- From: Francois Daoust <fd@w3.org>
- Date: Tue, 09 Sep 2008 17:57:26 +0200
- To: public-bpwg-ct <public-bpwg-ct@w3.org>
Hi guys,
The minutes of today's call are available at:
http://www.w3.org/2008/09/09-bpwg-minutes.html
... and copied as text below.
Main points:
- we'll keep the Task Force for the time being to be able to address the
Last Call comments in a timely manner.
- the comments were assigned to the different participants. Thanks for
exposing your thoughts on the comments that were assigned to you on the
mailing-list for others to react. See the following email to get a link
to the list of comments that you need to address:
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Sep/0008.html
- Jo agreed to take on section 4.1.5 on alteration of HTTP header
values. We'll be looking for stats, and trying to tighten positions
around the modification of the User-Agent header while being looser on
the modification of other HTTP headers.
- Tom agreed to see what he could find out for comments of section
4.3.6.2 on HTTPS Link re-writing.
Francois.
09 Sep 2008
[2]Agenda
[2]
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Sep/0007.html
See also: [3]IRC log
[3] http://www.w3.org/2008/09/09-bpwg-irc
Attendees
Present
hgerlach, Francois, TomHume, Rob, Pontus, jo, SeanP
Regrets
Chair
francois
Scribe
Jo
Contents
* [4]Topics
1. [5]Introductions
2. [6]Future of the Task Force
3. [7]Sharing the workload
4. [8]Introductions (bis)
5. [9]Sharing the workload (bis)
6. [10]Section 4.1.5
7. [11]4.3.6.2 HTTPS link rewriting
8. [12]AOB
* [13]Summary of Action Items
_________________________________________________________
Introductions
francois: introduces Tom as an Invited Expert with specific mobile
development expertise to enhance representation from that side
... and to heslp reolve the last call comments
... so round the table
... I am the staff contact for BP and lead the CTTF "I am here to
help"
heiko: I work for Vodafone and own content adaptation in Vodafone
pontus: from Ericsson have been working on the CT product
rob: from Openwave responsible for OpenWeb
jo: from dotMobi, co-chair of BP and editor of CT doc
tom: I am MD of Future Platforms and increasingly involved in mobile
Web hence come across transformation
Future of the Task Force
rancois: just wanted to review this, before August we thought we
might be able to stop the TF and move the work back to the WG but
with the number of comments think it is appropriate to continue the
TF
<hgerlach> me
+1 to continuing the TF
heiko: need to get comments done asap should not keep people waiting
francois: don't think we can do it in 2 weeks but yes we seem to be
agreed
<hgerlach> +1
Sharing the workload
francois: I split the comments up between the TF members and wanted
people to be responsible so we can just get on it with it, the
allocation is random
Introductions (bis)
francois: introduces Tom to SeanP who just joined
seanp: work for novarra
tom: (per the above)
Sharing the workload (bis)
francois: was just trying to find a way to go faster rather than to
impose anything on anyone
... I left 2 unallocated to deal with today
<francois> [14]Division of the Last Call comments
[14]
http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Sep/0008.html
francois: any objections to my allocation of coments?
... person responsible to read and summarise the comment and the
position we took before, linking where appropriate, and propose
changes tot he spec or provide a rationale for saying no, etc.
<scribe> ... done on the mailing list and hence go faster on the
call?
<scribe> ... any views?
