December 30, 2012

Reinventing the W3C TAG

This is the fourth in a series of blog posts about my personal priorities for Web standards and the W3C TAG, as part of the ongoing TAG election.

The Mission of the W3C TAG has three aspects:

  1. to document and build consensus around principles of Web architecture and to interpret and clarify these principles when necessary;
  2. to resolve issues involving general Web architecture brought to the TAG; and
  3. to help coordinate cross-technology architecture developments inside and outside W3C.

Success has been elusive:

  1. After the publication of Architecture of the World Wide Web in 2004, attempts to update it, extend it, or even clarify it have foundered.
  2. Issues involving general Web architecture are rarely brought to the TAG, either by Working Group chairs, W3C staff, or the W3C Director, and those issues that have been raised have rarely been dealt with promptly or decisively.
  3. The TAG's efforts in coordinating cross-technology architectural developments within W3C (XHTML/HTML and RDFa/Microdata) have had mixed results. Coordinating cross-technology architecture developments outside W3C would require far more architectural liaison, primarily with IETF's Internet Architecture Board but also with ECMAScript TC39.

Building consensus around principles of Web architecture

I have long argued that the TAG practice of issuing Findings is not within the TAG charter, and does not build consensus. In the W3C, the issuing of a Recommendation is the stamp of consensus. There may be a few cases where the TAG is so far in advance of the community that achieving sufficient consensus for Recommendation is impossible, but those cases should be extremely rare.

  • Recommendation: Review TAG Findings and triage; either (a) update and bring the Finding to Recommendation, (b) obsolete and withdraw, or (c) hand off to a working group or task force.

To build consensus, the TAG's technical focus should match more closely the interest of the Web community.

  • Recommendation: Encourage and elect new TAG members with proven leadership skills as well as interest and experience in the architectural topics of most interest to W3C members.
  • Recommendation: The TAG should focus its efforts on the "Web of Applications" at the expense of shedding work on the semantic web and pushing ISSUE-57 and related topics to a working group or task force.

Updating AWWW to cover Web applications, Web security and other architectural components of the modern Web is a massive task, and those most qualified to document the architecture are also likely to be inhibited by the overhead and legacy of the TAG.

  • Recommendation: Charter a task force or working group to update AWWW.

Resolving issues involving general Web architecture brought to the TAG

To resolve an issue requires addressing it quickly, decisively, and in a way that is accepted by the parties involved. The infamous ISSUE-57 has been unresolved for over five years. The community has, for the most part, moved on.

  • Recommendation: encourage Working Group chairs and staff to bring current architectural issues to the TAG.
  • Recommendation: drop issues which have not been resolved within a year of being raised.

Coordinate cross-technology architectural developments inside and outside W3C

Within W3C, one contentious set of issues involves differing perspectives on the role of standards.

  • Recommendation: The TAG should define the W3C's perspective on the Irreconcilable Differences I've identified as disagreements on the role of standards.

For coordination with standards outside of W3C:

  • Recommendation: The TAG should meet at least annually with the IETF IAB, review their documents, and ask the IAB to review relevant TAG documents. The TAG should periodically review the status of liaison with other standards groups, most notably ECMA TC39.

On the current TAG election

An influx of new enthusiastic voices to the TAG may well help bring the TAG to more productivity than it's had in the past years, so I am reluctant to discourage those who have newly volunteered to participate, even though their prior interaction with the TAG has been minimal or (in most cases) non-existent. I agree the TAG needs reform, but the platforms offered have not specifically addressed the roadblocks to the TAG accomplishing its Mission.

In these blog posts, I've offered some insights into my personal perspectives and priorities, and recommended concrete steps the TAG could take.

If you're participating in W3C:

  • Review carefully the current output and priorities of the TAG and give feedback.
  • When voting, consider the record of leadership and thinking, as well as expertise and platform.
  • Hold elected TAG members accountable for campaign promises made, and their commitment to participate fully in the TAG.

Being on the TAG is an honor and a responsibility I take seriously. Good luck to all.

December 29, 2012

W3C and IETF coordination

This is the third of a series of posts about my personal priorities for Web standards, and the relationship to the W3C TAG.

