05:47:42 RRSAgent has joined #web-bluetooth 05:47:42 logging to http://www.w3.org/2015/10/26-web-bluetooth-irc 05:48:46 rrsagent, make logs public 05:49:04 rrsagent, bookmark 05:49:04 See http://www.w3.org/2015/10/26-web-bluetooth-irc#T05-49-04 05:49:30 rrsagent, generate minutes 05:49:30 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html anssik 05:50:12 rrsagent, make minutes public 05:50:12 I'm logging. I don't understand 'make minutes public', anssik. Try /msg RRSAgent help 05:50:21 rrsagent, make logs public 05:51:11 Meeting: Web Bluetooth and Web NFC 05:51:20 rrsagent, generate minutes 05:51:20 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html anssik 05:51:51 Present+ Kenneth_Christiansen 05:52:03 Agenda: https://www.w3.org/wiki/TPAC/2015/ad-hoc-meetings#Web_Bluetooth_and_Web_NFC 05:53:16 rrsagent, generate minutes 05:53:16 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html anssik 05:58:09 aalfar has joined #web-bluetooth 05:58:14 timeless has joined #web-bluetooth 05:58:28 riju has joined #Web-bluetooth 05:58:50 RRSAgent, draft minutes 05:58:50 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html timeless 05:59:08 chair: jyasskin 05:59:10 riju has joined #web-bluetooth 05:59:43 jyasskin has changed the topic to: Web NFC and Web Bluetooth discussion 05:59:50 topic: Web Bluetooth 06:00:02 RRSAgent, draft minutes 06:00:02 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html timeless 06:00:24 present+ timeless, jyasskin, anssik, dom, kenneth_ 06:00:33 Some links: https://www.youtube.com/watch?v=tRMcMDIyIGQ, https://googlechrome.github.io/samples/web-bluetooth/, https://play.google.com/store/apps/details?id=io.github.webbluetoothcg.bletestperipheral 06:00:35 present+ aalfar 06:00:43 present+ riju 06:01:31 present+ jonathanj 06:02:43 brsun has joined #web-bluetooth 06:02:46 jocelyn has joined #web-bluetooth 06:02:51 present+ jungkee 06:02:57 present+ jocelyn 06:04:25 jungkees has joined #web-bluetooth 06:04:31 JonathanJ has joined #web-bluetooth 06:05:23 tomoyuki has joined #web-bluetooth 06:05:29 i|Some links|-> https://www.youtube.com/watch?v=tRMcMDIyIGQ Web Bluetooth API: Grumpy goes flying| 06:05:53 i|Some links|-> https://googlechrome.github.io/samples/web-bluetooth/ Web Bluetooth Samples 06:06:00 mfoltzgoogle has joined #web-bluetooth 06:06:13 jyasskin: for Bluetooth, I wanted to talk about the spec and show what we have in Google Android 06:06:22 ... get everything aired, make sure everyone is on the same page 06:06:34 [ Spec ] 06:06:44 jyasskin: it goes through the security issues, 06:06:59 ... talks about how you can access and discover devices 06:07:10 [ Security ] 06:07:26 jyasskin: first question that everyone should ask when we offer to give Web Sites access to devices is "how to make that safe" 06:07:38 ... the first thing is to give the user a chooser to let users choose what devices to have access to 06:07:47 ... gets user attention, and gives much more limited scope 06:07:55 ... we also only allow this API for https: content 06:08:01 [ Attacks ] 06:08:10 jyasskin: we worry about web pages getting access to sensitive data 06:08:17 jyasskin: we worry about web pages attacking sensitive devices 06:08:26 ... we only allow access to the GATT protocol 06:08:43 dom has joined #web-bluetooth 06:08:49 q+ 06:08:54 ... Bluetooth is divided into Classic (2.1/3) and LE (4+) 06:09:00 present+ mfoltzgoogle 06:09:39 ... there's a new protocol for LE called GATT: Generic Attribute Profile 06:09:53 ... we in Chrome only initially support BT LE (4+) 06:10:36 dom: so there is nothing in the spec that prevents it to work on classic bluetooth as long as it's on top of GATT 06:10:43 https://webbluetoothcg.github.io/web-bluetooth/#gatt-interaction 06:11:08 jyasskin: if people want me to cover GATT, I can do that now 06:11:22 ... the reason GATT expands to GATT is it's Generic + ATTribute 06:11:39 ... GATT defines a hierarchy of Services, Characteristics, Descriptors 06:11:44 ... each device has a list of Services 06:11:57 ... any semantic thing will be a service 06:12:11 ... I don't think any devices have "included services" 06:12:20 ... a characteristic has a bytestream value and a list of descriptors 06:12:46 ... characteristics could be "heartbeat measurement", "latitude", "longitude" 06:12:53 ... there's a characteristic for subscribing 06:13:27 s/characteristic/descriptor/ 06:13:56 ... Services, Included Services, Characterstics, and Descriptors all four have UUID types identifying them 06:14:06 ... one of the Descriptor types is the method for subscribing to notifications 06:14:20 ... we expose the notion of subscribing to notifications, rather than the descriptor 06:14:46 [ Security ] 06:14:58 jyasskin: because most GATTs are short values, it's easier to write a parser 06:15:06 ... we expect there will be fewer attacks 06:15:14 ... every Bluetooth device is open to the air 06:15:18 ... everyone can attack it 06:15:21 https://developer.bluetooth.org/gatt/Pages/GATT-Specification-Documents.aspx 06:15:51 Josh_Soref: is it true that they're hardened or is it hand waiving? 06:15:56 jyasskin: it's hand waiving 06:16:04 jyasskin: it's possible to identify devices 06:16:17 ... each device has an address, either immutable, or changeable 06:16:30 ... to avoid identifying devices, we don't expose the device address 06:16:38 ... it's still possible for a device to leak its identity 06:17:05 dom: a device could be part of the attack? 06:17:13 Josh_Soref: or it could be poorly implemented and leak itself 06:17:37 QQQ: can you connect to a specific device by ID? 06:17:47 jyasskin: no, the user has to choose the device from the picker 06:17:56 ... you could forcibly filter by criteria 06:18:18 ... this mitigates a piece of the privacy risk (by not exposing MAC addresses) 06:18:24 [ Discovery ] 06:18:35 jyasskin: you call requestDevice(/* filters */) 06:18:44 ... currently the spec only provides filters by UUID 06:18:54 ... looking at devices, many don't advertise services 06:18:58 ... some only provide names 06:19:07 ... we're also looking at manufacturer name 06:19:14 ... so the filter will soon include those two fields 06:19:24 dom: does that increase the fingerprinting surface? 