See also: IRC log
Sunil to scribe
assuming there are no problems, we'll approve the minutes
<tlr> Last meeting's minutes: http://www.w3.org/2006/11/14-wsc-minutes; http://www.w3.org/2006/11/15-wsc-minutes
ok, the minutes are not approved
<tlr> RESOLVED: minutes approved.
scribe: email doesn't get to MEZ as quickly as one would expect, as her org runs pre-beta servers, so there's a possibility of glitch...
... try to contact MEZ through some other media or go through Thomas...
<Mez> http://www.w3.org/2006/WSC/drafts/note/
<stephenF> took a peek earlier - it looks good
scribe: the above link contains the notes Tyler had put up so far...
The notes have the skeletal version, and he has put in some use cases. He'll continue to extract more content from the email and put it in the notes...
He'll send out an update when he has done that
MEZ says that we should get the content on Wiki so that's easy on Tyler...
Thomas will send out instructions either end of today or by tomorrow on how to use Wiki
The Wiki will NOT use the same username/password as their W3C username/password
MEZ says we should work on the Goals/Non-goals agenda item
<stephenF> got a ptr to that email?
MEZ has started the list in one of the email responses to Mike...
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2006Nov/0041.html
The charter and 2 days of f2f have provided enough context to discuss what is within scope and what is out
MEZ claims that the existing list seems quite uncontentious
MEZ is reading out the contents of the email...
<Zakim> malware, you wanted to ask about high-level problem description
Mike says the goal is to help users protect themselves from becoming victims of phishing attacks, or correctly identify the biz they are sharing information with
MEZ says we should be able to get a couple of use cases before deciding either way
Mike says that with such work, we have to explain to the outside world what we are doing, what's the value of the work to the 'unsophisticated user'. He agrees that it's a little early to take a stance yet...
<Zakim> Thomas, you wanted to note it's probably ok to talk about overall goal for ourselves, and then see how far the use cases get us
Hal: has a different perspective, says phishing is an example of what we are solving.
Phishing may be a short-term problem, but we should focus on solving the problem in general.
Mez says tactically speaking, the problem we are solving is phishing, but strategically we are trying to get across to the layman on the browser who they are talking to.
<malware> so for the record, what I wanted to say was that I think it might benefit to consider formulating a high-level description that explains in simple terms to an unsophisticated user what problems we are trying to solve with this work.
Stephen: If there's an unsophisticated user whose user agent supports both HTTP and FTP, then how do we get it across to the user?
MEZ says that what we are trying to put in the security context that is general in nature, irrespective of http/ftp
scribe: but when we get into specifics, we would like to leave out some set of protocols in the universe...
Stephen says that if we fix all the holes in HTTP, the hackers will move to FTP.
MEZ agrees there will be holes
Stephen thinks that it might not be correct to leave out FTP, as users are using a general-purpose User Agent
<staikos> without wasting air time, SOAP == HTTP
MEZ is looking for a place to start with
<tjh> can we formulate a use case for non-HTTP?
Mez tells Stephen to come up with a use case scenario that includes FTP
<scribe> ACTION: Stephen to come up with a use case for FTP's usage [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action01]
<trackbot> Created ACTION-32 - Come up with a use case for FTP's usage [on Stephen Farrell - due 2006-11-28].
<stephenF> http as biggest deal is just fine by me
scribe: MEZ says seems nobody has problems with keeping HTTP front and center...
PHB says we secure HTTP and call FTP legacy. He's happy keeping protocols like IRC, SMTP out of scope too at this point
<tlr> data: URIs?
George agrees with PHB, that FTP should be out of scope. But thinks the 'data' protocol is quite interesting
MEZ says that generally people seem to be ok with what's in scope, but folks seem to have problem with what's out of scope
scribe: we should start populating the goals/non goals section of note
Hal says that if we are putting the goals and non-goals in the document, we should be very precise.
scribe: Goals and scope are a little different...
... the point is, what we are talking about is goals, but actually they are the things within scope or out of scope...
<staikos> yes
scribe: the document has a section for goals/non-goals...
