00:02:46 <noah> noah has joined #tagmem
00:14:35 <marcosc> marcosc has joined #tagmem
00:53:08 <dka> dka has joined #tagmem
01:20:45 <annevk> annevk has joined #tagmem
01:57:27 <dka> dka has joined #tagmem
02:00:24 <annevk_> annevk_ has joined #tagmem
02:33:39 <marcosc> marcosc has joined #tagmem
03:00:21 <marcosc> marcosc has joined #tagmem
03:00:56 <marcosc_> marcosc_ has joined #tagmem
03:27:35 <marcosc> marcosc has joined #tagmem
03:27:53 <noah> noah has joined #tagmem
03:43:46 <annevk> annevk has joined #tagmem
04:52:43 <marcosc_> marcosc_ has joined #tagmem
05:19:32 <marcosc> marcosc has joined #tagmem
07:35:33 <darobin> darobin has joined #tagmem
07:58:46 <marcosc> marcosc has joined #tagmem
08:17:22 <Zakim> Zakim has left #tagmem
10:26:18 <dka> dka has joined #tagmem
10:34:46 <JeniT> JeniT has joined #tagmem
11:28:22 <dka> dka has joined #tagmem
11:44:11 <dka> dka has joined #tagmem
12:35:18 <JeniT> JeniT has joined #tagmem
12:36:53 <dka> dka has joined #tagmem
12:51:49 <dka> trackbot, this will be tag
12:51:49 <trackbot> Sorry, dka, I don't understand 'trackbot, this will be tag'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.
12:51:54 <dka> rrsagent, this will be tag
12:51:54 <RRSAgent> I'm logging. I don't understand 'this will be tag', dka.  Try /msg RRSAgent help
12:51:56 <dka> ;alkyd;alksd
12:52:06 <dka> trackbot, start meeting
12:52:08 <trackbot> RRSAgent, make logs public
12:52:08 <Zakim> Zakim has joined #tagmem
12:52:10 <trackbot> Zakim, this will be TAG
12:52:10 <Zakim> "TAG" matches TAG_f2f()8:30AM, and TAG_(AWWSW)9:00AM, trackbot
12:52:11 <trackbot> Meeting: Technical Architecture Group Teleconference
12:52:11 <trackbot> Date: 01 October 2013
12:52:25 <dka> darobin can you join us this morning?
12:56:08 <twirl> twirl has joined #tagmem
12:56:54 <darobin> ohai
12:57:12 <darobin> dka: I can join in ~10min, for about 30-45min
12:57:53 <darobin> after that I'm off to tell the lovely people of Lyon how much they'd enjoy making standards
12:59:19 <wycats_> I'm on my way, fyi
12:59:25 <wycats_> Is Alex already there?
12:59:43 <Yves> not yet
12:59:52 <Yves> bor anne
12:59:54 <wycats_> OK I am at his hotel waiting for him
12:59:57 <Yves> s/bor/nor/
13:00:00 <dka> Ok - we really need to start shortly due to Philippe's schedule.
13:00:18 <wycats_> Anne's here
13:00:42 <dka> Suggest you come over - maybe you can ring up to Alex's room?
13:00:59 <wycats_> I texted him
13:03:40 <dka> ok we have Philippe until 10:30 so we can wait a few minutes
13:04:00 <dka> zakim, what is the code?
13:04:00 <Zakim> sorry, dka, I don't know what conference this is
13:04:05 <dka> zakim, this is tah
13:04:05 <Zakim> dka, I see TAG_f2f()8:30AM in the schedule but not yet started.  Perhaps you mean "this will be tah".
13:04:10 <dka> zakim, this will be tag
13:04:10 <Zakim> "tag" matches TAG_f2f()8:30AM, TAG_(AWWSW)9:00AM, and XML_(TAG TF)10:00AM, dka
13:04:22 <dka> zakim, start teleconference
13:04:22 <Zakim> I don't understand 'start teleconference', dka
13:04:34 <dka> Robin we are on 0824
13:05:05 <plinss> zakim, who is on the phone?
13:05:05 <Zakim>  has not yet started, plinss
13:05:06 <Zakim> On IRC I see twirl, Zakim, dka, JeniT, marcosc, darobin, dglazkov, projector, RRSAgent, Yves, plinss, slightlyoff, wycats_, bkardell, trackbot
13:05:08 <plh> plh has joined #tagmem
13:05:15 <plh> zakim, list conferences
13:05:15 <Zakim> I see SW_DPUB-IG()11:00AM, Team_(MEET)8:00AM, TAG_f2f()8:30AM active
13:05:16 <Zakim> also scheduled at this time are MM_MMI(Discovery)9:00AM, Team_(RevCadence)9:00AM, SW_SWSTR()9:00AM, TAG_(AWWSW)9:00AM, IA_Team()9:00AM, UW_WebTVIG()9:00AM
13:05:20 <plh> zakim, this is f2f
13:05:20 <Zakim> ok, plh; that matches TAG_f2f()8:30AM
13:05:36 <plh> zakim, aaaa is F2F_Room
13:05:36 <Zakim> +F2F_Room; got it
13:06:03 <plh> zakim, F2F_Room holds Dan, Peter, Tim, Serguey, Yves, Henry, plh
13:06:03 <Zakim> +Dan, Peter, Tim, Serguey, Yves, Henry, plh; got it
13:07:09 <plh> rrsagent, generate minutes
13:07:09 <RRSAgent> I have made the request to generate http://www.w3.org/2013/10/01-tagmem-minutes.html plh
13:07:53 <plh> Chair: Dan, Peter
13:08:24 <plh> zakim, F2F_Room also holds Anne, Yehuda
13:08:24 <Zakim> +Anne, Yehuda; got it
13:08:28 <annevk> annevk has joined #tagmem
13:09:16 <plh> zakim, passcode?
13:09:16 <Zakim> the conference code is 0824 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), plh
13:09:24 <Zakim> +[IPcaller]
13:09:33 <darobin> Zakim, [ is me
13:09:33 <Zakim> +darobin; got it
13:10:30 <Zakim> -F2F_Room
13:11:19 <Zakim> +F2F_Room
13:11:49 <Zakim> -darobin
13:11:59 <Zakim> +[IPcaller]
13:12:25 <plh> zakim, F2F_Room holds Dan, Peter, Tim, Serguey, Yves, Henry, plh, Anne, Yehuda
13:12:25 <Zakim> +Dan, Peter, Tim, Serguey, Yves, Henry, plh, Anne, Yehuda; got it
13:12:39 <Zakim> -darobin
13:12:44 <Zakim> -F2F_Room
13:12:45 <Zakim> TAG_f2f()8:30AM has ended
13:12:45 <Zakim> Attendees were +1.617.715.aaaa, Dan, Peter, Tim, Serguey, Yves, Henry, plh, Anne, Yehuda, [IPcaller], darobin
13:15:04 <plh> zakim, F2F_Room also holds Noah
13:15:04 <Zakim> sorry, plh, I do not recognize a party named 'F2F_Room'
13:15:52 <plh> Present: Dan, Peter, Tim, Serguey, Yves, Henry, plh, Anne, Yehuda, Noah, Robin
13:16:15 <noah> noah has joined #tagmem
13:17:52 <noah> noah has joined #tagmem
13:18:02 <noah> scribenick: noah
13:18:12 <darobin> [Polyglot has an update about to be published: http://dev.w3.org/html5/html-xhtml-author-guide/]
13:18:13 <noah> topic: HTML5
13:18:35 <noah> We have Philippe le Hegaret visiting in person and Robin Berjon on the phone
13:18:50 <JeniT> JeniT has joined #tagmem
13:18:54 <noah> HT: Proposed topics RDFa, polyglot, authoring spec, mediat type
13:18:57 <darobin> [RDFa isn't us, but Microdata is more or less in a bad state it would seem]
13:19:13 <noah> TBL: Is it appropriate to talk about proposed solution to the Web IDL problem
13:19:21 <noah> AVK: DRM?
13:19:48 <noah> HT: EME = Encrypted Media Extensions are actually going into the browsers
13:20:06 <darobin> [the TAG brainstormed about DRM last time (or the time before?), did anything come of that?]
13:20:37 <noah> PLH: EME is in HTML WG pushed by Web & TV interest group. 1.5 years work in HT L wg subgroup.
13:20:46 <noah> s/HT L/HTML/
13:21:08 <noah> PLH: Microsoft, Netflix and XXX are active and contributed editors to the specification
13:21:16 <plh> s/XXX/Google/
13:21:23 <noah> PLH: Use case is ability to play back protected premium content
13:21:27 <noah> s/XXX/Google/
13:22:05 <noah> PLH: Want you to be able to interact with platform's Content Distribution Management system (CDM), which provides whatever actual DRM, possibly HW or SW
13:22:31 <noah> PLH: You can also use the API for less constrainted systems, but in practice browser vendors are implementing to use underlying platform
13:22:50 <noah> PLH: Mozilla is said to be working on this but their detailed plans aren't clear to me. Henri Sivonen is involved from Mozilla
13:23:00 <noah> HT: Google means Webkit?
13:23:05 <noah> Several: No, blink
13:23:55 <noah> PLH: (scribed missed some details about MPEG Dash?)
13:24:06 <noah> HT: Is the CDM target exclusively Windows?
13:24:14 <noah> PLH: No, Apple as well
13:24:19 <noah> HT: Linux?
13:24:42 <noah> PLH: Well, if you want some content on Linux, there are providers who require DRM.
13:25:26 <noah> YK: Jeff's opinion last time, with which I disagree, is that it could run on Linux should the community wish to do it. I (Yehuda) think most agree that the necessary support won't be on Linux in practice.
13:25:49 <noah> DA: Why can't others write it for Linux
13:25:56 <noah> YK: You won't get certs
13:26:03 <noah> TBL: Too many assumptions here
13:26:20 <noah> YK: OK, I retract, but I'm betting Netflix won't publish to Linux without DRM
13:26:45 <noah> TBL: Why?
13:27:44 <noah> TBL: There are lots of possible architectures. The problem with building it this way is that it depends on support from machine manufacturer. You could imagine, for example, built into the LCD that does the decryption. You could image a band publishing music, some free some priced.
13:28:21 <noah> TBL: You could imagine a deployed infrastructure for deploying the keys. For the musician, likely preferable to having control of keys so centralized. Moving to a more open market is desirable.
13:28:44 <plh> q+
13:28:55 <noah> YK: I'm not saying we will necessarily not have DRM on Linux, I'm skeptical that companies with content like Netflix will publish to it.
13:29:47 <darobin> q+ to talk about potential reform action
13:29:59 <noah> TBL: False assumption that there is only one CPU. Phones have many e.g. I have root access on my Mac and can install open source on it. It's not easy for me to copy something downloaded using iTunes. I know/suspect the machine also has subsystems to which I don't have access.
13:30:45 <darobin> ack plh
13:31:04 <timbl> timbl has joined #tagmem
13:31:24 <dka> q?
13:31:41 <dka> ack da
13:31:41 <Zakim> darobin, you wanted to talk about potential reform action
13:31:46 <noah> PLH: Today, to watch Hulu or Netflix you need a Flash plugin. If EME works right, then no need for plugin. Now there's a burden on browsers to work with the platform, and this is especially problematic for open source systems.
13:31:49 <timbl> logger, pointer
13:31:56 <timbl> logger, pointer?
13:32:09 <timbl> RRSAgent, pointer?
13:32:09 <RRSAgent> See http://www.w3.org/2013/10/01-tagmem-irc#T13-32-09
13:32:15 <wycats_> q+ to ask about the distinction between built-in EME and built-in  Flash
13:32:45 <noah> RB: Media is just the tip of the iceberg. We need to anticipate requests for protection of Apps, Books, media. Wondering whether the TAG could help push on question of Web-compatible copyrights.
13:32:58 <noah> DA: Bookmark that thought
13:33:32 <noah> PLH: So, no plugin, but browser has no control over underlying DRM systems, e.g. issues like accessibility.
13:34:49 <noah> HT: The well argued >technical< objection is that it is a step toward taking control of the platform away from the owner. That's the key problem. We are making a link in that chain easier, but the deep evil (if you believe it's evil) is further down the chain
13:34:55 <noah> PLH: It's a small step
13:35:03 <dka> q?
13:35:06 <annevk> q+
13:35:06 <dka> ack wycats
13:35:07 <Zakim> wycats_, you wanted to ask about the distinction between built-in EME and built-in  Flash
13:35:51 <noah> YK: I see benefits of standard thing with standard interface. I wouldn't like it but can see benefit. I'm not convinced EME is better than plugin.
13:36:17 <noah> PLH: You would not have to ship flash, reduces browser footprint
13:36:23 <noah> YK: Do you think that will happen
13:36:26 <darobin> [with EME you push the plugin further down the stack and reduce its surface compared to Flash]
13:36:32 <noah> PLH: Yes, streaming etc would need to be addressed
13:36:32 <slightlyoff> AR: necessary but not sufficient
13:36:33 <noah> q?