06:19:29 jyasskin: it does 06:19:38 ... manufacturing name is key-value pairs 06:19:52 ... all iBeacons broadcast the same name in Apple's namespace 06:19:57 ... and none of this is particular devices 06:20:04 Travis: what's the end result? 06:20:20 jyasskin: the browser will filter nearby devices to matching devices and then show the user a list of nearby matching devices 06:21:18 Josh_Soref: does the UI favor/highlight paired devices? 06:21:22 jyasskin: not today 06:21:38 ... let me show you Google Chrome Dev with its select 06:21:43 ... any M device supports this 06:21:51 ... I can walk around 06:22:02 ... here I'm saying get battery service, and it shows a list of devices that are nearby 06:22:25 ... right now, we show paired + discovered (thus a device will be shown twice) 06:25:08 Josh_Soref: do users really understand that pairing fully exposes everything? 06:25:43 jyasskin: we're trusting that users will understand that pairing is dangerous 06:25:54 dka: the model is origin limited per device, right? 06:25:57 jyasskin: yes 06:26:57 dka: e.g. individually pairing Skype.com vs. Hangouts would be distinct pairings? 06:26:59 jyasskin: ys 06:27:12 Josh_Soref: but if I pair Skype.com and then use Outlook.com it might work? 06:27:28 jyasskin: it currently only allows top level windows 06:27:33 ... but we need to look at iframes 06:27:40 anssik: how did Geolocation solve this? 06:27:42 dom: they didn't 06:27:47 ... I did a review 06:27:55 ... none deferred based on top level or not 06:28:09 anssik: I think it's a good idea to take a decision, or limit to top level 06:28:30 anssik: perhaps we could ask TAG 06:28:32 jyasskin: there's a proposal for a top level attribute 06:28:41 anssik: it's used for full-screen 06:28:45 dka: is there an issue? 06:28:58 ... I could open an issue in our repo to comment on this issue 06:29:05 https://github.com/WebBluetoothCG/web-bluetooth/issues/57 ? 06:29:09 jungkees: isn't this the space where secure-contexts come in 06:29:14 https://github.com/WebBluetoothCG/web-bluetooth/issues/57 mentions iframe at least 06:29:17 ... don't allow anything in non-secure contexts 06:29:28 jyasskin: we're talking about more restrictions on top of that 06:29:36 ... it already has to be a secure-context 06:29:57 mfoltzgoogle: in some of these device apis, it's challenging for there to be a human readable description 06:30:07 ... what is there for human readable? 06:30:22 jyasskin: we've punted on service descriptions, since it requires a registry of names 06:30:28 mfoltzgoogle: does BTLE have a registry? 06:30:30 jyasskin: no 06:30:34 ... if they did, we'd use it 06:30:37 q+ to ask about re-pairing 06:30:44 ... for device names, we use the device name 06:30:52 ... some don't even have names at all 06:31:00 ... we could use the BT MAC 06:31:08 ... we could specify that the device name is empty 06:31:26 ... there's also an escape hatch in the spec to allow the UA to show non matching devices 06:31:29 wonsuk_ has joined #web-bluetooth 06:31:31 ... Chrome currently doesn't 06:31:38 dom: does that have security implications? 06:32:01 Josh_Soref: the user there has to choose to shoot themselves in their foot? 06:32:10 dom: if you promise people money 06:32:25 jyasskin: if the web site wants the user to pick a particular device, they can filter for that device 06:32:37 ... if the user picks a device that doesn't have a matching service, they'll find the service isn't present 06:32:50 ... the expected service won't be there, a rejected promise, and the page won't work 06:32:56 dom: does it require a user interaction? 06:33:04 jyasskin: i'm using can-show-a-popup from HTML 06:33:18 dom: does that allow easily to repair with the same device? 06:33:46 jyasskin: i have an issue to find the devices you've selected in the past 06:33:59 ... the security model is, if you pair w/ a device, it's yours until you unpair it 06:34:07 ... there's no way to get those devices 06:34:17 dom: for users, you'd have a per-origin-id 06:34:26 jyasskin: and you'd get a list of devices you've been paired 06:35:21 Josh_Soref: I'd favor having the UA manage the memory instead of the App 06:35:31 jyasskin: our security people asked users what they expect 06:35:38 ... users expect permission pairing to last forever 06:35:51 ... a demo we have is a set of juggling balls 06:36:03 ... we're currently missing the api to request multiple 06:36:14 ... and there's no way to know if you've already paired one 06:36:24 ... i think the web site should be able to present its own UI 06:36:32 ... and the UA should be able to identify which ones you've paired 06:36:47 ... the web page could call it multiple times 06:36:53 anssik: for enumerateDevice() 06:37:13 dom: with enumerateDevices() you get the full list of available devices on the platform, with an ID for getUserMedia() 06:37:46 ... depending on the browser, typically, in chrome, once you're granted access to a microphone on an https origin, that applies to all microphones for that origin 06:37:53 Travis: are uuids hard coded into devices 06:38:04 jyasskin: yes, service uuids are kind of protocols, so uuids identify protocols 06:38:25 ... uuid is what it's called in Bluetooth, everyone expects it to be that 06:38:54 [ BluetoothGATTService ] 06:39:04 jyasskin: someone suggested that UUID uuid should be `type` 06:39:53 ... if we were designing from scratch, we would do this 06:40:13 Travis: we should be designing for the future 06:40:27 Josh_Soref: WebGL made mistakes like this, can we avoid this? 06:40:36 Travis: for the record, WebGL 2 is redesigning for this 06:40:58 mfoltzgoogle: how feasible would it be to add origin lists for devices? 