12:11:57 RRSAgent has joined #xmlsec
12:11:57 logging to http://www.w3.org/2007/09/18-xmlsec-irc
12:11:59 RRSAgent, make logs public
12:12:00 Zakim has joined #xmlsec
12:12:02 Zakim, this will be XMLSEC
12:12:02 ok, trackbot-ng; I see T&S_XMLSEC()9:00AM scheduled to start in 48 minutes
12:12:04 Meeting: XML Security Specifications Maintenance Working Group Teleconference
12:12:06 Date: 18 September 2007
12:45:28 tlr has joined #xmlsec
12:46:29 fjh has joined #xmlsec
12:51:44 klanz2 has joined #xmlsec
12:51:57 zakim, code?
12:51:57 the conference code is 965732 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), klanz2
12:52:10 jcc has joined #xmlsec
12:53:00 Zakim, this will be XMLSEC
12:53:00 ok, jcc; I see T&S_XMLSEC()9:00AM scheduled to start in 7 minutes
12:53:30 Meeting: XML Security Maintenance Working Group Conference Call
12:54:05 Chair: Frederick Hirsch
12:54:12 Scribe: Juan Carlos Cruellas
12:54:16 Chair: Thomas Roessler
12:54:21 sorry Thomas...
12:54:32 could you post the URL for the agenda?
12:55:03 Agenda: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Sep/0013.html
12:56:27 zakim, code?
12:56:27 the conference code is 965732 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), PHB2
12:57:23 Agenda: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Sep/0013.html
12:58:16 Should I force RRSAgent, make log public, Thomas?
12:58:28 yeah, you can do that
12:58:33 Thanks
12:58:35 thanks for setting up all the bots
12:58:42 RRSAgent, make log public
12:58:59 sean has joined #xmlsec
13:00:05 T&S_XMLSEC()9:00AM has now started
13:00:12 +sean
13:00:28 +PHB
13:00:55 +??P2
13:00:57 zakim, call thomas-skype
13:00:57 ok, tlr; the call is being made
13:00:59 +Thomas
13:01:17 zakim, who is on the phone?
13:01:17 On the phone I see +1.617.876.aaaa, PHB, ??P2, Thomas
13:01:21 +??P5
13:01:24 zakim, ??P2 is jcc
13:01:24 +jcc; got it
13:01:28 +Hal_Lockhart
13:01:30 zakim, ??P5 is klanz2
13:01:30 +klanz2; got it
13:01:41 +Ed_Simon
13:01:47 zakim, aaaa is sean
13:01:47 +sean; got it
13:02:03 TOPIC: welcome
13:02:09 esimon2 has joined #xmlsec
13:02:26 TOPIC: Introduction of members / roll call
13:02:41 hal has joined #xmlsec
13:02:42 +brich
13:03:00 TOPIC Administrativia
13:03:21 tlr: asks klanz2 on minutes version
13:03:30 konrad: he has sent already.
13:03:36 brich has joined #xmlsec
13:03:38 tlr: will approve next meeting
13:04:16 tlr: remind booking hotel for November plenary, as there is a deadline
13:04:25 rdmiller has joined #xmlsec
13:04:46 tlr: 20(?) people at the workshop
13:04:58 q+
13:05:09 ...there will be some slight changes in the final agenda. Somebody will not be able to attend
13:05:35 hal: requests shift in his presentation
13:05:49 rmiller has joined #xmlsec
13:05:54 tlr: anything else on workshop?
13:06:07 topic: action item review
13:06:31 action#26: is still open
13:06:45 +??P11
13:06:46 action#71. sean: still open.
13:07:03 zakim, ??P11 rmiller
13:07:03 I don't understand '??P11 rmiller', jcc
13:07:04 zakim, ??P11 is rdmiller
13:07:04 +rdmiller; got it
13:07:10 zakim, ??P11 is rmiller
13:07:10 I already had ??P11 as rdmiller, jcc
13:07:29 zakim, ??P11 is rmiller
13:07:29 I already had ??P11 as rdmiller, rmiller
13:07:34 action 74: no further progress
13:07:48 action 81: CLOSED
13:07:57 zakim, mute me
13:07:57 sorry, rmiller, I do not know which phone connection belongs to you
13:08:24 ACTION 82: konrad plans to close it today
13:08:31 action 83: as above
13:09:01 action 91 closed
13:10:12 bruce: on xpointers...
