[13:28:57] --- paulehoffman@jabber.org has joined
[13:31:51] --- TimBray has joined
[13:31:59] <TimBray> Hey
[13:32:06] <paulehoffman@jabber.org> There you are.
[13:32:12] <TimBray> Never used this for jabber group before
[13:32:25] <TimBray> anyhow, one hour or two?
[13:32:39] <paulehoffman@jabber.org> One. We should be done in .75 hr
[13:32:52] <TimBray> OK, thanks.
[13:32:58] <paulehoffman@jabber.org> See you in a bit.
[13:57:02] <TimBray> haven't seen that email about the audio
[13:57:16] <TimBray> I'm being lazy, I'm sure I can find it
[13:57:58] <TimBray> oops, I lied, there it is
[13:59:22] <paulehoffman@jabber.org> http://videolab.uoregon.edu/events/ietf/ietf667.m3u
[14:44:06] <paulehoffman@jabber.org> Starting in 25 minutes
[14:45:58] --- paulehoffman@jabber.org has left: Logged out
[15:06:10] --- stpeter has joined
[15:07:32] <stpeter> ping
[15:07:33] <stpeter> pong
[15:07:41] <TimBray> hey
[15:10:01] --- leiba has joined
[15:10:04] <leiba> Hi!
[15:10:06] <TimBray> I can hear Paul's voice (very quietly)
[15:10:23] --- paulehoffman@jabber.org has joined
[15:10:32] --- tonyhansen has joined
[15:10:35] <TimBray> Hey Paul, I can hear you, but very very faintly
[15:10:44] <stpeter> he's not really speaking into the mic
[15:10:55] <TimBray> lovely
[15:11:05] <TimBray> excellent
[15:11:13] <TimBray> I'll whine if I can't hear
[15:11:17] <stpeter> ok
[15:11:38] <TimBray> Lisa there?
[15:11:47] <leiba> No
[15:12:26] <stpeter> not yet anyway
[15:12:48] --- ⎋ has joined
[15:13:36] <stpeter> I will relay questions back to the IRL room if they come up here
[15:13:52] <TimBray> use of the Atom format *and protocol* actually
[15:14:05] <stpeter> IRL = "in real life" for you non-IM people
[15:14:36] --- alexeymelnikov has joined
[15:14:46] <stpeter> Lisa has arrived :-)
[15:15:09] <stpeter> RFC 4287 finished about a year ago -- the Atom format document
[15:15:21] <stpeter> already has very wide implementation
[15:15:34] <stpeter> pretty universal in the weblog space
[15:15:59] <stpeter> very good conformance
[15:16:19] <stpeter> also among news aggregators
[15:16:23] * stpeter is channeling Paul
[15:16:32] <stpeter> now we have to finish the protocol
[15:16:44] <stpeter> Atom protocol....
[15:16:48] <TimBray> heh, you're a little ahead of the audio
[15:17:00] <stpeter> protocol runs over HTTP
[15:17:09] <stpeter> you get back a service document which describes the collections
[15:17:14] <stpeter> sorry, too fast? :-)
[15:17:34] <stpeter> you can view collections, add new items, delete items, etc.
[15:17:46] <stpeter> simple HTTP protocol for editing things that look like Atom feeds
[15:18:06] --- bernard.desruisseaux has joined
[15:18:08] <stpeter> doesn't attempt to replace WebDAV or anything else, just a single-purpose protocol
[15:18:21] <stpeter> current draft is considered to be feature complete
[15:18:29] <stpeter> probably one more rev in a few weeks
[15:18:44] <stpeter> probably will not need a working group last call
[15:18:55] <stpeter> go directly to IETF last call soonish
[15:19:05] <stpeter> one large open issue re: security
[15:19:09] --- tlr has joined
[15:19:16] <stpeter> we will discuss on the mailing list
[15:19:26] <stpeter> issue: what kind of authentication should we use?
[15:19:36] <stpeter> will do what the IETF wants us to do
[15:20:02] <stpeter> Extensions to Atom Format...
[15:20:08] <stpeter> two mailing lists...
