From W3C Wiki

19 Sep 2017

See also: IRC log


eprodrom, rhiaro, ajordan, aaronpk, tantek, sandro, cwebber


<cwebber> tantek: yeah but we're biweekly

<Loqi> ajordan: lol

<eprodrom> chairnick: eprodrom

<Loqi> Strugee made 1 edit to Socialwg/2017-09-19

can scribe

though I did leave my typing gloves at the office

<scribe> scribenick: rhiaro

last week's minutes

<eprodrom> PROPOSED: Approve as minutes for 05 Sep 2017 telcon


<rhiaro> 0 I wans't here

<cwebber> +1

<ajordan> tantek: you chaired right?

<tantek> +1

<tantek> yes

<ajordan> +1

eprodrom: do we have people who were actually there? sandro?

<Loqi> [AJ Jordan] AJ Jordan AJ Jordan at 2017-09-19T17:03:06Z (As seen today on the SocialWG call) @Christopher Allan Webber: I'm here to clack keyboards and ...

RESOLUTION: Approve as minutes for 05 Sep 2017 telcon

October meeting schedule

eprodrom: We have a proposal from tantek to continue with our every other week unless we have runover
... My concern I think we have a december ??
... We are far enough along that it's going to be up to us to mess this up. My feeling is we don't need to do more than two during October. Any objectiosn?

sandro: seems good for now

eprodrom: 3rd, 17th and 31st of October

sandro: hallowe'en meeting yay

eprodrom: when is tpac?

<Loqi> :D

tantek: the week after

<eprodrom> PROPOSED: hold telcons on 3 Oct, 17 Oct and 31 Oct 2017

<eprodrom> +1

tantek: so far we haven't decided to meet at tpac

??: Burlingate

<tantek> Burlingame

scribe: San Francisco

<tantek> "San Francisco"

<eprodrom> Burlingame

eprodrom: do we still have time to schedule for tpac?

tantek: I don't know that we have a reason to

cwebber2: I'm going, not specifically for swwg, but I'd love to hang out and talk about that stuff
... tantek suggested I set up a cg thing but I didn't
... but I'd love to if someone else organised it

eprodrom: I feel like if we booked a room and some time we would fill it up with work that we don't necessarily need to do

cwebber: a BoF meetup sounds good

<Loqi> Eprodrom made 1 edit to Socialwg/2017-09-05-minutes

RESOLUTION: hold telcons on 3 Oct, 17 Oct and 31 Oct 2017

<tantek> I can't make 10/3 FYI

<eprodrom> tantek: I think I owe you one

cwebber: I'm going to be at rebooting web of trust on Oct 3rd. I can maybe step away to be at the meeting. I also want to set expectations that I might not have that much to say because I'm representing a client all next week in DC and then I'm at rebooting web of trust, so that's going to take up a bunch of my time

<tantek> 10/17 I have conflict W3C #ab meeting

<eprodrom> People with loud keyboards, please mute

?? *typing*

<tantek> sorry

<tantek> so I'm -0

<tantek> oh well

tantek: can we consider the alternates?

eprodrom: I don't have a problem with that

<tantek> or 10/10 and 10/24?

tantek: next week also if we feel like we didn't have enough time today

<eprodrom> PROPOSED: hold telcons on 10 Oct, 24 Oct

<tantek> +1

<eprodrom> +1

<cwebber> +1


<ajordan> +1

RESOLUTION: hold telcons on 10 Oct, 24 Oct

eprodrom: and if we get to the end today and we need one on the 26th we can do that

<ajordan> eprodrom: 26 September you mean?


cwebber: Update on the test suite is that I've been working onit, had an unexpected item pushed onto the queue for it. Since Mastodon has taken the lead and a couple of other implementations are using http signatures be mandatory for server-to-server, I had to implement that
... in the process I found out the examples had a bug in them..
... but got that implemented and checked it is interoperable with another person in the channel
... I'm working on trying to get the.. I think the remaining two sections of the tests will be done at the end of october realistically
... There is one major issue that came up this week
... May be considered normative


cwebber: Seems like a clear thing to do but I'm not sure if it's normative

<Loqi> [erincandescent] #256 Content type of server-to-server request bodies unspecified

cwebber: an ommission basically
... we didn't specify the mime type in server to server
... as far as I know every implementation did this. It was just omitted. Something we should add. Not sure if it is considered normative, technically it's a requirement, but it was a bug in the spec
... does this sound normative?