13:10:43 agenda+ xpointers
13:10:58 ...doc talks xpointer outside fragment URI notation whereas the test cases show URIs in this section.
13:11:05 tlr: review afterwards
13:11:16 action 90 closed
13:11:17 ACTION-90 closed
13:11:17 Sorry... I don't know how to close ACTION yet
13:11:54 i can hear jcc
13:12:29 * i can hear but poorly
13:12:34 I can hear both
13:12:36 i can hear both clearly
13:12:45 i can jcc intermittently
13:12:45 I can hear everybody
13:12:51 thanks for clarifying
13:13:30 I suspect it's a problem with my line and will drop, then reconnect.
13:13:30 zakim, drop thomas
13:13:30 Thomas is being disconnected
13:13:32 -Thomas
13:13:33 mybe type to the chat
13:13:44 zakim, call thomas-skype
13:13:44 ok, tlr; the call is being made
13:13:45 s/mybe/maybe/
13:13:45 +Thomas
13:13:55 konrad, Sean and Juan Carlos coordinated incorporation of new material to the interop
13:13:58 please indicate on IRC if you get voicemail
13:14:11 zakim, drop thomas
13:14:11 Thomas is being disconnected
13:14:13 -Thomas
13:14:19 zakim, call thomas-781
13:14:19 ok, tlr; the call is being made
13:14:21 +Thomas
13:14:21 zakim, drop thomas
13:14:21 Thomas is being disconnected
13:14:23 -Thomas
13:14:24 ...document... from what I have seen we all have committed new versions to the cvs
13:14:26 zakim, call thomas-skype
13:14:26 ok, tlr; the call is being made
13:14:27 +Thomas
13:14:38 thomas fighting his phone ;-)
13:14:46 it's dead now
13:14:54 I cannot hear tlr
13:15:02 zakim, call thomas-skype
13:15:02 ok, tlr; the call is being made
13:15:04 +Thomas.a
13:15:18 ah!
13:15:32 -Thomas
13:16:08 konrad: the document contains enough information as to allow people to start doing interop
13:16:44 ...use firefox and they will get the output scroll bar...
13:16:55 ...they will get nicer view.
13:17:13 ACTION-91 closed
13:17:13 Sorry... I don't know how to close ACTION yet
13:17:29 q+
13:17:46 konrad: we are allowed to introduce additional material if we identify it...
13:17:53 ack sean
13:18:01 q-
13:18:21 sean: do not see changes that he made yesterday at the document in the cvs
13:18:49 s/cvs/url in the agendta/
13:19:11 tlr: is the html doc the problem?
13:19:16 sean: yes
13:19:17 ah, here it is Add links to test signatures in sections 3.3.4.1 and 3.3.4.1.
13:19:24 I'll do that now
13:19:32 tlr: transform the xml to html: konrad or jcc may do it.
13:19:45 ...konrad, could you please do it?
13:20:10 action 92 sent that note, not feedback CLOSED
13:20:10 ACTION-92 done
13:20:37 action 93 konrad will do it today OPEN
13:20:38 ah!
13:20:38 ACTION-93 continued
13:20:51 q+
13:20:58 zakim, take up agendum 1
13:20:58 agendum 1. "xpointers" taken up [from tlr]
13:21:19 I can
13:21:20 can you hear me?
13:21:20 ack jcc
13:21:23 i can hear you
13:21:25 I can hear jcc
13:21:31 I hear you, jcc
13:22:24 phone line have strange delays today
13:22:58 bruce: go to the html document testcases.html
13:23:14 build the document, sean check if your changes are there
13:23:33 http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/testcases.html
13:23:50 s/build/built/
13:24:37 yes brich is right
13:24:44 ill just fix that now
13:24:56 s/ill/I'll/
13:25:08 what test case?
