IETF 83 -- Paris, France
Applications Area Working Group (APPSAWG) and Applications Area General Meeting
Minutes
March 26, 2012 0900-1130
Room 252B

Joe Hildebrand taking notes via Etherpad.

Administrivia: Note Well, blue sheets, opening remarks.

APPSAWG

1) Welcome of incoming AD (Barry Leiba), thanks to outgoing AD (Peter Saint-Andre)

2) Thanks to departing co-chair Jiankang Yao, welcome to incoming co-chair Murray Kucherawy.

3) Current document status:

draft-ietf-appsawg-xdash
- Peter Saint-Andre: Need to talk to some of the IESG members with feedback, scrub the text
- Pete Resnick: Needs explanation; people are making assumptions based on their own experience and jump to conclusions, so tighten up text accordingly
- Peter Saint-Andre: Not in a hurry. This mechanism dates back to 1975.

draft-ietf-appsawg-mime-default-charset
- Alexey Melnikov/Julian Reschke will update and prepare for IESG submission

draft-ietf-appsawg-json-{patch,pointer}
- still under active development

draft-ietf-appsawg-malformed-mail
- has been neglected due to other priorities; expect activity soon

4) Coming soon:

Webfinger (PSA presenting)
- like finger, but with the web
- uses web linking
- currently informal
- acct: URI scheme, "acct" link relation
- Thomas Roessler: CORS is in last call
- (?): Good idea. Work going on in other orgs that reference this.
- Hannes Tschofenig: People like the whole idea, but is bizarre to mandate CORS
- Paul Hoffman: needs to have consensus calls, so should be in APPSAWG
- Leif Johannsen: people don't have their own email servers anymore
- Andrew Sullivan: when I was a kid, they told us to turn off finger, so I'm concerned about security
- Dave Crocker: email is the same as it's always been. Email is good as identifier, even if there's no mailbox. Nice service to have, but needs lots of input to get correct. Might need more work than APPSAWG. Might need its own WG.
- Mike Jones: (speaking as openid/oauth contributor) we don't use this; it doesn't have the right properties
- John Bradley: (speaking as author of XRD) JRD is doc'd in blog post, concerned about security/privacy, needs more work before could be used in OpenID/Connect.

Happiana (Mark Nottingham presents)
- How to set up registries for non-geeks
- Boilerplate to get started quickly, make it friendlier
- Barry Leiba has work going on revising registration procedures
- Anyone want to take over the doc?
- Murray Kucherawy: Why is this an apps thing?
- Mark Nottingham: lowest barrier to entry, affects apps folks more than most, discussed having WG, challenge is momentum
- payoff is to folks outside the IETF
- Discussion list at happiana@ietf.org
- w3c wiki page (http://www.w3.org/wiki/FriendlyRegistries)
- Barry Leiba: belongs either in APPSAWG or own WG. Does anyone think it needs a WG?
- (silence)
- Alexey Melnikov: nobody will show up
- Murray Kucherawy: needs cross-area review. how do we do that from APPSAWG? Can we encourage other areas to review? Show of hands? (5-6 people raise hands)
- Mark Nottingham: <10 people who think it's important, not critical mass
- Andrew Sullivan: Is APPSAWG for things that don't merit a WG? Will we get the right focus here?
- Mark Nottingham: this is doing the laundry. creating a new WG is resources we don't have.
- Andrew Sullivan: this is not the "doing the laundry" WG.
- Barry Leiba: Agree. Not the intent.
- Pete Resnick: Agree with Andrew on principle. However there are docs that would have been done as AD-sponsored. But we want wide-spread consensus, so having chairs with focus is important.
- Peter Koch: following mailer, not buying the problem statement, much less the solution. More outreach to explain might be enough.
- Barry Leiba: not enough time to get into that here
- Peter Koch: this applies to more than apps. This belongs in genarea.
- Barry Leiba: expect that we'll talk with other areas; let's talk to Russ.
- Larry Masinter: (W3C TAG hat) overlap with W3C, having a WG might help other orgs interact. Liaison with APPSAWG is harder, due to size of mailing list.
- John Klensin (via Jabber): If Happiana is moved to appsawg, with its current S/N ratio, and only a few people _really_ interested, it will make the S/N ratio in appsawg worse, not improve the quality or quantity of discussion and review. Genarea could be worse -- not cross-area, but isolated (note: there's a separate mailing list)

