W3C

XML Security Specifications Maintenance Working Group Teleconference

15 Apr 2008

Agenda

See also: IRC log

Attendees

Present
Thomas Roessler, Frederick Hirsch, John Wray Rob Miller, Sean Mullan, Ed Simon, Bruce Rich, Phill Hallam-Baker, Juan Carlos Cruellas, Hal Lockhart, Pratik Datta, Shivaram Mysore, Konrad Lanz
Regrets
Chair
Frederick Hirsch
Scribe
Thomas Roessler, Frederick Hirsch

Contents

 

<trackbot-ng> Date: 15 April 2008

Administrative

Meeting Planning

<scribe> ScribeNick: tlr

<fjh> next call is 6 May

Frederick: next meeting 6 May, Shivaram to scribe
... sent material to WS-I

<fjh> WAF widget signing: http://www.w3.org/TR/widgets-digsig/

frederick: widget signing is FPWD now ...
... you may want to review latest draft ...

<fjh> minutes - http://www.w3.org/2008/04/01-xmlsec-minutes.html

minutes from last meeting

RESOLUTION: approved

<fjh> Dsig AC Reps http://www.w3.org/2002/09/wbs/33280/xmlsigper2008/

<fjh> http://www.w3.org/2002/09/wbs/33280/xmlsec2008/

frederick: please make sure your AC reps submit reviews for PER and charter
... chartering deadline is 2 may
... contacting AC reps now might be helpful
... face-to-face schedule for kick-off getting tight
... propose week of 14 July ...
... how would that work? ...

<brich> that would be a problem for me

juan carlos: would be a problem - holiday starting on the 15th

hal: first time I heard the date

<EdS> I would have to check for conflicts too.

hal: no conflicts off the top of my head
... location?

frederick: had two offers from Europe (Barcelona or Graz) ...

jcc: number?

frederick: 15-20 as wild guess

juan carlos: will check, may have some degrees of freedom

hal: Can host in Boston or Bay for < 30

frederick: please share possibilities on member-visible list, what dates work, etc.
... konrad?

konrad: umh

tlr: talked to Peter last week, he said the offer is on

pbaker: please make Tue-Thu, not Mon or Fri

frederick: reasonable

test case document

frederick: some editorial clean-up from Thomas, some content-wise from Sean

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0015.htm

sean: main change in section 3.3.4

<fjh> section 3.3.4 and fixed reference

sean: explained optional behavior for generation, mandatory for verification ...
... improved wording, added rationale, etc ...
... tried to improve readability of section

frederick: don't know if people have reviewed

<fjh> tlr: fixed markup, references, added text about conformance

<fjh> ... added sectioning for individual test cases for ease of use

(discussion about make vs ant build processes)

frederick: process for moving forward?

tlr: moratorium ends 28 April

frederick: expect to proceed with publication if don't hear by then

Relax NG schema

<fjh> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/

<fjh> tlr: request on original xmlsig list related to Open Office XML

<fjh> ... desire to have normative reference to Relax NG schema

<fjh> ... original version from Joseph Reagle on W3C site

<fjh> ... rather than having it copied, a Note might be preferable, especially since they wanted Compact Syntax which had not yet been created.

<fjh> ... Proposal, have minimal WG Note with both Relax NG full and compact syntax. Not normative document.

<fjh> ... Need WG review of Relax NG schema for correctness

http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/

<klanz2> we do not support Relax NG

<shivaram> How many support Relax NG?