13:25:29 argh, there seems to be a bunch of problems
13:25:50 bruce: some "#" missed when identifying values of URI fragments.
13:25:53 .
13:25:57 sean has joined #xmlsec
13:26:00 brich has joined #xmlsec
13:26:09 esimon2 has joined #xmlsec
13:26:44 q+
13:26:46 rdmiller has joined #xmlsec
13:27:09 ack sean
13:27:15 SHOULD BE FIXED
13:27:32 @jcc done
13:28:09 bruce: all the test cases for xpointers using xpointer framework
13:29:21 action: klanz2 to fix the xpointers in the xpointer framework adding the missing "#" sign to the URI fragments
13:29:21 Created ACTION-94 - Fix the xpointers in the xpointer framework adding the missing \"#\" sign to the URI fragments [on Konrad Lanz - due 2007-09-25].
13:29:51 ACTION: sean to generate new test signatures for xpointer
13:29:51 Created ACTION-95 - Generate new test signatures for xpointer [on Sean Mullan - due 2007-09-25].
13:30:34 bruce: unclear for xpointer framework test cases whether the canonicalization is 1.0 or 1.1
13:31:22 well there is a RECOMMENDATION for c14n1.1 in the spec
13:31:32 in the section for reference generation
13:31:43 sean has joined #xmlsec
13:31:45 q+
13:31:47 q+
13:32:02 ack klanz2
13:32:02 +1 to konrad
13:32:12 The ds:Reference for enveloped signatures will contain two Transform elements, namely; the enveloped signature transform and the one indicating canonical XML 1.0 (these test cases are not designed to deal with canonical XML 1.1). The ds:Reference for enveloping signatures will contain only the second one.
13:32:20 ack sean
13:32:59 ack tlr
13:32:59 bruce: agreed
13:33:22 brich has joined #xmlsec
13:33:46 tlr: should not we have the same test cases for c14n1.1?
13:33:55 updated '#' issues in http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/testcases.html#TestCases-SchemaBasedXPointers press shift reload
13:35:29 q+
13:35:43 ack sean
13:35:48 juan carlos: xpointer framework test cases were requested without looking at the canonicalization...
13:36:10 sean: these test cases should use canonicalization 1.1
13:36:32 q+
13:36:37 ack jcc
13:36:46 The ds:Reference for enveloped signatures will contain two Transform elements, namely; the enveloped signature transform and the one indicating canonical XML 1.0 (these test cases are not designed to deal with canonical XML 1.1). The ds:Reference for enveloping signatures will contain only the second one.
13:37:20 q+
13:37:25 q?
13:38:01 May I propose to use two references one using 1.0 and one using 1.1 if this has value in the defined testcases to demonstrate some difference
13:38:17 if not let's just use 1.1
13:38:38 ack sean
13:38:40 q+
13:39:04 sean: should move away from 1.0
13:39:05 ack klanz2
13:39:50 konrad: worth to use both... in order to go deeper in behaviour.
13:40:00 tlr: people support using 1.1
13:40:26 bruce: support 1.1. Either one would be OK. Do not see difference in process
13:40:45 q+
13:41:22 q+
13:41:23 tlr: we agree that canonicalization 1.1 should be present
13:41:27 RESOLUTION: xpointer test cases to be changed to c14n 1.1
13:41:55 ack klanz2
13:42:15 action: klaz2 to switch xpointer test cases to c14n1.1
13:42:15 Sorry, couldn't find user - klaz2
13:42:22 action: klanz2 to switch xpointer test cases to c14n1.1
13:42:22 Created ACTION-96 - Switch xpointer test cases to c14n1.1 [on Konrad Lanz - due 2007-09-25].
13:44:14 is the way the xpointer test cases are designed xml:base tested as well ?
13:45:05 esimon2 has joined #xmlsec
13:45:29 I will try IRC one more time; if it fails again, I'll just stay on the phone.
