All - The minutes from the WAF WG's 30 January VoiceConf on Access
Control are available at the following and copied below:
<http://www.w3.org/2008/01/30-waf-minutes.html>
WG Members - if you have any comments, corrections, etc., please send
them to the public-appformats mail list before February 6; otherwise
the minutes will be considered approved.
Regards, Art Barstow
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
Web Application Formats Working Group Teleconference
30 Jan 2008
[2]Agenda
[2] http://lists.w3.org/Archives/Public/public-appformats/
2008Jan/0305.html
See also: [3]IRC log
[3] http://www.w3.org/2008/01/30-waf-irc
Attendees
Present
Art, Anne, Dave, Thomas, Jonas, Hixie_(IRC)
Regrets
Chair
Art
Scribe
Art
Contents
* [4]Topics
1. [5]Review Agenda
2. [6]Requirements and UCs
3. [7]Requirement #1
4. [8]Requirement 3
5. [9]Requirement #4
6. [10]Requirement #6
7. [11]Requirement #9
8. [12]Requirement #10
9. [13]Requirement #12
10. [14]Requirement #13
11. [15]AOB
* [16]Summary of Action Items
_________________________________________________________
<trackbot-ng> Date: 30 January 2008
<scribe> Scribe: Art
<scribe> ScribeNick: ArtB
Review Agenda
AB: reserve 5 mins for AOB
Requirements and UCs
<tlr> argh
<tlr> sorry
AB: no comments on 2, 5, 7, 8, 11
... comments on 1, 3, 4, 6, 9, 10, 12
... not sure about #13
JS: I made comments on #13
AvK: I've addressed those comments
AB: propose we record agreement on 2, 5, 7, 8, 11 and 13
... OK?
DO: not sure everyone has reviewed them
AB: we've had two weeks now and in this agenda and the last I asked
people to submit comments in advance of the meeting
JS: I didn't receive many replies, mostly from Art
<dorchard> DO: I'm worried that people have reviewed some of the
requirements and their conversations are focused on those, not on
all.
AB: propose we recored agreement on 2, 5, 7, 8, 11 and 13
<dorchard> DO: so the concern is that the absence of discussion
isn't consensus.
AB: any objections?
TR: I want to remove #13 since it has been changed
DO: wonder about #5; think it was bundled in other conversations
JS: Jon may have had a counter-proposal for #5
DO: I don't object to the others but not #5
TR: I have some concenrs about #5 too but mostly editorial
<sicking>
[17]http://lists.w3.org/Archives/Public/public-appformats/2008Jan/02
50.html
[17] http://lists.w3.org/Archives/Public/public-appformats/
2008Jan/0250.html
AB: propose we record agreement on 2, 7, 8, 11
<sicking> contains feedback to 5
<Hixie> could i ask a quick process question? what happens if we
can't get consensus on these requirements?
<tlr> I *think* number 5 means "mechanism MUST apply to any media
type". If that's the case, that's great, but I'd like the text to
read that way
AB: any objections to that proposal?
[No objections]
RESOLUTION: requirements 2, 7, 8, 11 have agreement
AB: then we keep trying to get consensus
Requirement #1
<anne> "then we keep trying to get consensus" was a reply from Art
to Hixie's question
<Hixie> so i could block progress indefinitely by simply never
allowing consensus to form?
TR: I'm looking at a Jan 22 version
AvK: I don't want to revise requirements text; I don't want to do
this
... now but via e-mail
AB: I don't think we are getting closure via e-mail
TR: re 1.1., authentication isn't the issue but Authorization is
<tlr> Some servers authorize any requests that can reach the server.
TR: also have a problem with the last paragraph in 1.1 but I can
take that to e-mail
<tlr> "Although anyone..." includes somewhat inaccurate diagnosis of
current state; happy to take that to e-mail
<scribe> ACTION: Thomas submit an input for requirement 1.1
[recorded in
[18]http://www.w3.org/2008/01/30-waf-minutes.html#action01]
<trackbot-ng> Created ACTION-158 - Submit an input for requirement
1.1 [on Thomas Roessler - due 2008-02-06].
<tlr> "Should not be possible to issue..." -- motivate with UPNP
TR: I can supply an input for 1.2
<Hixie> due feb 6th?
<Hixie> that's a week from now!
<scribe> ACTION: Thomas submit an input for requirement 1.2
[recorded in
[19]http://www.w3.org/2008/01/30-waf-minutes.html#action02]
<trackbot-ng> Created ACTION-159 - Submit an input for requirement
1.2 [on Thomas Roessler - due 2008-02-06].
DO: re 1.2, I thought the Atom people had objected to that
requirement
<tlr> DO: atom folks objected against that one?
<tlr> hixie, that's the default due date
<tlr> this one needs to say "should not be possible to issue
unauthorized cross-site POST"...
JS: I think we need to qualify 1.2
[missed JS' explicit proposal to append a qualification to 1.2]
<Hixie> wait now we're arguing about the precise _wording_ of these
requirements?!