13:36:53 <noah> q+ to say even small steps are symbolically significant
13:37:33 <noah> PLH: I'd guess EME will show on mobile platforms over time
13:37:48 <dka> ack anne
13:37:49 <dka> q?
13:38:27 <noah> AVK: We never standardized the plugin API, and we know plugins have problems. Now we're opening an extra hole.
13:39:12 <noah> YK: At least with Flash you could implement it yourself in principle. With EME it's not clear that you can.
13:39:15 <ht> ht has joined #tagmem
13:39:26 <noah> AVK: Standardizing this seems counter to the W3C's mission
13:40:04 <dka> q?
13:40:13 <wycats_> to be clear, I didn't mean that you could implement the DRM part -- what I meant was that you could implement FLASH yourself
13:40:39 <noah> TBL: That's a complex discussion
13:40:40 <wycats_> so the undocumented EME API is worse than the undocumented Flash API as it relates to the web content that each of them is enabling
13:41:08 <noah> AVK: I am worried about the Web depending on proprietary technologies not easily ported to other platforms.
13:41:20 <noah> Robin Berjon thanks the group but has to leave.
13:41:43 <dka> ack noah
13:41:43 <Zakim> noah, you wanted to say even small steps are symbolically significant
13:41:53 <noah> q-
13:41:55 <wycats_> For me, the nut of the issue is that new browsers will not be able to run "web content" without a non-trivial amount of non-technical work
13:42:08 <annevk> +1 to wycats_
13:42:14 <slightlyoff> thanks darobin !
13:42:46 <slightlyoff> wycats_: that seems like a no-op vs the current state, no?
13:42:54 <noah> PLH: Regarding Web IDL: it's a metasyntax for writing  specifications. Within a few years we'll use that either Web IDL or JS IDL.
13:43:02 <noah> q?
13:43:08 <wycats_> slightlyoff: the current state is not in a standard -- so the current content is not "web content" and we're honest about it
13:43:19 <wycats_> the claimed benefit of the new state is that it can be described as "web content"
13:43:26 <wycats_> except it's not actually
13:43:40 <slightlyoff> I accept the semantic distinction.
13:43:46 <noah> PLH: Some groups are using the full semantics of WEB IDL but older stuff doesn't support that.
13:43:50 <wycats_> this conversation is nuanced... we should have it in person
13:44:17 <noah> PLH: Both Geolocation and Touch Events claim to be using ECMAscript bindings, but when it gets to things like prototypes it doesn't work.
13:44:22 <noah> AVK: Browser bugs?
13:44:42 <wycats_> I totally disagree that these are just "browser bugs"
13:44:54 <noah> YK: Yes, but it's not that simple, even browser vendors have trouble knowing what's right. Ordinary users have no chance.
13:45:03 <Yves> type conversion is also overlook
13:45:24 <noah> PLH: Leads to a situation where specifications lose credibility because don't match reality. Conformance tests fail.
13:46:05 <JeniT> JeniT has joined #tagmem
13:46:17 <noah> PLH: The incentive to fix isn't strong enough.
13:47:22 <noah> YK: I agree that in principle this stuff tends to be edge cases, but I have spent say 100 hours of my career burning time figuring out such mismatches between spec and reality. Getting the specs to where they are an accurate guide to practical reality is important (scribe has paraphrased)
13:47:33 <dka> q?
13:47:59 <noah> AVK: Don't follow. You want specs to say where implementations will go, not where they are.
13:48:04 <noah> TBL: Anne, delighted to hear that!
13:48:13 <noah> YK: Not making strong statement on that distinction
13:48:33 <timbl> q+
13:48:40 <noah> AVK: Mozilla uses Web IDL for geolocation
13:48:55 <noah> AR: Chrome doesn't always follow the IDL
13:49:07 <noah> AR: Is the issue that prototypes aren't be linearized?
13:49:14 <noah> YK: Part of the problem
13:49:44 <noah> AR: We in chrome never have performance regression, and have spent years figuring out how to linearize prototypes. So far, haven't found a way that performs.
13:49:47 <noah> TBL: Eventually?
13:50:11 <noah> AR: Eventually we should be able to do it except maybe for some real edge cases
13:50:55 <noah> YK: I'm on chrome going to monkey patch an event target, and on another platforms may not work
13:51:12 <noah> AVK: We've had WEB IDL based stuff since forever
13:51:19 <noah> AR: Yeah, done by hand
13:51:26 <noah> s/WEB IDL/IDL/
13:52:00 <slightlyoff> s/done by hand/it's a pain to do it by hand/
13:52:05 <noah> AVK: Then we moved to Web IDL and some did it piecemeal (Chrome?). We are trying for the whole thing, but across browser versions it's a huge job. Real interop will take you a long time.
13:52:27 <noah> YK: So, your view is WEB IDL documents ideal reality, and it's just taking a very long time for real reality to catch up?
13:52:31 <noah> AVK: Yes
13:52:42 <plh> q+
13:52:45 <noah> YK: I have more optimism that it's a few years, but not decade(s)
13:53:13 <plh> queue=timbl, plh
13:53:27 <noah> YK: Some things like that some browsers require capture flag and some don't really does bother developers. We play lip service to interop
13:53:36 <noah> AVK: Pressure for new features
13:53:39 <timbl> q-
13:53:48 <noah> YK: Maybe, the HTML5 parser was welcomed for improving interop
13:54:46 <noah> AR: WEB IDL is high fidelity but to the wrong ideal
13:55:04 <noah> YK: But PLH was asking is there enough info there, if so, then browser vendors please prioritize
13:55:05 <dka> q?
13:55:27 <noah> TBL: So, we have specs that are not really WEB IDL compatible but still use WEB IDL to list parameters
13:55:32 <noah> YK: Does prose tell you
13:56:27 <noah> TBL: I'm saying it's being used just for the parameter list, with no implication that there are prototypes, setters, getters etc. They are usefully using as a descriptive.
13:56:48 <noah> Several: Whoa, there are specifications saying that things like getters and setters >are< implied
13:57:20 <noah> TBL: So, let's say the don't have getters and setters, should they not use WEB IDL and instead use something else, or should they say they're using WEB IDL in limited way.
13:57:30 <noah> AR: First, do you think the API without getters/setters is good
13:57:56 <noah> TBL: Right now, they are trying to document a spec that for better or worse does not intend to have getters and setters
13:58:04 <dka> ack plh
13:58:52 <noah> PLH: So, today the protoypes are being followed by all execpt Webkit and Blink. Mozilla and Microsot are doing what they reasonably can.
13:59:11 <JeniT> JeniT has joined #tagmem
13:59:23 <noah> PLH: We need to make sure specs describe deployed reality even if later we hope to improve implementations
13:59:53 <noah> TBL: Is it pragmatic for them to use the WebIDL syntax?
14:00:21 <noah> AR: Two issues. A) Carries implications that to which they are not signing up, so misleading B) It's going to mislead implementors
14:00:28 <dka> q?
14:00:39 <noah> TBL: The implementations were done "without thinking" in the sense of without attending to Web IDL
14:01:14 <noah> AR: If you are attempting to describe a Javasript interface that doesn't match WEB IDL, use Javascript to describe it
14:03:23 <noah> AR: Insofar as Javascript is a poor description language, that's on TC 39 to fix. It is however to write out an interface description, e.g. with a dummy implementation, that can meet the need
14:03:43 <noah> PLH: There are a few like that, maybe Web storage
14:03:53 <noah> TBL: Or you could clone WEB IDL and rip out pieces
14:04:16 <noah> YK: People have enough problem reading/learning WebIDL. Subset version adds confusion.
14:04:40 <noah> Someone: so, the browsers are on the road to fixing the APIs
14:04:51 <noah> PLH: But doing things like adding getters is very low priority
14:05:06 <noah> YK: I can live with that. Web IDL is the desired reality, fixing bugs is low priority
14:05:37 <noah> TBL: Not OK. When bugs are likely to be open for ten years, then that's not OK because specs aren't affecting reality
14:05:39 <annevk> plh: http://mxr.mozilla.org/mozilla-central/source/dom/webidl/Geolocation.webidl
14:05:46 <noah> YK: Really going to take ten years for geolocation
14:05:50 <noah> AVK: No
14:06:04 <noah> YK: So?
14:06:17 <noah> TBL: I think I'm hearing browser vendors don't want to fix some of these bugs
14:06:46 <noah> YK: I'm more optimistic that implementations are converging on the spec faster than that
14:07:45 <noah> DA: Does this fit into bucket of "TAG provides guidance to working groups"? If so, what guidance.
14:07:52 <noah> TBL: I think the deep dive here is valuable.
14:08:11 <noah> TBL: Popping back up might lose that value
14:08:25 <noah> YK: I think we can get behind saying "standards should drive interop"
14:08:40 <noah> DA: But TAG can get involved at detail level as we did with Web audio. Anything like that here?
14:09:22 <noah> AVK: The geolocation group is "run" by two people who work on Blink, so they are likely to give the corresponding answer
14:09:30 <noah> AR: If it's only geolocation, then we can fix this
14:09:50 <noah> AVK: I assume they felt that fixing this wasn't consistent with getting to REC in a timely way
14:10:18 <noah> AVK: We >want< the prototype and we want it interoperable
14:10:38 <noah> YK: Would be useful to know why blink isn't doing it. Was there a deep reason making it really hard, or just didn't push hard on it?
14:10:43 <noah> AVK: What's a long time?
14:10:51 <noah> YK: Having a spec not interoperate for multiple years
14:10:57 <noah> AVK: We have several
14:11:47 <noah> YK: We should consider avoiding publication of specs likely not be interoperable for extended periods
14:11:55 <slightlyoff> plh: do you have a pointer to the discussions about this?
14:12:21 <dka> q?
14:13:07 <slightlyoff> q+
14:13:11 <JeniT> JeniT has joined #tagmem
14:13:18 <slightlyoff> hey JeniT!
14:13:52 <noah> NM: If you're going to write specs that cover ideal behavior and interim, can be useful to give them formal distinction as differently named conformance levels.
14:13:55 <dka> ack slight
14:14:15 <noah> AR: Confused. Of what substantive issue is geolocation an example.
14:14:51 <plh> http://dev.w3.org/geo/api/idl-test-suite/idlharness.html
14:15:12 <noah> PLH: Well touch events is more clearcut, but considering geolation, the specification says the XXX object must be supported on the navigator interface, but it is not.
14:15:40 <noah> AVK: Makes sense, because navigator was complex and took a long time to convert.
14:16:15 <annevk> To be clear, Firefox Nightly passes that test
14:16:19 <noah> AR: When geolocation was published, WEB IDL was only a working draft. What is the core issue, that Blink isn't linearizing prototypes, or is there an issue unique to geolocation?
14:17:53 <noah> PLH: I now see that something told to the director was unduly pessimistic. We thought we heard there were not two implementations because IE passed but Firefox failed IDL compliance. We now hear that was a short term concern, bug fixed, and so we do have two implementations.
14:18:31 <noah> PLH: The touch events one was also presented to (Tim). Looked at running on both Firefox and Chrome mobile. There were pieces of a test failing (scribe isn't sure he got this right)
14:18:40 <slightlyoff_> slightlyoff_ has joined #tagmem
14:18:44 <noah> TBL: Can you do touch evens with trackpad on desktop
14:18:53 <noah> PLH: In principle, but I can't check that mysefl
14:19:02 <noah> s/mysefl/myself/
14:19:25 <noah> AVK: If someone had checked the Firefox bug database they would have seen the fix was on the way.
14:19:26 <slightlyoff_> slightlyoff_ has joined #tagmem
14:19:34 <noah> PLH: We somewhat trust the WGs
14:19:56 <noah> AVK: Not clear this WG has deep insight into implementations other than Blink
14:20:25 <noah> PL: Did I hear someone concerned about need to express things beyond what WEB IDL can do?
14:20:44 <noah> YK: Well, I heard Tim speculate that if Web IDL semantics not right for all, the syntax might still be used.
14:21:18 <dka> I will note: we have talked about 3 APIs this morning - Geolocation enables access to an underlying capability of the device which may be implemented using a patent-encumbered technology (GPS); Touch events enables access to an underlying capability of the device which may be implemented using a patent-encumbered technology (multi-touch); EME enables access to an underlying capability of the device which may be implemented using a patent-encumbered technology (some
14:21:18 <dka> underlying DRM).
14:21:21 <noah> TBL: They came to me and asked about syntactic conformance (just matches Web IDL grammar). I said "no", we need syntax and semantics here
14:22:44 <noah> PLH: Touch events is a bit tricky. IE doesn't implement.
14:23:04 <noah> YK: What's the status of the patents
14:23:34 <noah> PLH: There is a PAG.
14:23:41 <noah> YK: Aren't we moving to pointer events?
14:24:03 <noah> PLH: Yes, but there is deployments of Touch Events so they want a 1.0 rec
14:24:22 <noah> YK: But not likely to get much attention in the future? Then I don't care about Web IDL so much.