13:45:35 iu just looked into the cvs it is not having xml:base attributes
13:45:45 s/having/have/
13:45:49 fjh2 has joined #xmlsec
13:45:54 s/iu/I/
13:46:08 no that's it
13:46:20 topic: Section 3.3, Implicit/Explicit rules
13:46:27 http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/
13:46:31 tlr: section 3.3
13:46:57 konrad: three new test cases checking implicit and explicit indication of canonicalization algorithms
13:47:37 ...some test that should use 1.1 actually do not mention any algorithm, which by default means that they use 1.0
13:48:02 Topic: Section 3.5 DNs
13:48:08 http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/
13:48:26 http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/testcases.html#TestCases-DistinguishedName
13:48:40 sean: the test cases for this part are completed
13:48:56 ...changed the way they were specified quite a bit and appreciate any comment on that...
13:49:27 ..for the second part implemented 3 of the cases that seem to be the most important ones...
13:49:48 Update to the XPointer test cases:
13:49:48 The ds:Reference for enveloped signatures will eventually contain two Transform elements, namely; the enveloped signature transform and the conversion from node set data to octet stream (canonical XML 1.1).
13:49:54 ..the rest seem not to explicitly check the RFCs but only things nice to test
13:50:36 topic: xml:id, :lang, ... implementation status
13:50:40 same
13:50:48 not yet for xpointer and dname
13:50:48 sean: dropped material on these test cases in the cvs
13:51:03 bruce dropped signatures on xml:base and verified signatures from sean.
13:51:36 jcc: try to drop some material during this week
13:52:33 rdmiller has joined #xmlsec
13:52:51 topic: Best Practices
13:52:58 topic Best Practices
13:53:08 testing
13:53:19 q+
13:53:43 ack klanz
13:54:09 maybe type a few notes to the chat
13:54:25 esimon2: three months ago we discussed the DNs encoding and reversibility
13:54:39 ed: encoding rules /issue of reversibility / security considerations /trying to get correct certificate
13:54:53 ... are the reversibility issues
13:55:12 ... sean & ed: attribute type makes a difference
13:55:18 ... sean mentioned some questions, like if the attributetype makes a difference and whether
13:55:25 ...there could be an attack on that...
13:55:28 could there be an attack, when a different certificate sneaks in
13:55:36 ..or you get a different certificate...
13:56:13 sean: does anyone follow the PKIX group progress?
13:56:37 http://www.imc.org/ietf-pkix/mail-archive/msg04986.html
13:56:40 konrad updated the document in terms of xpointers
13:56:51 q?
13:57:09 ack jcc
13:57:41 q+
13:58:06 ack klanz
13:58:14 juan carlos: should be considered in the future
13:58:26 konrad: substitution attacks could be possible...
13:59:09 q+
13:59:12 konrad: strict rules for requesting certificates... should not this diminish the danger?
13:59:52 sean: it is also a matter of accuracy: with ASN1 you are exactly referring the right certificate...
14:00:16 s/sean/ed
14:00:50 ack hal
14:00:56 konrad: substitution attacks are managed outside XMLDSIG (XAdES, for instance ensure data from the certificate so that substitution may be detected)
14:01:03 -klanz2
14:01:08 dialing in again
14:01:13 zakim, code?
14:01:13 the conference code is 965732 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), tlr
14:01:19 sean: review the whole RFC of encoding DNs...
14:01:44 +??P20
14:01:54 zakim, ??P20 is klanz2
14:01:54 +klanz2; got it
14:02:08 sean: what we are doing in XMLDSIG is requiring reversibility to a spec that did not pursue that
14:02:27 ...we could come up with a mechanism that grants that there is no loss of information in either way...
14:02:30 is this ismilar to xml encoding rules?
14:02:40 next XMLDSIG version should incorporate this feature
14:02:44 s/isimilar/similar/
14:03:16 q+
14:03:19 hal: in Web services security... referring to a certificate is not easy ... and doing a DN comparison is something commonly done...
