- Jef has joined
- waqas has joined
- Neustradamus has joined
- Neustradamus has left
- Neustradamus has left
- Neustradamus has joined
- waqas has joined
- Neustradamus has left
- Neustradamus has joined
- Jef has left
- Dan Siemon has joined
- Dan Siemon has left
- Jef has joined
- Jef has left
- Jef has joined
- Jef has left
- akuckartz@jabber.org has joined
- akuckartz has joined
- Zash has joined
- winfried has joined
- waqas has joined
- waqas has left
- Florian has joined
-
Florian
BrowserID talks in 4 minutes :)
-
Zash
\o/
-
dwd
Florian, You called the meeting, so you get to chair it. :-)
-
Florian
heh, ok
-
Florian
let me pull up the Wiki page at the same time
-
Florian
let's give it another 5 mins ... Ashley wanted to be here
-
Florian
and Matt
- Ashley has joined
-
dwd
Hey Ashley.
-
Ashley
hey there
-
Florian
hey
-
Ashley
how do we want to proceed?
-
Florian
I was thinking of splitting up the RFP into a few parts
-
Ashley
makes sense
-
Florian
1. Technology
-
Florian
2. Goals
- Link Mauve has joined
-
Ashley
should we have a background section?
-
Florian
3. What the XSF offers
-
Kev
Just a question ... have we ascertained that no-one has interest in doing this without the XSF paying for it?
- Tobias has joined
-
Florian
Kev: we haven't, no.
-
Kev
(I won't, so there's not an ulterior motive)
-
Florian
http://piratepad.net/CMPIY1IvOm
-
Florian
I think the thing is, we basically mention in the RFP that the XSF is willing to pay
-
Florian
at the XSF's discretion
-
Florian
so people who apply can mention that they want X amount for it
-
Kev
K.
-
Florian
and then we can decide if that's worth it, or see if we can find another amount that's mutually beneficial
- waqas has joined
-
Florian
do those 4 sections sound alright?
-
dwd
Kev, I do think we'll need to offer cash in some cases to get things done. In some cases, though, we might not need to - that's good too, of course.
-
waqas
FWIW, I for one was thinking of working on this before payment entered the discussion.
- Jef has joined
-
Florian
waqas: glad to hear :)
-
Kev
dwd: Right - I'm just raising the issue in case someone is already motivated and the introduction of cash loses us motivation.
-
Florian
Kev: I don't think offering cash would lose motivation
-
Florian
but yeah, should we go through the 4 sections?
-
Florian
starting with Background
-
Kev
Oh, I think there are plenty of cases where it would, but that's OK.
-
Kev
Yes.
-
dwd
Florian, SO the four are background, tech, goals, and what the XSF is offering?
-
Florian
yup, I think that makes sense
-
Florian
maybe time-frame?
-
Florian
however, I think that would fit into goals
-
dwd
Probably.
-
dwd
Does anyone have a clear sense of what the time-frame needs to be?
-
dwd
That is, any existing constraints? (Like, if Mozilla have a clear deadline for getting BrowserID implemented and deployed, say).
- akuckartz has left
-
Ashley
i would assume this would line up with mozilla
-
Florian
I don't see a deadline on the page linked on piratepad
-
Ashley
https://wiki.mozilla.org/Identity/Features/Sign_into_the_browser
-
Ashley
this says FF 15
-
Kev
So presumably we need something working far ahead of that.
-
waqas
Two points I'd like to raise: 1. BrowserID is browser neutral. If Mozilla ends up not integrating our work in Firefox, it would be useful to have it work regardless. A signon solution for XMPP would be valuable for the XMPP community in any case. 2. BroswerID allows a lot of freedom to the authenticating party. Captchas, oauth/facebook/twitter login could be tunneled over it without changing XMPP web apps (which happens to be a much requested feature).
-
Florian
right
-
waqas
(this was in response to Winfried Tilanus's email about risk to the XSF)
-
dwd
Right - it occured to me you also probably need an HTTP based API somewhere for the sites to hit.
-
Florian
dwd: BOSH?
-
dwd
Florian, No, I mean something the sites hit, not something the browser hits direct.
-
Florian
but let's stick with the background part for now
-
Ashley
Florian: i was just thinking we could take your board writeup as a background
-
Florian
the blogpost? sure
-
Ashley
yeah
-
Florian
alright
-
Florian
anything else for Background?
-
Florian
else let's move on to Technology :)
- Medics has joined
-
dwd
Florian, So the technology is pretty unconstrained from our poitn of view - we just want XMPP.