06:41:09 jyasskin: I've gone to the BT SIG and tried to start that conversation 06:41:20 ... i'm confident we should do that through them rather than starting here 06:41:24 ... they weren't very receptive 06:41:30 ... it's not clear that they were very receptive 06:41:42 ... not clear if we haven't explained it well, and not sure if they understand 06:41:57 ... basic idea would be to allow device to advertise which origins which origins it's willing to talk to it 06:42:02 ... and tell it which origin is talking to it 06:42:11 ... and if multiple tabs spoke to it, we'd have to switch modes with it 06:42:17 ... useful for the web model 06:42:23 ... safe enough to do that as an opt in thing 06:42:33 ... always have to deal w/ devices that don't advertise that service 06:42:40 ... safe enough to allow devices to talk to that 06:42:56 ... and then as we talk to devices, some manufacturers will talk to SIG 06:43:02 ... also useful for native devices 06:43:16 ... you pair devices to phone, but you have multiple native apps, some safer than others 06:43:20 q+ 06:43:28 dom: what's youre relationship w/ sig? 06:43:33 s/youre/your/ 06:43:41 jyasskin: Google is part of the sig 06:43:50 ... the CG isn't 06:43:59 dom: a few years ago, we had a call with the sig 06:44:04 jyasskin: i don't know 06:44:12 ... I don't know if the CG could be part of the sig 06:44:22 dom: thinking a liaison between W3C and BT SIG 06:44:31 dka: i could see where that would be useful 06:44:39 ... get people in BT SIG talking about work going on here 06:44:47 ... what's going on w/ W3C API 06:44:56 jyasskin: it would be useful to have an official liaison 06:45:11 ... BT SIG has an Internet WG, for a router for GATT traffic, totally insecure 06:45:28 ... it would help them to have communication w/ web people, help us to have communication w/ them 06:45:33 ... i don't have the bandwidth to be that 06:45:38 dom: part of a broader conversation 06:45:49 ... about Web BT CG wants to move forward 06:45:50 mfoltzgoogle has joined #web-bluetooth 06:46:00 ... I don't think W3C could offer a Liaison for a CG 06:46:13 q- mfoltzgoogle 06:46:19 ack me 06:46:19 dom, you wanted to ask about re-pairing 06:46:21 q+ mfoltzgoogle 06:46:31 q? 06:46:35 ack timeless 06:46:48 akeranen has joined #web-bluetooth 06:47:59 Josh_Soref: I'm concerned, I buy a product, I expect to be able to use my device w/ an app of my choice, not just the broken one from my vendor 06:48:08 jyasskin: we'd like to support CORS 06:48:21 ajitomi_ has joined #web-bluetooth 06:48:22 dom: there are discussions on a hardware WG to access SE 06:48:39 ... the question of SE has whether should only connect to some origin 06:48:48 ... if the hardware guys align with the web origin model 06:49:05 jyasskin: we've been talking with Ryan Slevi 06:49:24 ... main argument for more access to BT than hardware is that BT is exposed to random radio waves 06:49:29 ... with BT LE, a lot of people aren't pairing 06:49:40 ... fitbit doesn't do BT pairing, they have their own encryption system 06:49:43 hito has joined #web-bluetooth 06:49:47 ... I haven't done the survey to make this rigorous 06:49:57 ... manufacturers are doing security w/o relying on pairing 06:50:07 dom: i thought encryption in LE was quite weak 06:50:19 jyasskin: in 4.2 it gets better, in 4.0 it's quite weak 06:50:28 ... another reason manufacturers are routing around it 06:50:39 [ BluetoothDevice ] 06:50:54 jyasskin: a BT Device has properties, vendor, ... 06:51:05 ... some are redundant with particular gat service 06:51:21 ... we have a gatt server: connnectGatt() 06:51:30 ... perhaps in some cases you don't need that (advertising?) 06:51:39 [ BluetoothGATTRemoteServer ] 06:51:45 jyasskin: this has a list of services 06:51:53 ... you query one at a time, or get all of a set 06:52:03 [ BluetoothGATTService ] 06:52:20 dom: when you gain access to a device, you get access to all services 06:52:38 jyasskin: when you call requestDevice(), you're limited to the services you asked for 06:52:57 dom: then why were you ... 06:53:10 jyasskin: we're thinking TAG 06:53:13 Josh_Soref: IANA? 06:53:25 jyasskin: the people writing the spec will probably end up designing the registry 06:53:36 ... it's tricky, there's reason to lie on the registry 06:54:05 dom: that's a way to access? 06:54:12 jyasskin: currently we have a blacklist of services, it's in github 06:54:17 ... we'd prefer a whitelist 06:54:26 ... but we'd have to be pretty permissive to let people add themselves 06:54:33 ... risk that an attacker adds a service to the whitelist 06:54:38 ... no good way of vetting 06:55:07 https://github.com/WebBluetoothCG/registries/blob/master/gatt_blacklist.txt 06:55:29 dom: you're importing this into Google Chrome? 06:55:36 jyasskin: not yet, we plan to update dynamically 06:55:46 ... get that recognized in all browsers fairly quickly 06:56:24 Josh_Soref: how do you defend against attackers who block content? 06:56:42 jyasskin: we need them to have clean access to the web fairly regularly 06:56:58 ... if you're not able to update your browser periodically, the attacker can exploit your browser 06:57:07 mfoltzgoogle: the UC in your example of pairing your wearable/heartbeat device 06:57:14 ... seems like a good fit for ServiceWorker 06:57:24 ... you don't support Transferable 06:57:43 jyasskin: we don't have the permission model for permission access to background 06:57:52 mfoltzgoogle: i'm confused 06:58:07 jyasskin: users expect that things are accessible while they're using an app 06:58:15 ... that's not true on Android 06:58:21 dom: it's better on iOS? 06:58:42 jyasskin: yes, iOS changed, it will ask you later if you "were aware that it was getting your info in the background" 06:58:42 ShaneM has joined #web-bluetooth 06:58:52 anssik: do you want to go over issues? 