+1 to the allocation as it stands
heiko: I think I am the only one who can't do anything with the Vary
header so would prefer not to do that
jo: I'll take 2081 and 2008
<hgerlach> +1
Section 4.1.5
<francois>
[15]http://www.w3.org/2000/06/webdata/xslt?inclusion=1&xslfile=http%
3A%2F%2Fwww.w3.org%2F2003%2F12%2Fannotea-proxy&xmlfile=http%3A%2F%2F
cgi.w3.org%2Fcgi-bin%2Ftidy-if%3FdocAddr%3Dhttp%253A%252F%252Fwww.w3
.org%252FTR%252F2008%252FWD-ct-guidelines-20080801%252F&annoteaServe
r=http%3A%2F%2Fwww.w3.org%2F2006%2F02%2Flc-comments-tracker%2F37584%
2FWD-ct-guidelines-20080801%2Fannotations#sec-altering-header-values
[15]
http://www.w3.org/2000/06/webdata/xslt?inclusion=1&xslfile=http%3A%2F%2Fwww.w3.org%2F2003%2F12%2Fannotea-proxy&xmlfile=http%3A%2F%2Fcgi.w3.org%2Fcgi-bin%2Ftidy-if%3FdocAddr%3Dhttp%253A%252F%252Fwww.w3.org%252FTR%252F2008%252FWD-ct-guidelines-20080801%252F&annoteaServer=http%3A%2F%2Fwww.w3.org%2F2006%2F02%2Flc-comments-tracker%2F37584%2FWD-ct-guidelines-20080801%2Fannotations#sec-altering-header-values
<francois>
[16]http://www.w3.org/2006/02/lc-comments-tracker/37584/WD-ct-guidel
ines-20080801/search/?responseFilter=incl§ion=sec-altering-heade
r-values&
[16]
http://www.w3.org/2006/02/lc-comments-tracker/37584/WD-ct-guidelines-20080801/search/?responseFilter=incl§ion=sec-altering-header-values&
jo: I will take on making proposed responses but first think that we
need to agree a policy
... for example I would not be averse to a document that said don't
change any headers
... but I think the members of the TF need to express views
seanp: I like it as it is, think it is practical as it is written to
meet the reality of how it is being done now as well as being
consistent with the way the group sees content developing
rob: the comments seem mainly about POSTs - is that right?
francois: hmmm, not really
rob: oops, I was reading the wrong section
... we came up with this text because we thought that altering the
user agent is a good way of getting content to a device that
otherwise would not be able to get it
<francois> jo: I don't preempt discussion on this, but the rationale
is twofold: 1. otherwise content would be blocked. I'm personally
unaware of this happening. To be fair, we should have more
statistics.
<francois> ... 2. because some people want the reformatted view.
<francois> ... Not much to say about that apart from the fact that
it may occur.
jo: I think we need to justify with some figure how frequently
servers respond with a 406 or equivalent that blocks the user
getting a response, which is the main justification for this. The
other justification, which is that the user has requested a
restructured desktop experience seems to me at least conceivable,
but to what extent do we need to accommodate that possibility?
heiko: In general I agree with Jo - but should we differentiate
between different headers - e.g. the User-Agent might be special,
other headers should probably be treated differently
... I think that the 406 is something different which is why I
mentioned earlier that we should have a white list
francois: what other headers do you think are problematical, the
section benefits from being generic
jo: I do think we should distinguish between rejection with 406
because of incompatible accepts vs incompatible User-Agents
francois: well, aaron had an action a while back about this, maybe
we should re-awaken his action
jo: sure, google would be well placed to do this if they were able,
if they aren't then we will have to do it elsewhere in the group
francois: so you're suggesting we need to test if we can be stricter
about the user agent not being changed - and continue to be strict
about the accept-* ?
[discussion about who can supply info]
seanp: I can see if we have anything on that
francois: I'll take an action to get back to aaron
jo: I can look and see if we have anyting too
<scribe> ACTION: daoust to get back to aaron from google to see if
he can get some stats for us [recorded in
[17]http://www.w3.org/2008/09/09-bpwg-minutes.html#action01]
<trackbot> Created ACTION-842 - Get back to aaron from google to see
if he can get some stats for us [on François Daoust - due
2008-09-16].
<scribe> ACTION: jo to see if he can come up with wording on this
section that might accommodate everyone [recorded in
[18]http://www.w3.org/2008/09/09-bpwg-minutes.html#action02]
<trackbot> Created ACTION-843 - See if he can come up with wording
on this section that might accommodate everyone [on Jo Rabin - due
2008-09-16].