eprodrom: it does sound like it would be normative

<tantek> perhaps normative but not substantive unless impls are not compat?

eprodrom: however from a practical standpoint I don't think it would have the same sort of effect as a normative change

sandro: is anybody going to have to change any code?

cwebber: not as far as I know, I think this is what everybody is doing

sandro: this was the implication of the spec all along we just didn't spell it out?

cwebber: right, it was in a different section

sandro: that's not normative. our spec didn't clearly communicate our belief but we didn't change our belief

tantek: this shouldn't be a surprise to anyone
... if anyone can raise an objection saying they didn't think this was a requirement we have to reassesss

sandro: http signatures. Are we talking about a normative change to require them?

cwebber: No, in practice some implementations ... we left open the auth method
... I have implemented it [in the test suite] because actual implementations will ignore the content that I send

sandro: do we have a non-normative reference about this?

cwebber: we do

<Loqi> Eprodrom made 1 edit to Socialwg/2017-09-19

<Loqi> Eprodrom made 1 edit to Socialwg/2017-10-10


cwebber: this was the result that we came to because it wasn't clear waht the future direction was. I'm still not going to say that the worl dhas completely ... basically we left two routes, one was oauth2, one was LD signatures and http signatures
... in practice http signatures has become required and the LD signatures has become optional
... it's the in-practice what's being used route that we're seeing

sandro: what do you mean the LD signatures part is optional?

cwebber: it's being used in mastodon for the use case where... say you're doing a share
... how does that server know that if it's coming from you, the other person really said that thing
... it might not be feasible for themt o go back and retreive the original easily because of complicated access control stuff
... you just want to make sure that person really said the thing that was forwarded
... in practice mastodon realised that to make this work with AP they need the signatures
... they're only being checked in mastodon's usage when someone forwards to their followers cos it was the top post in the chain
... no other case is the signature actually checked. It's not required unless you're doing that
... maybe not everyone on the cal is familar with this probelm
... it sometimes results in a problem where the top poster in a comments chain gets comments from other servers and people in the thread miss out on messages


cwebber: we worked out this forwarding mechanism that makes sure messages get sent to peoples' followers
... that use case uses LD signatures
... it's comparitively small
... I'm not sure if I'll need to implement that in the tests as well

sandro: sounds great in terms of interop. Trying to think of how to best help people who come along and read the spec right now
... they'll probably be a bit confused about what they're supposed to do

cwebber: it sounds like you're saying if it seems like things ar econverging shoudl we be nudging people?

sandro: yeahh th e two main ways are that we could take the oauth part out and just use the one that seems to be being used
... or just have section 8 be a pointer to some document maintained by the CG that can refine this going forward and maybe eventually put it into a separate spec

<tantek> +1 sandro

eprodrom: I would be really surprised if taking out.. I know tha tmastodon doens't use the c2s part. I would be surprised to remove that
... but for s2s we wouldn't have any oauth stuff, it's gonna be all signatures?

<tantek> in general we need to be converging the spec on what we know interops so we can increase chances of exiting CR sooner


eprodrom: I would love having oauth for c2s and having signatures for s2s and having that be it
... HTTP Signatures is a draft?

cwebber: ietf draft

<tantek> I think I agree with eprodrom just proposed

eprodrom: that means we can't reference it normatively?

sandro: right this whole section is non-normative
... we can't require http signatures

cwebber: I think we should leave the section non-normative and just remove the options

sandro: I don't really like the hack of marking the section as non-normative and still telling you what to do

<Zakim> tantek, you wanted to note there is something very odd with an entire non-normative section that we are depending on for interop of a specific set of features