14:24:33 <noah> AVK: But I care, because we do it with Web IDL
14:24:40 <noah> AR: What's the issue?
14:24:44 <plh> http://w3c-test.org/webevents/tests/touch-events-v1/submissions/Nokia/idlharness.html
14:24:55 <noah> YK: Should touch events become a REC if not describable by suitable IDL
14:25:34 <noah> YK: Given that Web IDL is part of the spec, we don't have interoperable implementations of touch events
14:26:10 <noah> DA: Is this a TAG issue? Unconvinced.
14:26:29 <dka> q?
14:26:33 <noah> YK: Broader issue is whether WEB IDL semantics are important when considering interoperable implementations? I think we agree: yes.
14:26:39 <noah> PLH: Anything else in remaining 4 minutes.
14:26:48 <noah> HT: I want to know where we are on Polyglot
14:26:55 <noah> PLH: HTML WG is publishing it.
14:27:08 <noah> HT: Henri had an objection
14:27:13 <noah> PLH: I think it's moving forward
14:27:31 <noah> PLH: As long as someone is willing to do the work it will move forward.
14:30:25 <noah> PLH: On other things: RDFa went to rec awhile ago; on microdata it's going to note
14:30:39 <noah> PLH: We're doing the same with Authoring spec
14:31:07 <timbl> agenda+ auhoring spec
14:31:08 <noah> NM: We had a clear, negotiated agreement with HTML WG chairs that authoring spec goes to REC. please check the record from a couple of years ago.
14:31:13 <noah> DA: I agree with Noah
14:31:16 <noah> PLH: I will check
14:31:20 <plh> http://www.w3.org/2013/09/html-charter.html
14:32:26 <ht> http://www.w3.org/blog/news/archives/3253
14:32:39 <noah> PLH: The HTML WG got a new charter yesterday with two new things 1) new dual license which can be used for extension specifications
14:33:00 <noah> PLH: The DOM4 specification was moved into HTML WG also announced yesterday and can get cc: by license
14:33:22 <noah> s/The DOM4/2) The DOM4/
14:34:08 <noah> AVK: I am concerned that the cc: by license is non-GPL compatible.
14:34:22 <noah> AR: I'm unhappy disucssing document licenses for software
14:34:41 <plh> Plh: an example is: Is Anne willing to edit the DOM specification in the HTML WG under the new dual license?
14:34:51 <plh> Anne: no, because it's compatible with GPL
14:35:05 <annevk> s/compatible/incompatible/
14:35:10 <noah> TBL: There are some people in this discussion who have taken the trouble to be quite pedantic about it. The notion that GPL would be incompatible with cc: by is a bit pedantic.
14:36:19 <noah> AR: You can't drill on this without asking who would sue whom and why? Who owns the rights? If these are rights granted to the Free Software Foundation, they may be litigious. I think it's less likely that W3C or Mozilla will. There are multiple potential ways to solve this. One might be a covenant not to sue.
14:36:52 <noah> PLH: We published a FAQ. Our legal people believe that in this particular case your use of cc: by is compatiable with GPL.
14:36:56 <noah> YK: How do you link a spec.
14:37:09 <noah> AVK: Given that FSF considers it incompatible...
14:37:12 <ht> http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620
14:37:24 <plh> http://www.w3.org/2013/09/html-faq.html
14:37:45 <plh> http://www.w3.org/2013/09/html-faq.html#gplcompatibility
14:38:07 <noah> AR: Henri Sivonen makes an argument, of which I'm not convinced, that if you are going to automatically generate help or error text that extracts from the specification and winds up in code, the code is then potentially not GPL clean.
14:38:17 <noah> AR: I believe that a covenent should resolve that concern.
14:38:54 <noah> AR: I do understand that this doesn't in the general case resolve the question of whether cc: by leaves you GPL clean
14:39:11 <noah> TBL: Definitely not just help text. It's also generating parsers from BNF, etc.
14:39:14 <noah> NM: I agree with Tim
14:40:11 <noah> DA: The question is,  FSF and Creative Commons say it's incompatible and W3C says compatible, are we getting them together.
14:40:16 <noah> PLH: Harder than that.
14:40:34 <noah> AR: FSF has their own interpretation that they can enforce with respect to the products they control
14:41:33 <noah> DA: Thank you Philippe
14:41:38 <noah> Philippe leaves
14:43:11 <noah> TBL: This about people doing things on principle. Principle is important, and important things follow from principles. Viral licenses are complicated to design and are tweaked occasionally. The fact that FSF has come to this conclusion is a failure of the GPL license. Compatibility with cc: By should be straightforward and should be a requirement for GPL.
14:43:48 <noah> AVK: Yes, some of it is principle. I would like my work to be in the public domain, much as Tim got the browser to be given away.
14:44:45 <noah> AR: CC: by is NOT public domain. Having a license and public domain is different thing. In US law, governments can put things in public domain but individuals can't.
14:45:27 <noah> SK: But laws typically say that the owner has all rights to do anything.
14:45:32 <noah> DA: Which jurisdiction?
14:45:57 <noah> SK: I guess I'm speaking of Russia, but that's based closely on Berne convention and should apply at least to most of Europe.
14:46:01 <noah> AR: ...and US
14:46:04 <annevk> s/the browser/the ideas and software around the Web/
14:46:36 <annevk> s/CC: by/CC0/
14:47:02 <noah> AR: What can the TAG do? Ask US libary of congress to let W3C put into public domain.
14:47:14 <noah> TBL: But our members don't want to put our work into the public domain.
14:48:04 <noah> TBL: I did not get the Web into public domain. I got CERN to agree not to charge license. The work I did here is MIT license and copyright MIT, similar to BSD and cc: by.
14:48:10 <noah> AR: So key was?
14:48:18 <noah> TBL: As I recall, not to charge royalties.
14:50:22 <ht> Yehuda -- yes, this is the "Authoring Spec": http://www.w3.org/TR/html5-author/
14:50:31 <ht> "HTML5: Edition for Web Authors"
14:51:09 <slightlyoff> big deprecated warning at the top?
14:51:19 <slightlyoff> "This document has been discontinued and is only made available for historical purposes. The HTML specification includes a style switcher that will hide implementer-oriented content."
14:51:34 <ht> It's a Note, whereas Polyglot (http://www.w3.org/TR/html-polyglot/) is still on the REC track
14:52:10 <slightlyoff_> slightlyoff_ has joined #tagmem
14:52:16 <ht> But the link to the Authoring spec. from the charter says "The HTML Working Group will complete work on the following existing deliverables of the group:"
14:52:19 <ht> ???
14:52:21 <annevk> timbl: http://www.w3.org/Policy.html
14:52:41 <annevk> timbl: "The definition of protocols such as HTTP and data formats such as HTML are in the public domain and may be freely used by anyone. -- Tim BL"
14:53:03 <wycats_> wycats_ has joined #tagmem
14:53:29 <wycats_> wycats_ has left #tagmem
14:53:33 <wycats_> wycats_ has joined #tagmem
14:54:52 <ht> Anne, yes, but as AR and SK said, _saying_ that is an indication of author's intent, but it doesn't, legally, make it so IIUC: only the US gov't can 'make' something public domain wrt US law, I believe.
14:55:53 <annevk> ht: this was back in Switzerland I suspect
14:56:11 <annevk> ht: either way, CC0 covers the US gov case
15:06:15 <trackbot> RRSAgent, make logs public
15:06:17 <trackbot> Zakim, this will be TAG
15:06:17 <Zakim> ok, trackbot; I see TAG_f2f()8:30AM scheduled to start 156 minutes ago
15:06:18 <trackbot> Meeting: Technical Architecture Group Teleconference
15:06:18 <trackbot> Date: 01 October 2013
15:06:26 <RRSAgent> I have made the request to generate http://www.w3.org/2013/10/01-tagmem-minutes.html Yves
15:10:18 <Yves> Regrets: Jeni
15:10:36 <ht> Here is the (relatively) famous analysis of DRM effect on Vista and chip design: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
15:12:15 <slightlyoff> Scribe: slightlyoff
15:13:08 <slightlyoff> Topic: API design
15:13:31 <slightlyoff> DKA: sergey, you volunteered the topic, perhaps you can talk a little bit about it?
15:14:27 <twirl> https://github.com/w3ctag/api-design-guide/blob/master/API%20Design%20Guide.md
15:15:20 <slightlyoff> SK: in my opinion, the design guide should serve 2 main goals
15:15:27 <slightlyoff> SK: 1.) to be a guide for folks who design APIs
15:16:27 <slightlyoff> SK: 2.) to build a guide for API reviews
15:16:47 <slightlyoff> SK: the second is guide for the TAG
15:17:05 <slightlyoff> YK: should non-platform builders trying to design things use the guide? what about ember?
15:17:13 <slightlyoff> SK: what I've written is very general
15:17:25 <slightlyoff> SK: it should primarily be focused on the web platform
15:17:39 <slightlyoff> YK: if it can't be useful for library developers, it'll probably fail the idiomaticness test
15:18:24 <slightlyoff> DKA: my sense is that we should be focusing primarily on the work of spec developers
15:18:31 <slightlyoff> YK: I'm saying this is an acceptance criteria
15:18:41 <slightlyoff> AVK: "idiomatic" changes over time
15:18:53 <slightlyoff> AVK: what AWB does is different in style from what query does
15:19:27 <slightlyoff> SK: there are some bits that are specific to our field, but hopefully it will be relatively general
15:19:32 <twirl> http://www.w3.org/TR/api-design/#basics
15:20:11 <slightlyoff> SK: it's not a guide, per sae, but it includes good IDL design notes
15:20:32 <wycats_> AR: Proscriptive text should be more fluid
15:20:47 <wycats_> AR: I would like there to be a more general design guidelines
15:21:03 <wycats_> ... my sense of Robin's guidelines is that they are good tactical advice but not a broad sense of the landscape
15:21:16 <slightlyoff> (thanks wycats_)
15:21:17 <wycats_> ... we need something that helps people navigate the landscape
15:21:22 <slightlyoff> Scribe: slightlyoff
15:21:30 <slightlyoff> SK: I think it should have 2 parts
15:22:00 <slightlyoff> SK: something to help folks designing interfaces and more general guidance. It could be 2 documents.
15:22:27 <slightlyoff> YK: some of this stuff is going to need to change, e.g. the advice about globals will change in the light of ES6 modules
15:22:39 <slightlyoff> DKA: don't we ant to build looking forward to that future?
15:23:05 <slightlyoff> YK: if we do that, there's a group in TC39 that's refactoring the exiting platform in terms of modules and classes and they'll need to be roped into this effort to make it forward looking
15:23:40 <wycats_> AR: I feel like that is an attractive thing to want to do, but it's maybe too soon
15:23:48 <wycats_> ... since we don't have a lot of design expertise with modules
15:23:54 <wycats_> ... and no consumers among working groups yet
15:24:03 <wycats_> ... I would like to focus on the design challenges that we've observed
15:24:48 <slightlyoff> YK: new specs will want to use modules in 6 months
15:24:52 <slightlyoff> AVK: I'm not sure
15:25:00 <slightlyoff> YK: that's my sense of the timeline
15:25:28 <slightlyoff> DKA: my main concern for this work is getting started on what we can get consensus on
15:25:38 <slightlyoff> DKA: I'd like to have something meaty by the end of the year
15:25:59 <slightlyoff> YK: if we can get it done by the end of the year, the current outline seems good
15:26:37 <slightlyoff> YK: it sounds like there's a lack of consensus
15:27:36 <slightlyoff> DKA: until there's something concrete, perhaps we should be talking about what we should say in this document
15:28:29 <slightlyoff> YK: I think there are some areas where we should be explaining to people how to use modules to help get them over the hurdle of using them
15:28:41 <slightlyoff> AVK: there's a problem with shipping
15:28:52 <slightlyoff> YK: slightlyoff is right…there's a transition problem
15:29:10 <slightlyoff> YK: we need to both provide the back off strategy -- someplace to do things with modules in the interim
15:29:29 <slightlyoff> AVK: once things ship in 2 browsers, I think it'll be "game on"
15:30:13 <slightlyoff> SK: the platform is evolving permanently. Every 6 months there will be some changes that will cause spec authors to need to revise their work
15:30:17 <slightlyoff> SK: modules are not blocking this
15:30:56 <slightlyoff> SK: the TAG has a role: questions about wether or not to use modules _will_ be directed to the tag, so we'll be on the hook for providing advice; both current state and how to think bout the future
15:31:46 <slightlyoff> SK: I don't know if we should write down the current state in this guide, and how to cope, and how to think about designing in the future. Perhaps we should have 2 parts? something general that doesn't change frequently and a part that's more tactical: how to use modules, promises, etc.
15:31:59 <wycats_> Just to be clear, I am not saying that everyone will be using modules in 6 months, but that new specs will want to use them in 6 months
15:31:59 <slightlyoff> SK: are we agreed about the main goals of the guide?