06:59:03 jyasskin: i think the free-form discussion has been good 06:59:12 ... I can also show a video 06:59:18 RRSAgent, draft minutes 06:59:18 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html timeless 06:59:28 https://www.youtube.com/watch?v=tRMcMDIyIGQ 06:59:38 present+ ShaneM 06:59:45 dka has joined #web-bluetooth 06:59:51 present+ Dan Appelquist 07:00:35 present+ Ari_Keranen 07:00:52 present+ brsun 07:01:31 i|Some links|-> https://play.google.com/store/apps/details?id=io.github.webbluetoothcg.bletestperipheral https://play.google.com/store/apps/details?id=io.github.webbluetoothcg.bletestperipheral 07:02:26 rrsagent, draft minutes 07:02:26 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html timeless 07:03:30 s|Some links: https://www.youtube.com/watch?v=tRMcMDIyIGQ, https://googlechrome.github.io/samples/web-bluetooth/, https://play.google.com/store/apps/details?id=io.github.webbluetoothcg.bletestperipheral| 07:04:36 s|https://play.google.com/store/apps/details?id=io.github.webbluetoothcg.bletestperipheral|BLE Peripheral Simulator 07:04:46 rrsagent, draft minutes 07:04:46 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html timeless 07:05:24 q+ 07:06:07 i|[ Spec ]|topic: Web Bluetooth specification 07:06:10 i|[ Spec ]|-> https://webbluetoothcg.github.io/web-bluetooth/ Web Bluetooth 07:07:33 i|[ Security ]|topic: Web Bluetooth security 07:07:38 i|[ Security ]|-> https://webbluetoothcg.github.io/web-bluetooth/#security-and-privacy Security and privacy considerations 07:15:11 dka has joined #web-bluetooth 07:19:26 jyasskin has joined #web-bluetooth 07:20:09 i|[ Security ]|topic: Web Bluetooth Attacks on devices 07:20:12 mfoltzgoogle has joined #web-bluetooth 07:20:17 s/topic: Web Bluetooth Attacks on devices// 07:20:29 i|[ Attacks ]|topic: Web Bluetooth Attacks on devices 07:21:01 i|[ Attacks ]|-> https://webbluetoothcg.github.io/web-bluetooth/#attacks-on-devices Attacks on devices 07:21:28 ShaneM has joined #web-bluetooth 07:21:37 dka: Physical Web? 07:21:47 topic: Web Bluetooth General Roadmap 07:22:05 jyasskin: you can't implement the physical web scanner in the current api 07:22:27 ... I filed a TAG issue ... the notion of a referring device 07:22:37 ... both NFC and Bluetooth and USB could open a web page in response to a device 07:22:48 ... if the user has chosen to open a web page, they shouldn't get a redundant device 07:22:56 ... there should be a way to say "here's the device that opened you" 07:23:09 ... initially we could have a Navigator.requestingDevice... 07:23:21 ... user clicks the device in their list, web page opens, and can communicate with the device 07:23:23 dka: interesting 07:23:27 jyasskin: roadmap... 07:23:30 ... scanning 07:23:41 tomoyuki has joined #web-bluetooth 07:23:42 ... - being able to figure out what devices are nearby, we have an idea for how to do that permision 07:23:49 s/mision/mission/ 07:23:56 ... - upgrading from scanned to permission 07:24:02 riju has joined #web-bluetooth 07:24:04 ... background -- from a ServiceWorker 07:24:18 ... acting as a Bluetooth peripheral, possibly over the classic protocol 07:24:40 Josh_Soref: why do you care about Classic v. LE 07:25:06 jyasskin: sorry, I meant: 07:25:12 ... acting as a Bluetooth peripheral 07:25:23 ... separately: acting as a Bluetooth classic peripheral 07:25:33 ... we'll do these after we do the easier pieces 07:25:38 ajitomi has joined #web-bluetooth 07:25:41 dka: the issue around physical web, i didn't understand that flow 07:25:46 ... is that part of the normal ideas? 07:25:56 ... my understanding was you'd have a BTLE advertising a URL 07:26:14 ... once you start a thing, you open a url, you're done w/ the device 07:26:24 ... but you're imagining the web page to maintain a connection to the device 07:26:26 jyasskin: yes 07:26:30 ... imagine the happy meal toy 07:26:38 ... a turtle w/ a couple of LEDs and can play a bit of audio 07:26:44 ... it advertises a physical web url 07:26:52 ... it has BT but not Cell/WiFi 07:27:01 ... the web page has "be happy"/"be sad"/"be green" 07:27:08 ... you control your happy meal toy from your phone 07:27:23 dom: the assumption is that clicking the url gives you permission to interact with the device 07:27:41 jyasskin: security is that clicking it has established something to communicate with it 07:27:49 ... but it's a physical web device, it's granting its concent 07:28:11 Josh_Soref: what's the range of physical web 07:28:37 jyasskin: 100ft 07:28:42 ... range is pretty far 07:28:53 s/100ft/100m/ 07:28:53 Zoltan has joined #web-bluetooth 07:29:28 Josh_Soref: i'm worried about devices 07:29:57 jyasskin: you can build the antenna and attack 07:30:24 shayne: are devices identical? 07:30:35 jyasskin: it's possible to make several chips that are truely identical 07:30:38 ... but two probably couldn 07:30:42 s/... but two probably couldn// 07:30:49 ... but two probably couldn't coexist near eachother 07:31:06 jocelyn: you mentioned act as a sever 07:31:11 s/sever/server 07:31:14 jyasskin: you guys have that 07:31:27 ... there's advertise and act as a server 07:31:37 ... a physical web beacon only needs to advertise, it doesn't need to serve 07:31:43 dom: for standardization 07:31:53 ... have you made any progress on moving to a WG? 07:32:00 jyasskin: i don't think anyone objects to moving to a WG 07:32:06 ... we're about to have a second implementation 07:32:10 ... Chrome isn't finished 07:32:18 ... I think we'd be totally happy going to a WG 07:32:23 dom: DAP is rechartering 07:32:30 ... I guess you'd rather be in Web Platform 07:32:34 jyasskin: I think so 07:32:40 dom: Web Platform just rechartered 07:32:56 jyasskin: we should get on their queue for getting in 07:33:11 Travis: they have a process for pulling things in, and the charter is only one year 07:33:20 jyasskin: I'm not the whole CG, but I think a lot of it is here 07:33:26 ... does anyone think we should stay as a CG? 07:33:27 zkis has joined #web-bluetooth 07:33:33 dka: I'd hope to see implementations out there 07:33:39 present+ zkis 07:34:05 dka: I'd hate to see people slowing down their implementation based on "oh wait, it'll be a WG, we should wait for LC" 07:34:23 anssik: I think we should be able to Fast Track, it's better than FPWD 07:34:33 dom: moving to WG is better than being effective CR 07:34:42 dka: the controversy around the TPAC App 07:34:55 ... giving everyone connected with this, some additional justification for making this happen 07:35:02 ... remove technical barriers 07:35:13 jyasskin: I think they want the scanning api 07:35:35 dka: features like these are what people in native app community point to 07:35:41 ... we don't have this, we don't have that 07:35:49 ... message needs to be, we have this or it's coming 07:35:59 jyasskin: I don't think moving to a WG is going to slow anything down 07:36:09 Josh_Soref: people mentioned beacons 07:36:32 jyasskin: a subsequent version of this standard should support scanning for beacons 07:36:48 dka: Chrome on Android and iOS can scan/notify you about physical web beacons 07:36:56 ... that's different from advertising beacons 07:37:19 mfoltzgoogle: for physical web UC, do you anticipate the platform to discover, and then launch a web app prepared w/ this 07:37:36 ... if you support that w/ presentation api, your api changes, from scanning to allow UA to present a Promise 07:37:47 jyasskin: hook in this API is navigator.bluetooth.requestingDevice 07:37:57 ... tells you what caused your page to load, like "referrer" 07:38:02 ... no need for an event 07:38:09 dom: do you have that in presentation API? 07:38:26 mfoltzgoogle: presentation doesn't, but it has an event "your page is connected to a presentation" 07:38:29 anssik: it's a boolean 07:38:36 ... you have screens, or you don't 07:38:39 ... a precheck 07:38:50 JonathanJ3 has joined #web-bluetooth 07:38:53 ... join our meeting Th/Fr to discuss more 07:39:11 mfoltzgoogle: a web developer to use this has to have pretty intimate knowledge of exact attributes exposed by a service 07:39:28 minami has joined #web-bluetooth 07:39:30 ... is it consistent enough across manufacturers, do you expect people to use it directly or wrap? 07:39:39 riju has joined #web-bluetooth 07:39:41 jyasskin: i think both, I think people will use libraries to abstract it 07:39:52 ... our developer relations person has built web components that abstract it 07:39:58 ... there will be libraries 07:40:13 ... when two manufacturers expose the same data with different services 07:40:26 ... requestDevice() allows that, you can allow a list of services or'd 07:40:39 JonathanJ3: do you need anything for 4.2? 07:40:47 jyasskin: we don't think there's anything extra you need? 07:40:58 ... there's the beginning of a stream for tethering, we're not doing that yet 07:41:04 ... the rest would be underneath 07:41:10 topic: Web NFC 07:42:25 s/chair: jyasskin/chair: jyasskin, anssik 07:42:35 anssik: plan was to go through TAG feedback 07:42:40 ... valuable concrete proposals 07:42:44 ... thanks Travis for the feedback 07:42:52 ... we can start w/ a quick overview of the spec 07:43:01 ... only a handful of people have seen the spec 07:43:14 topic: Web NFC Spec 07:43:14 https://w3c.github.io/web-nfc/ 07:43:35 kenneth_: idea is to expose NFC functionality to web developers 07:43:40 ... in a web friendly fashion 07:43:46 ... not doing everything you can do w/ NFC 07:43:51 ... we looked at NDEF 07:44:02 ... write tag (image, json, text), and read that back 07:44:05 ... basic UC 07:44:15 anssik: does everyone here know what NFC is? 07:45:03 kenneth_: first spec ver is reading/writing data to passive tags 07:45:23 ... then passing (one off) data to another phone 07:46:32 shalamov has joined #web-bluetooth 07:46:36 RRSAgent, draft minutes 07:46:36 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html timeless 07:47:15 present+ shalamov 07:48:16 [ Demo ] 07:48:26 anssik: there was a NFC UC demod by riju reading/writing tags 07:48:37 ... another is pushing data between active devices (mobile devices) 07:48:45 ... another is handover to another wireless connection type 07:48:51 ... nfc->BT/WiFi 07:48:54 ... payment 07:49:07 kenneth_: we haven't looked at those UCs 07:49:12 dom: the api doesn't cover that 07:49:26 kenneth_: the api covers reading, writing, pushing data to a peer 07:49:50 [ NFCSecure ] 07:50:10 kenneth_: when we started looking at WebNFC, the idea was that it should be easy to use, and not have prompts 07:50:23 ... when we looked at NFC, we said that it should write the domain and path 07:50:39 dom: there have been a number of discussions on whether origin should be complete 07:50:49 ... i wonder if by doing this here, you're hitting one of the reasons 07:51:04 kenneth_: by using the path, when you listen to message, you give a path with wildcards 07:51:16 anssik: host on w3c.github.io 07:51:22 ... you have per directory/per path separation 07:51:41 kenneth_: NFC is inherently not very secure 07:51:52 ... like writing on a piece of paper and putting it in their home 07:52:04 ... if someone writes it w/ web, they could read+write it w/ native app 07:52:16 ... if you want to make it secure, you have to use certificates or similar on top of it 07:52:20 [ NFCAPI ] 07:52:46 anssik: navigator.nfc (being discussed) 07:52:57 ... .requestAdapter() 07:53:03 ... we got feedback on that 07:53:07 Josh_Soref: i'd object to that name 07:53:18 anssik: NFCAdapter 07:53:38 kenneth_: .watch() -- subscribe to what you want to listen for 07:53:43 ... .pushMessage() where you send to a tag 07:53:50 ... they're all Promise based 07:54:01 ... there's also a cancel, because Promises don't have cancelable yet 07:54:23 anssik: url, 07:54:32 ... there's kind + type, those aren't very clear 07:54:50 dom: limited to your domain 07:55:04 kenneth_: if you want to opt into reading non origin bound (legacy), you can 07:55:12 anssik: NFCRecord 07:55:27 Travis: is there a practical limit on tags? 07:55:33 kenneth_: some 4MB, some 50k 07:55:40 ... it would reject a promise if it doesn't fit 07:55:53 anssik: NFCRecord is what's recorded in the tag 07:56:42 kenneth_: there's something called "MyFair" (Phillips) 07:56:52 ... the 4 types are basically company specific 07:56:57 MiFare 07:57:07 dom: it gives you a range 07:57:13 s/MyFair/MiFare 07:57:43 Travis: no reason to have an api to ask for space available 07:58:47 kenneth_: to access some of the storage on some of these types 07:58:53 ... there are extra protocols 07:58:57 ... we haven't looked at exposing that 07:59:05 ... from what i've heard, it's very complex 07:59:12 anssik: we're abstracting all that out 07:59:22 dom: isn't that an interop nightmare? 