action-843+ (the section in question being 4.1.5)
4.3.6.2 HTTPS link rewriting
<francois>
[19]http://www.w3.org/2000/06/webdata/xslt?inclusion=1&xslfile=http%
3A%2F%2Fwww.w3.org%2F2003%2F12%2Fannotea-proxy&xmlfile=http%3A%2F%2F
cgi.w3.org%2Fcgi-bin%2Ftidy-if%3FdocAddr%3Dhttp%253A%252F%252Fwww.w3
.org%252FTR%252F2008%252FWD-ct-guidelines-20080801%252F&annoteaServe
r=http%3A%2F%2Fwww.w3.org%2F2006%2F02%2Flc-comments-tracker%2F37584%
2FWD-ct-guidelines-20080801%2Fannotations4.6.3
[19]
http://www.w3.org/2000/06/webdata/xslt?inclusion=1&xslfile=http%3A%2F%2Fwww.w3.org%2F2003%2F12%2Fannotea-proxy&xmlfile=http%3A%2F%2Fcgi.w3.org%2Fcgi-bin%2Ftidy-if%3FdocAddr%3Dhttp%253A%252F%252Fwww.w3.org%252FTR%252F2008%252FWD-ct-guidelines-20080801%252F&annoteaServer=http%3A%2F%2Fwww.w3.org%2F2006%2F02%2Flc-comments-tracker%2F37584%2FWD-ct-guidelines-20080801%2Fannotations4.6.3
<francois>
[20]http://www.w3.org/2006/02/lc-comments-tracker/37584/WD-ct-guidel
ines-20080801/search/?responseFilter=incl§ion=sec-https-link-rew
riting&
[20]
http://www.w3.org/2006/02/lc-comments-tracker/37584/WD-ct-guidelines-20080801/search/?responseFilter=incl§ion=sec-https-link-rewriting&
francois: we got lots of comments and the comments are about saying
that HTTPS links should not be re-written in any circumstances as it
is a man in the middle attack
... either we say this is not allowed or we stick to the text we
have amended a bit
... positions and volunteers to address these comments?
sean: we have a pretty good statement in the document - if you
outlaw this you can't get to your mail etc. - a lot of the comments
refer to banks but there are a lot of other sites that you can't go
to which have less security requirements
francois: I don't have a clear position, I understand both the need
and the danger
<hgerlach> maybe just add "towards "server and user" at the end
francois: if anything I'd say it just should not be allowed
... but agree that some applications don't have to be that secure
... any more thoughts?
... anyone want to take this on?
tom: one of the difficulties here is that it pushes an understanding
of the mechanisms on to the user who probably doesn't understand
what is going on
<hgerlach> yes, but this is the same with a native browser e.g.
firefox
tom: not even clear on the web now, with regular desktop browsers
francois: agree, what do you think would help ref the user
tom: yes, good idea, but can't think of an easy way to do this
avoiding malicious attacks in the context of a mobile device
francois: how about noting that and thinking about it, can I assign
you the comments
... a fresh look at the section by someone who did not participate
in the previous discussions
<dom> re https, the web security context guidelines might have some
useful definitions and ideas to solve that problem:
[21]http://www.w3.org/TR/2008/WD-wsc-ui-20080724/
[21] http://www.w3.org/TR/2008/WD-wsc-ui-20080724/
<Zakim> rob, you wanted to echo Sean's comment; many websites use
HTTPS login even though the content isn't sensitive. As Tom says,
the end-user somehow makes a decision about what is
rob: there is a difference between logging in to hotmail, where
everything subsequent to login is done in the plain anyway
... there is an education of the end-users to do, to allow them to
use some kind of login that uses https for that kind of thing, but
not use it for banking, I don't think we should ban this completely
francois: but shouldn't we put the load on the CP in that if they
don't need https they shouldn't use it
... but there is more than that - https is used to protect content
in both cases
sean: I agree with most of what Rob says - https is secure from the
user to the operator then from operator to Content Provider - so if
you trust your operator you are probably OK if not you should not be
using HTTPs through a proxy
jo: points out that Dom pasted the link:
[22]http://www.w3.org/TR/2008/WD-wsc-ui-20080724/
[22] http://www.w3.org/TR/2008/WD-wsc-ui-20080724/
francois: we should take a look at this
AOB
francois: we seem to have assigned all the comments so go ahead and
discuss on the mailing list
<hgerlach> great, bye!;-)
Summary of Action Items
[NEW] ACTION: daoust to get back to aaron from google to see if he
can get some stats for us [recorded in
[23]http://www.w3.org/2008/09/09-bpwg-minutes.html#action01]
[NEW] ACTION: jo to see if he can come up with wording on this
section that might accommodate everyone [recorded in
[24]http://www.w3.org/2008/09/09-bpwg-minutes.html#action02]
[End of minutes]
_________________________________________________________
Minutes formatted by David Booth's [25]scribe.perl version 1.133
([26]CVS log)
$Date: 2008/09/09 15:21:10 $
[25] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[26] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 9 September 2008 15:57:59 UTC