See also: IRC log
<noah> scribe: Noah Mendelsohn
<noah> scribenick: noah
<timbl> tx
See: http://lists.w3.org/Archives/Public/www-archive/2005Jun/att-0010/tag-directions.html
VQ: Note resolution of httpRange-14
.... Note that Dan has offered some preliminary materials relating to educational materials.
<Roy> http://www.w3.org/2001/tag/em27.html
DC: Was going to give talk, oft postponed.
.... Not much is happening lately.
.... The talk will be at Park University, near Kansas City (http://www.park.edu)
Contributions of slides would be welcome.
VQ: Idea was to put up educational materials on the web for use by others.
NM: Suggest Henry discuss at AC meeting in Montreal, to solicit contributions, offer what we have, ask for guidance on where to invest.
An acquaintance of mine wound up spending 3 weeks teaching Web Arch because he and his students found the document so useful and interesting.
VQ: httpRange14 is done?
TBL: Did Noah try to reopen it?
NM: Well, I was suggesting there were some questions about abstract resources like namespaces.
HT: I'm still trying to figure out use of fragids and non-info resources (i.e. once you expect to give a 302)
DC: I'd put that with fragmentInXml-28
<DanC_lap> issue fragmentInXML-28
<scribe> scribe: Henry Thompson
<scribe> scribenick: ht
NM: Is a namespace an information resource? Well, maybe. It's not like my dog, which clearly isn't, but it's not like the NYT of 12 July, which clearly is, either
.... Have we dug a hole here, it's not right to return 200 from a namespace URI, but others seem OK with that.
<scribe> scribe: Noah Mendelsohn
<scribe> scribenick: noah
NM: So to be clear, I think I'm fine saying Namespaces are info resources, at least to the extent that the owner of the namespace claims there's nothing about it that isn't conveyable in a message.
VQ: Next sub-topic is web applications is there anything else we should do.
<scribe> scribe: Henry Thompson
<scribe> scribenick: ht
NM: Concerns in this area -- new technologies, e.g. Avalon, Flash, leading to content standards which we (the TAG) would think of as being on the web. Some of what they're doing isn't relevant, e.g. replacing Excel, but other stuff is, and...
.... a) what W3C does with WebApp should be competitive in some sense with what's happening in the pure commercial sphere: Competitive doesn't necessarily mean as good, but good enough that the network effect boost brings it in to contention
.... b) Some of this stuff will be retrievable/retrieved by http in the normal course of events, but the formats may not be standards-based, or even understandable at all to non-proprietary tools
.... c) Principle of least power is involved, as some of these, e.g. Flash, are less declarative than they perhaps should be
.... So on both of the fronts I think the TAG should work on, namely making sure the web remains viable and modern, and moving in good new directions, we should be paying attention to this.
VQ: So you should do a report on the MS Dev conference
TBL: And then what should we do about it
.... Produce a competitive standards-based 'product'?
NM: Well, W3C is already doing that, in that our technologies coexist with others, right? Among the things we need to do in situations like that is to keep an eye on things, and monitor from the outside the extent to which such external developments are likely to change expectations.
.... In this case, that means tracking the external work very closely, with attention to formats, tooling, etc.
<scribe> scribe: Noah Mendelsohn
<scribe> scribenick: noah
NM: Suggest it might be interesting to have the Rich Application workgroup look at things like what Microsoft's building in Avalon.
Lots of resources, for example: http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/fluid.asp
DC: Someone?? years ago mentioned to me that there were 3 areas we should worry about a) info exchange b) commerce c) games, entertainment, media
RF: Sony PSP firmware update gives you a really good mobile web browser.
DC: W3C should take some realistic position about this space. SVG and Flash is pertinent.
.... Flash is very widely deployed...is dominant computing platform
VQ: On phones?
DC: I think there are more flash than phones.
VQ: almost every new phone is SVG enabled.
DC: still, I think we do best when we do standardization after things sort of gel. Not ahead.
HT: we have taken a huge hit as well as rendering an important service by getting out ahead of vendors on XML Schema. Hard to tell whether that one was a good call.
.... still, history suggests we do better job when we do the 2nd version of a technology a bit later
DC: so, my starting position is that I'm not 100% sure working in the rich client space is pertinent for us, but I'm glad to support the membership given that they feel now is the time to invest resources.
<DanC_lap> that's a politically correct adaptation of what I said, which was: starting out, I thought there's no way W3C could produce something relevant in the rich apps space. But I gather the relevant members have heard my arguments and think W3C can be relevant, so away we go
TBL: We've tended to talk more about formats than how to write software. Maybe the CDF space is different.
.... maybe we should get into that space more.
NM: Yes, but I also think it's important that the bits of markup stand on their own and be as declarative as possible.
Gen'l: is there a role for the TAG here?
RF: maybe we should look at SVG & SMIL and see where it stands?
NM: to what extent should we do it vs. Rich Web App stuff.