14:03:23 q+
14:03:46 sean: something to investigate in the next months to come
14:03:52 -Hal_Lockhart
14:03:53 ack klanz2
14:03:57 ack klanz
14:03:59 q-
14:04:49 ed: interesting to explore this reversibility between ASN.1 and XML for DNs.
14:04:56 q+
14:05:04 ack jcc
14:05:52 tlr: what I heard seems to go farther than best practices
14:06:09 ... and could be a relevant item for a future working group
14:06:32 ed: will not be present in workshop but yes in November, in Boston
14:06:39 q+
14:07:09 +Hal_Lockhart
14:07:13 maybe it's worth to point from the wiki to the minutes
14:07:21 tlr: should we add this into the wiki?
14:07:30 ack jcc
14:07:35 hal has joined #xmlsec
14:08:09 ed: enough with the minutes...we will have to deal with this in the future
14:08:23 topic: decryption transform
14:08:24 I will be dialing into the WorkShop next week though I will not be there in person.
14:08:37 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Aug/0012.html
14:09:10 @ED, maybe you'd like to add the DNAME Reversibility topic here
14:09:19 http://www.w3.org/2007/xmlsec/wiki/CharterDevelopmentForSignatureEncryption
14:10:13 tlr: proposal for modifying decryption transform... hanging for number of days.. what people think?
14:10:19 ... any interest on that now?
14:11:30 any, luck with alex sanin ?
14:11:36 tlr: as we have not been able to progress on this issue it might happen that we drop the issue
14:11:39 q+
14:12:06 konrad: asks if tlr has been in contact with Aleksej (implementer)
14:12:14 + +017814aaaa
14:12:26 zakim, aaa is fjh2
14:12:26 sorry, fjh2, I do not recognize a party named 'aaa'
14:12:38 zakim, +017814aaaa is fjh2
14:12:38 +fjh2; got it
14:13:27 we can close the actions to update the xpointer test cases I think
14:13:30 topic: Recommendation for regression tests?
14:13:41 tlr: come back to item 6
14:14:03 q+
14:14:06 tlr: should interop progression tests? to incorporate xmlsig former tests conveniently updated?
14:14:22 q-
14:14:49 konrad: almost impossible to update former tests in xmlsig for incorporating c14n1.1 there
14:15:02 Thomas -- I keep getting cut off IRC; please send me the raw version after the meeting ends so I can write up something re the reversibility issue re Konrad's suggestion. Thanks, Ed
14:15:02 q+
14:15:14 konrad: proposes to leave them as they are as legacy test cases
14:15:16 q-
14:15:16 q- klanz
14:15:17 ack sean
14:15:36 sean: doable, they have tools that already created all of them
14:15:53 sean: could modify them to insert c14n1.1 in them...
14:16:01 tlr: it could be useful
14:16:21 q+
14:16:40 bruce: not sure...not familiar with these tests so not able to assess their difficulty
14:16:41 ack sean
14:17:02 sean: would not be expecting the others generating signatures, but verifying them
14:17:16 konrad: agree with sean if we keep this informally.
14:18:29 +1
14:19:10 jcc +1
14:19:29 tlr: sean could generate these signatures and verification test cases could be performed on them
14:19:39 sean: will generate and drop them in the cvs
14:20:10 bruce: is it possible to know the format so that we may prepare the test framework?
14:20:38 sean: propose to generate the merlin 23 signature (the big one) with the c14n11 canonicalization there
14:20:55 ...only the big one, not the rest
14:20:56 q+
14:21:07 ack klanz2
14:22:21 konrad: sean mentioned some test cases that never were tested...would it be worth to do something on them at the interop?
14:22:37 also for the ok if we have time list
14:22:49 -jcc
14:22:55 I can hear you okay
14:23:02 tlr: need for an agenda bit more formal
14:23:18 sorry was dropped...could anybody take minutes while I reconnect?
14:23:26 tlr: interop, any other business?