15:32:10 <slightlyoff> [agreement]
15:32:23 <slightlyoff> SK: I have a plan for the relatively general part
15:32:48 <slightlyoff> SK: I'd like to present it and collect your feedback, and if we agree, I'll start working on the general part of the guide
15:33:39 <slightlyoff> SK: API developers should be explaining what tasks the API should solve
15:34:01 <slightlyoff> SK: how are those tasks solved in other plaforms/APIs (prior art)
15:34:38 <slightlyoff> SK: and there should be some rationale and exposition about what to borrow and why to leave behind
15:34:45 <slightlyoff> SK: the other question is: what are the use cases?
15:35:19 <slightlyoff> SK: i've reviewed 3 APis before this meeting: web audio, web animations, and push notifications
15:35:26 <slightlyoff> SK: all presented me the same problem
15:35:42 <slightlyoff> SK: I don't know what the common use-cases are and the spec doesn't provide direction about where to find them
15:35:56 <slightlyoff> SK: I think that's a major problem with these specs
15:36:09 <slightlyoff> SK: I have to find out how they're used and why the current solutions aren't used
15:38:06 <slightlyoff> AR: it might be good for spec authors to have that sort of text for their own sake, but it doesn't seem like it'll be a shortcut for reviewers
15:38:38 <slightlyoff> SK: I agree, I do still need to review and check the background
15:38:56 <slightlyoff> SK: when you're reviewing the spec, you need to come to an independent view
15:39:33 <slightlyoff> SK: so it's good to have the list to see if the spec authors were hitting the right issues
15:39:55 <slightlyoff> SK: for example web audio, it's intended in a browser, but it has no mechanisms for working with audio more than a minute in lenght
15:40:23 <slightlyoff> SK: it's important to have the use cases both for the folks doing review and for the folks doing the specs
15:40:56 <slightlyoff> SK: the designer should be reviewing the spec at checkpoints to make sure they align with the major design guidance
15:41:04 <slightlyoff> SK: else things may drift in scope
15:41:34 <slightlyoff> SK: I'll write this down with extended examples
15:41:41 <slightlyoff> SK: both good and bad
15:42:29 <slightlyoff> AR: how do we imagine this  being used primarily? In coordination with us? independently?
15:42:42 <slightlyoff> DKA: my though was that folks who are building specs would use this as an input
15:43:04 <slightlyoff> AR: so it needs to stand alone and be self-supporting
15:43:08 <slightlyoff> DKA: agree
15:43:22 <slightlyoff> SK: we don't want to be going to each spec designer and having to explain the guide
15:43:52 <slightlyoff> AR: I think that raises the risk for advice that has a sell-by date
15:44:03 <slightlyoff> YK: yeah, promises, streams, globals
15:44:27 <wycats_> AR: I think the right way to do this is to extract advice out of our interactions with working groups
15:44:48 <wycats_> AR: otherwise we'll find ourselves with a pile of good but eventually contradictory statements that will not hang together
15:44:51 <slightlyoff> (thanks wycats_ )
15:45:00 <slightlyoff> DKA: is this a traditional TAG finding?
15:45:09 <slightlyoff> DKA: or is this  different kind of document?
15:45:18 <slightlyoff> DKA: TAG findings have publication dates and errata
15:45:30 <slightlyoff> DKA: or should this be a living doc that only lives on github, etc.
15:45:44 <slightlyoff> NM: it could even go to REC
15:46:00 <slightlyoff> DKA: but if the ground is shifting quickly....
15:46:14 <slightlyoff> YL: we need a clear way of updating it and marking some advice obselete
15:46:18 <slightlyoff> DKA: agree
15:46:30 <slightlyoff> SK: I think this document will be tested when we continue to do reviews
15:46:55 <slightlyoff> SK: and we can come up with  determination about how it should live as a result
15:47:24 <slightlyoff> DKA: what can we pull out of our work with WebAudio? WebRTC?
15:47:47 <slightlyoff> wycats_: there's a chicken-and-egg problem with Alex's approach: it won't help us spread new technology that should be broadly used
15:47:55 <slightlyoff> AR: agree
15:48:15 <slightlyoff> SK: next chapter
15:48:20 <slightlyoff> AR: what do we want to do about it?
15:48:27 <slightlyoff> YK: I think we're going to have to take a bit of a leading role
15:48:44 <slightlyoff> SK: the second level that should be explained in a spec is defining the levels of abstraction
15:49:12 <slightlyoff> SK: what are the data structures?
15:49:35 <slightlyoff> SK: how abstract is it?
15:50:36 <slightlyoff> SK: what UI does the spec provide?
15:50:54 <slightlyoff> SK: how doe the spec objects interact with each other?
15:51:38 <slightlyoff> SK: so WA becomes clear: the data structures are very low level and it doesn't have UI
15:52:07 <slightlyoff> AR: how does this help us or a spec author get clarity on wether or not these are the right choices to make?
15:53:24 <slightlyoff> SK: it's pretty basic that the levels of abstraction should be outlined. If the abstraction levels are defined, things will compose well
15:53:55 <slightlyoff> AR: but does this provide practical advice? How does noting the level of abstraction turn into guidance?
15:54:05 <slightlyoff> SK: I've thought a lot about this….
15:54:22 <slightlyoff> YK: do we think this sort of document will help folks in the wrong headspace?
15:54:36 <slightlyoff> SK: I do think it'll help. Won't be a magic bullet,but will help clarify
15:55:17 <slightlyoff> PL: it'd be nice if we had a clear description of where the levels of abstraction really ARE in the platform. Seems like something the TAG should provide.
15:55:27 <slightlyoff> YK: agree. That  seems like the first thing we should do here
15:55:48 <slightlyoff> PL: I think a lot of us have pictures of it in our heads, but we haven't annunciated it
15:56:00 <slightlyoff> YK: if you're crossing layers, at a minimum there should be an API
15:56:05 <slightlyoff> PL: I think we should define this model
15:56:20 <slightlyoff> DKA: that seems like a separate part of this document that needs to be written
15:56:48 <slightlyoff> YK: yeah, this was the thing that Alex and I had in mind and we should talk about it more
15:56:55 <slightlyoff> YK: [ need offline discussion ]
15:57:06 <slightlyoff> DKA: if you don't have the bandwidth, perhaps you can review?
15:57:11 <slightlyoff> YK: yeah, need to find time
15:57:33 <slightlyoff> DKA: you agree with the basic formulation of the plan? draft and let sergey edit?
15:57:36 <slightlyoff> [ agreement ]
15:57:51 <slightlyoff> SK: defining the abstraction levels is the hard part
15:57:58 <slightlyoff> YK: I think there's a growing consensus
15:58:07 <slightlyoff> YK: I'm optimistic that we're more on the same page than not
15:58:13 <slightlyoff> SK: are there written results?
15:58:25 <slightlyoff> [ no ]
15:58:58 <slightlyoff> YK: I think the extensible web manifesto is one work product. Trying to explain the platform in terms of those broad ideas is something we need to do
15:59:10 <slightlyoff> [ breaking for lunch ]
15:59:27 <slightlyoff> DKA: after lunch, we have wendy seltzer joining us to discuss privacy and security
15:59:33 <slightlyoff> DKA: after that we can loop back to this
15:59:44 <slightlyoff> Topic: lunch
15:59:57 <slightlyoff> (back at 1pm EST)
16:01:51 <annevk> annevk has joined #tagmem
16:18:38 <bkardell> bkardell has joined #tagmem
16:44:58 <dka> dka has joined #tagmem
16:53:19 <ht> ht has joined #tagmem
16:55:19 <annevk> annevk has joined #tagmem
16:56:01 <timbl> timbl has joined #tagmem
17:03:16 <wseltzer> wseltzer has joined #tagmem
17:03:27 <dka> trackbot, start meeting
17:03:29 <trackbot> RRSAgent, make logs public
17:03:31 <trackbot> Zakim, this will be TAG
17:03:31 <Zakim> ok, trackbot; I see TAG_f2f()8:30AM scheduled to start 273 minutes ago
17:03:32 <trackbot> Meeting: Technical Architecture Group Teleconference
17:03:32 <trackbot> Date: 01 October 2013
17:06:34 <dka> Topic: Security & Privacy
17:10:08 <twirl> twirl has joined #tagmem
17:10:28 <dka> Scribe: wycats_
17:11:15 <wycats> Scribe: wycats
17:11:37 <wycats> Wendy (WS): Security and Privacy expert
17:12:07 <wycats> WS: Here to talk about where society is going with regard to security and privacy
17:12:47 <wycats> DKA: We had some ideas about what we can talk about
17:13:30 <wycats> 1) What could we (TAG) be doing with regard to the government snooping situation?
17:13:42 <wycats> DKA: It's not our role to wade into the politics
17:13:56 <wycats> ... but the question of securing the web is something that is clearly in the realm of the TAG and Web Architecture
17:14:01 <wseltzer> q+
17:14:18 <wycats> ... so could we be giving more guidance about the use or non-use of "security" technologies
17:14:50 <wycats> 2) Publishing and Linking
17:15:12 <wycats> ... is there any action that W3C is planning to take with amicus briefs or anything that we can provide background
17:16:32 <slightlyoff> thanks wycats
17:16:40 <wycats> 3) Some top-level thoughts on "let's make a deal" application security model
17:17:12 <wycats> DKA: 4) any input into the API design guide around privacy and security
17:17:31 <wycats> ... 5) What should we be thinking about
17:18:17 <wycats> WS: Let's sketch out what T&S is doing right now
17:18:31 <wycats> ... and we'll see if there are architectural questions that TAG can help with
17:18:49 <wycats> ... to influence a "secure and trustworthy web"
17:19:00 <wycats> DKA: Let's start with (1) "government snooping"
17:19:44 <wycats> ... AR: Can you outline your security proposals
17:19:55 <wycats> AR: I have the benefit of leaning on much smarter people
17:20:05 <wycats> ... specifically Adam Langley, who works on SSL in Chrome
17:20:12 <wycats> ... I would trust AGL with my private data
17:20:24 <wycats> ... I asked him: (1) should the TAG weigh in
17:20:30 <wycats> ... and he said yes
17:20:44 <wycats> ... (2) what specific things can we do around SSL?
17:20:56 <wycats> ... (a) Perfect Forward Secrecy
17:21:00 <wycats> ... (b) strong keys
17:21:16 <wycats> ... (c) cert pinning and OCSP
17:21:30 <wycats> (http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)
17:21:43 <wycats> ... (d) removing weak TLS versions
17:21:53 <wycats> ... (e) Strict Transport Security headers
17:22:01 <wycats> (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
17:22:16 <wycats> ... he doesn't believe that pinning is something most sites can do
17:22:25 <wycats> ... cert pinning is really hard
17:22:30 <wycats> ... OCSP pinning is a performance optimization
17:22:41 <wycats> ... OCSP is a response to the problem of revoking certificates
17:22:50 <wycats> ... browsers can look up in a global list for revoke certs
17:22:55 <wycats> ... high lag / low compliance
17:23:11 <wycats> YK: issues with captive portals
17:23:21 <wycats> ... (The previous discussion was about CRLs)
17:23:31 <wycats> ... OCSP is an improvement on CRLs
17:23:41 <wycats> (http://en.wikipedia.org/wiki/Revocation_list)
17:23:49 <wycats> ... OCSP is blocking
17:23:53 <wycats> ... therefore sucks
17:24:10 <wycats> ... OCSP pinning is a way to provide a response to the OCSP question as part of the handshake
17:24:54 <wycats> YK: Is there a solution for OCSP and Captive Portals?
17:25:05 <wycats> AR: We need to never trust captive portals on the browser side
17:25:20 <wycats> ... AGL thinks both kinds of pinning are too hard for most publishers
17:25:44 <wycats> ... because OCSP pinning requires relatively frequently updating your certs and maintaining strict security around the key material
17:26:00 <wycats> YK: Google does pinnin
17:26:02 <wycats> AR: Yep
17:26:24 <wycats> HT: I assumed there was an informal consensus that SSL itself isn't fit for purpose
17:26:36 <wycats> AR: Let's try to be more specific
17:27:03 <wycats> ... the issue with SSL is trusting the root signer
17:27:17 <wycats> ... you have to trust the root signer for a long time and you have to update them sometime
17:27:27 <wycats> ... there are economic forces that drive prices down
17:27:56 <wycats> ... it's legitimate to have a varying view of their (roots of trusts) compliance efforts
17:28:09 <wycats> HT: I hit cert errors from sites I have reason to trust so I blow them off
17:28:16 <wycats> ... and I think it's a universal experience
17:28:21 <wycats> ... which means certs aren't useful
17:29:13 <wycats> AR: (f) Crypto all the things
17:29:59 <wycats> DKA: Website authors may tell people to skip cert errors
17:30:13 <wycats> HT: UofE does this
17:31:05 <wycats> YK: This is really an issue of self-signed certs
17:31:12 <wycats> AR: The advice is "spend a couple hundred bucks"
17:31:21 <dka> q?