<eprodrom> \o/

tantek: I'm trying to understand what we're trying to do with this section
... It feels like we're trying to express an expectation of a feature and yet we're trying to do it via guidence instead of normative text
... doesn't feel right

cwebber: we did already do that

tantek: the spec advertises a set of features you get if you interop. We're trying to capture features that are essential noted by folks like mastodon. Good we're listening to our implementors. But not good it's in non-normative text
... I understand why
... THe reality is that part of the spec is not the same level of maturity

sandro: the normal solution is to put that in a Note or more mutable text

cwebber: I would be fine with that
... having a document maintained by the CG is fine with me
... evan? How do you feel about having pointers to an auth doc written by the CG which is mutable but starts out recommending what's actually in practice?

eprodrom: that sounds fantastic
... I feel like it would decouple the auth part of the spec from the api part

tantek: this is for private content right

cwebber: not just. The forwarding use case .. it's most likely to protect private content becuase that' swhen you can't necessarily look it up. There are two other cases where you still want it
... you could dial back and look at it publicly if it is public. But this means you don't hav eto do that
... you can use signatures as a uniform method

<rhiaro> sounds to me like it's not required if everything is public though..

tantek: sounds like a path to this ability in the spec is how to handle private content

cwebber: verification is important. It's right that it's not required if things are public
... you could use another mechanism which is to go look at the content
... but it sitll is important that i fyou get a post to your inbox that says here's some content, you have to make sure that the contnet really is from that server, and there are two ways to do it
... if it's public you can look at it
... or in eithe rcase you can use the signature check

<eprodrom> It would make me cry, that's for sure

<cwebber> PROPOSED: Remove section 8 on Authentication and Authorization from spec, move to pointing from security considerations to a mutable document maintained by CG which includes current deployment practices (OAuth 2.0 bearer tokens for C2S, HTTP signatures and sometimes Linked Data Signatures for S2S)

<cwebber> ^_^

<tantek> o_O

<sandro> +1

<cwebber> +1

<tantek> +1

<rhiaro> +1

<eprodrom> +1

<ajordan> +1

<aaronpk> +1

RESOLUTION: Remove section 8 on Authentication and Authorization from spec, move to pointing from security considerations to a mutable document maintained by CG which includes current deployment practices (OAuth 2.0 bearer tokens for C2S, HTTP signatures and sometimes Linked Data Signatures for S2S)

<eprodrom> please mute

<ajordan> question:

<ajordan> are we specifying what type of document the CG might publish? e.g. Note?

<ajordan> fine with this either way though

eprodrom: good question

sandro: cgs can't publish notes. I think they're called reports
... if we wanted to solidify it at some point, some w3c member like mozilla could turn it into a member submission and get it formally archived at w3c

eprodrom: this seems liek the right way to do things
... anything more on AP?

cwebber: in my view we've exhausted it

tantek: the new CR got published right?

cwebber: oh yeah. Yay!

<Loqi> 😄

sandro: I just want to confirm our timeline
... particularly I'm worried about the test suite and test results
... do we have a results matrix yet?

cwebber: i didn't do that yet... implementationr eports or actual running test reports?

sandro: I mean an easy way to see how many tests are passed by implementations

cwebber: we don't have all the test suite done and I havne't been pushing people to use it, so no

sandro: we have about a month and a half to get enough test results to prove implementations

cwebber: it's gonna be difficult
... I guess I have no choice

sandro: there may be some alternative. one alternative is we don't necessarily use the test suite to prove interop. There are other ways, that's the usual one. I can imagine in the s2s thing that it might be more demonstrative to show these two systems federate by running them by hand with people watching
... that I think would suffice an dmight be less work
... make sense?

cwebber: makes sense as an option. DO you think we should hold off on this until midway through next month to say it's an optino on the table?

sandro: I'm saying don't spend all your time getting a s2s test suite if your'e afraid it's not even gonna get done
... if you know you can do it that would be great

cwebber: if there was an option for me to focus on my implementation and encouraging people to test implementations that are already happening
... that's hwo mastodon dev was mostly done, gargon and puckipedia were testing their implementations until they worked

sandro: if there are three implementations that interop that's good
... three makes the case

tantek: I'm not entirely comfortable with that
... if interop is defined by how two implementations happen to work together, there's no guarnatee we've captured those details in the normative spec

sandro: if you have three and one is written by the editor that.. that's the same guarantee as if the test suite aligns with the spec
... if the editor is making an implementation and that interops with two external ones, that's a good case we have interop
... and I think s2s testing is really hard

tantek: right about that

aaronpk: I would have beend one with websub and micropub a looottt sooner...