-
Florian
right
-
Ashley
this may be a goal, but should be internet scale
-
Florian
I think that we should mention that authentication should happen in the "XMPP way"
-
Kev
Well, we want the identity bit of XMPP, while opening the door to using it for other mechanisms later.
-
Florian
as well as federation would be required for this to work
-
Florian
i.e. you can't log in on facebook.com with your Google ID if Facebook doesn't do S2S to google
-
Florian
does that make sense?
-
Zash
But the current BrowserID is based on signing tokens with a private key you hold (which in turn is signed by your provider)
- koski has joined
-
Florian
maybe let's skip to Goals first
-
Florian
and come back to technology
-
Florian
that way we know what we want to achieve :)
-
Florian
one goal is obviously authentication
-
Ashley
would being able to leverage the XMPP channel for other uses post-authentication be a goal?
-
Zash
The SignIntoBrowser mentions bookmarks and contacts
-
Florian
Ashley: I think so
-
dwd
Ashley, Yes, I think so too.
-
Florian
I think contacts
-
Florian
as well as push
-
Florian
i.e. notifications
-
Ashley
yes, notifications would be great
-
Florian
for bookmarks, that's data storage
-
Florian
can we do that somehow with PEP?
-
Florian
i.e. do we want to offer a data storage option?
-
dwd
Florian, We've *got* a bookmarks spec. :-)
-
Zash
and it mentions how to store it in PEP
-
Florian
oh, right ... yeah :D
-
Florian
ok, so let me rephrase that ...
-
waqas
This does increase the scope of the project beyond BrowserID. Would Mozilla buy into that initially?
-
Florian
do we want a data storage option, or "just" bookmark storage?
-
Kev
Florian: Do we need to constrain it? Why not be open-ended and see what response the RFP gets?
-
Florian
sure
-
Ashley
well, i think we're just talking about examples of post-auth capabilities over this channel
-
Kev
Ashley: Very probably.
-
dwd
waqas, I don't think we want to paint ourselves into a corner that doesn't include post-auth stuff.
-
Kev
To my mind what we want is:
-
waqas
Also: bookmarks storage. Readable by server admins. I'm not sure how well that would be received, as the existing Firefox bookmark sync stuff makes a point of advertising that it's always encrypted, and they can't see your data.
-
Kev
1) Primary goal: Auth/identity 2) Secondary goals: taking advantage of other data stuff. Examples would include ...
-
Ashley
fwiw, i need to head out to schlep kids to soccer
-
Kev
And see what comes back to us.
-
dwd
Kev, Seems reasonable.
-
Florian
Ashley: ok ... thanks for dropping by
-
Florian
Kev: makes sense
-
Ashley
sure, let me know what i can do to help after the fact
-
Kev
waqas: Yes. Although I don't think encrypting it is hard, assuming user-held keys of some description.
- Ashley has left
-
waqas
Yep
-
Florian
ok, does that look alright for the goals?
-
Kev
So it's a good point to include, but not a hard one to address.
-
Kev
Florian: Happy for me to poke at the pp?
- bear is late -sorry
-
Florian
sure
-
Florian
that's what it's there for :)
- MattJ has joined
-
bear
browserID is a quarterly goal for mozilla to be used by all our public facing, needs login web sites
-
bear
so that means by end of summer it will be all over moz products
-
Florian
bear: thanks for the info :)
-
bear
tbird has beta code already for "chat" and that includes xmpp
-
bear
and that beta is going to be releases this quarter also
-
Florian
so I think we should have the RFP deadline for end of May
-
Florian
and then get cracking
-
Kev
Florian: OK, I've poked the pp.
-
Florian
Kev: great :)
-
Kev
Agree/disagree/abort/fail.
-
dwd
Florian, Note that winfried said that if we want to get any funding off NLNet, that's also a June thing.
-
Florian
right
-
Kev
I'll ask this just for the sake of it...are we now scrabbling to join a party we're too late to arrive at?
-
Kev
i.e. is it feasible for us to have anything worthwhile in a timeframe that would influence the outcomes we care about?
-
bear
do we want to be clear if this is a browserid client part or also the service part?
-
Florian
Kev: I don't think it's too late, as we've got most of the technology already
-
Florian
but we need to get some fancy demos ready relatively quickly to gain attention / traction
-
bear
browserid itself just became viable the last couple of months
-
bear
the code was baking internally at moz most of the winter
-
Kev
Well, if Moz want to ship this by end June, and we have an RFP process that ends end May, that gives a month to evaluate RFPs, hire someone, get delivery and influence Moz.