17:31:24 <wycats> TBL: MIT says to install the MIT root cert
17:31:38 <Yves> install... but what to do when it's revoked?
17:32:10 <wycats> AR: PFS can be implemented without high costs
17:32:15 <wycats> ... we need to get more browsers to implement it
17:32:19 <wycats> ... it would be great if they did
17:32:28 <wycats> ... IE doesn't support PFS
17:32:43 <wycats> ... it's an option in the SSL handshake
17:33:08 <wycats> (scribe suggests reading the wikipedia page for more information -- cannot scribe all the technical details)
17:33:30 <dka> http://en.wikipedia.org/wiki/Perfect_forward_secrecy
17:34:09 <wycats> AR: Proposal: We should advocate that major publishers should provide it and all browsers should implement it
17:34:16 <wycats> TBL: How do you tell someone to do it
17:34:28 <wycats> http://stackoverflow.com/questions/17308690/how-do-i-enable-perfect-forward-secrecy-by-default-on-apache
17:35:02 <wycats> DKA: This really all gets to Wendy's discussion about UI
17:35:38 <marcosc> marcosc has joined #tagmem
17:35:59 <wycats> WS: The user research that I'm aware of is that users are terrible at any question about security
17:36:55 <wycats> YK: What about the "zomg don't enter this site" malicious modal dialog
17:36:58 <wycats> AR: I'm looking into it
17:37:12 <wycats> SK: I think it's over 90% don't follow it
17:37:25 <marcosc_> marcosc_ has joined #tagmem
17:38:25 <wycats> AR: We've made it more and more onerous over time
17:38:42 <wycats> HT: There is at least one page that I don't know how to get past
17:39:08 <wycats> AVK: There are issues with captive portals
17:39:33 <wycats> PL: Is there a standard for captive portals
17:39:41 <wycats> YK: There is a proposed status code
17:39:49 <wycats> TBL: Can we (TAG) kill captive portals
17:39:58 <wycats> YK/AVK: No
17:40:04 <wycats> AR: We can maybe limit them to reserved IPs
17:40:43 <wycats> PL: We need a solution before HTTP status codes
17:40:54 <wycats> TBL: Which adds problems for cert errors
17:41:11 <wseltzer> [the captive portal problem... how many AP devices provide the bulk of these?]
17:41:26 <wycats> should we be change the OS UI when you're behind a captive portal?
17:42:36 <wycats> YK: explains the generate_204 solution
17:42:54 <wycats> (http://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection)
17:43:10 <wycats> AVK: There are also issues with timeouts
17:43:48 <wycats> DKA: Captive portals make people oblivious to security errors
17:43:58 <wycats> TBL: Captive portals violate web principles
17:44:07 <wycats> ... it makes HTTP meaningless
17:44:07 <slightlyoff> AGL advises that the data here is pretty fresh: http://www.cs.berkeley.edu/~devdatta/papers/alice-in-warningland.pdf
17:44:45 <wycats> (http://tools.ietf.org/html/rfc6585)
17:44:54 <wycats> WS: There isn't "one owner" of this problem
17:44:59 <wycats> ... there are many interactions
17:45:06 <wycats> ... you can't solve it with one solution
17:45:16 <slightlyoff> Click through rates for badware/malware is low, click-through rates SSL warnings is sadly very high = (
17:45:17 <wycats> ... but maybe an architectural solution can work across the board to solve it cooperatively
17:46:08 <wycats> slightlyoff: how do users perceive the difference
17:46:20 <slightlyoff> IIRC, different colors, but I'd have to go dig up the HTML
17:46:38 <wycats> DKA: Work item Proposal: Recommendations for Captive Portal Owners
17:47:01 <wycats> YK: You might be able to design a good captive portal
17:47:13 <wycats> PL: Yes, you can for example block all ports by 80 and 443
17:47:18 <wycats> TBL: They can look at the user agent
17:47:19 <dka> q?
17:47:26 <wseltzer> q-
17:47:32 <wycats> AR: Key strength is in flux
17:47:46 <wycats> ... we can count on governments and non-commercial actors being able to do 2^80 computation
17:48:00 <wycats> ... being able to break 1024 bit keys now or at least soon
17:48:08 <wycats> ... we need to take 1024 keys off the table
17:48:14 <wycats> ... browsers will warn
17:48:20 <wycats> ... (for 1024 keys)
17:49:53 <wycats> AVK: What's moving faster - ability to generate keys or ability to crack them
17:50:14 <wycats> Yves: Weak ciphers can also render the keys useless
17:50:50 <wycats> HT: If you're paranoid you may believe that government agencies may have cracked 1024-bits better than brute force
17:51:29 <slightlyoff> was looking for this earlier....: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
17:51:29 <wycats> YK: It may still be worth protecting ourselves from others than the NSA even if the NSA cracked RSA
17:52:09 <wycats> TBL: The TAG could just say "don't use 1024 bit keys"
17:52:15 <wycats> AR: And we can say "don't use the null cipher"
17:52:28 <wycats> TBL: We can ask the validator suite to add validation for sane SSL practices
17:52:32 <wycats> AR: And a name-and-shame list
17:52:33 <Yves> https://www.ssllabs.com/ssltest/
17:52:47 <wycats> ... Strong Versions
17:53:01 <wycats> ... 1.1 and 1.2 are the state of play, people should not be using something else
17:53:10 <wycats> ... don't use TLS <= 1.0 or SSL <= 3.0
17:53:16 <wycats> ... Strict Transport Security
17:53:30 <wycats> ... http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
17:53:43 <wycats> ... Crypto All the Things
17:53:51 <wycats> ... Public services should all be HTTP
17:54:04 <wycats> Yves: What about caching
17:54:32 <wycats> HT: HTTP thinks that the web only works because of caching
17:55:13 <wycats> YK: Public caches are such bad actors that you may wish to use SSL just to opt out of them
17:55:45 <wycats> HT: The W3C servers were being brought to their knees by poorly written proxies that were requesting namespaces
17:55:59 <wycats> ... IBM said bandwidth was cheaper than writing a cache
17:56:33 <slightlyoff> HSTS background: http://www.chromium.org/sts
17:56:56 <wycats> YK: The mixed content warning has helped with getting SSL support in CDNs
17:57:13 <wycats> AR: TL;DR We need more crypto
17:57:41 <wycats> ... the expectation that the web's traffic is mostly encrypted is "an invitation to be embarrassed later"
17:58:25 <wycats> DKA: What other unintended consequences are there
17:58:29 <wycats> (scattered discussion)
17:58:46 <slightlyoff> s/encrypted/unencrypted/
17:59:04 <slightlyoff> heh
17:59:41 <dka> q?
17:59:45 <wycats> YL: People tend to use SSL and/or port 443 for new services to avoid proxies messing around
18:00:01 <Yves> especially interception proxies
18:00:09 <wycats> WS: UI issues
18:00:24 <wycats> ... in some ways we have steered away from recommending UI because browsers see it as a competitive advantage
18:00:32 <wycats> ... but maybe we really do need to make some recommendations now
18:00:45 <wycats> ... so users have a sane mental model of what good behavior is vs. bad behavior with regard to warnings
18:00:50 <wycats> s/sane/consistent/
18:00:59 <wycats> ... and have a hope of making better decisions about security
18:01:13 <wycats> ... rather than throwing up our hands and letting users choose browsers that make decisions for them
18:02:11 <wseltzer> "warning fatigue"
18:02:43 <wycats> YK: Why are self-signed certs still emitting warnings
18:03:04 <wycats> YK: Why not "no padlock, no warning"?
18:03:09 <wycats> AR: You could imagine this
18:03:21 <wycats> ... the only real value is that it makes the work of hackers more difficult
18:03:27 <wseltzer> q+
18:03:33 <wycats> ... it also puts encrypted traffic in a different bucket
18:03:51 <wycats> (if we think this warning is useful, why not yell at the user when they use HTTP)
18:04:01 <wycats> (surely a self-signed cert is no worse than unencrypted HTTP?)
18:04:38 <wseltzer> (how do you help the user differentiate between seeing a self-signed cert for well-known-site and one for his own/friend's site?
18:04:51 <wycats> HT: I have my owned self-signed cert -- what's the additional vulnerability if I don't install the self-signed certs
18:05:21 <wycats> YK: Strict Transport Security may help
18:05:34 <wycats> AR: It gives you temporal security
18:05:40 <wycats> TBL/AR: Man in the middle is still easy
18:05:47 <wycats> ("easy")
18:06:34 <wycats> TBL: I like being able to opt into trusting a specific self-signed cert
18:07:34 <wycats> YK: I think you are in the top 0.00001% of the mental model of the situation
18:07:47 <wycats> TBL: Teenagers using facebook understand friends of friends
18:08:04 <wycats> ... the only major difference is UI
18:09:28 <wseltzer> "we have bad security heuristics"
18:10:40 <wycats> WS: This is a very hard set of problems
18:10:45 <wycats> .. what can we do to chip away at it?
18:10:56 <wycats> ... how can we think about the different elements of the threat model?
18:11:21 <wycats> ... for example the pervasive passive adversary vs. the adversary targeting you vs. the adversary targeting a type of communication
18:11:32 <wycats> ... for example crypto all the things helps with passive collections
18:12:01 <wycats> ... and a warning for self-signed-certs interferes with "Crypto All the Things" which helps with passive adversaries
18:12:29 <wycats> ... we now know that there is much more of the passive adversary threat
18:12:40 <wycats> ... so maybe Crypto All the Things is a high priority
18:13:05 <wycats> ... as IETF liaison I'm thinking more about what orgs have what responsibilities
18:13:16 <slightlyoff> http://infrequently.org/13/crypto-all-the-things.jpg
18:13:24 <wycats> AR: What is IETF thinking
18:13:32 <wycats> WS: Crypto All the Things
18:14:04 <wycats> AR: Good Crypto All the Things
18:14:25 <wycats> WS: Also PFS to avoid passive collection and future cracking
18:14:38 <wycats> YL: What about DNSSEC?
18:14:41 <annevk> Crypto All the Things Strongly? -> CATS!
18:14:58 <Yves> DANE
18:15:02 <Yves> withint IETF
18:15:16 <slightlyoff> https://datatracker.ietf.org/wg/dane/charter/
18:18:16 <twirl> q+
18:18:30 <wseltzer> q-
18:18:33 <wycats> YK: I want to remove the padlock and the warning for self-signed certs
18:18:36 <wycats> AVK: File a bug
18:18:59 <wycats> YK: Sounds good
18:19:44 <wycats> YK: I don't think enlisting users to yell at webmasters  is a generally effective strategy
18:20:17 <wycats> TBL: Maybe the browser should send requests to a website so it shows up in their error logs
18:20:45 <wycats> DKA: Should we have a work item?
18:20:56 <wycats> AR: Let's get SSL experts as collaborators
18:21:13 <wycats> DKA: we have some good starting points there
18:21:51 <dka> q
18:21:52 <dka> q?
18:21:55 <wycats> YK: Let's make a starting document that isn't controversial
18:21:58 <dka> ack twi
18:22:14 <wycats> Sergey: what about expired certs?
18:22:22 <wycats> AR: No. We need to warn people
18:22:41 <wycats> ... the idea is to create a class of certs that aren't meant to imply protection from MitM
18:24:17 <wycats> ... what about expired self-signed certs
18:24:45 <wycats> YK: People aren't willing to say that HTTP traffic is specially warned, so anything better than HTTP shouldn't warn unless the server expresses intent to have a padlock show up
18:25:16 <wycats> DKA: Let's rope some people in
18:25:30 <wycats> ... like your friend
18:26:08 <wycats> ACTION Alex to start writing some text for security recommendations with AGL's help
18:26:08 <trackbot> Created ACTION-831 - Start writing some text for security recommendations with agl's help [on Alex Russell - due 2013-10-08].
18:26:37 <twirl> q-
18:27:24 <wycats> (scattered discussion about spy vs. spy icon)
18:28:33 <wycats> DKA: What should we be thinking
18:29:09 <wycats> WS: We're focusing on (a) DNT Header (b) Privacy Interest Group
18:29:16 <wycats> ... we don't have formal security reviews
18:29:23 <wycats> http://www.w3.org/Privacy/
18:29:25 <wycats> http://en.wikipedia.org/wiki/Do_Not_Track
18:29:52 <wycats> YK: Is there interest in doing security reviews?
18:29:55 <wycats> WS: The IETF does it
18:30:50 <wycats> YK: Why doesn't the W3C do it?
18:30:53 <wycats> DKA: unknown
18:31:01 <wycats> ... TBL?