<Hixie> good lord
<anne> What was minuted above about me is not true. I said that I
don't want to be the author of the requirements. I'm fine with
editing. I also objected to discussing the requirement text and
discussing comments on requirements already posted to the mailing
list.
<Hixie> i also object to discussing the requirements at this point
<Hixie> it's months past the time to discuss requirements
<dorchard> It should not be possible to cross site non-safe
operations priort to an authorization check performed.
<Hixie> all we're doing is delaying the specs that depend on this
<anne> I'd also like to point out that I can't actually edit the
document while being on the call and that all detailed sugestions
have not at all been minuted! It would be much better if people
actually e-mail the list.
<anne> So all tlr's comments are lost.
AB: we can delete 1.2; we could assign someone to "champion it"
<dorchard> Proposal: It should not be possible to perform cross-site
non-safe (in HTTP, POST/PUT/DELETE) operations prior to an
authorization check being performed
DO: I made a proposal
osal #2
<anne> (I'm not trying to attack the minutetaker fwiw, just saying
that this doesn't really work.)
DO: I made proposal #2
<tlr> tlr: let's go with DO's rpoposal, modulo minor wordsmithing on
list
TR: I can live with David's #2 proposal modulo some word smitthing
<tlr> close ACTION-159
<trackbot-ng> ACTION-159 Submit an input for requirement 1.2 closed
JS: I'm OK with David's #2 proposal
<Hixie> i do not agree with that proposal
<Hixie> because i do not believe we should be discussing this in the
first place
Hixie, if you want to participate in this meeting please join the
voice conference
<Hixie> i do not have access to a phone here
<Hixie> (literally the closest phone to here is about 35 minutes
away)
AB: can you make the sub-bullet's numbered?
AvK: if you send me an e-mail requesting so
<scribe> ACTION: barstow submit a request to get the subbullets
numbered [recorded in
[20]http://www.w3.org/2008/01/30-waf-minutes.html#action03]
<trackbot-ng> Created ACTION-160 - Submit a request to get the
subbullets numbered [on Arthur Barstow - due 2008-02-06].
Requirement 3
TR: I think there are typical configs that require root privs
... should be worded in a positive way rather than negative
... We need to know the capabilities that are needed for the policy
deployer
... As worded, it doesn't help us at all.
... Also wonder if this is for XML only content or other content too
<sicking> sorry on, phone
AB: Jonas, any comments I think you are the author
JS: I can come up with a proposal; hope we don't get a bunch of
additional feedback
DO: yes, "typical" here is too open
<scribe> ACTION: Jonas submit a proposal for req #3 [recorded in
[21]http://www.w3.org/2008/01/30-waf-minutes.html#action04]
<trackbot-ng> Created ACTION-161 - Submit a proposal for req #3 [on
Jonas Sicking - due 2008-02-06].
<tlr> same applies to 4
Requirement #4
AvK: I made a mistake in my response to TR and I will follow-up on
e-mail
TR: this also talks about "typical"
... prefer to have it worded in a positive way rather than a list of
negative things
DO: I tend to agree with TR
<tlr> avk: I agree that req 4 is about XML stuff, won't propose new
text
AB: is anyone willing to champion this requirement?
... we could delete it
JS: we could change "typical" to Apache
TR: not clear what the real req is
DO: agree this req is not clear
AvK: why do we need to be so precise?
DO: we will continue to have ambiguity if the reqs aren't clear
<tlr> as phrased, I think it means "to be able to authorize
cross-origin access to the content of an XML file that's served, it
should be sufficient to be able to write to that XML file"
<tlr> If that's not what it means, I'd like to understand *what* it
means.
JS: I can propose a rewording I think will be helpful
<dorchard> right, tlr, I think that's close..
<sicking> Must able to deploy support for cross-site GET requests
without having to use server-side scripting (such as PHP, ASP, or
CGI) on IIS and Apache.
JS: no, that's not quite right Thomas
TR: we need an e-mail discussion on this
... again, think the negative list is a good way to write the
requirement
AvK: but that would lead to specifying a solution
JS: I don't want to force people to have to write programs to use
this stuff
<dorchard> So, Thomas, you want something like: Must able to deploy
support for cross-site GET requests by modifying the content of the
resource or HTTP Headers.
<tlr> dorchard, right
<tlr> maybe the right answer also involves something about these
things possibly being static.
<scribe> ACTION: Jonas start an e-mail thread about req #4 [recorded
in [22]http://www.w3.org/2008/01/30-waf-minutes.html#action05]
<trackbot-ng> Created ACTION-162 - Start an e-mail thread about req
#4 [on Jonas Sicking - due 2008-02-06].
Requirement #6
<tlr> I'm just very worried about "shouldn't need to program", as I
might need to program in certain deployments.
<dorchard> I have to drop off for about 5 minutes before lunch
disappears.
TR: needs clarification of wording
... "on a per-resource basis" can be mis-leading
<tlr> "It should be possible to configure distinct cross-site
authorization policies for different target resources that reside
within the same origin"
<tlr> sth like that
AB: Jonas, are you OK with that?
JS: yes
AvK: probably
AB: OK
... propose we go with TR's rewording
... any objections?
