Administrivia:
    What captive portal is: really cute monkey?
    Why are they used?
        eyeballs for access control
        other reason?
    How?
    volunteers to write this up from WG charter/goals
    Plan
        define what is cp
        why would one use one
        design some proto widgets and publish RFCs
    What is meant by "onboarding is out of scope"?
        trying to not do Eduroam, etc.

Mark Nottingham:
    Preamble: if we do this too well, folks will use it rather than less rigorous means of onboarding users to the network
    draft-nottingham-capport-problem
    2.1 notification use case has seen less discussion, needs more?
    3 issues with CPs
    Non-Browser Clients: some folks may not want IoT/non-human devices to get out, so CP breaking this is a "feature"

Jason Livingood: if usability is issue with CP, we can help; if someone truly hates CP, probably no help/consensus

Stuart Cheshire: is this an effort just to sell CP implementations, where might we solicit opinions (hospitality industry conventions, NANOG, etc?)

Mike Bishop: browser can't be intercepting over broadband transmission, need captive browser. some CPs require own app or own page but captive browser bypasses this, so what are goals of CP vendors and are they at odds with WG goals

Dan Wing: different CPs work very differently and there are lots of them. user incentives need to be addressed

Mark Nottingham: easier to get this in small number of OSs and hoping CPs will work to that spec rather than trying to change all CPs one by one

Dan Wing: agrees, much like "behave" WG. we need to try to specify, throw on wall, see what sticks with vendors

jabber: target 90% of cps trying to do right thing, don't worry about bad actors

Jason Livingood: how does operator/comcast use CP (slides-95-capport-00.pdf)
    rfc6108: web notification for non service interrupting events
    web push may be a solution, ala cellular amber alerts, etc.
    hard to do when service provider doesn't own edge gear
    range of possible devices to be tested for activation argues for standardization to cut down testing needed

ekr: seems to be a way for provider to get in my face in ways customers haven't asked for. how do you opt out?

Jason Livingood: we should do opt-in/opt-out as an option for CPs, need multiple ways to contact customer in case they don't supply phone, don't answer email, etc.

Dave Dolson: seem to require IP based solutions?

jabber: WFA hotspot seems to solve this, how much is this just lack of deployment

Jason Livingood: wifi vs non-wifi require different solutions

Alex Roscoe: will be doing some of this but CPs do offer more branding choices so will still use some at comcast.

possible security consideration: we should enumerate some of the flaws in existing implementations

Volunteer for 1st draft at protocol goals per WG charter

ekr asks:
    are CP cooperating with this effort? (they seem willing maybe)
    do they need to be modified? (most likely yes)
    are CPs actively hostile to this effort? (seems to not be the case)

jabber: if there was a clear, non-https signalling method, CPs would be happy because this would be easier for them

joke: can we just repurpose 80 as captive portal detection since we're done with it?

Alex: CPs have improved and are harder to defeat

sandboxing: repeat users may not be id'ed because mac addr changes and user gets put into sandbox with no previous state.

Dave D: can browser help keep state to make better CP experience when CP doesn't always keep state well

Dan Wing: MAC randomization causing CP ID fail unlikely because real mac used when connecting to SSID

Tom Pauly: is this definition of what client does, CP server does, both? i.e.
    protocol definition with detection or CP server definition

Martin Thompson: both needed; detection and protocol/server should be two different docs

Mike B: better signalling to device that it's in CP/sandbox and needs to do something may give better user experience. if CP is trying to hide that you're in a CP, arms race results

rfc 7710 referenced

should have both nonbrowser and browser spec in client but difficult to accomplish

news flash: there may be bad CP implementations. film at 11

ekr: you can't over-ride user preference and display things user doesn't want to see, plugins/code will be written so that something makes web page go away without being seen by user

Jason: how we decide which CPs are bad and which are not and still do open standard

ekr: browsers will be set to overcome/ignore CP to not annoy user and user won't see page/content from CP

??: must have balance between users who don't mind CPs, ads, etc. and those who want none of this

Warren Kumari: as we secure the internet and use encryption, CPs will find it harder and harder to intercept, perhaps this will encourage them to follow WG developed standards

jabber: deployment timeframes, is this endless task

jabber: solving https should be priority for group

??: if we want/need info from network but get more than we want from some "bad" actors, how do we deal with that? with DHCP, extra info can just be dumped

Jason Livingood: let's do this iteratively, started with simplest case