18:31:13 <wycats> TBL: The TAG hasn't recommended it
18:31:21 <wycats> ... at first, it seemed like lip service
18:31:29 <wycats> ... but there have been a few times where I felt it was useful
18:31:35 <wycats> ... so I would be happy to do it
18:32:05 <wycats> YK: I'm suggesting that there is a formal security review of specs
18:32:45 <wycats> (as opposed to the lip service "security considerations" section)
18:33:08 <wycats> TBL: We do this already for accessibility and internationalization
18:33:13 <wycats> ... so maybe we should do it for security
18:34:01 <wycats> YK: I didn't enjoy doing this for JSON API
18:34:25 <wseltzer> bureaucratic hassle--
18:34:57 <wycats> http://www.iana.org/assignments/media-types/application/vnd.api+json
18:35:14 <wycats> TBL: Would have been nice if they had to write security considerations when they wrote SMTP
18:37:49 <wycats> WS: Please submit any documents that you want wider reviews on to the IG or the Workshop
18:38:04 <wycats> ... there isn't yet any specific plans for the Workshop
18:38:26 <wseltzer> http://www.strews.eu/ (EU Project)
19:03:13 <wycats> Topic: API Guide
19:03:27 <wycats> SK: Part III: Defining Object Responsibilities
19:03:56 <dka> trackbot, start meeting
19:03:58 <trackbot> RRSAgent, make logs public
19:04:00 <trackbot> Zakim, this will be TAG
19:04:00 <Zakim> ok, trackbot; I see TAG_f2f()8:30AM scheduled to start 394 minutes ago
19:04:01 <trackbot> Meeting: Technical Architecture Group Teleconference
19:04:01 <trackbot> Date: 01 October 2013
19:04:09 <wycats> SK: This stage can help find design problems
19:04:12 <dka> rrsagent, make minutes
19:04:12 <RRSAgent> I have made the request to generate http://www.w3.org/2013/10/01-tagmem-minutes.html dka
19:04:22 <wycats> ... IV: Object Interface
19:04:44 <wycats> ... this stage helps ensure consistency with the names used in the details of the APIs
19:05:33 <wycats> ... this feeds into the Platform-Specific guide
19:06:31 <wycats> DKA: Maybe we can discuss this in terms of an API like Web Audio
19:07:24 <wycats> SK: I had a push API review that we could use for this
19:07:32 <wycats> AR: I looked at it
19:08:10 <wycats> ... it seems like a good way to analyze OO APIs
19:08:21 <wycats> ... what about layering?
19:08:27 <wycats> ... how do these things relate to markup?
19:08:47 <wycats> YK: We asked for example how Web Audio related to <audio>
19:08:54 <wycats> AR: We should keep these things front and center
19:09:02 <wycats> ... because it can be easily lost when you're focused on a particular layer
19:09:34 <wycats> YK: You could imagine an HTML form of the push API
19:09:53 <wycats> SK: Push API doesn't have any elements
19:10:04 <wycats> ... it may be problematic to add elements
19:10:14 <wycats> ... there are lots of questions about how all this should work
19:10:34 <wycats> ... I cannot make assumptions about this should look
19:11:29 <wycats> YK: Not every tag has a visual representation... it's just our declarative tool of choice
19:12:12 <wycats> AR: What else?
19:12:39 <wycats> YK: What, if any, new capabilities does this proposal introduce? If none, what capabilities is it described in terms of?
19:13:35 <wycats> YK: If there isn't a direct JavaScript API for something for performance, what is the rationale?
19:13:49 <wycats> DKA: What platform invariants exist? Does this proposal violate any?
19:14:04 <marcosc> marcosc has joined #tagmem
19:14:42 <wycats> YK: We know of raciness, but also things like not leaking same origin
19:15:30 <wycats> YK: And doing things like Fetch and Service Workers may make it easier to avoid breaking Same Origin because there's a JS model for what's happening
19:15:57 <wycats> DKA: What other WGs should we be reaching out to?
19:17:56 <wycats> YK: I think we should review the Web Components family of specs
19:18:24 <wycats> ACTION Alex to invite Dmitry to present about Web Components
19:18:24 <trackbot> Created ACTION-832 - Invite dmitry to present about web components [on Alex Russell - due 2013-10-08].
19:19:52 <wycats> ACTION Yehuda to write some text about capability layering
19:19:52 <trackbot> Created ACTION-833 - Write some text about capability layering [on Yehuda Katz - due 2013-10-08].
19:21:14 <wycats> ACTION Sergey to start fleshing out an API review document
19:21:14 <trackbot> Error finding 'Sergey'. You can review and register nicknames at <http://www.w3.org/2001/tag/group/track/users>.
19:21:53 <wycats> ACTION Сергей to start fleshing out an API review document
19:21:53 <trackbot> Error finding 'Сергей'. You can review and register nicknames at <http://www.w3.org/2001/tag/group/track/users>.
19:22:07 <wycats> ACTION twirl to start fleshing out an API review document
19:22:08 <trackbot> Created ACTION-834 - Start fleshing out an api review document [on Сергей / Sergey Константинов / Konstantinov - due 2013-10-08].
19:23:04 <slightlyoff> Scribe: slightlyoff
19:24:00 <annevk> https://etherpad.mozilla.org/tagzipurls
19:24:01 <annevk> for notes
19:24:39 <slightlyoff> YK: consensus is that we need bundling for ES6 modules
19:25:05 <slightlyoff> YK: AVK came up with the idea that if you want to represent the file inside a zip, use the fragment identifier
19:25:18 <dka> Topic: Zip URLs
19:25:26 <slightlyoff> YK: ...but then AVK noted that there's an issue with it and we need to work it out.
19:26:04 <annevk> plinss: can you project http://wiki.whatwg.org/wiki/Zip#URLs maybe
19:26:08 <slightlyoff> YK: the platform uses fragments to navigate *inside* resources ( generally), but this now changes it to move fragments into part of the resource being identified
19:26:21 <slightlyoff> TBL: you shouldn't feel constrained to what HTML fragments do
19:26:28 <slightlyoff> YK: everyone's happy with fragment semantics
19:26:51 <slightlyoff> YK: when you're writing HTML that's RELATIVE to another file (say from a filesystem), it's easy:
19:26:58 <slightlyoff> YK: you do <a href="../thinger.html">
19:27:11 <slightlyoff> YK: now imagine the cluster of files lives inside a zip file
19:27:33 <slightlyoff> YK: it doesn't appear that ".." can be relative to something inside a fragment.
19:27:51 <slightlyoff> YK: the inclination was "surely this happened in XML...maybe that was solved"
19:28:05 <slightlyoff> HT: the media type defines the semantics of fragment identifiers
19:28:21 <slightlyoff> [ inaudible ]
19:29:00 <slightlyoff> AVK: if I get an HTML file with it's own media type, and now the question is "what's the URL of the document"?
19:29:10 <slightlyoff> AVK: is there an "outer URL/inner URL" boundary?
19:29:12 <dka> Noting we are also working on a capability URLs doc: https://github.com/w3ctag/capability-urls - and Yehuda and I have talked over lunch about a possibility of a "URL best practices for web applications" doc… Now we're discussing Zip URLs…
19:29:28 <slightlyoff> HT: this occurs in multipart-mime as well
19:29:56 <slightlyoff> TBL: now imagine an address space where you have fragments for things that are named by  bits of a fragment
19:30:10 <slightlyoff> HT: there's a base URI for the virtual installed location for the whole package
19:30:15 <dka> Also, see http://www.w3.org/2001/tag/doc/IdentifyingApplicationState for what the TAG has said previously on hash URIs in web app context.
19:30:28 <slightlyoff> HT: and relative URLs are relative to the package
19:30:54 <slightlyoff> YL: what about a Service Worker in the zip file that can do the resolution?
19:31:19 <slightlyoff> TBL: my suggestion was to use "/"
19:32:05 <slightlyoff> [ whiteboard example of <a href="../foo.html"> ] in a zipe with #foo.html and #bar.html
19:32:26 <slightlyoff> YK: so is the idea that there's a virtual URL?
19:32:36 <slightlyoff> AVK: yes, there's an internal addressing scheme
19:33:06 <slightlyoff> AVK: zip://..../bar.html
19:33:36 <slightlyoff> TBL: alternative design with different problems
19:33:56 <slightlyoff> TBL: http://..../foo.zip/somehting/a.html
19:34:08 <slightlyoff> AVK: how does this work?
19:34:23 <slightlyoff> TBL: 3xx redirect from the unresolveable URL to foo.zip
19:34:39 <slightlyoff> [ we need something that doesn't require server support ]
19:34:58 <slightlyoff> TBL: this has nice properties (natural URLs, etc.)
19:35:08 <slightlyoff> TBL: requires both server and client support
19:35:42 <slightlyoff> AVK : the problem with this is that we've learned that deploying anything at the HTTP layer is REALLY hard. Even CORS headers is a tall ask.
19:36:01 <slightlyoff> AVK: this is negotiation style...it's a lot harder
19:36:12 <slightlyoff> YK: it's trivial to do in rails
19:36:19 <slightlyoff> YK: you need to get it in apache
19:36:37 <slightlyoff> YK: in general we reject solutions that require .htaccess files
19:37:34 <slightlyoff> AVK: if we disregard fragment, and we disregard the redirect solution, the other ways to do it...
19:37:53 <slightlyoff> AVK: you can have nested URLs: outer URL with new scheme
19:37:57 <wycats> I am unwilling to disregard the fragment solution
19:38:23 <slightlyoff> AVK: there are some nasty problems; URLs are now a stack, zip urls require parsing changing, etc.
19:38:41 <slightlyoff> TBL: historically that sort of thing has gone down rather badly
19:38:55 <slightlyoff> TBL: you might have had "zip:" and then a URL encoded URL
19:39:22 <slightlyoff> AVK: [ notes that FF has "jar:" ]
19:39:35 <slightlyoff> AVK: the 4th solution is to have some sort of sub-path
19:39:42 <slightlyoff> AVK: some new sort of seaparator
19:40:00 <slightlyoff> AVK: I proposed "$sub=" which would be very unique
19:40:21 <slightlyoff> AVK: everything after "$sub=" is for local processing
19:40:42 <slightlyoff> AVK: it works for polyfilling too
19:41:19 <slightlyoff> YK: I think you should be able to use whatever rules you'd sub in for stuff after "$sub=" you can use in the hash soltuion
19:41:22 <slightlyoff> AVK: nooo....
19:41:38 <twirl> twirl has joined #tagmem
19:42:00 <slightlyoff> TBL: can I put slashes in the post "$sub=" area?
19:42:04 <slightlyoff> [ yes ]
19:42:18 <slightlyoff> HT: what about a generated URI for the contents?
19:42:39 <slightlyoff> YK: can you say that the fragment is part of the base URI for that scheme?
19:42:56 <slightlyoff> AVK: what scheme? there's no scheme for the fragment
19:43:28 <slightlyoff> [ discussion about the relativeness of the mimetypes and the address-bar duality ]
19:44:05 <slightlyoff> AVK: the "$sub=" only affects the URL parser
19:44:21 <slightlyoff> AVK: what the IETF specifies isn't what we have
19:44:32 <slightlyoff> AVK: "$" is illegal...it's reserved
19:44:43 <slightlyoff> YK: not use "$"?
19:44:51 <slightlyoff> AVK: people use illegal charachters = (
19:45:11 <slightlyoff> [ backing up ]
19:45:16 <slightlyoff> PL: what's the basic usecase?
19:45:48 <slightlyoff> PL: is it something that's always going to do processing on the client? or are we hoping for smart servers that can collaborate and send the right things?
19:46:17 <slightlyoff> TBL: when people put things on the web as zips, now we've closed them off
19:46:55 <slightlyoff> [ TBL articulates an example where the server might only want to send individual files, not the whole zip ]
19:47:16 <slightlyoff> [ discussion about server assistance and what gets sent to the server ]
19:48:11 <slightlyoff> PL: the reason I asked is that I can see utility for both versions
19:48:25 <slightlyoff> PL: we might want to do a verssion that supports both
19:48:40 <slightlyoff> PL: with combinations of smart/dumb clients/servers
19:48:54 <slightlyoff> YK: for a dumb server, you need to send the extra info in a separate header
19:49:01 <slightlyoff> PL: I'm suggesting HTTP extnsions
19:49:11 <slightlyoff> YK: you still need a new separator
19:49:20 <slightlyoff> PL: if that's our goal, it rules out fragments and new schemes
19:49:23 <wycats> I am warming to the % solution
19:49:36 <slightlyoff> HT: can I present a different solution?
19:49:55 <wycats> as a new URL separator that means "don't send this to the server, but it's part of the base URI" (and maybe the rest is sent in a header)
19:50:04 <slightlyoff> HT: suppose we start at the following point: somebody requests the package, and it's got the relevenat content-type.