Certified Electronic Mail
- Interoperability is a challenge among these country-specific certified email systems (some use HTTP/SOAP, other SMTP)
- One example of such a system was documented informationally in RFC 6109
- John Levine: draft is long/complicated: it's a niche for high-value mail. Maybe this should be a parallel mail system. Worth a look, since for some communities, they're going to do this anyway so we can have this as a plugin into existing MUAs. We might not have the expertise due to legal issues.
- Ted Hardie: (village idiot hat) - would you want to develop a standardized method for account registration? If not, how can you determine if the registration requirements are of sufficient quality?
- Paul Hoffman: worry about same things as Ted. Half of these people think that mail isn't the right starting point, and won't participate anyway. This might be a waste of time. Another approach may be lots of documentation. In 20-25 years when people realize that we need to cross CA/Country/registration boundaries, they'll have what they need.
- Speaker: if we invent something else, even more interop problems
- Paul Hoffman: Having that table allows people to choose. Doc in I-D, not PPT, please.
- Dave Crocker: the strategic questions are more interesting than these tactical ones. Will this attract the consumers of this work? Have to worry about usability as well as technical. Have to have the sense that the market will care if we do this work. There are patents here.
  Because we use email so informally, we forget that other people need formal mechanisms like this. Is this worth pursuing? Is there a technical path? Next step: recruit interest from adopters.
- Ned Freed (via Jabber): Nonrepudiation of delivery is a *much* more difficult problem than most of these systems allow for.
- Pete Resnick (via Jabber): So, it is not so much that Internet email doesn't have the facilities, but they are not all put together appropriately in a single package.
- Ned Freed (via Jabber): Well, it depends on what set of capabilities you're after. We've got lots of stuff for nonrepudiation of origin - so many that the problem is figuring out the one to use.
- Pete Resnick (via Jabber): Non-repudiation of receipt could be done with the same mechanisms over MDN.
- Ned Freed (via Jabber): Er, no. The problem is you have to have a trusted agent to generate the MDN.
- John Klensin (via Jabber): Agree with Ned (and please incorporate his comment). The other issue is that a lot of the non-repudiation problem is a national law and recognition problem. Not clear that IETF is the right place to solve this. I'd much rather see a solid job comparing approaches than yet another one.
- Pete Resnick (via Jabber): Ah, right.
- Ned Freed (via Jabber): Emphatic agreement with John.
- Randall Gellens (via Jabber): You probably also need to be able to say that if you don't get a delivery receipt, then the message wasn't delivered
- Ned Freed (via Jabber): FWIW, there are two ways to do nonrepudiation of delivery. The simple one involves a trusted third party. You send the mail to them, they encrypt, then send to the recipient. The recipient only gets the key after they produce a signed hash, proving they got the message. There's also a way to do it without a trusted third party, but it's nasty and complex and I don't want to type it all.
- John Klensin (via Jabber): I hate to say this, but this might be a better topic for ITU-T, just because of the interaction with/between national laws, etc.

Spam reporting
- Draft put forward by an OMA WG as an Individual I-D; Liaison Statement from OMA asking for assistance developing it
- John Levine: Needs input from OMA, WebMail providers say if we spec it, they'll implement
- Peter Saint-Andre: OMA asked us to do this, why can't they write the drafts and participate instead of trying to task us.
- Alexey Melnikov: Zoltan asked us nicely
- Barry Leiba: Zoltan was active in LEMONADE, so probably not characterized appropriately
- Ned Freed (via Jabber): I hate it on an aesthetic level, but there is no doubt that there's an audience for it.
- Randall Gellens: spent time at OMA. Simple extensions to allow MUA to give feedback directly while the message is still in context on server. Wrote drafts long time ago.
- Murray Kucherawy: would you be willing to help?
- Randall Gellens: yes, but not much time. There can be a simple mechanism.