07:59:31 anssik: if you target the types defined in NFC forum 07:59:58 ... I think we're missing that normative reference to the NFC spec 08:00:11 ... we wanted to set the bar based on what's out there 08:00:22 ... common ground based on available implementations 08:00:35 riju: the demo for this app was 137bytes, using nfc-type-2 08:01:17 dom: why do you need the promise for watch? 08:01:32 kenneth_: the reason is for how to deal w/ permissions and exceptions 08:01:41 anssik: return something, and user rejects ? -- permission 08:01:56 kenneth_: well "UAs 'could' implement a permission prompt" 08:03:13 anssik: `obtain watch permission` 08:04:01 jyasskin: we've had disagreement between sicking and slightlyoff on this 08:04:40 anssik: for forward compatibility reasons, we want to return a Promise 08:04:47 ... even if it isn't really necessary today 08:05:02 q? 08:05:09 ack mfoltzgoogle 08:05:23 mfoltzgoogle: NFCMessage encapsulates multiple records instead of an NFCMessage? 08:05:28 anssik: that was TAG Feedback 08:05:38 mfoltzgoogle: this seems fairly different from other apis 08:05:39 NFCMessage is multiple records 08:05:46 ... perhaps Streams API? 08:05:59 anssik: I think Streams developed after this API was developed 08:06:09 ... we decided we wouldn't make progress if we blocked on Streams 08:06:14 s/on this/on this: sicking thinks the spec should call out everywhere the UA might show a dialog; slightlyoff thinks we should use Promises on more things so UAs can start showing dialogs in the future if we realize we need more prompts./ 08:06:14 ... we should revisit Streams 08:06:26 kenneth_: what's the status of streams in chrome? 08:06:27 streams would not be fit here, since developers likely want to control NFC record structure 08:06:28 jyasskin: i don't know 08:06:41 Topic: TAG feedback on NFC 08:06:57 https://github.com/w3ctag/spec-reviews/blob/master/2015/10/nfc-feedback.md 08:07:07 anssik: we opened issues for each one 08:07:11 https://github.com/w3c/web-nfc/issues 08:07:43 anssik: thanks Travis 08:07:47 ... we're booked until 6pm 08:08:09 dom: Meetup presentations start at 7pm, demos between 6pm and 7pm 08:08:19 Travis: you've talked about some of this in your introduction 08:08:25 ... you can scroll to General Thoughts 08:09:28 ... I didn't know anything about NFC before jumping into this 08:09:54 ... I thought the spec was very good, well designed, integrated a lot of relatively new specs, surprising 08:10:00 ... it felt like a WD 08:10:03 ... kudos 08:10:14 ... helpful to see the level of depth into the protocol level of NFC 08:10:22 ... clear that the authors knew what they were talking about 08:10:36 ... level of depth to allow a web based api to interoperate w/ a native hardware device that spoke NFC 08:10:50 ... but it started to look like a foreign language very quickly w/ the NDEF records 08:10:59 ... took a while to build a mental model 08:11:10 ... high level, it's reading/writing strings 08:11:26 ... there are two UCs here 08:11:38 ... 1. interoperate w/ a Tag written via non web app 08:11:54 ... so you need access to some of these lower level primitives 08:12:06 ... 2. I have a string and want to write i 08:12:10 s/write i/write it/ 08:12:18 ... could we make the simple things simple and the hard things possible 08:12:24 ... I liked bringing the origin into the possible 08:12:35 ... I want to do the simple thing, it's there, it just works 08:12:43 ... security model made a lot of sense 08:12:54 kenneth_: with the default arguments, it should be possible to do simple things 08:13:05 ... you shouldn't need to know what the mime types are 08:13:13 ... maybe we could improve that by having better examples 08:13:28 anssik: we should highlight the preferred examples 08:13:40 ... maybe in web context, this technology would be used differently from native 08:13:50 Travis: thinking about XHR 08:14:14 ... it lets you do simple things, send text, get responses, you can do advanced things (working w/ headers), but you don't have to know HTTP headers 08:14:49 kenneth_: you can do that... 08:15:02 dom: is an NFCRecord like a blob? 08:15:12 anssik: we use `nointerface` 08:15:33 tomoyuki has joined #web-bluetooth 08:15:35 anssik: we should make sure we optimize for the common UC 08:15:39 ... e.g. giving default types 08:15:55 Travis: do you need to type out JSON v. Text? 08:16:02 ... there's a JSON parser in the platform 08:16:13 dom: does JSON need to be typed somewhere? 08:16:22 kenneth_: the original idea was postMessage 08:16:25 ... and serializing 08:16:27 +q 08:16:31 Travis: that could work 08:16:33 s/+q/q+ 08:16:42 If we want to support developers controlling the structure of NDEF records, we do need to expose this. You can write Text in many different ways. 08:16:43 dom: who came up w/ the types? 08:16:55 kenneth_: we didn't want to use the NFC types 08:17:22 Travis: HTML defined the structured clone algorithm 08:17:36 ... in indexedDB, you write stuff in, and you get the stuff out 08:17:46 ... it seems like yours could be another client to that 08:17:52 kenneth_: it was my original idea 08:18:13 ... I think annevk and zkis 08:18:29 but then goodbye to the simple API - would we trust libraries for doing all NFC specific stuff? 08:18:32 ... if you want to interoperate w/ a native app 08:18:45 dom: would that work w/ the web origin? 