RF: I.e. we should try to learn why things like SVG have not had more traction to date. Find out whether it's a technical issue.
DC: but it's all about timing. We can't rewrite history.
NM: should I take an action to ask Dean Jackson what they're doing in terms of tracking external developments in the Rich App space.
DC: well, I sort of did that.
.... Yes, Dean has looked at things like Avalon vs. SVG in some details. I believe the proposal for the Rich App group accounts for building something realistic.
VQ: end of discussion of Rich apps.
DC: I had action, not yet linkable, but I'll just give you this update here.
.... In the web, authentication is orthogonal to naming. You can always safely give out names. Access may or may not succeed.
.... Basic authentication has a design error. In the same number of round trips we could have done challenge/response, instead of sending the password in the clear.
.... Digest authentication addresses this with digest-based challenge response.
.... The server sends you some large pseudo-random number, that you hash with your password, in a way that the server can check.
.... Kerberos style authentication is 3rd party. Avoids n by m key sharing between services and clients.
.... digest authentication
RF: WebDAV does
DC: anyone use WebDAV?
HT: Yes, iCal.
DC: When server supplies 401 insufficient credentials, you get a dialog that asks for user and password.
HT: doesn't support "only give me a few characters"
.... they ask for 1st, 4th chars of my password.
<DanC_lap> NM: at the recent Microsoft conference, I saw they're working on a big new UI for managing credentials
<DanC_lap> (missing SSL slide)
DC: providers use forms with <input type="password">. ISP policies make it cheaper to buy a website if you use this approach, but it's weak due to passwords in clear, unless you're also using SSL/HTTPS.
NW: takeaways...SSL is expensive to get and expensive to run
DC: right. It's overkill for just keeping passwords out of cleartext.
.... users put off by entering user name and password in any case
.... claim 90% of users give up when asked for authentication
HT: would be interested to know whether anyone has done a server to validate that intuition
DC: claim only a few big services get to do this
.... I would like to get it to the point to which it's "criminal" to entice people to send passwords in the clear.
.... so, I want to make the alternative more practical
<DanC_lap> http://www.w3.org/TR/1999/NOTE-authentform-19990203
DC: the submission at http://www.w3.org/TR/1999/NOTE-authentform-19990203 says that we should use digest authentication at the place where password prompters give "*****", and a logout button.
TBL: why is this in XForms (i.e. as opposed to somewhere else)?
DC: Because you need new markup to support it.
TBL: does logout just delete cookies?
DC: there is a setting on Firefox that says no cross-site cookies. Has good uses for obscure cases.
.... It would be nice to have signed web pages, not just secured connections.
.... I want this in part for non-repudiation: you can prove I sent you this page.
NM: yes, but be a little careful. You really have to design this stuff to solve real world problems:
.... first of all, you often want to sign just a part of a page or form, e.g. the contract itself, but not the chrome around it.
.... secondly, if there is an XSLT or other form mechanism separate from the content, you need to sign not just the piece parts, but the combination, as well as some indication of how they were composed to make the page you saw.
DC: ...{scribe got a bit behind}...
.... some stuff about livejournal {?scribe?} anti-spam stuff
Scribe: Dan discusses slides at: http://www.w3.org/2005/09dc-edi/web-auth.html (click to advance through slides)
>> Dan will paste link to technical details here before minutes are public <<
Scribe: The link Dan wanted to paste is: http://www.openid.net
DC: so, that's my review of state of the art
.... a number of cool things. I could keep my identity in the open id space while switching authenticators.
TBL: can we use this for email? SMTP explain might return someone's openid.
DC: you could encourage everyone who runs an SMTP server to also have web server exporting open-id pages.
TBL: yes, but then you have to map email addresses to HTTP URIs
DC: interestingly, they already let you elide the http://www part of a URI.
.... note that there is a growing set of communities that don't use email as heavily as we do. They use IM, etc.
VQ: Thank you Dan, for the update on your action.
.... is there anything else we should do regarding security?
DO: I've written up several examples, exploring the different ways state is managed in Web apps. The example I chose was security. Maybe Dan and I should coordinate.
DC: Please send a pointer. Sounds interesting.
DO: Is that an interesting example? Relating stateful and stateless models? Hmm. I guess you'd have to see it to decide.
DC: Please send it.
<scribe> ACTION: Dan to review materials on stateful application models to be sent by Dave Orchard. Relate to authentication work. [recorded in http://www.w3.org/2005/09/20-tagmem-irc]
DC: I'd still like to promote open id.
.... I also think the Paul Leach's work (see link above) is still pertinent.
<DanC_lap> ACTION: DanC to turn "state of the art in auth slides [http://www.w3.org/2005/09dc-edi/web-auth.html ]" into draft finding [recorded in http://www.w3.org/2005/09/20-tagmem-irc]
<timbl> Morning draft minutes: 2-tagmem-irc-minutes.html
Meeting is adjourned.