plan

voice confs

AB: frequency, and time of day
... charter says weekly telcons
... we're now in our second timezone change

CM: i guess i'd be happy with dropping to every two weeks, since telcons lately haven't been too productive

GG: i haven't been attending many lately, so don't take my input into account :)

MC: i'd say have no telcons unless there's an agenda

AvK: i agree

MC: i prefer them to catch up on rumours and so on

CM: maybe fewer telcons would mean less work getting done

AB: i'd have to be more proactive in getting status information, and prodding people

AVK: telcons so far haven't really helped with people slacking off

MS: i'm fine with having them as we need to

AB: we'll start dropping them back to every other week, see how that goes
... i'll be more dilligent in logging in to irc between meetings, see if we can have more community going to help work get done


AB: i'll find my 2006 presentation

AB displays his presentation he gave about WAF to www2006

AB: interesting to compare it with where we are today
... input from you guys on any key messages to deliver?
... looking at xbl2 from last year, we didn't know if mozilla was going to come on board, but that was a big new piece of news
... and it's in CR now
... access control last year was just the PI, and anne has added significant new functionality to that document
... what i said about dfaui 12 months ago was "2 members submitted a proposal, just taking a look at it", and that's still the same now, unfortunately

GG: perhaps until banff we agree to shelve that work, and give reasoning on that in the presentation

AvK: maybe you could also mention that we agreed to look at the gap analysis

AB: i think the idea that we were going to do something related to widgets was only a week old by the time of the www2006 presentation
... the last thing i mentioned last year was about web forms, the only thing to say about that this year would be that that work i s being moved into the html wg
... i think we've come to the end of the topics we had
... summary of key actions over the next few months
... marcos to prepare widget reqs doc for publication by end of april

MC: i'm away next week but i'll give it a go

AB: how about April/May

MC: ok

AB: for widget spec, GG agreed to work with one of his colleagues to modify the widget signing proposal and submit that

GG: should have something on the list by the end of the coming week
... only thing is that then i'll be on holiday for a while
... outsiders can't post to the list, right?

AB: if we move the discussion to the public, he can join the public list and discuss it there

GG: we'll sort it out

AvK: or just send to www-archive

AB: anne agreed to write a processing model for the widgets spec
... timeframe?

AvK: i want to the metadata format in the coming two weeks
... don't know about the entire UA processing model

AB: cameron you'd do some work on the xbl2 test case structure?

CM: i might just write a few test cases and check them in, so people can give some ideas on it

AB: dfaui, i'll talk to chris about it
... access control, ready in a week or two for a new publication?

AvK: yeah, depending if there's much impact from the new comments
... hopefully publication by the end of april?

AB: for FPWD we need an official decision, but for subsequent we can just send mail to the public list asking for opinions

AvK: even for XHR, i posted to the public webapi list asking if there are any objections to publishing LC WD

AB: i don't think we're the only group to get work done mainly around f2f meetings
... aob?
... thanks for joining marc

MS: enjoy your stay!

MC: team contact?

AB: i haven't got a reply from chris

<marcos> MC: I want Dino back!

<artb> +1

Summary of Action Items

[NEW] ACTION: art to close the access control taskforce [recorded in http://www.w3.org/2007/04/19-waf-minutes.html#action01]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.128 (CVS log)
$Date: 2007/04/19 02:24:55 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.128  of Date: 2007/02/23 21:38:13  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/sub //
Succeeded: s/ in an iframe//
Succeeded: s/example/examples/
Succeeded: s/AVK:/AvK:/G
Succeeded: s/e-mail/e-mail saying/
Succeeded: s/duno/dunno/
Succeeded: s/not //
Succeeded: s/confidential/"confidential"/
Succeeded: s/chirs/chris/
Succeeded: s/;/:/
Found Scribe: Cameron
Found ScribeNick: heycam
Present: Art Anne Cameron Guido Lachlan Marcos Marc
Agenda: http://lists.w3.org/Archives/Member/member-appformats/2007Apr/0002.html
Found Date: 19 Apr 2007
Guessing minutes URL: http://www.w3.org/2007/04/19-waf-minutes.html
People with action items: art

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.

[End of scribe.perl diagnostic output]