END APPSAWG, BEGIN APPAREA

BoF Previews:

1) SCIM
- Morteza Ansari: Thursday morning. LDAP good for enterprises. Identity in the cloud. Enterprises need to provision identities into the cloud. Some work done at Open Web Foundation. Want a "real" standard. Parties are open to moving change control, IPR here.
- Jim Gullivan: Want to support. Draft in ?area. Changing identity in the cloud is complementary to his draft.
- Alessandro Vesely: What is the difference between SCIM & OpenID & WebFinger
- Morteza Ansari: This is about managing a collection of identities, synchronizing on-prem directory with service provider
- Hannes Tschofenig: WebFinger is a discovery mechanism. SCIM/OAuth difference, OAuth is about secure transfer

2) WEIRDS
- Andrew Sullivan: another BoF, no agreement on charter. There may be work that gets done. Not judging whether work will be chartered

3) ANTITRUST
- John Levine: Does the IETF need an anti-trust policy?

4) RFCFORM
- Heather Flanagan: Lightning BoF format. 4 people. 7 mins each (giggles). Lots of discussion on list. Not to make a decision, but to inform the new RFC editor, so we can actually make some progress.

5) RPSREQS
- Paul Hoffman: how can we make the remote participation actually work? Let's keep track of what happens this week in that space.
- Sebastian ?: is this related to work of IETF, or could it be used by other orgs?
- Paul Hoffman: IETF only

6) I2AEX Infrastructure to Application Exposure
- Came out of ALTO work

7) NVO3

New WGs of interest

SPFbis

Email miscellany WG?
- Pete Resnick: maybe we should do a SPAM-related Email Extensions WG, but maybe expand to all email-related stuff. Spinning up a WG is too much overhead for some of these topics, but we're trying to make that easier, and APPSAWG should not be a dumping ground.
- Dave Crocker: ok to spin up mail WG as a dumping ground?
- Pete Resnick: SPAM is relatively closed set. Mail dumping ground wouldn't make me happy either.
- Dave Crocker: with that clarification, I'm onboard, but that list isn't all spam. Agree that the bar is too high for a new WG. Let's make sure there's a good line around the list.
- Barry Leiba: this is the list of mail-related stuff, not the stuff that we necessarily want to work on
- Patrick Linskey: Spam can't be solved without an overarching look at mail
- Pete Resnick: solving spam isn't the intent. working on these particular spam-related mail mechanisms together might be interesting, the problem to solve is work on them together.
- John Klensin (from Jabber): Pete, the way to make spinning up a WG easy starts with making killing them easy, IMO. If one could say "demonstrate progress in X months or die" and get rid of "we got a WG and therefore are entitled to have our work published/standardized (no matter how weak)" and be serious about it, a lot of the dynamic would change.
- Pete Resnick: we'll try to be meaner
- Dave Crocker: spam can't be solved (like can't solve crime). some of the problems in mail may make the problem worse, but every try hasn't worked.
- Murray Kucherawy: worried we might need to do this for web as well, perhaps this is a short-term issue
- Pete Resnick: if we can come up with sane topic areas, would rather do that than use APPSAWG, when possible. Will take to list to get more input
- Summary: having email miscellany in appsawg is just as viable (and problematic) as having separate email miscellany wg. Pete will consider this advice.

Other sessions of interest

SAAG: everyone should attend
- Peter Saint-Andre: have we reported on WebSec (etc) to SAAG?
- Barry Leiba: we should get the SEC ADs to add to the list
- Half the room intends to attend
- Barry Leiba: for IESG, how do we do a better job of cross-area (JOSE, OAuth, PLASMA, etc.). We'll use this forum to keep you updated.

