2008-04-16
16 April 2008 Teleconference
Dial-in Information
- Date: 16 April 2008
- Time: Noon UTC Other Cities and Times
- Number: +1.617.761.6200
- Pin: 75464 ("PLING")
- IRC: host: irc.w3.org port: 6665 channel: #pling
Participants
- Renato Iannella
- Ashok Malhotra
- Giles Hogben
- Tziviskou Christina
- Assadarat Khurat
- Peter Davis
- John Brisbin
- Marco Casassa Mont
- Hannes Tschofenig
- Thomas
- Rigo
Missing
Agenda
- 1 - Review of Wiki Activities
A - Use Cases B - Standards C - Initiatives D - Interesting Cases
- 2 - Liaisons
A - JTC1/SC27/WG5 B - Prime Life C - Concordia D - PICOS
- 3 - Events
A - WW2008 Panel B - W3C Lightning Talk C - F2F at W3C TPAC (October)
- 4 - AOB
Actions
Minutes
Convene
Renato Iannella welcomed everybody and presented the agenda. He asked about further points for the agenda. Ashok suggested having phone conferences on a regular basis.
<scribe> Agenda: http://www.w3.org/Policy/pling/wiki/2008-04-16
wiki review
renato: use cases, standards, other groups, interesting cases
... that's been documented, a bunch of people have been adding ...
... hasn't been much new very recently ...
... still looking for more use cases ...
... interesting to work out, who is using policies, what are the issues ...
... 21 policy-related specs listed ...
... quite a list of initiatives ...
... decide how to continue work, capture information ...
... any more analysis we want to do ...
... look in depth at policy standards, map into use cases ...
... that's something we should be looking at ...
... would like to get feeling about what we should focus on ...
... floor's open ...
HannesT: one comment, two-fold -- use cases, many interesting ...
... but often don't require standardized mechanism ...
... more convenient from deployment point of view not to standardize ...
... stuff looking nice on paper, but suffers from lack of use cases that critically need standardized work ...
... other comment about setup of this (and similar) groups is that things are very research-driven ...
... that's nice, too, but doesn't really help to get deployment ...
... abstract focus or usefulness for deployment?
renato: want to get as many industrial-strength use cases and experience as we can
... obviously, much work going on in research ...
... maybe Marco wants to comment on policies in the commercial world
marco: focus in understanding how some of the R&D can be applied in solutions and standards efforts ...
... that has been the angle I was coming from ...
... interesting use cases that require standards etc ...
... could be interesting to understand enterprise complexity driven use cases ...
... major issues of coordinating policies consistently ...
... would expect to get more use cases, real world constraints on that ....
... R&D and commercial perspectives ...
Ashok: using WS-Policy, extensively in web services products
... has started to become quite popular and prevalent ...
... difficulty is that it's really not a very good specification ....
... lots of things that it doesn't speak about, lots of holes in it ...
... what to do as follow-up?
... try and start other standards activity to fill those holes?
... or what?
renato: who's "we" here
ashok: working for Oracle, also involved with other companies
... do interops -- Oracle, MS, IBM, BEA ...
... all of these are using WS-Policy within their products ...
marco: interesting; federated services and idm, or also for enterprise / organizational purposes?
... e.g., access control
... what's the range
ashok: not using ws-policy to control access to data
scribe: ws-policy not quite right for that ...
... there, using things like XACML ...
... what we are using WS-Policy for, very specifically ...
... using it to specify, basically, three things ...
... security, reliability, ...
hannesT: business application
ashok: important use case to specify security policy
marco: capturing what you said and exposing it further
Ashok: can do
HannesT: ... internally use formal policies ....
... no standardized interface -- typically, policies are simple ...
... raises the question what is really used ...
... implementing things is one story, using them is yet another one ...
Ashok: why do we require standard?
... when I as an Oracle client want to work with MS server ...
... have to be able to write policy for server ...
... if we have standard representation, can feed to server ...
... and configure clients to work with that server
marco: agree -- framework -- not necessarily new standard as outcome
... one of major problems is not deployment of policies, but come to integrated view ...
... consistent behavior of policies ...
... not so common in federated IDM ..
... but in big organizations, there's so many deployments of policy enforcement and decision points ...
... integrated view whether policies are implementing business objectives is useful ....
hannest: was at the workshop; one crucial problem is that applications we have currently aren't standardized
... difficult to make automated reasoning over behavior ...