RESOLUTION: Anne will change the wording as Thomas proposed
Requirement #9
TR: I'm uneasy talking about the adminstrator
... should be able to override auth without changing an entity in an
HTTP response
JS: not exactly
... there are many solutions to satisfy this
... the PI requires a deny clause
TR: don't want to change the entity body of the HTTP response
AB: the first sentence seems like the only "normative" part
JS: second sentence is normative too
<tlr> Entity Body is the right one
<sicking> i'd be ok with "Must not require that the server filters
the entity body of the resource in order to deny cross-site access
to all resources on the server"
<sicking> or change "filters" to "modify"
AB: what do you think of that proposal?
TR: OK
DO: looks OK but need to think about it more
... e.g. need to factor in the OPTIONs and non-GET discusssions
AB: propose we accept JS's new wording with the 2 substitutions
... any objections?
DO: don't agree to a formal resolution
JS: would like a one week on the review on any reqs that have been
changed
DO: I agree
JS: need to get actions done ASAP
AB: agree!
<scribe> ACTION: Anne add Jonas proposed change for Req #9 and add
in the 2 substituions he proposed [recorded in
[23]http://www.w3.org/2008/01/30-waf-minutes.html#action06]
<trackbot-ng> Created ACTION-163 - Add Jonas proposed change for Req
#9 and add in the 2 substituions he proposed [on Anne van Kesteren -
due 2008-02-06].
Requirement #10
<anne> why didn't we discuss open issues?
<anne> they were also on the agenda
TR: I think we're pretty close on this
<DaveO> Anne, I don't think we are done agenda item #3: Requirements
<anne> ArtB?
<scribe> ACTION: Thomas submit a proposed edit for Req #10 [recorded
in [24]http://www.w3.org/2008/01/30-waf-minutes.html#action07]
<trackbot-ng> Created ACTION-164 - Submit a proposed edit for Req
#10 [on Thomas Roessler - due 2008-02-06].
Requirement #12
TR: issue with requests coming from other servers
... also issue with IIS
... think we need to say less actually
JS: agree but informative example could be useful
<tlr> req 12: Should be compatible with commonly used HTTP
authentication and session management mechanisms
<tlr> (i.e., HTTP authentication and cookies)
<scribe> ACTION: Jonas submit a new proposal for req #12 reflecting
Thomas' proposal [recorded in
[25]http://www.w3.org/2008/01/30-waf-minutes.html#action08]
<trackbot-ng> Created ACTION-165 - Submit a new proposal for req #12
reflecting Thomas' proposal [on Jonas Sicking - due 2008-02-06].
<sicking> I.e. on an IIS server where authentication and session
management is generally done by the server before ASP pages execute
this should be doable also for requests coming from cross-site
requests. Same thing applies to PHP on Apache.
Requirement #13
TR: this needs more review
... it is totally different than it was one week ago
AOB
AB: call next week
TR: I cannot attend next week
<DaveO> I can make next week
AB: meet anyhow?
DO: what about Hixie?
AB: let's plan to have a call next week
TR: make sure Mike can be on the call
AB: good point
<scribe> ACTION: barstow make sure Mike Smith can attend next week's
call [recorded in
[26]http://www.w3.org/2008/01/30-waf-minutes.html#action09]
<trackbot-ng> Created ACTION-166 - Make sure Mike Smith can attend
next week's call [on Arthur Barstow - due 2008-02-06].
<Hixie> DaveO: my opinion is that these telecons are a waste of
time.
AB: meeting adjourned
Summary of Action Items
[NEW] ACTION: Anne add Jonas proposed change for Req #9 and add in
the 2 substituions he proposed [recorded in
[27]http://www.w3.org/2008/01/30-waf-minutes.html#action06]
[NEW] ACTION: barstow make sure Mike Smith can attend next week's
call [recorded in
[28]http://www.w3.org/2008/01/30-waf-minutes.html#action09]
[NEW] ACTION: barstow submit a request to get the subbullets
numbered [recorded in
[29]http://www.w3.org/2008/01/30-waf-minutes.html#action03]
[NEW] ACTION: Jonas start an e-mail thread about req #4 [recorded in
[30]http://www.w3.org/2008/01/30-waf-minutes.html#action05]
[NEW] ACTION: Jonas submit a new proposal for req #12 reflecting
Thomas' proposal [recorded in
[31]http://www.w3.org/2008/01/30-waf-minutes.html#action08]
[NEW] ACTION: Jonas submit a proposal for req #3 [recorded in
[32]http://www.w3.org/2008/01/30-waf-minutes.html#action04]
[NEW] ACTION: Thomas submit a proposed edit for Req #10 [recorded in
[33]http://www.w3.org/2008/01/30-waf-minutes.html#action07]
[NEW] ACTION: Thomas submit an input for requirement 1.1 [recorded
in [34]http://www.w3.org/2008/01/30-waf-minutes.html#action01]
[NEW] ACTION: Thomas submit an input for requirement 1.2 [recorded
in [35]http://www.w3.org/2008/01/30-waf-minutes.html#action02]
[End of minutes]