MEZ says Goals/Non-goals is right for the document and not sure we need scope/out of scope
<malware> where F00 is (in this case), base64-encoded GIF data
<malware> oh
Hal can you please type your example of goals/non-goals scope/out-of-scope
<malware> then:
<malware> just thinking and suggests that perhaps at a high level, we may be saying that we are trying to help users correctly evaluate the identity of an online business in order to decide if that business is worthy of trust (that is, decide if they want to exchange personal information with that online business)
<Paul> HTTP is a protocol on the wire, but a lot of the attacks that we talk about are display issues. For example, manipulation of the chrome, or obscured URLs. So should HTML be in the scope?
<malware> the 'data' protocol that staikos mentions is e.g., '<img src="data:image/gif;base64,F00"/>'
<staikos> tlr: should fix that logging :)
MEZ says there are two aspects that are within scope. i) security context, definitely protocols are within context, ii) protecting from chrome manipulation, hence DHTML is within scope
<Paul> So we want to nail the use cases before we write too specific a scope statement.
<Mez> I think it's iterative; some people like the abstract scope then the concrete use cases, some the other way around
tyler says, we should have a scope/out-of-scope section, as it will help the patent attorneys
<Paul> I agree with PHB.
PHB, I am missing the subtlety, can you please type in what you just said
<Paul> I think the scope should be driven more by use cases than jumping to a protocol discussion.
<malware> I believe I agree with PHB's distinction about statement of "goals" being at a higher level of abstraction than "scope"
MEZ says we should have someone draft the goals/non-goals (more abstract) and have someone draft the use cases (the more concrete)
<stephenF> MEZ's plan sounds good, but makes me wonder when we get to closure on those
<Mez> in 2 minutes...
<tlr> ACTION: hallam-baker to draft goals / non-goals section [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action02]
<trackbot> Created ACTION-33 - Draft goals / non-goals section [on Phillip Hallam-Baker - due 2006-11-28].
<scribe> ACTION: PHB draft the Goals/Non-Goals [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action03]
<tlr> ACTION: zurko to draft scope/out-of-scope [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action04]
<trackbot> Created ACTION-34 - Draft scope/out-of-scope [on Mary Ellen Zurko - due 2006-11-28].
mez is trying to verify if there's any section of the note as drafted by tyler that is underexplored, or if sections are missing completely
scribe: the action items that are most important are scope/non-scope, use cases and foundation principles
... she doubts that we have good use case coverage...
mez asks thomas, should we have a meeting next week?
thomas says that traditionally we don't have a meeting during the AC meeting, suggests we skip the next meeting and have the next one on Dec 5th
<staikos> I have a full-day meeting Dec 5
post Dec 1 will be good, as lots of actions are due by then
<malware> I'll be in Boston on Dec. 5 for XML 2006
Mike is fine with Dec 5
RESOLUTION: The next phone meeting will be on Dec 5th, same time (10am EST).
Hal asks how action items get closed
Thomas says that his pref is that action items not get closed promptly. As we go forward, during meetings we actually decide that an action has been resolved, and we close them then
thomas is trying to bring up list of action items and see if we can close them...
<malware> I checked XML 2006 schedule. 10am sessions on Dec. 5 are about XQuery and W3C XML Schema, both of which I am glad to miss :)
Action 1 is closed
<tlr> http://www.w3.org/2006/WSC/track/actions/3
make action 3 out of scope (as it's related to sandboxing).
<malware> About the XPath/XQuery question, I think Staikos' point on the list (about it essentially being no different from Javascript) was right.
<stephenF> yes, to what thomas said
<tlr> ACTION: thomas to open issue for xpath/xquery in/out-of scope [recorded in http://www.w3.org/2006/11/21-wsc-minutes.html#action05]
<trackbot> Created ACTION-35 - Open issue for xpath/xquery in/out-of scope [on Thomas Roessler - due 2006-11-28].
action 10, mike, rejected the action.
hal suggests we close action 12, enumerating the context.
thomas asks do we have agreement that action 12 has been discussed sufficiently?
<tjh> shouldn't then the action close once the info is in the wiki?
<tlr> ACTION-12 to be closed; done at the meeting; see http://www.w3.org/2006/WSC/security-context-info-sources
<Mez> Tim, only if Hal really deserved to own it.
action 14 is a duplicate of something else
action 28, minute cleanup, action 31, produce a skeletal doc, done.
scribe: the only one that needs more attention is action 35...