See also: IRC log
Topic 1: PrimeLife Requirements Document published
Introduction by Carine Bournez
http://www.primelife.eu/images/stories/deliverables/h5.1.1-policy_requirements-public.pdf
CB: goal is to get requirements for next generation policies
CB: got use cases and derived requirements from it
... high level requirements, some are low level
... some about expressivity and some about data types like location
... some access control requirements, some trust requirements
... some data handling
... can't put them all in a bag, some are related
... future version may sort it differently, had no consensus yet on how to sort
CB: Goal of the project is to design a language, this document is a basis and we'll see how many of those requirements can be achieved
HT: what has changed that new requirements are needed
... no solutions for the IETF requirements, or solutions not deployed...
... in charge of services are not really keen on deploying
CB: orthogonal prob to design of the language in PrimeLife
... some prototypes of services in PrimeLife that will use the language
... there is no promise that people will use it if there is no social pressure to use privacy languages
<tlr> (looking at http://www.ietf.org/rfc/rfc3693.txt, geopriv requirements...)
CB: if there is no pressure on Social networks, they will not use it
HT: only privacy or also ACL
CB: need is not always obvious for service providers
tlr: document looks at several classes of policies
... not understanding differences between that access and dynamic description of the accessing party is
... more striking requirement go outside policy language and relate how policy is managed
... geopriv is ex for data handling, there is a requirement that policy must be revocable ..
... we know that revocation lists do not work in deployment
... general requirement of data handling policies combination with access control
... parties of decision may enter into agreement
... bunch of requirements are fairly generic, that are all over the place
... one requirement that is less standard is the delegation one
... delegate some portion of policy to third party, trust third party
... grant this additional party the right to grant authorization
... will spend a significant amount of resources there
HT: where do you get requirements from? We had lots of those documents done in IETF and only 1% of those requirements turn out to be used
CB: we have collected use cases, each use case contains actions
... those actions create requirements
tlr: encourage to give feedback from those who have implemented policy languages
HT: recently in Google thing had some privacy in it. Google doesn't require any standardized approach. Very nice for them
... they can just do instead of standardizing first
CB: user facing some config and preference when entering service, user has to understand those options in order to make the right choice
... see flickr case with the wrong license, person did not understand the meaning of the option
... important that the user knows what service and option means
... intent is not matching always the service intent
HT: User interface aspect is very important
CB: not only UI, but also a kind of normalized interface and semantics
... currently user interface has to learn for every service where the options are and what they mean
... all the actors have to share the way to express preferences
JanS: also cross platform mash-up
... lot of services define their own policies and trouble is to find the common cut across those policies
... this is the policy I want to express that every service must understand
HT: User experience needs to be unified
... on access control, languages are similar in an abstract, but devil in detail, location, presence etc
JanS: confirm this problem
... first need to approve all those services, want to do cross domain aggregation and this doesn't work
tlr: haven't tried latitude
... match common patterns to our requirements, most of it will match
... so does the silo approach still make sense or should the preferences be exchangeable between services?
... lot of interesting stuff still ahead.
JanS: collecting, play around and test...
... my approach too
RI: browsing over general principle
... should be semantically equivalent
<tlr> rigo: semantic equivalence...
<tlr> ... this is not meant to be limiting
<tlr> ... the goal here is (and was) not to limit this policy language by P3P semantics
<tlr> ... but having P3P semantics there as some subset
<tlr> ... want at least the expressivity of P3P
<tlr> ... maybe use P3P data in prototypes,
<tlr> ... use as hints on privacy practices
<tlr> ... real world advantage
<tlr> renato: that's fine
<tlr> rigo: not meant to limit the minds
<tlr> ... believe me, the primelife folks wouldn't let me limit them to something like that
<tlr> renato: have a past life in DRM page
<tlr> ... MPEG 21 requirements and all that
<tlr> ... it just seemed that when you have a whole list
<tlr> ... you get a language that might solve all requirements
<tlr> ... but might be over complex
<tlr> ... prioritizing?
<tlr> rigo: feedback -- it's too complex
<tlr> giles: there needs to be some brutal surgery
<Giles> I didn't say surgery....
<tlr> rigo: language design will see cutting
<tlr> giles, in that case I heard you wrong
<tlr> giles: doesn't fall into trap of making solutions into requirements
<tlr> ... that's good
<tlr> giles: looking at SN use case
<tlr> ... there is one use case missing
<tlr> ... "browsing profiles"
<tlr> ... also, policies based on reputation of contacts
<tlr> giles: also, "anonymous credentials" -- how's that a use case?
<tlr> ... not a solution?
<tlr> rigo: send mail?
<tlr> giles: corporate security policies -- relates to privacy through trust policies, or relevant otherwise?
AM: wondering if they had looked at security languages, trust languages, rather than starting over again
... if there is something they could start with it could be quicker
CB: we have not explored security area at all
... we may still look into it.
GH: you do have a section on security language
AM: suggestion to help you as a starting point
CB: we have explored requirements, but not the languages
... the same for anon credentials, because they think we can achieve more features with anon credentials, but this is a bad thing to do
... not choosing solution beforehand
<scribe> ACTION: Giles and Ashok to send their comments on the requirements document to the public pling lists [recorded in http://www.w3.org/2009/02/11-pling-minutes.html#action01]
RI: I was supposed to pester media annotations.
... looking to the use case requirements document that they just released
... realised that they have no use case for rights information
... they seem to agree to my comments, but nothing happened
RW: please send me email so I can address that internally
RI: haven't given me enough information so that I could do a useful comment
<scribe> ACTION: Renato to send summary of media annotations WG exchanges to PLING list and Rigo for further W3C action [recorded in http://www.w3.org/2009/02/11-pling-minutes.html#action02]
RI: all other actions are done
======================================
UNKNOWN_SPEAKER: inform PLING of possible P3P extensions for social networks
... it is good that we get more and more requests
CB: in follow up to the WS there is a discussion for an XG on Social networks
... public discussions in public-social-webtalk@w3.org
... encourage participating there
RI: issues are so huge that the XG would take years to resolve them
CB: if the charter is too big, please tell them
RI: did already send email
======================================
all other items are standard
should add updates to the wiki
=========================================
JanS: preparing empirical research in services, still half a year to go before getting results
tlr: WS in Dec in London, bunch of people talked about APIs,
... typical use case is location on mobile device
... webapp that access caller book
... interest in mobile community to use html, javascript, xml as cross platform application development platform
... what kind of security policies are used for this: question for the WS
... it started being based on XACML, then moved elsewhere, some opportunity to standardize
... but a move to exchange these policies, not yet another access control language
<tlr> http://www.w3.org/2008/security-ws/report
tlr: but some framework on how to exchange policy information between those devices
... feedback welcome
RI: no comments for thomas
... ODRL version 2, new draft will be out in 2 weeks
... concordia?
tlr: not currently following
RI: conferences?
tlr: PrivacyOS in Berlin on 1-3 April
<tlr> http://www.privacyos.eu/
RI: next call will be 11 March
next call double check the time
Scribe: rigo
Present: +30281039aaaa, Rigo, Giles, +358.504.87aabb, Hannes, Thomas, Ashok_Malhotra, Renato, Jan, Carine
Date: 11 Feb 2009
Minutes URL: http://www.w3.org/2009/02/11-pling-minutes.html
People with action items: ashok, giles, renato