Internet Applications = Web Applications

For better or worse, the Web is becoming the universal Internet application platform. Traditionally, the Web was considered just one of many Internet applications. But the rise of Web applications and the enhancements of the Web platform to accommodate them (HyBi, RTCWeb, SysApps) have further blurred the line between Web and non-Web.

Correspondingly, the line between IETF and W3C, always somewhat fuzzy, has further blurred, and made difficult the assignment of responsibility for developing standards, interoperability testing, performance measurement and other aspects.

Unfortunately, while there is some cooperation in a few areas, coordination over application standards between IETF and W3C is poor, even for the standards that are central to the existing web: HTTP, URL/URI/IRI, MIME, encodings.

W3C TAG and IETF coordination

One of the primary aspects of the TAG mission is to coordinate with other standards organizations at an architectural level. In practice, the few efforts the TAG has made have been only narrowly successful.

An overall framework for how the Web is becoming a universal Internet application platform is missing from AWWW. The outline of architectural topics the TAG did generate was a bit of a mish-mash, and then was not followed up.

The current TAG document, Best Practices for Fragment Identifiers and Media Type Definitions, is narrow; the first public working draft was too late to affect the primary IETF document that should have referenced it, and is likely to not be read by those to whom it is directed.

There cannot be a separate "architecture of the Internet" and "architecture of the Web". The TAG should be coordinating more closely with the IETF Internet Architecture Board and applications area directorate.

Web Standards and Security

This is the second in a series of posts about my personal priorities for the W3C Technical Architecture Group.

Computer security is a complex topic, and it is easy to get lost in the detailed accounts of threats and counter-measures. It is hard to get to the general architectural principles. But fundamentally, computer security can be thought of as an arms race: new threats are continually being invented, and counter-measures come along eventually to counter the threats. In the battle between threats and defense of Internet and Web systems, my fear is that the "bad guys" (those who threaten the value of the shared Internet and Web) are winning. My reasoning is simple: as the Internet and the Web become more central to society, the value of attacks on Internet infrastructure and users increases, attracting organized crime and threats of cyber-warfare.

Further, most reasoning about computer security is "anti-architectural": the exploits of security threats cut across the traditional means of architecting scalable systems—modularity, layering, information hiding. In the Web, many security threats depend on unanticipated information flows through the layer boundaries. (Consider the recently discovered "CRIME" exploit.) Traditional computer security analysis consists of analyzing the attack surface of a system to discover the security threats and provide for mitigation of those threats.

New Features Mean New Threats

Much of the standards community is focused on inventing and standardizing new features. Because security threats are often based on unanticipated consequences of minor details of the use of new features, security analysis cannot easily be completed early in the development process. As new features are added to the Web platform, more ways to attack the web are created. Although the focus of the computer security community is not on standards, we cannot continue to add new features to the Web platform without sufficient regard to security, or to treat security as an implementation issue.

Governance and Security

In many ways, every area of governance is also an area where violation of the governance objectives has increasing value to an attacker. Even without the addition of new features, deployment of existing features in new social and economic applications grows the attack surface. While traditional security analysis was primarily focused on access control, the growth of social networking and novel features increases the ways in which the Web can be misused.

The W3C TAG and Security

The original architecture of the Web did not account for security, and the W3C TAG has so far had insufficient expertise and energy to focus on security. While individual security issues may be best addressed in working groups or outside the W3C, the architecture of the Web also needs a security architecture, which gives a better model for trust, authentication, certificates, confidentiality, and other security properties.

Governance and Web Standards

I promised I would write more about my personal priorities for W3C and the W3C TAG in a series of posts. This is the first. Please note that, as usual, these are my personal opinions. Comments, discussion, disagreements welcome.

A large and growing percentage of the world depends on the Internet as a critical shared resource for commerce, communication, and community. The primary value of the Internet is that it is common: there is one Internet, one Web, and everyone on the planet can communicate with everyone else. But whenever there is a shared resource, opportunities for conflict arise—different individuals, groups, companies, nations, want different things and act in ways that threaten this primary value. There are endless tussles in cyberspace, including conflicts over economics, social policy, technology, and intellectual property. While some of the conflicts are related to "whose technology wins," many are related to social policy, e.g., whether Internet use can be anonymous, private, promote or allow or censor prohibited speech, protect or allow use of copyrighted material.