[15:20:13] <stpeter> atom-syntax and atom-protocol
[15:21:00] <TimBray> BTW, anyone can listen at http://videolab.uoregon.edu/events/ietf/ietf667.m3u
[15:21:10] <TimBray> But Peter's doing an excellent scribing job
[15:21:18] <stpeter> probably more extensions on the way
[15:21:32] <stpeter> I won't scribe for my own presentation :-)
[15:21:43] <stpeter> Threading Extensions just approved for standards track
[15:21:46] <TimBray> Talk loud & I'll scribe :)
[15:21:49] <stpeter> heh
[15:22:09] <stpeter> seemingly not a great deal of interest in the other extensions -- no great push for the specs
[15:22:27] <stpeter> our security expert has arrived, Eric Rescorla will talk here
[15:22:34] <stpeter> I'll try to scribe but he talks fast :-)
[15:23:14] <stpeter> a few options: basic, digest, passwords, kerberos
[15:23:36] <stpeter> IESG guidance: no plaintext passwords over unencrypted transport
[15:23:49] <stpeter> if want to use basic or password in web form, must run over TLS
[15:24:00] <stpeter> alternative is digest authentication
[15:24:26] --- Lisa has joined
[15:24:30] <stpeter> basic is open to impersonation attacks
[15:24:38] <stpeter> digest is not (via sniffing)
[15:24:48] <Lisa> Hi Tim
[15:25:27] <TimBray> Hi
[15:26:31] <stpeter> dictionary attacks are possible via basic and digest
[15:26:44] <stpeter> low-entropy passwords are typical (unfortunately)
[15:27:39] <stpeter> Paul: difference between password and pre-shared secrets
[15:28:14] <stpeter> Paul: authenticators in Atom will probably be passwords rather than pre-shared secrets (in use on open internet, many users)
[15:28:37] --- bernard.desruisseaux has left
[15:28:44] --- bernard.desruisseaux has joined
[15:29:07] <stpeter> Paul: we don't know how people will want to implement the Atom publishing protocol
[15:29:55] <stpeter> e.g., browsers typically have sub-optimal interfaces for basic and digest authentication, which is one reason why people have gone with passwords via web forms
[15:30:28] <TimBray> and no desire to push back against IETF policy
[15:30:31] <stpeter> Mark Nottingham
[15:30:36] <stpeter> Tim: yes, correct
[15:30:37] <TimBray> from the WG I mean
[15:30:43] <stpeter> MIC question from Mark
[15:30:52] <stpeter> "what would you recommend?"
[15:31:04] <stpeter> Eric: either digest or basic-over-TLS
[15:31:22] <stpeter> can we "eat the TLS bullet"?
[15:31:36] <stpeter> if so, go with that since then you have confidentiality for free
[15:32:31] --- sayrer has joined
[15:32:54] <TimBray> Also, Web authent is a moving target, and APP is expected to be long-lived.
[15:33:32] <sayrer> Digest's hash algo is incompatible with existing auth databases (like those used with web forms)
[15:33:59] <stpeter> Mark: concern about limiting implementation and deployment options
[15:34:21] <stpeter> (e.g., some services or users may be happy with cookies or plain text)
[15:34:23] <sayrer> so you have to know you're going to use it when you create your passwd file equiv
[15:34:33] <stpeter> at MIC: Ted Hardie
[15:34:47] <stpeter> Ted: difference between mandatory to implement and mandatory to deploy
[15:35:22] <stpeter> Ted: want to make sure that implementations have what they need to make things secure
[15:35:29] <stpeter> (and interoperable)
[15:36:07] <stpeter> if particular deployments don't make the standard available, that's their option
[15:36:29] <⎋> s/make the standard available/choose to use the implemented option/
[15:36:33] <stpeter> Paul: MUST NOT send plaintext in the clear
[15:36:42] <stpeter> Ted: yes, that's a proper wording
[15:37:14] <stpeter> ok, back to Paul's slides, Eric Rescorla has left the building!