19:50:43 <slightlyoff> HT: the client is going to get a directory listing and what you'll get in the URL bar is something with zip://example.com/package.zip/
19:50:53 <slightlyoff> (and you get a list of URLs in the bundle)
19:51:27 <slightlyoff> HT: zip://example.org/package.zip/foo.html
19:51:35 <slightlyoff> TBL: doesnt have enough information! No delimiter
19:52:06 <slightlyoff> HT: we said we want this to work: http://e...o/package.zip#foo.html
19:52:15 <slightlyoff> TBL: you don't know where to break it up
19:52:57 <slightlyoff> [ YK and AVK discuss the public/private URL merits ]
19:53:15 <slightlyoff> YK: I'm looking at the % solution: send only the base to the server
19:53:35 <slightlyoff> AVK: % isn't popular because you can't polyfill it. 400 on apache and issues on IE and IIS
19:53:51 <slightlyoff> AVK: naked "%" is interesting as it's an extension to URL parsing
19:54:01 <slightlyoff> AVK: nobody can be using it
19:54:19 <slightlyoff> YK: polyfilling is about what old *browsers*, not old servers do
19:54:24 <slightlyoff> YK: the fragment has the same problem
19:54:28 <slightlyoff> AVK: yes
19:54:42 <slightlyoff> [ discussion about how making it work in old clients ]
19:55:05 <slightlyoff> TBL: there's always been the problem that when you introduce a new mimetype, there's download vs. understand
19:55:35 <slightlyoff> YK: in the ideal world, the old browser would send the request and the server would have a chance to send the right file
19:55:54 <slightlyoff> YK: you could unpack the file on disk next to the real zip
19:56:29 <slightlyoff> AVK: we need a delimiter, and we need something so unique that it won't conflict in data URLs
19:56:32 <slightlyoff> (etc.)
19:56:38 <slightlyoff> YK: is that important?
19:56:43 <slightlyoff> AVK: useful for feature testing
19:56:47 <slightlyoff> YK: make a blob!
19:57:01 <slightlyoff> YK: we need to find a char that's supported by old browser
19:57:03 <slightlyoff> s
19:57:05 <Yves> See semicolon https://tools.ietf.org/html/rfc3986#section-3.3
19:57:24 <Yves> [[
19:57:24 <Yves> For
19:57:24 <Yves>    example, the semicolon (";") and equals ("=") reserved characters are
19:57:24 <Yves>    often used to delimit parameters and parameter values applicable to
19:57:25 <Yves>    that segment.
19:57:26 <Yves> ]]
19:57:33 <slightlyoff> TBL: old browser, new server...
19:57:57 <slightlyoff> YK: we could say the new semantics are "%", but that "$sub=" is equivalent
19:58:04 <slightlyoff> HT: what about "|"
19:58:30 <slightlyoff> [ can't use ';' ]
19:58:44 <slightlyoff> YK: need something illegal that no browser sends or doesn't occur in the corpus of the web
19:59:08 <annevk> Yves: ; and = work fine in URLs today
19:59:25 <annevk> Yves: people use = in the query string for sure
19:59:46 <slightlyoff> [ discussion about unpacking for compat ]
19:59:52 <slightlyoff> AVK: we need to require a mime type
20:00:08 <slightlyoff> AVK: otherwise sites that upload zip files become vulnerable to attacks
20:00:20 <Yves> something like /foo.zip;sub=root/blah.html would be usable, even illegal characters might be on the web today
20:00:30 <slightlyoff> AVK : if they host zip files which have HTML in it, no they are subject to XSS via the HTML inside the zips
20:00:41 <slightlyoff> PL: does zip content need to be a different origin?
20:00:43 <slightlyoff> YK: can't be
20:00:58 <slightlyoff> TBL: do you wnat to say within a site that some bits are different origins?
20:01:33 <slightlyoff> YK: polyfilling is an interesting constraint that can help us tie-break...so what's in tie?
20:01:37 <slightlyoff> YK: TBL hates "%"
20:01:56 <slightlyoff> AVK: "%!" would work, but you can't just have "%"
20:02:26 <slightlyoff> YK: so semantics are, [base]%![location in zip]
20:02:36 <slightlyoff> YK: the base is sent to the server
20:02:50 <slightlyoff> YK: and you send a new header with [location in zip]
20:03:10 <slightlyoff> PL: an old client w/ an old server, would pass the whole thing to the server and 404
20:03:22 <slightlyoff> PL: old client / new server might do the right thing
20:03:38 <slightlyoff> YK: the reason I want a different separator is that righ tnow we have 2 semantics : thing to be sent and thing to be reserved
20:03:48 <slightlyoff> YK: but it turns out you really want both
20:04:06 <slightlyoff> PL: what I like is that you send the second half in an additional header
20:04:16 <slightlyoff> TBL: why is "?...." weird?
20:04:25 <slightlyoff> AVK: it's the query string....
20:04:35 <slightlyoff> TBL: right, servers lop it off and send the zip file
20:05:05 <slightlyoff> [ discussion of servers throwing away stuff after "?" for static assets ]
20:05:19 <slightlyoff> YK: sort of works and is semantically reasonable....emperical question
20:05:34 <slightlyoff> YK: IRL, it already has these semantics
20:05:43 <slightlyoff> YK: how does ".." resolve with "?"?
20:05:50 <plinss> ‽
20:05:53 <slightlyoff> [ it jumps behind the "?" ]
20:06:06 <annevk> plinss: if only URLs were not bytes
20:06:09 <slightlyoff> TBL: my requirements are that I should be able to link within, without, and out with an abs URL
20:06:12 <dka> ¿
20:06:28 <slightlyoff> YK: "%!" is appealing
20:06:35 <slightlyoff> AR: what's the case aginst "%!"?
20:06:47 <slightlyoff> AVK: doesn't work in IE...IE doesn't parse the URL
20:06:55 <slightlyoff> YL: changing URL parsing on server is unpossible
20:07:03 <dka> ¶
20:07:14 <dka> ∑
20:07:15 <slightlyoff> AVK: most of the solutions require that sort of change
20:07:19 <annevk> bytes people, URLs are bytes
20:07:21 <plinss> ?!
20:07:30 <annevk> :-)
20:07:31 <dka> £
20:07:47 <annevk> http://example.org/zip^_^image.jpg
20:08:05 <slightlyoff> TBL: if I wasn't so enamoured with clean specs, what I'd do is send things, look for 404s, and then look for the zip on disk
20:08:19 <slightlyoff> AVK: "%!" fails the OldIE test
20:08:34 <slightlyoff> YK: what about "$!"?
20:09:04 <slightlyoff> [ discussion of ".." vs. "?" ]
20:09:22 <slightlyoff> Yves: +1
20:09:44 <slightlyoff> AVK: so this can't happen after the query string?
20:09:48 <slightlyoff> [ yes ]
20:09:50 <dka> q?
20:10:11 <slightlyoff> AVK: thre are downlod services that treat the full URL as the addres
20:10:24 <slightlyoff> [ relative URLs vs query strings ]
20:10:35 <slightlyoff> [ what about "$!" ? ]
20:10:41 <timbl> [ discussion of ".." vs. "?" ∀ values of ..]
20:10:59 <slightlyoff> AVK: haven't looked at that
20:11:09 <slightlyoff> YK: has to not fail on old IE
20:11:17 <slightlyoff> AVK: and has to work with data URLs?
20:11:23 <slightlyoff> YK: seems like a good tiebreaker?
20:11:37 <slightlyoff> AVK: at what level in the URL parser does this enter?
20:11:46 <slightlyoff> YK: URL parsers need to see it as part of the delimiter
20:12:02 <slightlyoff> [ data: questions ]
20:12:18 <slightlyoff> AVK: data: urls do have query strings
20:12:30 <slightlyoff> AVK: we could do that, but htne you don't get the zip out of it
20:13:00 <slightlyoff> AR: love that you're gonna be base64 encoding the zip ;-)
20:13:33 <slightlyoff> YK: turns out that the limits stick us with a new delimiter that works in old browsers...preferably not alphaneumeric
20:13:52 <slightlyoff> TBL: the architecture of URLs is that there are these chunks...
20:14:22 <slightlyoff> TBL: things that are being sent to various parties but not others...lots of stuff is built on this...and worried that this is new
20:14:53 <slightlyoff> YK: doesn't break infrastructure because new browsers won't be sending broken stuff into the wild and old browsers might, but that's the price for supporting them
20:15:20 <slightlyoff> YK: thought there was a binary choice between sending and not sending to the server, but it turns out there's a union option
20:15:33 <slightlyoff> YK: proposal is a new URL delimiter
20:15:46 <slightlyoff> YK: [before]$![after]
20:15:53 <slightlyoff> YK: [before] is sent to server
20:15:59 <slightlyoff> YK: [after] is sent in a new header
20:16:11 <slightlyoff> [ what about query strings? does it break 'em? ]
20:16:21 <slightlyoff> PL: should be part of the query string if it's going to break them
20:16:35 <marcosc> marcosc has joined #tagmem
20:16:47 <slightlyoff> [ discussion about ".." relative to "?" ]
20:17:36 <slightlyoff> [ polyfill case ]
20:17:48 <slightlyoff> YK: it really is a new semantic, so you actually need new syntax
20:17:57 <slightlyoff> HT: you're not gonna get it until HTTP 2
20:18:02 <slightlyoff> YK: why not? this is a client behavior
20:18:14 <slightlyoff> [ seems old browsers send "$" ]
20:18:24 <slightlyoff> (encoded or not?)
20:18:29 <slightlyoff> AVK: not encoded in gecko
20:19:03 <slightlyoff> YK: wanting somthing that's a delimiter and doesn't send stuff to the server, it means we need to change URLs
20:19:05 <slightlyoff> AR: agree
20:19:16 <slightlyoff> TBL: what about "/$/" ?
20:19:29 <slightlyoff> TBL: it'll 404 on an old server
20:19:43 <slightlyoff> YK: if it's not used on the web, seems fine
20:19:55 <slightlyoff> YK: do we agree on the shape of the solution?
20:20:15 <slightlyoff> HT: would like to see something that thinks about what it means to add contains to the ontology of client/server interaction
20:20:20 <slightlyoff> [ that's what this is ]
20:20:41 <slightlyoff> TBL: one of the things about having a "/" is that...if you have lots of icons, you could just 303 to the zipfile anyway
20:21:00 <slightlyoff> HT: I do want the nesting..and we're not going to get that = \
20:21:26 <slightlyoff> HT: I want a way to say I want you to start the whole resolution over again...mounting a zipfile as a filesystem analogy
20:21:36 <slightlyoff> YK: I thinks that's what this delimiter propsal does
20:21:45 <slightlyoff> TBL: you want the base URL to be somewhere else?
20:21:46 <slightlyoff> HT: yeah
20:23:00 <slightlyoff> YL: new clients will have separate logic for redirects inside zips...need to identify the main content of the file
20:23:10 <slightlyoff> (HALP, scribe error)
20:23:37 <slightlyoff> TBL: the whole tag is labouring under the burden of getting a change to apache...trying to get mimetypes added...etc.
20:23:51 <slightlyoff> TBL: apache doesn't change until IETF stability...then a long lag
20:24:01 <Yves> server http://www.example.com/foo.zip/bar.html return a CL ttp://www.example.com/foo.zip#bar.html, new clients will recognize that the "container" is a zip and fetch it for further resolution
20:24:11 <slightlyoff> TBL: it'd be nice to have a zip-aware apache module...
20:24:23 <slightlyoff> YK: I think that'll happen, but we should also support low-fideltiy modes
20:24:53 <slightlyoff> TBL: you could unwrap..
20:24:57 <slightlyoff> (inaudible)
20:25:27 <slightlyoff> HT: agree that this covers all teh viable proposals...the idea that you need a new delimiter
20:26:06 <slightlyoff> HT: a mechanism whereby a new syntactic signal strips a part of a URI and puts it in a header...that seems like the only thing that talks about nesting containers
20:26:26 <slightlyoff> DKA: what's the proposed TAG output?
20:26:30 <slightlyoff> [ none ]
20:26:34 <slightlyoff> DKA: are we sure?
20:26:45 <slightlyoff> DKA: a summary? a note?
20:26:46 <timbl> If you use a /$/  then 1) new clients can just fetch the zip & DTRT.  2) old clients will work if EITHER the server has been hacked to be smart and 303 to the zip file OR someone has unzipped the thing into a directory called $
20:26:48 <slightlyoff> YK: a note seems good
20:26:58 <slightlyoff> timbl: agree
20:27:20 <slightlyoff> [ agreement about a note ]
20:27:49 <timbl> s/timbl:/timbl,/
20:27:57 <slightlyoff> ACTION wycats draft a note regarding constraints and decisions regarding zip URLs
20:27:58 <trackbot> Created ACTION-835 - Draft a note regarding constraints and decisions regarding zip urls [on Yehuda Katz - due 2013-10-08].
20:28:18 <slightlyoff> q+
20:28:48 <timbl> If you use a /  then 1) new clients cannot just fetch the zip so they may have to use an algorithm on old servers, nut on a new server they get a 303  2) old clients will work if EITHER the server has been hacked to be smart and 303 to the zip file OR someone has unzipped the thing into a directory called $
20:28:55 <slightlyoff> AR: do these compose? is parsing specified as left-to-right?