tantek: the big concern is because the editor is doing both there are assumptions that are not reflected

sandro: that's why you have those two other implementations

tantek: at that point the third implementation might as well be the test suite rather than a third implementation

sandro: if you want to call it the test suite sure, but it wouldn't be doing the same thing as what a test suite would do because it would be driven by hand

tantek: I don't think tha'ts accurate to call it a validator
... we noted it as such as a distinction from a regular implementation

sandro: I think the AP s2s test suite / validator, we can think creatively about it
... it doesn' thave to be a thing you can connect to and run automatically

tantek: I think driven by hand is fine. No requirement for automation

sandro: the standard I just specified is lower than what i was saying before because it doens't invovle puckipedia and mastodon talking to each other

tantek: you're saying we define interoperation by checking that these two interop. We need a textual description of what should happen when you runt wo implementatiosn against each other. That's a test suite.
... You can't avoid documenting hte epxected result

sandro: agreed

cwebber: There's some good news
... When I initially was working on the test suite, I implemented this promty thing that asked you questions
... and the response was you don't want to give people that many prompts
... I can start implementing and see if it can be automated, and if I can't I can have it be a bunch of questions that people can respond to
... and accomplish that way faster

sandro: sounds good

tantek: that's a better approach

<cwebber> sure did

cwebber: knowing that I think we have a safe way forward
... I'll switch to the prompty question direction if automatiion doesn't work

ajordan: if we're going down the prompty path, which seems fine, after we ship a rec I think it would be nice to go back and make that stuff automated, to make new implementations easier

cwebber: the path will still be left open to code i nthe automated tests


eprodrom: status

<eprodrom> Someone has background chatter going on

<eprodrom> rhiaro: jinx

<eprodrom> Please mute if you're not on

aaronpk: we have a couple of issues that popped up since ralph started looking


<Loqi> [sandhawke] #125 Hash Algorithm Selection

aaronpk: the biggest one is the hashing algorithm thing

<ajordan> OK I gotta go to class but just want to say that I've finally been sending stuff to ben_thatmustbeme

<ajordan> nothing major, lots of clarifications merged

aaronpk: essentially PuSH had only specified sha1 as the only valid hash algorithm. A while ago we had added other algorithsm and sha1 is mostly broken now
... but then there was a concern that servers and the hub need a way to negotiate which algorithm to use, which is a rather large new mechanism to add

<ajordan> bye all! thanks for a good (partial) meeting

aaronpk: the current proposal is to drop all the new algorithms from the spec, goign back to the way it was in PuSH and then mention that we may add new algorithms as an extension so we can actually better specify how these algorithms are negotiated
... is that fair sandro?

sandro: I was not proposing formally dropping the other 3
... that struck me as hard to do without restarting CR

aaronpk: I guess I was assumign that the... oh you're right the proposed text doens't drop th eother three
... that leaves it in the same sort of undefined state

sandro: i"m not thrilled with the undefined state but I think tha'ts the most expedient way forward

aaronpk: julien's comment is that it's not a big deal to use a weak hash beacuse if you're also using https there are a lot of layers to break before you can take advantage of a weak hash

sandro: and also if the callback url is secret that also protects you

aaronpk: yeah right
... there's a bunch of layers that are useful even if you have no secret, no hash

sandro: julien's wrong though
... *reads from issue*
... the attacker is trying to alter the content
... not read it
... but as long as it's over https, you could put the secret in cleartext in the packet and it would be fine
... you'd still have to break tls to get through that

aaronpk: the suggestion is to drop the undefined extension
... makes sense to me
... and we don't bother with the rest of the issue?

sandro: I think so. If somebody wants to go ahead and write otu that formal extension
... I think the two reasonable options are my proposed text, or we specify the extension now and do another quick cr

aaronpk: that seems like a pretty drastic thing to be adding

sandro: my guess is nobody has the energy to do that

tantek: I lost track

sandro: I'm not advocating define the negotiation mechanism now
... tha twould be too much work

tantek: which spec change are you advocating?