... don't want to formalize everything; separate issue ...
... exploring use cases better is interesting; looking forward to Ashok's writeup
peterd: there are some gaps; do think a useful exercise would be along the lines of what ITU did with IDM 18 months ago
... assess specs that we have now ...
... wiki is not yet thorough enumeration ...
... put them in taxonomy
... federated policy fabrics ...
rigo: hannes, can you write up your concern?
... policy languages seem hip, lots of organizations starting new things ...
... silos and islands ...
... need another module for doing this and that ....
... filling gaps doesn't really require new language, maybe just plug things together ...
hannes: most of issues aren't lack of technical functionality, but lack of deployment incentive
rigo: yes, that's a concern. At some point in time, have to see why deployment incentive isn't sufficient
hannes: will post thoughts
renato: the more we can document and capture gaps and experiences, one of the roles of this group is to discuss holes and issues ...
... lots of policy issues with social networks, facebook, flickr ...
hannest: actually not allowed to put people photos online without explicit consent
... real-life policy; people don't realize ...
renato: yeah... Virgin Mobile case used photo for advertising ...
... need model release before posting on billboard ...
... in some cases, simply a matter of making implicit assumptions explicit ...
... if someone sees a photo on facebook, download it ...
... facebook has some privacy settings ...
... when photo leaves facebook compound, can do as you like ...
hannest: would be nice to attach policies to photos
... can accomplish using creative commons ...
... sth similar for location in IETF ...
... attach flags to location information ...
... do I allow to redistribute location ...
... already too complicated ...
renato: use cases, wiki
renato: will put virgin mobile scenario in use case
rigo: renato, there's speaker queue on irc
... first of all, hannes, problem in the virgin case was that there was cc license ...
... now the courts are seeking argumentation to prohibit the use ...
... because it was unexpected ...
... a bit behind; have 10 cases floating around ...
... where people are unaware of risks in using photos ...
... photos of people, etc ...
... other cases where finality of data was extended ..
... using video surveillance to deal with dog excrement on shoes (and carpet) ...
... one of the cases that Piero reported is that, if people would realize the audience they are sending things to, they would behave differently ...
... (a) how do I manage governance of my data in backend ...
... (b) what can I do to help users realize what they are doing? ...
... separate things; both in scope here
hannes: would be interesting to see these examples ...
... mostly dealing with social networks ...
... analysis how things could help ...
... came across use case in Germany recently ...
... StudiVZ - students and school kids ...
... teacher evaluation ...
... no accountability for person doing evaluation ...
<Giles> ratemyteacher.co.uk
<Giles> teachers leave as a result...
hannes: went to court, is still there ...
... will send uri
giles: one of the biggest issues with photos on social network sites is ...
... tagging -- you can now tag photos with somebody else's profile on facebook ...
... put their e-mail address in the tag ...
... no policy / way of saying "i don't want people to tag photos with my profile" ...
... issue of policies on social networks is bigger problem ...
... no export format for profiles ...
... no way to export access preferences either ...
<peterd> dataportability group is looking at suggestions for profile representation normalizations
hannes: ...
giles: could be sticky policies
hannes: they encourage people to say whatever they want, no real identity behind ...
... practical limitations ...
giles: in sth like facebook, only friends can access data ...
... they recently changed it so you have granular control ...
... who can access which fields ...
... you can't export that information, however ...
... lock-in with facebook ...
... google pushing OpenSocial API ...
marco: same for linkedIn
giles: whole issue of exporting access control policies, delegating them
... if you look at open mashup apis ...
... we have a group that works on Web 2 security ...
... big issue is that you can't send your access control preferences transitively through set of services ...
tlr: do we know to what extent the granular policy interfaces are used, at facebook?
<rigo> tr: extension of facebook, have you any idea how many people are changing settings in their profile?
giles: will find out
renato: anybody else?
marco: maybe we should create a new page that collects issues
<rigo> who will create those pages?
<rigo> MC: create page with OpenIssues
<scribe> ACTION: renato to start issues list [recorded in http://www.w3.org/2008/04/16-pling-minutes.html#action01]
<rigo> call it OpenIssues
giles: some more comments ...
... can't remember who it was -- somebody mentioned what ITU has been doing in terms of idm ...