RTCWEB
- Ted Hardie: joint work with W3C. Folks mostly working on signalling. Conflict with ? and SCIM. First session is more important wrt identity

Others
- Pete Resnick: Apps folks should peek into HOMENET. The things they are doing will affect us. PCP for example. PCP allows opening firewall pinholes using simple UDP. It would have helped if there was apps input, since apps are the ones that are going to use it. We tend not to show up, and need to.
- Randall Gellens: can you give examples of the sorts of problems HOMENET might have?
- Pete Resnick: finding DNS, two routes, how to deal? intarea tends to punt on what apps do
- Raj Patel: Another area is Multiple Interfaces (MIF). How do we expose that to apps and allow them to make decisions
- Paul Hoffman: DANE: app-specific DNSSEC stuff. Please look at IETF last call
- Dave Crocker: for things that need apps clue, should be required by ADs on source areas directly.
  Should be louder than "if you care, show up"
- Peter Saint-Andre: when we were co-ADs, we talked about buddy system, there are challenges involved in that, but we need to keep getting better
- Murray: other ADs may be willing to help

Other Items

5226bis (IANA considerations doc)
- Barry Leiba: goes with happiana, may tweak registration policies, encourages using most relaxed policy that makes sense

5333bis (IANA reg of enum for calendaring)
- Bernie Hoeneisen: I inherited from someone who left to join Doctors Without Borders, can anyone pick this up from me? can anyone help?
- (lots of finger pointing at Alexey) Alexey will begrudgingly help
- Paul Hoffman: we can help DWB by finishing this draft

Virtualized Applications problem statement (Kepeng Li)
- Pete Resnick: what can we do to help w/ protocols
- Pete Resnick: (follow-up) is there anything like X, what's the distinction?
- Speaker: similar, but need standardization for interoperability (that can't be what he said)
- Roberto Peon: there's limited bandwidth. Does this solution cause more harm than good?
- Thomas Roessler: browsers exist on almost all devices. What isn't addressed by those technologies?
- Speaker: for non-web apps
- Barry Leiba: if we should decide to work on this, we have to make sure we're not making the problem worse, what goes on the wire?

Email spam from IPv6
- Scale issues
- Barry Leiba: what is ASRG doing about this?
- John Levine: nothing. How do we get access to data?
- Dave Crocker: we may have to go this way. There are already some whitelists from IPv4. What work is required by IETF? Terry will have more by Vancouver. This is important, so would be nice to get direction. There has been no anti-spam focus at the IETF as background.
- Andrew Sullivan: "short term" makes me nervous

Mailing list for financial protocols
- Barry Leiba: no real support. Does anyone think we should NOT give them a mailer?
- Dave Crocker: Walter is the only poster
- Barry Leiba: Jorge Timón has also posted
- Dave Crocker: it wasn't productive conversation. like the topic, but "no"
- Paul Hoffman: compare with PEC? The kind of thing that we can contribute early isn't useful, we might be able to help guide, but giving them a mailer gives too much IETF imprimatur, they should write a draft first
- Peter Saint-Andre: he submitted 2 drafts, but no discussion.
- Barry Leiba: his goal was to collect the people on his end, and bring them closer to the IETF. The bar is low for creating a mailing list.
- Murray Kucherawy: why do they want an IETF mailer
- Barry Leiba: he thinks trying to do this in the banking industry won't work, since they've got status quo
- Andrew Sullivan: this is only a mailing list. if people want to discuss at the IETF, we should encourage that. Don't have faith it will work in this case, but we should be welcoming
- Dave Crocker: a policy that says we give a list to anyone is reasonable, but another policy might be to say there must be clarity and community of interest
- Barry: people can get a list anywhere
- John Klensin (via Jabber): I don't know what is going on here, but IETF mailing lists have been used in the past to end-run other processes and then claim IETF endorsement for whatever is said on that list. So I guess I'm another "no" without more clarification.
- Barry: Good point. (I think this means he's going to say "no")

HTTP/2.0 (Peter Saint-Andre)
- Quasi-BoF
- New work for HTTPbis, Thursday afternoon 1510
- Paul Hoffman: we aren't talking about drafts, please read the charter

AOB
- Paul Hoffman: DNS API folks met last night. 7-8 different APIs exist. No deployed API that matches current requirements. No real progress yet. Not IETF-y yet, both API, and requirements seem to change. e.g. DANE changed what is needed.
- Matt Miller: C interfaces flounder because the people who do these things are DNS people, not apps people.
- Andrew Sullivan: what Matt said is true