<LisaSeemanKest> Also take a look at https://tag.w3.org/workmode/
<scribe> scribe: becka11y
<LisaSeemanKest> https://github.com/w3c/personalization-semantics/issues/132
Lisa: No meeting next week, US Presidents’ holiday; let’s get action assigned so we can keep moving forward
Charles: need to go over issue 132 before we ask for tag review
<LisaSeemanKest> https://github.com/w3ctag/design-reviews/issues/465
JF: not sure of a specific format, just need explainer to cover all of the items in this issue
Lisa: make a draft that follows the example in the link above and open an issue for the TAG
... let’s review issue 132; it looks like we have added a summary; what else is still needed
Charles: WebRTC TAG request includes a self review of security - we need to finish that
<LisaSeemanKest> https://tag.w3.org/workmode/
JF: What do we want to submit to TAG?
<LisaSeemanKest> https://github.com/w3ctag/design-reviews/issues/465
Lisa: above link is how to work with the TAG; we need to open an issue with the TAG (similar to the link above)
... want to request TAG review of explainer and module 1
... need to do security self review
Charles: we should finish security review today
... reviews issue 132 - seems like we have covered most of these - any disagreements?
Lisa: looks like we have - perhaps ask Michael and Roy for a review
JF: only thing we might be lacking is stakeholder feedback
... weakest link is no implementations, yet
Lisa: but implementations are more important for CR
JF: but we want initial signals of public support; ongoing conversations with software companies; we have proof of concept examples, we should point to that
Charles: we have already published the FPWD, so add stakeholder info to the issue we create to the TAG
Lisa: need to make a draft of what we will send to the TAG and discuss on the mailing list
<JF> +1
+1
<sharon> +1
<CharlesL> +1
<LisaSeemanKest> ACTION: lisa to make text for tag issue review
<trackbot> Created ACTION-39 - Make text for tag issue review [on Lisa Seeman-Kestenbaum - due 2020-02-17].
<scribe> ACTION: Lisa to make the draft request for review of explainer and Module 1 from TAG
<trackbot> Created ACTION-40 - Make the draft request for review of explainer and module 1 from tag [on Lisa Seeman-Kestenbaum - due 2020-02-17].
<LisaSeemanKest> https://github.com/w3c/personalization-semantics/issues/131
Lisa: security review is issue 131
Charles: What info might this feature expose private info to web sites? User agent and perhaps a proxy server
... personalization info will need to be shared between user and proxy server
JF: add that we envision a subscription model - security concern is between user and service provider, we are just providing the tools to enable personalization
... will update the description and send to Charles and CC to list;
Charles: 2.2 is spec. exposing the min. amount of info necessary to implement feature
... reads from issue: “Since the same semantic information will be sent to all users and it will be acted upon by either the local user agent or proxy server there is no exposing of information."
<CharlesL> 2.2. Is this specification exposing the minimum amount of information necessary to power the feature?
<CharlesL> original: Since the same semantic information will be sent to all users and it will be acted upon by either the local user agent or proxy server there is no exposing of information.
JF: (types comment that scribe missed)
<JF> Since the same semantic information will be sent to all users and it will be acted upon by the individual user's user-agent stack. There is no exposing of private information.
<JF> The same semantic information will be sent to all users and it will be acted upon by the individual user's user-agent stack. There is no exposing of private information.
<CharlesL> 2.3. How does this specification deal with personal information or personally-identifiable information or information derived thereof?
<CharlesL> Original: Personal preferences the user requires on how a webpage is presented to them will be something that the third party user agent or proxy server acting upon our semantic information will need to deal with on protecting PI and PII information. Our specification does not expose any of this information.
JF: reverse the sentences.
<JF> Our specification does not expose any of this information. Personal preferences for how a webpage will be rendered is something that the third party user agent or proxy server acting upon our semantic information will need to deal with, while protecting PI and PII information.
<CharlesL> 2.4. How does this specification deal with sensitive information?
<CharlesL> Original: This specification does not address how sensitive information should be handled. As a data format, no API is proposed to expose data to the web and therefore no mechanism is proposed to protect such distribution.
JF: Add that HTTPS is recommended as normal procedure but not required by this specification
... HTTPS just prevents man in the middle attacks;
Charles: how does that affect a proxy server
JF: I make all the connections via the proxy server
<JF> Standard recommendations to connect via HTTPS is still recommended, and has no impact on this specification.
<CharlesL> add this to the end.
JF: add this addn. sentence at the end
<CharlesL> 2.5. Does this specification introduce new state for an origin that persists across browsing sessions?
<CharlesL> original: This specification does not directly allow browsers to persist state across sessions. While downloaded content could contain state about a user, no mechanism is provided by the specification for a website to access that downloaded content
Lisa: just leave it at the first sentence
JF: just remove “While downloaded content could contain state about a user” this part, start new sentence at No
<CharlesL> New: This specification does not directly allow browsers to persist state across sessions. No mechanism is provided by the specification for a website to access any downloaded content
Lisa: Why not leave at just the first sentence?
<JF> to maintain a persistent state
Lisa: it’s less ambiguous to just have the 1st sentence.
<CharlesL> This specification does not directly allow browsers to maintain a persistent state.
JF: +1 to Lisa with updated text
<CharlesL> New: This specification does not directly allow browsers to maintain a persistent state across sessions.
<LisaSeemanKest> +1
<CharlesL> 2.6. What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?