-
dwd
bear, I think we need both parts, don't we?
-
bear
moz *internally* is pushing for this
-
Kev
s/Moz to ship this/ship this to Moz/
-
bear
but publicly it's now part of the privacy/persona push that they haven't (or are starting) to push
-
bear
so we are just a bit ahead of the wave
-
bear
dwd - I agree
-
Florian
yeah, we need both
-
Florian
but I think the service side exists
-
Florian
as we're just using XMPP, people have Google Accounts
-
Kev
Florian: Probably does, but saying we need both in the RFP makes it clear.
-
Florian
ah, right
-
dwd
bear, We also need to ensure that either the browserid site-side verification can "pass through" to a XMPP based system, or else that a site could hit a browserid verifier specific to that domain.
-
MattJ
bear, but are we - as in, do we have time to develop proof-of-concepts, etc.?
-
Kev
If the RFPs come back saying "We just use XMPP server as-is".
-
Kev
+then that's great.
-
dwd
bear, I have to say I prefer the latter. Otherwise the browserid.org service can monitor all the sign-ins...
-
bear
yes - my hope/goal in this is that xmpp can be used as a site-side verifier
-
Florian
ah, dwd, you added Compatibility with BrowserID ...
-
bear
mattj - I personally think we are. knowing how moz internals work, they are rarely on time with delivery goals
-
Florian
do we want that, or do we want to define a "new" BrowserID?
-
Kev
bear: Which is useful, thnks.
-
MattJ
bear, shocking :P
-
bear
I would hate if this ends up being a NIH clone of BrowserID
-
dwd
Florian, We want a verifier that's compatible. I don't preclude *other* verifiers...
- bear likes how dwd said it
-
Florian
:)
-
koski
+1 what dwd said
-
dwd
Florian, That is, we want a verifier that works - potentially - exactly how the existing POST to https://browserid.org/ works, but if there's an "XMPP way", that's also cool. An option here is to encode additional magicks into the Assertion that tell the site about verifier services to use.
-
bear
I will admit that my bias is that xmpp implements browserid - it would help by adding another open source product that supports the tech which will help Mozilla push it
-
Kev
"XMPP implements browserid" - what does that mean?
-
dwd
bear, You want browserid for signing to XMPP as well? A browserid SASL mech?
-
Kev
In language we can put into the RFP :)
-
Florian
:)
-
bear
yes, but i'm trying not to influence the current enthusiasm or derail it
-
Kev
This is a completely opposite problem I think, isn't it?
-
bear
having never even tried to implement one, I don't know
-
Kev
I'm completely outside my comfort zone with webish stuff.
-
bear
but yes, I suspect it is
- bear smacks his own hand for even bringing it up
- dwd would note that a browserid SASL mech is pretty simple.
-
dwd
But yeah, different (opposite) problem.
-
Kev
Although has fun recursive effects.
-
Kev
I assert, signing into kev@... that I'm me using browserid, for which I assert I'm me using kevin@...
- bear laughs
-
Florian
lol
-
Kev
(Completely pointless as we could do this without browserid, but still ...:)
-
Florian
ok, do we have all the information we want in the PP?
-
dwd
Not quite, hang on.
-
dwd
bear, Is there anyone at Mozilla that would be able to publically work with the XSF (and the guys actually doing this coding)?
-
bear
anyone on the browserid team - they are very open
-
waqas
That would be very useful
-
bear
#identity channel on irc.mozilla.org
-
dwd
Can't they use XMPP?!
-
bear
irc is very much part of mozilla's dna
- dwd would like to design a retrovirus to recode that.
-
bear
agree
-
Florian
heh
-
bear
new ways of doing group communication have come and gone, but irc always remains
-
waqas
Good thing no-one suggested IRC for BrowserID. Or did they?
-
dwd
waqas, Authenticate yourself using an unauthenticated network!
-
bear
hell, if we could give them a browserid auth'd xmpp - irc gateway ...
-
Kev
BrowserID by nickserv. Sounds good to me.
-
waqas
dwd, I'm sure it has been tried
-
dwd
OK. FInal question...
-
dwd
How is the XSF going to decide who gets paid?
-
Florian
I think that's something the board should do
-
dwd
I don't think the Board is qualified to do more than ratify decisions made by more technical people, to be honest.
-
Florian
maybe Board + Council?
-
bear
we should get the tech council to rank any contenders and if we have the enjoyable problem of having too many to pick...