Shared resources in conflict, unregulated, are ultimately unsustainable. The choices for sustainability are between voluntary community action and enforced government action; if community action fails, governments may step in; but government action is often slow to move and adapt to changes.

As the recent kerfuffle over ITU vs. "multi-stakeholder" governance of the Internet shows, increased Internet regulation is looming. If the Internet community does not govern itself or provide modes of governance, varying national regulations will be imposed, which will threaten the economic and social value of a common Internet. Resolving conflict between the stakeholders will require direct attention and dedicated resources.

Governance and W3C

Standards and community organizations are a logical venue for addressing most Internet governance conflicts. This is primarily because "code is law": the technical functioning of the Internet determines how governance can work, and separating governance from technology is usually impossible. Further, the community that gathers at IETF and W3C (whether members or not) is the most affected.

I think W3C needs increased effort and collaboration with ISOC and others to bring "governance" and "Web architecture for governance" to the forefront.

Governance and the W3C TAG

The recent TAG first public working draft, "Publishing and Linking on the Web," is an initial foray of the W3C TAG in this space. While some may argue that this work exceeds the charter of the TAG, I think it's valuable work that currently has no other venue, and should continue in the TAG.

December 13, 2012

I Invented the W3C TAG :)

As a few of you know, W3C TAG elections are upon us. While this is usually a pretty boring event, this year it's been livened by electioneering. I don't have a long platform document prepared ("stand on my record"), but I'll write some things about where I think web standards need to go.... But first a bit of history:

I invented the W3C TAG. At least more than Al Gore invented the Internet. I was Xerox's AC representative when I started on the W3C Advisory Board, and it was in 2000 that I and Steve Zilles edited the initial TAG charter. I think a lot of the details (size, scope, term limits, election method) were fairly arbitrarily arrived at, based on the judgment of a group speculating about the long-term needs of the community. I prioritize a focus on architecture, not design; stability as well as progress; responsibility to the community; a role in dispute resolution. The TAG has no power: it's a leadership responsibility; there is no authority.

And the main concern then, as now, is finding qualified volunteers who can actually put in the work needed to get "leadership" done.

In a few future blog posts I'll outline what I think some of the problems for the Web, W3C, and the TAG might be. I'll write more on:

1. Governance. Architectural impact of legislative, regulatory requirements.
2. Security. In the arms race, the bad guys are winning.
3. Coordination with other standards activities (mainly IETF Applications area), fuzziness of the boundary of the "web".

Questions? Please ask (here, Twitter, www-tag@w3.org)

Update 12/16/2012 ... I didn't invent the TAG alone 

Doing a little more research:

It's easy to find earlier writings and talks about Web Architecture. At the May 2000 W3C advisory committee meeting, I was part of the discussion of whether Architecture needed a special kind of group or could be completed by an ordinary working group. I think the main concern was long-term maintenance.

By the 6/9/2000 Advisory Board meeting, the notion of an "Architecture Board" was part of the discussion. An initial charter was sent out by Jean-Francois Abramatic to the Advisory Board 8/11/2000 6:02 AM PST.

Steve Zilles sent a second proposed charter (forwarded to the AB 8/14/2000 08:35PST) with cover note:

The attached draft charter is modelled on the structure of the Hypertext CG charter. This was done for completeness. Much of the content is based on notes that I took during the discussion with Larry Masinter referred to above, but the words are all mine. The Background section is my creation. The mission is based on our joint notes. The Scope is mostly my creation, but, I believe consistent with our discussion. The Participants section has most of what we discussed. I tried to capture the intent of what Jean-Francois wrote, but I did not borrow any of the words because I was using a different outline. My apologies if I failed in that respect.

While I contributed to the definition of the TAG and many of the ideas in the TAG charter, others get "invention" credit as well.

An Architecture Working Group... 

Reading the discussions about the TAG made me wonder if it's time to reconsider an "architecture working group" whose sole responsibility is to develop AWWW2. There's a lot of enthusiasm for an AWWW2; can we capture the energy without politicizing it? Given the poor history of the TAG in maintaining AWWW, perhaps it should be moved out to a more focused group (with TAG participation encouraged).