<CharlesL> This specification does not expose any data to an origin. But, see 2.8, below.
JF: remove the but clause
<CharlesL> remove the 2.8
<CharlesL> 2.7. Does this specification allow an origin access to sensors on a user’s device
<CharlesL> No.
Lisa: I think they are talking about device access (2.6)
<CharlesL> 2.8. What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.
<CharlesL> This specification does not expose any additional information to an origin. Note that it may reference other documents (for example, HTML) that could expose data. Since this specification does not alter the processing model for those other formats, it does not introduce any new data exposure.
Lisa: what is meant by other documents?
Charles: I was thinking about symbols
JF: our spec could alter the processing of author provided CSS through ...
<JF> This specification does not expose any additional information to an origin. Note that it may reference other documents (for example, HTML) that could expose data. This specification MAY alter the processing model for other formats (i.e. CSS properties) for user-requested augmentation.
<JF> RFC 2119
JF: when invoking MAY, SHOULD, etc to comply with standard RFC-2119
<CharlesL> 2.8. What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.
<CharlesL> This specification does not expose any additional information to an origin. Note that it may reference other documents (for example, HTML) that could expose data. Since this specification does not alter the processing model for those other formats, it does not introduce any new data exposure.
<JF> RFC 2119 here: https://tools.ietf.org/html/rfc2119
JF: it may load addn. script
Lisa: doesn’t enable new script notation; we aren’t enabling scripts, we are just giving them something to run off of
JF: not facilitating a new script language, is enabling a new script execution
<JF> This specification provides additional semantic information that users or user-agents scripts can use to trigger page personalization and transformations. No new technologies are invoked by this specification.
<CharlesL> 2.10. Does this specification allow an origin to access other devices?
<CharlesL> No.
<CharlesL> 2.11. Does this specification allow an origin some measure of control over a user agent’s native UI?
<CharlesL> The specification itself does not provide a mechanism for overriding native UI. It is expected that implementations of this specification could allow such control, but such implementations would simply be web apps, which are not defined by this spec.
Lisa: out of scope for us
JF: unless device is a full web app?
... thought we were already on 2.11
<LisaSeemanKest> The specification itself does not provide a mechanism for overriding native UI. It is expected that implementations of this specification could allow such control, but such implementations would simply be web apps, which are not defined by this spec.
Now discussing 2.11:
<CharlesL> The specification itself does not directly provide a mechanism for overriding native UI. It is expected that implementations of this specification could allow such control, but such implementations would simply be web apps, which are not defined by this spec.
JF: add the word directly - specification does not directly provide...
<LisaSeemanKest> 2.12. What temporary identifiers might this specification create or expose to the web?
<LisaSeemanKest> No temporary identifiers are created.
<CharlesL> 2.12. What temporary identifiers might this specification create or expose to the web?
<CharlesL> No temporary identifiers are created.
JF: word this one like 2.11
<CharlesL> The specification itself does not directly provide a mechanism for creating temporary identifiers.
<CharlesL> 2.13. How does this specification distinguish between behavior in first-party and third-party contexts?
<CharlesL> This specification does not change the processing model of the resources it references, therefore it does not distinguish between first and third parties. The user agent or proxy server acting upon the semantic markup may reference third party resources such as symbols and that user agent/proxy server would handle the privacy/security implications.
JF: third party contexts refers to ads, etc. is an edge case in the distractions
... does not directly distinguish between the behaviors
Lisa: but provides semantics that may imply the difference
<LisaSeemanKest> but provides semantics that may be used to imply first party or third party content
<JF> The specification itself does not directly distinguish between behavior in first-party and third-party contexts. However author-supplied data MAY have an impact on some 3rd-party content.
<JF> The specification itself does not directly distinguish between behavior in first-party and third-party contexts. However author-supplied data MAY imply and have an impact on some 3rd-party content (i.e. simplification)
Lisa: saying something is an ad might imply it is a 3rd party and be culled out
<CharlesL> 2.14. How does this specification work in the context of a user agent’s Private Browsing or "incognito" mode?
<CharlesL> Since this specification does not alter the UA processing model for documents, it has no impact on private mode.
Lisa: can we say not intended to alter
JF: it does intend to alter but makes no distinction between private and public browsing
<CharlesL> 2.15. Does this specification have a "Security Considerations" and "Privacy Considerations" section?
<CharlesL> No, we will bring this up and reference the following:
Charles: will need to add these security and privacy considerations into our spec
<JF> ACTION on JF to add and modify bullet 2.1 @ https://github.com/w3c/personalization-semantics/issues/131
<trackbot> Error finding 'on'. You can review and register nicknames at <https://www.w3.org/WAI/APA/task-forces/personalization/track/users>.
<CharlesL> 2.16. Does this specification allow downgrading default security characteristics?
<CharlesL> Unsure what this means.
Charles: 2.16 - no idea what this one means
<JF> ACTION JF to add and modify bullet 2.1 @ https://github.com/w3c/personalization-semantics/issues/131
<trackbot> Created ACTION-41 - Add and modify bullet 2.1 @ https://github.com/w3c/personalization-semantics/issues/131 [on John Foliot - due 2020-02-17].
Lisa: start a thread on 2.16 on the list
rrsagent make minutes
Present: LisaSeemanKest, Becka11y, Roy, JF, CharlesL, janina
Scribe: becka11y
Date: 10 Feb 2020
People with action items: lisa