... doing survey of policy languages would be extremely useful ...
... having that as a public directory would be very interesting ...
... useful piece of work ...
... also, some more use cases ...
... from ENISA perspective, have been working a lot on authentication policies ...
... describe what is high/low/medium level of authentication ...
... conditions that are required to issue authentication tokens ...
... maybe could write something there ...
... also, found on level of human-readable security policies ...
... there is need for standard way to express them ...
<scribe> ... ongoing initiative to collect best practices for security policies ...
Giles_Hogben: can download or collect security policies / practices from many different companies ...
... figure out what are best practices ...
... there is no standard way to express these; would be useful to have one ....
<rigo> this is kind of P3P for Security Policies
hannest: ITU-T IDM study -- what specifically did they do?
... that applies to policy space?
giles: they started with write-up what's out there
... extended that
... uri in a sec
<scribe> ACTION: Giles to circulate ITU-T URI one of deliverables was gap analysis [recorded in http://www.w3.org/2008/04/16-pling-minutes.html#action02]
hannest: gap analysis means comparing things
... what did they compare to what?
giles: have to check
<rigo> and to send also the extended list from ENISA with GAP analysis
giles: there was a status quo description document, then requirements
... have to check ...
peterd: there was ucr document that was mapped into gap analysis
... gap analysis had lots of things there, lots of things missing ...
<Giles> http://wiki.enisa.europa.eu/index.php?title=Electronic_Identity_Directory
peterd: telecommunications infrastructure heaviness ...
hannest: look at these cases?
... sometimes, gaps are artificial ...
... due to artificial requirements ...
peterd: a bit of both
giles uri above is the description of the idm standards
scribe: doesn't include requirements ...
<peterd> http://www.itu.int/ITU-T/studygroups/com17/fgidm/
hannest: is link going to be in minutes?
renato: irc log will become minutes
rigo: will transform minutes into readable form
hannest: good luck
renato: would like to move on to item 2
... anything else about current activity?
liaisons?
renato: goal is to help other projects / groups / communities to share info more broadly
... share information about policy activities ...
... four informations listed here
... JTC1/SC27 WG5?
<rigo> tlr: some email exchange and will follow up further
tlr: some initial e-mail exchange, need to follow up further
renato: will follow up, see whether we can progress
... primelife?
rigo: start-up phase
... will be a bit till it contributes ...
... hope that project deliverables can be contributed to PLING ...
... would encourage us to accept that ...
renato: prime was successful, would be happy to have link to that group
... concordia?
tlr: umh... not remembering anything in particular re liaison
peterd: major interop event at RSA, WS-Trust, etc
renato: keep on agenda
... next one was picos
... on marco
... anything else that we should be aware of?
hannest: some work in the communications future program at MIT
... maybe useful to drop them a note
... can get in touch with person who is organizing this
... have to drop off now
... anything else?
peterd: there was some SIP policy work going on at IETF, don't know about disposition most recently
... will try and post to the list later today ...
renato: if there's more, send to list
... we're getting close to time ...
upcoming events
renato: WWW 2008 next week in Beijing
... panel on policy-aware web there
... see www.www2008.org ...
... also, will give lightning talk at W3C AC meeting ...
... quick overview of what's going on ...
... also, planning to have f2f at technical plenary week in October ...
<rigo> it will be in Mandelieu
renato: any other events worth noting?
<rigo> TPAC in October: http://www.w3.org/2008/10/TPAC/
renato: if there are relevant things, please add to list and wiki
<rigo> 20 October - 24 October 2008
aob
next meeting
<boabjohn> Good time here!
renato: note that we've got people from all corners of the globe; insight into useful times
<Ashok> I suggest we use this time!
rigo: 8am Eastern probably a good slot
renato: any feelings about every fortnight or every month?
rigo: once a month largely sufficient at the moment
giles: ack
Summary of Action Items
[NEW] ACTION: Giles to circulate ITU-T URI one of deliverables was gap analysis [recorded in http://www.w3.org/2008/04/16-pling-minutes.html#action02]
[NEW] ACTION: renato to start issues list [recorded in http://www.w3.org/2008/04/16-pling-minutes.html#action01]
[NEW] ACTION: Rigo to schedule the next call in May [recorded in http://www.w3.org/2008/04/16-pling-minutes.html#action03]
[End of minutes]