sandro: the one that's described in issue 125
... remove one sentence and replace it with those two sentences

tantek: and that leaves an opportunity for a later spec to say something?

sandro: yeah

<sandro> In the future, an extension may be specified allowing subscribers to indicate which algorithms they can use for validation. As of this writing, most hubs sign with SHA-1, despite its known cryptographic weakness, in order to be interoperable with older subscribers.

aaronpk: it explicitly says we should define the algorith selection as an extension

tantek: aaronpk can you take that up as a CG item? Create an issue? make sure it continues

aaronpk: yeah

sandro: put the timeline as around the time TLS is broken..

<sandro> PROPOSED: Resolve websub #125 by accepting proposal as written

aaronpk: resolution on proposed text?

<eprodrom> +1

<rhiaro> +1

<aaronpk> +1

<sandro> +1

<cwebber> +1

<tantek> +1

RESOLUTION: Resolve websub #125 by accepting proposal as written

tantek: the text sandro put does touch on a security vulnerability, could you include a list item in security & privacy considerations that calls it out explicitly?

aaronpk: good idea

sandro: yeah
... and I think if the CG puts together an editor's note type thing in github we could probably link to that as an example
... when the rec actually goes out
... that's a reason to write up a draft for the extension in the next few weeks if somebody feels motivated
... 124. We have this content negotiation solution we came up with a while ago. Richard the i18n guy pointed out there's language negotiation too
... and he's asking if we forgot or chose not to do it
... and could we do something about it
... I think the answer is we forgot and should include text saying for either content type negotiation or language negotiation you should be doing the same thing
... I think that solves the problem

eprodrom: next step?

sandro: ben has suggested some text

aaronpk: I want to rephrase that slightly but it has the idea

sandro: sounds good to me
... shall we delegate to aaron to adopt something similar to ben's text and say we'll try to also get richard's approval but I don't think we need to

<sandro> PROPOSED: Resolved websub #124 with something like but actual wording up to editors

<Loqi> [dissolve] Suggested text

<Loqi> For practical purposes, it is important that the rel=self URL only offers a single representation. As the hub has no way of knowing what mime-type or language may have been requested by the subscriber upon discovery, it would not be...

<sandro> (it's non-normative -- it's explaining what's implied already)

<sandro> +1

<aaronpk> +1

<rhiaro> +1

<eprodrom> +1

eprodrom: any objections?
... anyone still thinking?

<tantek> +1

RESOLUTION: Resolved websub #124 with something like but actual wording up to editors

<Loqi> [dissolve] Suggested text

<Loqi> For practical purposes, it is important that the rel=self URL only offers a single representation. As the hub has no way of knowing what mime-type or language may have been requested by the subscriber upon discovery, it would not be...

sandro: can we have another resolution to request PR?

tantek: good idea, with the new approvals

<cwebber> +1

<eprodrom> PROPOSED: Advance Websub to PR upon completion of issues #124 and #125

<erincandescent> Hmm, why does #124 not propose the option of multiple hubs? :P

<sandro> +1

<cwebber> +1

<Loqi> Tantekelik made 1 edit to Socialwg/2017-09-19

<rhiaro> +1

<eprodrom> +1

<tantek> +1

<aaronpk> +1

RESOLUTION: Advance Websub to PR upon completion of issues #124 and #125

sandro: aaronpk can you do these changes today? it would be nice to get this stuff off

aaronpk: yeah

tantek: and update the changelog

aaronpk: yep

eprodrom: that wrap sthings up for websub?


Post type discovery

tantek: nothing this week


tantek: I think ajordan submitted a bunch of patches and ben merged some of them but we dno't have aj or ben


rhiaro: Nothing to report

SWICG update

cwebber: only thing is that we have a new member of the group who is excited about anti abuse stuff
... so we should discuss that next week

tantek: cwebber can you email Coralie Mercier requesting space and time at tpac for the social cg

scribe: THe CG has enough stuff to discuss
... We could also do a break out

eprodrom: I think that concludes

tantek: next meeting in 3 weeks, 10th October

<eprodrom> trackbot, end meeting