Re: coordination call minutes for review

[Thomas Roessler <tlr@w3.org>]

Thanks, Robert -- I think this mostly clarifies things.

John, I'm still curious about the specific concern you alluded to during the call.

Thanks,
--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)







On 2012-03-05, at 22:23 +0100, Robert Sparks wrote:

> All (but particularly John and Thomas) -
> 
> First, I'd like to reiterate that the service provider ID discussion
> is exceedingly unlikely to come up in webrtc. (I'm still a little at
> loss for what led to the concern? Is there a chance this got confused
> with the identity provider concept?)
> 
> That said, I went to find the messages that I said I would point to,
> and found they are not in as concise a place as I remembered.
> 
> This message from Richard is one of the first, and captures the idea
> <http://www.ietf.org/mail-archive/web/dispatch/current/msg03701.html>
> There was quite a bit of discussion on the thread that message started,
> and some of that moved to a thread on the RAI list, ending near here:
> <http://www.ietf.org/mail-archive/web/rai/current/msg01265.html>
> These threads have not resulted in consensus to act.
> 
> The DRINKS working group received a related liaison from the ITU.
> This was their response:
> <http://www.ietf.org/mail-archive/web/drinks/current/msg01045.html>
> 
> Does this give you enough of a toe-hold?
> 
> RjS
> 
> On 2/28/12 5:25 PM, Peter Saint-Andre wrote:
>> Please send your feedback in the next ~48 hours so we can make these
>> public. Thanks!
>> 
>> ###
>> 
>> W3C/IETF Coordination Call
>> February 28, 2012
>> 
>> Participants:
>> 
>> Gonzalo Camarillo (GC)
>> Stephen Farrell (SF)
>> John Klensin (JCK)
>> Philippe Le Hegaret (PLH)
>> Mark Nottingham (MNOT)
>> Pete Resnick (PR)
>> Peter Saint-Andre (PSA)
>> Robert Sparks (RJS)
>> Thomas Roessler (TLR)
>> 
>> Agenda:
>> 
>> 1. HTTP/2.0 / recharter of IETF HTTPBIS WG
>> 2. Web authentication (see lively discussion triggered by #1)
>> 3. Concerns about the "CA system"
>> 4. IETF IRI WG / W3C i18n Core WG / URL processing spec
>> 5. WebSocket extensions / HYBI WG recharter
>> 6. Update on work in IETF WebSec WG and W3C WebAppSec WG
>> 7. SIP provider identity - does it matter for WebRTC?
>> 8. Crypto API chartering, Identity meetings in Paris
>> 9. Paris IETF / IAB plenary
>> 10. Next meeting
>> 11. Any Other Business
>> 
>> Notes:
>> 
>> 1. HTTP Recharter
>> 
>> MNOT: SPDY came out ~1 year ago, gained significant momentum in late
>> 2011. Mark reached out to implementer community. Lots of interest and
>> positive feedback. Mark worked on strawman charter and socialized it
>> with Mike Belshe / SPDY folks, IETF ADs, W3C TAG, etc. Implementation is
>> accelerating. Concern that input is needed sooner rather than later. Has
>> been put before the IESG. Idea is to solicit proposals for HTTP/2.0 in
>> the next few months. Open process to ensure that we're not just taking
>> on SPDY, other approaches are welcome.
>> 
>> PSA: Any coordination issues with W3C/IETF here?
>> 
>> MNOT: Should make sure that HTML and HTTP/2.0 are well-coordinated.
>> 
>> PLH: Are there specific people we need to get involved or specific
>> issues related to HTML5 and HTTP/2.0?
>> 
>> MNOT: No specific concerns here, probably involve Yves.
>> 
>> TLR: Concur about involving Yves.
>> 
>> 2. Web Authentication
>> 
>> PSA: Lots of discussion over time, not clear that we have all the right
>> people at the table yet.
>> 
>> SF: I think it's gotten better. Might be useful to develop some
>> experimental approaches / new auth schemes.
>> 
>> TLR: Could you provide a summary of the discussion?
>> 
>> SF: During external review of the proposed recharter, I raised the issue
>> of perhaps developing new / better HTTP authentication approaches. This
>> gives people an opportunity to introduce proposals to work on that
>> during the work on HTTP/2.0. If so, the work would happen in HTTPBIS;
>> for non-adopted, interesting proposals, we might decide to form an
>> initiative in the IETF Security Area to work on experimental proposals
>> (so they are not critical path for HTTP/2.0.)
>> 
>> TLR: Are there any implementers strongly interested here?
>> 
>> SF: We won't know until we see concrete proposals.
>> 
>> 3. CA Concerns
>> 
>> PSA: Could TLR/PLH fill us in?
>> 
>> TLR: No obvious venue for a productive conversation. Some ideas for the
>> W3C to form an initiative, also discussions at IETF (therightkey mailing
>> list). One additional piece: notion among some in the W3C community that
>> the DNS is more brittle than others think it is.
>> 
>> PR: What parts do people think are brittle?
>> 
>> TLR: Concerns not as well-defined as I'd like them to be.  But heads-up,
>> that discussion is going on.
>> 
>> PR: My slightly snarky response to the CA problem is the existence of
>> the DANE WG effort at the IETF. I personally feel like it could solve
>> the problem.
>> 
>> SF: DANE can change/improve stuff, but might not fix it.