-
Kev
I'm trying to think of better ways than relying on Council for this, but am struggling to think of something fair.
-
dwd
The Council could. Or the Board could pick a set of bodies to do the selection.
-
Kev
Some faux-Council chosen by Board is more contentious but probably also more reasonable.
-
bear
each bounty item should have a clear spec - so that it's a simple checklist to see if they met the requirements
-
Florian
dwd: that might be a possibility too ... as that would allow us to maybe get input from Mozilla people as well
-
dwd
Kev, I don't think we can reasonably achieve actual fairness.
-
Florian
i.e. we can have someone from the Mozilla BrowserID team give his input on the projects
-
dwd
Florian, Good point, I'd not thought of that.
-
bear
once we get the rfp in place, I can definitely ask if one of them would like to help be a tech reviewer
-
Florian
so, I'd say the Board should go out and find a group of maybe 5 people, comprising of Council / Board and "industry experts" :)
-
MattJ
and they need to not be people who might submit a proposal themselves (obviously)
-
Florian
I think it's important to have at least 1 board and 1 council member on it though, as the aim is to push forward XMPP
-
Florian
MattJ: correct
-
dwd
MattJ, I'm not sure that's needed. They can't be asking for cash, though they could be offering to do the work gratis.
-
Florian
dwd: fair point
-
Kev
Sure it is.
-
Kev
You can't preclude someone else getting paid.
-
Florian
Kev: huh?
-
Kev
Matt suggested people judging the proposals shouldn't be people themselves submitting proposals. Dave said that was ok if the proposals weren't paid. I said it wasn't.
-
Florian
I think it is
-
Kev
(As choosing your own project precludes someone else getting paid for theirs)
-
Florian
right
-
Florian
hence what Dave said makes sense
-
Florian
they can be on the judging panel if their project idea is not being compensated by the XSF
-
bear
I think Kev is worried that a judge might pick their own gratis work to avoid the XSF from having to pay the bounty
-
bear
or the appearance that is happening
-
Florian
well, the XSF will accept all gratis work
-
Kev
bear: Not that, actually, but a) the appearance is horrid and b) There's more benefit to the winner here than just getting paid.
-
Florian
or at least I think it should
-
dwd
Kev, Right, I suppose it's worth avoiding if possible.
-
Florian
we don't have a limited amount of slots for projects
-
Kev
If a consultant got selected by the XSF to do this, the work went into Mozilla off the back of that, etc., that's a hell of an advert for that consultant. Worth more than the amount we would have paid, I suspect.
-
bear
yes, moz tends to hire folks who are good contributors
-
bear
(as contractors or staff)
-
Florian
hmm, ok
-
Florian
so should we not allow that, or just prefer not to have that
-
Kev
Florian: A bit like if it was left up to the Council Chair to select an official XMPP library - Swiften's available free, so it's fine for me to choose that :)
-
Florian
Kev: right
-
Kev
I think we should avoid it.
-
Florian
ok
-
Kev
I don't think we have so many people on Board/Council who'll be putting their names down for this.
-
bear
yes, when money is involved, we should be 110% clear of those kind of implications
-
Florian
"Jury member can't submit a project."
-
bear
do we want to even begin to say what OS licenses should be used?
-
Florian
hmm
-
Kev
bear: License of the XSF's choice, to be decided later.
-
bear
then we need to be clear that they are giving the XSF all rights to the code
-
Kev
We're going to want something entirely permissive.
-
Florian
right
-
Florian
anyone want to add that to the Legal Mumbo Jumbo section?
-
Kev
I'd suggest two-clause BSD or MIT, although three-clause BSD is probably OK.
- bear is a fan of MPLv2
-
bear
but I can how others may not be ;)
-
Kev
I'd like something more permissive than that if we're looking at stumping up money for this.
- bear nods
-
Florian
I think that the way bear put it is fine
-
Florian
the XSF gets ownership as this can be seen as contract work
-
Florian
i.e. we're paying people
-
Florian
and the free work can be seen as donations
-
Florian
so I think that makes sense and gives us freedom
-
bear
we may need to get peter to run this by whatever lawyer the xsf uses
-
Florian
right
-
Kev
Right.
-
dwd
I have to admit I don't care - in many respects I'd like to avoid assignment if at all possible.
-
Florian
ok, I think we have a good start though
-
dwd
I think requiring a very liberal license is adequate.