08:18:53 kenneth_: the web origin would be ignored by native 08:19:04 Travis: also, Transferable isn't interoperable 08:19:28 ... but JSON is standardized enough 08:19:43 kenneth_: cloning isn't standardized 08:19:57 Josh_Soref: perhaps you should record in the spec why you didn't go that way, so people don't need to ask again 08:20:09 riju: originally we thought we'd use an object 08:20:19 ... but some wanted to only want to watch a url 08:20:25 we could have a separate md on rationale, just like Web Bluetooth 08:20:32 ... but if you use an object, you have to extract the data again 08:20:47 kenneth_: with a small tutorial, it's quite simple, people will figure it out 08:21:01 Travis: "filtering" in general 08:21:13 ... what value does that bring to someone coming in and looking at a tag 08:21:20 ... how do I know what to look for if i've never seen it before 08:21:26 kenneth_: filtering is more for the case 08:21:40 ... like, us at intel, we have a lot of paths, and we don't control all of them 08:21:48 ... I could say "i don't want to see stuff I don't understand" 08:21:55 Travis: this isn't me communicating w/ the tag 08:22:10 ... it's me interoperating w/ my laptop, and I have a host of information there, and I want to scope it down 08:22:11 filtering helps you to implement more efficiently an interaction system using NFC, when you know how you want to use NFC 08:22:16 kenneth_: only what you were writing 08:22:41 dom: I have 10 NFC tags in front of me, and only one of them has data I wrote 08:22:49 ... browser only bother me when there's a tag I wrote 08:22:53 Travis: ok, that makes sense 08:23:49 Josh_Soref: you're missing the example of two apps from the same site 08:24:06 riju: filtering based on data (json) 08:24:16 kenneth_: originally, it was just URL, I don't remember when it got added 08:25:35 Josh_Soref: you're missing the prose explaining that you have 3 NFC tags on a table, with three different kinds of data, and an app that only wants to know about a tag if it has a certain kind of data 08:25:48 Travis: kind was a media type 08:26:08 kenneth_: the names came from annevk 08:26:20 riju: it was mediaType before 08:26:31 anssik: one kind is used in MediaTrack 08:26:44 kenneth_: `kind` came from annevk 08:26:51 Travis: conflict of TAG members 08:28:36 jyasskin: this could navigator.nfc.requestWatch() / navigator.nfc.requestPush() 08:28:51 ... nfc doesn't give the right hook for permission 08:29:26 Travis: geolocation does have a namespace 08:30:05 dom: for Media, we have navigator.mediaDevices.{} 08:30:37 see https://github.com/w3c/web-nfc/issues/67 08:32:48 q+ jyasskin 08:33:06 jyasskin: the reason we have an adapter is for development purposes 08:33:22 s/jyasskin/kenneth/ 08:34:19 jyasskin: the same problem shows up in Bluetooth also 08:34:26 ... you could have two Radios 08:34:37 ... there's one interface, it uses both radios to accomplish the action 08:34:46 ... if in the future, we should be able to add a way to enumerate 08:34:55 anssik: I plus one that approach 08:35:04 ... we should optimize for the assumption which adapter 08:35:10 ... isn't important 08:35:15 kenneth_: but it needs to be a promise 08:35:19 anssik: and they are a promise 08:35:36 [ anssik explains how to fix the spec ] 08:37:04 dom: don't i need to know which adapter 08:37:16 jyasskin: it should listen on both radios 08:37:25 ... and it should try to write on both 08:37:38 ... it should stop successfully once one successfully writes 08:37:43 ... top level publishes to all 08:37:50 ... and maybe later an advanced api 08:37:56 wait, this is not how NFC works 08:38:00 dom: I agree to make things simple, as simple as they should be 08:38:22 Josh_Soref: it doesn't matter. UAs and hardware can do this 08:40:19 zkis: Which piece doesn't work with NFC? 08:40:32 q- jyasskin 08:41:00 anssik: people seem to be interested in getting rid of the adapter abstraction 08:41:09 ... zkis could you follow the discussion on irc? 08:41:16 ... could you explain why the adapter abstraction is needed? 08:41:22 ... what is the UC/limit? 08:41:33 zkis: the notion of representing the physical entity is important 08:41:47 ... you may have an internal NFC adapter, and one via USB, you may want to choose which one to use 08:41:52 ... you could have a default, trusted on the platform 08:41:59 ... but it would be good to know which you're using 08:42:05 anssik: the proposal is to merge these together 08:42:10 ... from jyasskin to use all the radios 08:42:13 ... at the same time 08:42:22 ... if you're watching, the user doesn't care which is closest to the tag(s) 08:42:32 ... and in writing, the one that is faster does the operation 08:42:41 ... making the api simpler for the common UC, where you only have one radio 08:42:58 zkis: I'm not sure you can physically touch the tags at the same time 08:43:03 ... usually you could do what jyasskin is asking 08:43:11 jyasskin: are you worried about the race condition? 08:43:15 zkis: there's no such race 08:43:22 ... there's some range for NFC, based on the adapter 08:43:34 ... but I was talking about two tags, one per adapter 08:43:47 jyasskin: you have some race with which took affect first, most of the time it won't happen 08:43:52 ... we shouldn't complicate the API for the common case 08:44:01 dom: first to succeed, if one 08:44:09 jyasskin: two tags, two adapters, what happens? 08:44:11 ... it picks one 08:44:25 ... watch could only resolve once 08:44:30 ... push, it could push both 08:44:39 kenneth_: you might get both pushes 08:44:45 jyasskin: yes, but the user asked for it 08:44:53 Travis: in my feedback, I don't propose merging that way 08:45:16 ... I was just saying that you choose the adapter, which if it were sync ... 08:45:24 ... it seemed one step too far removed 08:45:42 anssik: so, rename method, and move it one level up 08:47:01 Josh_Soref: does it kill the model to let the UA know that there are tags present? 08:47:15 jyasskin: I don't think the API allows the UA to know that, it just allows you to publish 08:47:20 kenneth_: I don't think it's a problem 08:47:26 ... I'd be ok with that 08:47:45 anssik: I'm not hearing full consensus in the room 08:47:51 dom: i'm unconvinced 08:48:21 navigator.requestNFC() would be fine, returning a Promise 08:49:48 anssik: the proposal from Travis was well received 08:50:06 ... we may need to keep this open 08:50:19 https://github.com/w3c/web-nfc/issues/66 08:50:22 kenneth_: can we get you guys go to the issue? 