14:24:08 q+
14:24:08 zakim, mute me
14:24:09 +??P2
14:24:10 sorry, tlr, I do not know which phone connection belongs to you
14:24:14 zakim, unmute me
14:24:14 sorry, tlr, I do not know which phone connection belongs to you
14:24:15 q-
14:24:32 whois it
14:24:47 zakim ??P2 is jcc
14:24:51 zakim, ??P2 is jcc
14:24:51 +jcc; got it
14:26:28 frederick: other participants?
14:26:32 klanz2: comment mailing list?
14:26:39 tlr: public-xmlsec-comments
14:26:43 q-
14:27:18 Action to tlr to create a small section on the public page referring to the comments mailing list plus some list to relevant material
14:27:45 ACTIONS: frederick to point addtl participants at comment mailing list
14:28:02 how many are there?
14:28:08 fredewrick?
14:28:29 s/fredewrick/Frederick/
14:28:35 tlr: question on organizational issues.
14:28:48 very few registration so far.
14:28:51 just me
14:29:05 ... who will be at the interop?
14:29:10 just me
14:29:12 jcc: only me
14:29:22 just me
14:29:27 tlr: thank you...that is enough
14:29:40 topic: any other business
14:30:14 brich: is there somewhere something of the type "must do" for the interop?
14:30:44 bruce: xml space attribute "must do", xpointers "may do"
14:30:44 q+
14:30:52 ack klan
14:30:58 konrad: the more we may bring the better
14:31:06 q+
14:31:29 ack jcc
14:31:30 s/brich/bruce/
14:31:33 q+
14:32:33 q+ klanz2
14:33:03 my "must-do" assumption was ID, SPACE, LANG, BASE
14:33:25 ack sean
14:34:30 sean: test cases using XSLT may put problems as XSLT itself is not mandatory
14:34:31 ack klanz2
14:35:11 konrad: some test case that includes binary input in one of the transforms steps..
14:35:21 sean: it has to be optional at the end of the day
14:35:56 q+
14:36:00 q+
14:36:26 tlr: the goal will be to have the things ready for progressing the canonicalization spec
14:36:39 ack brich
14:36:39 ...tlr: no public report of the interop...
14:36:43 some interops publish only impl A, B, C...
14:37:51 tlr: might be one way... although it will depend on the final result...
14:38:00 q?
14:38:02 ack jcc
14:38:03 tlr: would not like to make a decision just now
14:39:13 q?
14:40:16 we do need a certain number implementations and I'm confident we'll all be quite successful ...
14:40:47 jcc: proposes that everybody is free to decide whether is mentioned or not in the public report
14:41:13 tlr: need to think more about that: anonymous report as proposed by brich could be one way
14:42:15 positive
14:42:28 -Ed_Simon
14:44:14 xmldsig/defCan-2 and xmldsig/defCan-3 contains an xslt transform and I'll put "(optional) " next to the test name
14:44:25 -rdmiller
14:44:29 tlr: thank you everybody for attending the meeting.
14:44:33 -Hal_Lockhart
14:44:33 bye bye, lookin forward
14:44:36 - +1.512.401.aabb
14:44:38 -sean
14:44:38 adjourned
14:44:39 -PHB
14:44:46 rrsagent, please draft minutes
14:44:46 I have made the request to generate http://www.w3.org/2007/09/18-xmlsec-minutes.html tlr
14:45:19 rrsagent, please make record public
14:46:18 -jcc
14:46:25 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Sep/0022.html
14:46:46 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Sep/att-0022/11-xmlsec-minutes.html
14:47:02 - DRAFT -
14:47:19 -klanz2
14:47:22 zakim, who is on the phone?
14:47:22 On the phone I see Thomas.a, fjh2
14:55:04 This conference is in overtime; all ports must be freed
14:55:56 -fjh2
14:56:00 -Thomas.a
14:56:01 T&S_XMLSEC()9:00AM has ended
14:56:02 Attendees were sean, PHB, Thomas, jcc, Hal_Lockhart, klanz2, Ed_Simon, brich, rdmiller, Thomas.a, fjh2
15:36:23 .
15:36:49 Thomas, ed was referring to some DNAME related material he and sean drafted where can this be found?
16:41:02 PHB2 has left #xmlsec