[15:37:32] <stpeter> Atom protocol status
[15:37:43] <stpeter> ready for IETF Last Call this month
[15:37:49] <stpeter> WG still tweaking
[15:38:18] --- cyrus_daboo has joined
[15:38:24] <TimBray> no
[15:38:30] <TimBray> Lisa: No
[15:38:35] <stpeter> Lisa: for the record as an individual....
[15:38:44] <stpeter> Lisa: concerned about the number of things that are left up to agents
[15:38:49] <stpeter> e.g., last modified header
[15:38:59] <stpeter> concerned about interoperability
[15:39:17] <stpeter> Paul: concern that could have protocol change or that we should be giving advice?
[15:40:13] <stpeter> Paul: can you list your concerns and send them to the mailing list?
[15:40:17] <stpeter> Lisa: yes
[15:40:47] <TimBray> FWIW, I'm less worried... HTTP seems robust against variability in this space (mostly)
[15:41:16] <⎋> e-tags, in particular, do seem to get hit by things here--see the e-tag discussion in re: caldav
[15:41:23] <⎋> for a recent example
[15:42:36] <TimBray> Granted
[15:44:00] <TimBray> *wonders if the problems arise when you step outside the safe bounds of GET/POST/PUT*
[15:44:43] <TimBray> We've had a couple of low-key ones, people on IRC
[15:44:45] <Lisa> I think it happens when you step outside the bounds of GET + display -- that is, when you start to get into semantic interpretation by richer clients.
[15:45:22] <stpeter> Paul: Atom in other working groups
[15:45:23] <⎋> opposablethumbs.tld would be a good domain name
[15:45:31] <stpeter> heh, yeah, probably taken already
[15:45:36] <TimBray> It's a cool party trick: you can demonstrate the APP using 'curl' and it usually Just Works.
[15:45:46] <stpeter> Paul: no big problems have been found in the past year
[15:45:54] --- cabo has joined
[15:45:55] <stpeter> Paul: being used as an API format
[15:46:10] <⎋> the .com is "1 of 670,000 premium domains!"
[15:46:15] <TimBray> Ning, AOL, etc.
[15:46:28] <TimBray> All running APP implementations in production
[15:46:34] <stpeter> by API is meant a generalized XML data format
[15:46:43] * stpeter presents
[15:47:30] --- jladwig has joined
[16:01:44] * stpeter finishes
[16:02:41] <⎋> I was wondering why all the updates disappeared
[16:02:49] <⎋> talking & typing hard to do...
[16:03:15] <stpeter> question from MIC: Atom-Over-XMPP IDs, what is the relation to Atompub IDs? SHA-1 hash etc., but (Ted) perhaps should maintain or include Atompub-ID to help with duplicate suppression
[16:05:10] <TimBray> Yes, you *better* maintain the entry IDs. If two things have the same ID, they're the same entry.
[16:05:58] --- leiba has left
[16:06:11] <stpeter> yes, we maintain those down in the Atom entry
[16:06:32] <TimBray> the id/updated pair should really be able to drive most dispatching decisions
[16:06:33] <tlr> I'd think it's better to maintain them on both layers -- why invent new IDs on the outer area...
[16:06:41] <tlr> gah, not area, layer, sorry
[16:06:49] --- tlr has left
[16:06:50] --- Lisa has left: Logged out
[16:07:10] --- bernard.desruisseaux has left
[16:07:22] --- cabo has left: Logged out
[16:07:23] <paulehoffman@jabber.org> And the meeting closed.
[16:07:29] <TimBray> bye
[16:07:35] --- sayrer has left
[16:07:43] --- TimBray has left
[16:07:47] --- alexeymelnikov has left
[16:07:48] --- mnot has joined
[16:07:56] <stpeter> howdy!
[16:09:00] --- cyrus_daboo has left
[16:10:25] --- mnot has left
[16:11:59] --- ⎋ has left: Logged out
[16:16:08] --- stpeter has left
[16:18:13] --- paulehoffman@jabber.org has left
[17:06:12] --- tonyhansen has left
[17:15:07] --- LOGGING STARTED