-
bear
dwd - true, just avoiding some messy downstream issues if we say "xsf owns all" and then we assign it a BSD license
-
Florian
bear: right
-
Florian
ok, I think we have a good start here
-
bear
hmm, but I will defer to the lawyer because I can see a scenario where doing that opens us up to more grief
-
Florian
I'd say the next step is to write this up properly ...
-
Florian
on the wiki
-
Florian
any volunteers?
-
Kev
I'd prefer liberal license to assignment, FWIW, but hills, etc.
-
Florian
I'm happy to write the background / what xsf can offer and legal part
- bear flips and joins dwd and kev
-
bear
do we need to do more than just cut-n-paste this into a concept/outline page?
-
Florian
I think we should write this up
-
dwd
bear, My problem with assignment is that in the UK, for example, it requires a formal Statutory Instrument, whereas in Canada, you cannot enforce an assignment clause before the fact - it's just legally a bit of a minefield.
-
bear
dwd - understood, I changed my mind about it as I thought about it more than a few seconds
-
bear
florian - i'll start transfering it to the wiki
-
Florian
alright
-
bear
most of it will be brought over the same, just will fill in some words
-
Florian
as I said, I'm more than happy doing the texts for Background, what xsf offers and legal stuff
-
bear
cool
-
Florian
would be great if some people could sit down and write up the 2 other parts
-
dwd
Any volunteers?
-
bear
let me get this first draft on the wiki
-
Florian
http://wiki.xmpp.org/web/BID-RFP
-
Florian
anyone willing to write Technology / Goals?
-
Kev
I'm not offering to do anything for fear that I won't complete it.
-
bear
both of those are part of the etherpad - they just need filling out with more detail
-
dwd
Right, I'll do some work over it.
-
Florian
dwd: awesome, thanks :)
-
Florian
so one last thing ... time?
-
Florian
should we say, all written up by wednesday?
-
Florian
and then another meeting here?
-
dwd
We can do that, I think.
-
Florian
alright ....
-
Florian
AOB?
-
dwd
But maybe arrange the meeting time on a list, to ensure we get everyone who wants to come here.
-
Florian
dwd: sure
-
Florian
alright, I think with 1h30m ... it's time to end :)
-
dwd
Florian, Thanks!
-
Florian
thanks all!
-
Florian
I'll send a mail to the list later
-
Florian
members, jdev, standards, jadmin
-
bear
ok, wiki now has the etherpad contents
-
Florian
great!
-
Florian
thanks bear
-
Florian
thanks all !
-
Florian
Next meeting wednesday ... tbc
-
bear
thanks
-
Kev
Ta.
- Florian has left
- koski has left
- Jef has left
- Jef has joined
- Jef has left
- Jef has joined
- Jef has left
- Jef has joined
- winfried has left
- waqas has joined
- Medics has left
- Tobias has joined
-
Jef
Young man, there's a place you can go
-
Jef
Young man, there's a place you can go
-
Jef
You can stay there and I'm sure you will find Many ways to have a good time
-
Jef
It's fun to stay at the X.S.F
-
Jef
It's fun to stay at the X.S.F
-
Jef
They have everything for young men to enjoy
-
Jef
They have everything for young men to enjoy
-
dwd
Jef, I think you'll find that XMPP is a better acronym for YMCA parodies.
-
dwd
Or IETF, or indeed any four letter acronym.
-
Jef
lol
-
MiGri
;)
-
Kev
Eeee Tee Ell Aaay
-
bear
in some ways I am glad I had no idea what he was referencing
- Tobias has joined
- waqas has joined
- Zash has left
- Jef has joined
- waqas has joined
- Neustradamus has joined
- Neustradamus has left
- Neustradamus has left
- Neustradamus has joined
- waqas has joined
- Neustradamus has left
- Neustradamus has joined
- Jef has left
- Dan Siemon has joined
- Dan Siemon has left
- Jef has joined
- Jef has left
- Jef has joined
- Jef has left
- akuckartz@jabber.org has joined
- akuckartz has joined
- Zash has joined
- winfried has joined
- waqas has joined
- waqas has left
- Florian has joined
- Ashley has joined
- Link Mauve has joined
- Tobias has joined
- waqas has joined
- Jef has joined
- akuckartz has left
- Medics has joined
- koski has joined
- Ashley has left
- MattJ has joined
- Florian has left
- koski has left
- Jef has left
- Jef has joined
- Jef has left
- Jef has joined
- Jef has left
- Jef has joined
- winfried has left
- waqas has joined
- Medics has left
- Tobias has joined
- Tobias has joined
- waqas has joined
- Zash has left