08:50:25 ... and comment 08:50:40 dom: +1 on navigator.requestNFC over nfc.requestAdapter() 08:51:09 ack mfoltzgoogle 08:51:18 mfoltzgoogle: I compared the UC doc w/ the spec 08:51:25 ... i was hard to see how the user bootstrapped something 08:51:35 ... in the museum UC, I wasn't sure how I bootstrapped 08:51:47 ... do I need to have an app? 08:51:48 https://w3c.github.io/web-nfc/use-cases.html#reading-generic-information-in-a-museum 08:51:53 ... does the app open itself? 08:52:17 ... if the UA sees a tag and there's a tab elsewhere for it, do i foreground that tab? 08:52:24 ... similarly for P2P 08:52:35 ... the spec doesn't include more about what prompts to include 08:52:45 ... but maybe more text about what prompting could happen in those UCs 08:52:57 kenneth_: we haven't looked at the bootstrapping 08:53:04 ... we could probably bootstrap w/ URLs 08:53:14 ... need to think about it more and write some spec text 08:53:24 zkis: most phones have default behavior for tag types 08:53:31 ... usual action is open browser 08:53:42 ... we could open that page 08:53:49 ... maximal from this 08:54:00 ... this interferes w/ the basic behavior on the tag 08:54:12 dom: by default a url on a tag results in opening the url 08:55:33 Josh_Soref: could you have a .requestedTag ? 08:55:43 mfoltzgoogle: if the Android platform does a good job on that, it could 08:55:47 ... a platform dependent feature 08:55:53 kenneth_: very interesting to explore 08:56:29 Travis: when you call .pushMessage() 08:56:34 ... the api takes a list of NFCRecords 08:56:55 ... ok, if that was asked already... 08:57:13 mfoltzgoogle: it seemed like you had an NFCMessage object, or use a Stream 08:57:40 kenneth_: this makes it easier from JS 08:58:03 Travis: in some cases you need a record, but taking a `string or Sequence<...>` 08:59:16 riju: a few asked about pushMessage for Tags v. Peers 08:59:35 Travis: two very separate scenarios 08:59:44 ... you could have at most two thing in flight 08:59:50 ... is it an expanding set of things? 09:00:10 dom: why does the method need the target? 09:00:59 zkis: "it has a history" 09:01:22 ... in native APIs, we have very different ways to communicate to tags v. peers 09:01:42 anssik: and you can't look at the environment 09:02:46 zkis: that works for tags, but not for peers 09:02:59 Travis: "that's all you need" 09:03:14 zkis: you have to know in advance what you're touching 09:03:33 jyasskin: if the api didn't distinguish between tags and peers 09:03:39 ... calling write wrote to the next thing you're near 09:03:50 ... and calling read read from the next thing you're near 09:04:01 ... the developer doesn't seem to care 09:04:07 s/.../dom:/ 09:04:21 anssik: for push target, was there a default "any" 09:04:28 s/anssik/riju/ 09:04:35 anssik: we used to have "any" as a target 09:04:41 ... zkis, why did it lose that? 09:04:57 jyasskin: i think the was spec didn't have the notion that you had two pushes and had contradictions 09:05:03 ... to make the distinctions he removed any 09:05:09 ... but if we collapse the two, it just works 09:05:29 kenneth_: it comes from the fact that on android, we have an api "whenever a tag comes near my device: write this" 09:05:38 ... but they're both async, if you want to write two 09:05:44 ... but is that a valid UC? 09:05:49 anssik: I'm struggling a bit still 09:05:56 ... why does a web developer deciding 09:06:01 kenneth_: I could promise-write 09:06:09 ... push target for a device, send some kind of data 09:06:17 .... push target for a tag, write something differently 09:06:23 s/..../.../ 09:06:30 ... maybe i have timeouts 09:06:46 anssik: developers want to push different things 09:06:57 dom: in most cases you'd want to write to either a tag or device 09:07:02 ... very few cases where you care 09:07:13 ... that you want to make a distinction is unclear 09:07:35 anssik: I haven't heard a UC for this 09:07:40 Josh_Soref: me neither 09:07:58 anssik: we want to hear a good UC for two pushes in flight w/ long timeout, one for peer, one for tag 09:08:03 ... if there's a strong UC for that, then ok 09:09:07 anssik: I'll take an ACTION to either find a UC or ask for this to be collapsed 09:09:29 ... by removing the target option entirely 09:10:00 anssik: I see more people in this room who aren't part of this group 09:10:09 ... you can join here 09:10:16 topic: Joining NFC CG 09:10:20 https://www.w3.org/community/web-nfc/ 09:10:27 topic: NFC Implementation Status 09:10:36 https://github.com/w3c/web-nfc/ 09:10:46 anssik: thanks Travis for coming here to give feedback to the group 09:10:55 ... and thanks for your work in the TAG on doing reviews 09:11:14 kenneth_: would you be interested in implementing this? 09:11:20 ... who should I talk to? 09:11:37 Travis: you could talk to me, I think we have some C# exposure, but not to the web 09:11:41 Shameless pitch for the Web Bluetooth CG too: https://www.w3.org/community/web-bluetooth 09:11:43 q? 09:12:51 anssik: I spoke w/ paul adden about NFC 09:13:01 dom: any plan for WG migration? 09:13:10 anssik: yes, I thought there'd be an effort 09:16:52 anssik: and thanks Josh_Soref for scribing 09:16:59 RRSAgent, draft minutes 09:16:59 I have made the request to generate http://www.w3.org/2015/10/26-web-bluetooth-minutes.html timeless 10:33:33 jyasskin has joined #web-bluetooth 11:18:39 ShaneM has joined #web-bluetooth 12:25:44 ShaneM has joined #web-bluetooth 12:45:37 agaldos has joined #web-bluetooth 13:07:36 Zakim has left #web-bluetooth 13:15:08 dka has joined #web-bluetooth 13:26:46 jyasskin has joined #web-bluetooth 13:40:54 mfoltzgoogle has joined #web-bluetooth 14:24:09 jyasskin_ has joined #web-bluetooth 14:29:26 jyasskin has joined #web-bluetooth 14:32:18 jyasskin has joined #web-bluetooth 14:39:47 jyasskin has joined #web-bluetooth 14:44:49 jyasskin_ has joined #web-bluetooth 18:36:12 zkis has joined #web-bluetooth 19:13:23 ShaneM has joined #web-bluetooth 19:59:06 jyasskin has joined #web-bluetooth 20:39:22 jyasskin has joined #web-bluetooth 20:44:28 He4dShOt- has joined #web-bluetooth 21:31:10 jyasskin has joined #web-bluetooth 23:28:45 ShaneM has joined #web-bluetooth 23:29:35 aalfar has joined #web-bluetooth 23:35:07 jyasskin has joined #web-bluetooth