20:28:58 <slightlyoff> YK: yes
20:29:27 <slightlyoff> PL: yes, it should just work
20:29:33 <slightlyoff> AVK: you need to repeat the delimiter
20:29:37 <slightlyoff> [ yes, of course ]
20:30:17 <slightlyoff> PL: one of the things I was considering...smart client and server let you compose arbitrary URLs with these deimilters and the server might be able to help you zip things up with arbitrary paths
20:30:42 <slightlyoff> PL: these delimiters should be equivalent to a slash for caching, etc.
20:30:48 <slightlyoff> TBL: that's why I like "/"
20:30:56 <slightlyoff> PL: right, but I need a way to signal that this one is special
20:31:26 <slightlyoff> TBL: analogus: instead of having a domain name in the wrong order, thought through inverting domain names... /org/example/...
20:31:39 <slightlyoff> TBL: would have been extra work, but nice for lots of reasons
20:31:48 <slightlyoff> TBL: would like this to be clean in that way
20:32:00 <slightlyoff> TBL: an appealing property
20:32:26 <slightlyoff> YK: the syntax isn't expressive enough to help smart server do the Right Thing (TM)
20:32:50 <slightlyoff> PL: the protocol about what sort of response I get from what sort of server needs to be specified
20:33:00 <slightlyoff> AVK: for now we don't need to do the server part
20:33:07 <slightlyoff> YK: we need to say that there's a header
20:33:19 <slightlyoff> HT: no 303 needed...it's a mediatype solution
20:33:33 <slightlyoff> YL: you need a container type
20:33:45 <timbl> s/TM)/™/
20:34:01 <slightlyoff> PL: if the server only sends one resource, it needs to send the right mimetype
20:34:47 <slightlyoff> [ discussion about navigating around inside a zip ]
20:35:13 <slightlyoff> HT: does apache give you header-based hooks?
20:35:23 <slightlyoff> PL: rewrite rule
20:36:00 <slightlyoff> HT: so a vanilla apache will work...don't need to rev the server to get this to work...a sysadmin can do this
20:36:43 <slightlyoff> TBL: right. There are 2 levels. The .htaccess level...not obvious how easy that is to make it work
20:37:01 <slightlyoff> TBL: can't look at the file tree since there isn't one
20:37:29 <slightlyoff> HT: uncovered a difference in media type expectations: does this work with any zipfile?
20:37:54 <slightlyoff> TBL: I'm hearing a requirement that zip files be usable without hassle
20:38:13 <slightlyoff> AVK: that was the plan but it's not clear we can do that security-wise
20:38:24 <slightlyoff> AVK: new problems...cache-manifest issue
20:38:51 <slightlyoff> AR: can we solve this with cors?
20:39:22 <slightlyoff> [ no, same-origin all the time ]
20:39:26 <slightlyoff> YK: need a new opt-in
20:40:26 <slightlyoff> SK: do we care about encrypted zip files?
20:40:33 <slightlyoff> [ maybe? ]
20:40:44 <slightlyoff> YK: what about the username/passwd URL features?
20:40:56 <slightlyoff> AVK: no, but we need to talk about the format...what do we support
20:41:13 <slightlyoff> AVK: and there is some ork on the fetch side about how long things  persist, are cached, etc.
20:41:45 <slightlyoff> AVK: [inaudible] pinning []
20:41:51 <slightlyoff> AR:? ?
20:41:59 <slightlyoff> AVK: you need to keep the zip alive for some amount of time
20:42:16 <slightlyoff> AVK: don't want to throw it away quickly
20:42:28 <slightlyoff> HT: what we're looking for is a "super slash"
20:42:50 <slightlyoff> HT: what we want it to mean is "this is something that redirects...to understand this you ahve to unpack to proceed"
20:42:52 <marcosc> marcosc has joined #tagmem
20:43:08 <slightlyoff> TBL: I prefer a clean hierarchy
20:43:20 <slightlyoff> TBL: "//" was a mistake
20:43:30 <slightlyoff> TBL: it shoudl have been /com/microsoft/.....
20:43:49 <slightlyoff> TBL: there's level-breaking here...things that aren't really hierarcies
20:44:25 <slightlyoff> HT: taht's what they're proposing...assimilating it to the notion of slash is reasonable...we can't use "/" as such....
20:46:55 <slightlyoff> [ missed it...sorry ]
20:47:05 <slightlyoff> HT: TBL is saying "/" will work
20:47:16 <slightlyoff> YK: you can't disambiguate
20:47:25 <slightlyoff> HT: how does the client know?
20:47:30 <slightlyoff> TBL: it gets a redirection
20:47:48 <slightlyoff> HT: example.org/foo.zip/index.html
20:48:56 <slightlyoff> [ discussion of 303 solution ]
20:49:07 <slightlyoff> TBL: pushing back...why not the server solution?
20:49:45 <slightlyoff> YK: in my dayjob, I do write servers, and while I'd love it for servers to be the answer, but it's not tennable
20:49:51 <slightlyoff> YK: e.g., github pages
20:49:54 <slightlyoff> TBL: a sad case
20:50:00 <slightlyoff> YK: millions of things on it!
20:50:35 <slightlyoff> AVK: shouldn't have taken mimetypes out of the body = (
20:50:57 <slightlyoff> [ argument about archeology ]
20:51:56 <slightlyoff> (whimsical debate about polyglot zip/html)
20:52:03 <slightlyoff> YK: what about the mimetype? sniffing?
20:52:16 <slightlyoff> AVK: sniffing doesn't support all file types
20:52:23 <annevk> http://fetch.spec.whatwg.org/#zip-resource-types
20:52:48 <slightlyoff> AVK: you can't sniff css, html, xml, ...
20:52:56 <slightlyoff> AVK: so you use the extension
20:55:01 <slightlyoff> AR: you need to not have a manifest...it imperils the streaming
20:55:54 <slightlyoff> YK: surprised and nervous about .png being different inside a zip file
20:56:02 <slightlyoff> YK: what if it's a GIF?
20:56:16 <slightlyoff> AVK: image rendering system ignores the mimetype already...no worries
20:56:33 <slightlyoff> YK: if you take a bunch of content and zip it up, want it to behave the same
20:56:47 <slightlyoff> YK: want the manifest to help me avoid weird behavior
20:56:59 <slightlyoff> AVK: we could, but I don't want to
20:58:11 <slightlyoff> AR: type comes through use
20:58:20 <slightlyoff> YK: existing content may be relying on the quirks
20:58:31 <slightlyoff> YK: and make break if you zip it up
20:58:47 <slightlyoff> TBL: the server could do a request to itself and bundle up responses
20:59:04 <slightlyoff> AVK: we should consider the complexity budget
20:59:11 <slightlyoff> YK: but we're adding a new thing...a new semantic
20:59:25 <slightlyoff> YK: the extension dominating is something we've never had before
20:59:34 <slightlyoff> YK: and this has new semantics
20:59:45 <slightlyoff> AVK: the alternative is a manifest
21:00:02 <slightlyoff> YK: these semantics are new
21:00:09 <slightlyoff> AVK: so is zip
21:00:17 <slightlyoff> AVK: sniffing is not sensible, it doesn't cover all bases
21:01:12 <slightlyoff> AR: what actually breaks?
21:01:43 <slightlyoff> AVK: pain text in an iframe...what should it do?
21:02:03 <slightlyoff> TBL: different behavior for same file at two locations
21:02:19 <annevk> SVG without a MIME type won't work in <img>
21:02:32 <slightlyoff> SK: we're losing content type and encoding and we can't detect the charset
21:02:36 <slightlyoff> AVK: you can
21:02:44 <slightlyoff> YK: we try hard, but it's not 100%
21:03:54 <slightlyoff> DKA: we have a system like this...widget
21:04:05 <slightlyoff> DKA: it has it's own URI spec for internal resources
21:04:13 <slightlyoff> HT: why aren't you using multi-part mime?
21:05:00 <slightlyoff> [ charset, text/plain discussion ]
21:05:49 <dka> Just for your bedtime reading, the Widget family of specifications: http://www.w3.org/2008/webapps/wiki/WidgetSpecs
21:05:55 <slightlyoff> thanks!
21:06:37 <dka> Widgets URI scheme: http://www.w3.org/TR/widgets-uri/
21:06:55 <ht> TBL: Whatever determines how the server would serve a document (wrt Content-type and charset) should also be what a server will include in a 'zip' file
21:08:46 <slightlyoff> AR: crazy idea: let service worker hve access to unzipping APIs and let it do this
21:09:21 <ht> AR, That works best if we take TBL's suggestion and just use /
21:09:28 <slightlyoff> TBL: similar problem in another space...serving some things up raw...tables in the data area
21:09:33 <slightlyoff> ht: true
21:10:01 <slightlyoff> TBL: and we mostly don't use FTP servers...we just use HTTP servers
21:10:24 <ht> s/ht: true/ht, true/
21:11:28 <slightlyoff> AR: what about subsetting? only a few mime types allowed
21:11:34 <slightlyoff> [ no ]
21:11:58 <slightlyoff> TBL: manifest is appealing because you can introduce new mime types on old servers
21:12:42 <slightlyoff> AR: perhaps zip won't work?
21:12:47 <slightlyoff> YK: not sure...
21:13:01 <slightlyoff> [ SVG and image ]
21:13:29 <slightlyoff> TBL: suppose we say the zip mimetype, there's this set of extensions that map to mime types
21:13:35 <ht> I hear two positions: No manifest, but some combination of sniffing and context-of-use will determine (most) media types, vs. manifest (at the beginning)
21:13:45 <slightlyoff> [ that's annevk's proposal ]
21:13:55 <slightlyoff> YK: you can't just zip things up
21:14:05 <slightlyoff> YK: now you have to put stuff in extensions
21:14:12 <slightlyoff> s/put stuff/fix/
21:14:24 <dka> q?
21:14:29 <slightlyoff> q-
21:14:45 <slightlyoff> [ discussion about constraint of zipping up a dir ]
21:15:11 <slightlyoff> [ we don't have locale to fall back on ]
21:15:34 <slightlyoff> AVK: I'm ok with a manifest...stuff that's not in the manifest will be application/octet-stram
21:15:38 <ht> Actually, it was revisiting the point wrt "zipping up a dir" that relative URIs should continue to work
21:15:43 <slightlyoff> YK: so css has to be in the manifest?
21:15:46 <slightlyoff> AVK: yes
21:16:21 <ht> W/o a manifest, no-one has come up with a way to guarantee charset
21:18:09 <slightlyoff> AR: nail in right-click argument's coffin: ordering for right-click case is likely tobe very bad, making things slow
21:18:21 <slightlyoff> AR: in that case, why not multipart mime?
21:18:24 <slightlyoff> YK: hrm....
21:18:42 <slightlyoff> YK: we need to arrrive at a format that lets us have multiple http documents with their headers
21:19:02 <slightlyoff> HT: you can zip a multipart mime file
21:20:12 <ht> or, as others seem to prefer, gzip
21:20:17 <slightlyoff> not sure why I try to participate
21:20:46 <dka> Another red herring for the fire: http://en.wikipedia.org/wiki/Web_ARChive
21:21:13 <dka> And another: http://en.wikipedia.org/wiki/Webarchive
21:21:22 <dka> One more: http://en.wikipedia.org/wiki/Mozilla_Archive_Format
21:21:29 <slightlyoff> I was going to say that it'd be really nice to have an API that deals in terms of WS Response objects and a map
21:21:49 <timbl> Due to the temporary shutdown of the federal government,
21:21:50 <timbl> the Library of Congress is closed to the public and researchers beginning October 1, 2013 until further notice.
21:22:41 <timbl> Who can keep a copy of the LoC in case the USG goes down?  Wikileaks?
21:22:50 <timbl> http://www.loc.gov/home2/shutdown-message.html
21:23:10 <ht> ar, what changes if you move 'down' to the HTTP Response layer?  What's better there?
21:23:40 <ht> I guess you get the Transfer Encoding vs. Charset Encoding distinction. . .
21:24:08 <slightlyoff> ht: I don't think a ton...except that we hve this nice API symmetry
21:25:28 <slightlyoff> AVK: now we need to define the format if we use multipart-mime
21:25:37 <slightlyoff> TBL: isn't there content-disposition?
21:28:15 <slightlyoff> [ lots of discussion about zipping, multipart mime...etc. ]
21:28:18 <ht> AR: I don't want to zip the imaages in a bundle
21:28:30 <slightlyoff> thanks ht
21:28:45 <slightlyoff> sorry for failing at the scribing
21:28:53 <ht> Various: multipart-mime allows that some parts are zipped, and some aren't -- use content-encoding: zip/gzip/...
21:28:55 <slightlyoff> calling for help in filling in the last 20 min
21:30:15 <dka> ajourned
21:30:21 <slightlyoff> \o/
21:30:24 <dka> rrsagent, make minutes
21:30:24 <RRSAgent> I have made the request to generate http://www.w3.org/2013/10/01-tagmem-minutes.html dka
21:32:38 <jrees> jrees has joined #tagmem
21:33:23 <annevk> annevk has joined #tagmem
23:02:19 <marcosc> marcosc has joined #tagmem
23:28:48 <marcosc> marcosc has joined #tagmem