>> 
>> TLR: Personally I think we need to start thinking about / working on
>> things like JavaScript APIs for some of this.
>> 
>> SF: One wrinkle is that there are more unreliable registrars than
>> unreliable CAs.
>> 
>> JCK: If you look at it in terms of percentages, it's ugly all around.
>> 
>> TLR: DANE appears to perhaps limit the attack surface. Also, this is a
>> much longer discussion.
>> 
>> TLR: Changing topics, the CA/Browser Forum is discussing whether to form
>> a more open venue for work on this topic and is soliciting proposals:
>> http://cabforum.org/index.html
>> 
>> SF: Is there concrete W3C planning here?
>> 
>> TLR: Not yet. Counter-question: is there concrete planning at the IETF?
>> 
>> SF: Not yet, other than therightkey@ietf.org discussion list, but the
>> proposals there are not yet stable and need more work before they can be
>> reviewed more widely. Perhaps a W3C community group?
>> 
>> TLR: Might be worth discussing the possibility of a workshop or, yes, a
>> community group.
>> 
>> 4. IRI
>> 
>> PSA: i18n Core WG has agreed to review the IRI WG documents starting
>> around the time of IETF83.
>> 
>> JCK: ICANN IDN work important in this context.  Note that, if ICANN
>> declares that some sets of names are to be considered/ treated as
>> "equal", anything based on comparisons of URIs or IRIs moves from "hard
>> and not necessarily reliable" into "surreal".
>> 
>> ACTION: PSA to pull together IRI / IDN folks for discussion around IETF
>> 83, additional discussion later.
>> 
>> Useful participants: folks on this call, Thomas Narten, Suzanne Woolf,
>> Dave Thaler, Andrew Sullivan, Gervase Markham, Klensin, Faltstrom.
>> Maybe Vint, maybe Steve Crocker.
>> 
>> TLR: Where do we stand on the HTML5 / IRI front?
>> 
>> PSA: See http://dvcs.w3.org/hg/url/raw-file/tip/Overview.html - based on
>> conversation with Mike Smith the other day, it is a bit early to provide
>> detailed feedback on that spec now.
>> 
>> 5. WebSocket Extensions
>> 
>> PSA: HYBI WG has been rechartered, we might want to make sure that we
>> continue coordination between HYBI WG and WebApps WG.
>> 
>> PLH: Main blocker now is tests, but progress is ongoing there.
>> 
>> 6. WebSec / WebAppSec
>> 
>> PSA: New version of Strict Transport Security.
>> 
>> TLR: Discussion of clickjacking and Content Security Policy, trying to
>> get CORS done, reasonable intensity of work. Reasonably confident that
>> things are going well.
>> 
>> 7. SIP Provider Identity and WebRTC
>> 
>> TLR: There was discussion about having an IANA registry for SIP
>> providers. Do we have a sense of the use case?
>> 
>> RJS: I don't think you need to worry about it. The proponents for the
>> SPID idea itself are continuing to pursue the idea, and I'll point you
>> to the messages where they have making their motivating arguments. I
>> have not seen any desire to bring this up in the WebRTC.
>> 
>> JCK: Please loop me in on this.
>> 
>> 8. W3C Crypto API
>> 
>> TLR: WG is under review by Advisory Community, still working to find an
>> additional co-chair. Expect approved charter in relatively near future.
>> Other issue is relationship to OAuth, OpenID Connect, possibility for
>> additional and broader work. Side meeting at IETF 83 in Paris.
>> 
>> SF: Scheduled on the Thursday lunch break (1130-1300) in room 252A, just
>> before the OAuth WG session.
>> 
>> PSA: Stephen, do you see any coordination issues from the IETF side?
>> 
>> SF: Definitely interest in seeing crypto in the browsers. Existence of
>> such an API could have an impact in the future on OAuth design etc.
>> 
>> TLR: Also note OpenID connect meeting Sunday, overlapping with training
>> sessions
>> 
>> 9. IETF 83 / IAB Plenary
>> 
>> TLR: Do we have insights into the agenda for the IAB Plenary? I've heard
>> it's related to web security.
>> 
>> SF: We don't have details yet.
>> 
>> PSA: Who will be there?
>> 
>> TLR: Me part of the time, Philippe, Dominique for RTCWeb, Harry Halpin
>> is local, Wendy Seltzer for a few days, Yves might be there too. I also
>> expect a number of TAG members to be there since they are meeting in
>> Europe the next week. Might be good to have a separate discussion about
>> that with Yves and Larry.
>> 
>> ACTION: Thomas to check in with Yves on TAG activities at IETF.
>> 
>> 10. Next Meeting
>> 
>> ~4-5 weeks after IETF 83? Week of April 23rd or 16th might work. To
>> coordinate on the list.
>> 
>> 11. Any Other Business
>> 
>> PLH: Possibility of HTML meeting in May/June timeframe.
>> 
>> TLR: There's been some discussion about impact of application work such
>> as WebRTC on lower layers of the network, best practices for network
>> usage, etc. Is this a general topic that comes up on the IETF side of
>> the discussion or should there be some coordination here? There is a
>> community group at http://www.w3.org/community/networkfriendly/
>> 
>> PR: Move to hallway discussion in Paris.
>> 
>> END
>> 
>> ###
>> 
>> 
>> 
>