RobMiller: put out call on internal list for review
... will report back if/when there's more information ...

hal: not committing anything either

<klanz2> well, we can parse what xalan can parse, but we'll always check signautre itself against xmlschema

frederick: what's your message in the chat saying?

klanz: we can try to validate a bunch of signatures against RNG schema

frederick: konrad, if there's anything immediately noticeable, please say

best practices

http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/

frederick: tried to rework what Hal and Pratik had posted into that format

pratik: on xpath, had a list of xpath expressions
... example there was complex xpath that was signing no node ...

frederick: more on nodes?

hal: need bunch of references
... plan to do 5 more or so on the topics ...
... depth, different issues ...
... there's also some controversial issues ...
... will attempt to identify where people might disagree ...
... question what's most expedient

<fjh> ws-i bsp "threats and countermeasures"

klanz2: think we should do some more referencing
... where others have done work ...
... there are some that are narrow xmldsig, some are about stuff on top of xmldsig ...
... time stamps are more broadly ...

<fjh> wider sense - e.g. application usage of xml signature

klanz2: xpath and canonicalization are narrower ...
... think there's a natural partition ...

<fjh> narrow sense - detail of xml signature standard itself

hal: agree there's a logical division, not sure how easy to do
... and how useful to the reader ...
... I'd think you'd always want to put in a time stamp ...

<fjh> question of defining roles, target audience for individual best practices

hal: some of the other concerns only a few people will run into ...

klanz: some applications might simply assume "signature was made during validity period"
... some points here go into PKI validation ...
... time stamping belongs there, too ...

frederick: there are different audiences

hal: want to talk about references
... what we learned doing in WSS ...
... what things turned out to be bad ideas ...
... are deprecated ..
... lots of stuff around that ...

<fjh> need to discuss referencing

<fjh> acc jcc

jcc: what are the plans for the production of best practices
... do we expect people to provide material, and people may comment on the material ...
... what's the expectation?

frederick: two aspects to this question
... first one, what's WG process
... second one, what are the broader implications
... this is obviously a draft ...
... need agreement in the WG ...
... trying to put something down, then correct ...
... as opposed to inching toward it piecewise ...
... do stuff on list, get it started ...
... so, please comment ...
... broader question - how play out in general community ...
... is it important for us to get external feedback?
... e.g., WS-I, OASIS?
... what's the right process

<hal> +1

<shivaram> I would suggest an informal notice to all of these groups and have them comment on public mailing list. We can then invite them as needed.

<klanz2> tlr: Intended to be a Note

<klanz2> ... we can do a Deliverable like this in the next WG even without having it in the charter (process wise)

<fjh> tlr: can start and hand off to follow on WG

<klanz2> tlr: we can make working drafts to notes

<fjh> tlr: can produce version, can publish as public WD to have continued by follow on wg, and seek external input

jcc: personal feeling is that external review would be extremely useful
... e.g., etsi has time-stamp related formats on top of dsig

<klanz2> http://lists.w3.org/Archives/Public/public-xmlsec-comments/

klanz2: can we use the comments mailing list?
... for people to send input?

tlr: yes

<fjh> tlr: this list is appropriate

frederick: will take a bit of time to have an initial version that we're comfortable with
... can start public review at that point ...
... something to do before we have to worry about that ...
... sounds like we don't have a problem ...
... main thing is to write down things we've learned in this group ...

hal: 3-5 more mails of the same size, then might want to flush that out
... speaking to what JCC said, looking forward to comment ...
... would be surprised if I got it all right ...
... another point, very true and general comments can end up being unintelligible ...

frederick: yes, value of concrete examples

<jcc> Sorry, was kicked off

klanz: think this is a good thing to lead us from this group to the next one

<jcc> dialing again

frederick: anything else on best practices
... also, anybody who has material to contribute, please send to public list ...
... hoping to make progress on draft between now and next call ...

action item review

trackbot-ng, close ACTION-147

<trackbot-ng> ACTION-147 Update the test cases document; polish for publication as a Note closed

<fjh> see http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0010.html

trackbot-ng, close ACTION-148

<trackbot-ng> ACTION-148 Send comments to EXI group as circulated to the XMLSEC closed

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0009.html

trackbot-ng, close ACTION-149

<trackbot-ng> ACTION-149 Clarify DName testing in test case document closed

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0015.html

ACTION-150?

<trackbot-ng> ACTION-150 -- Phillip Hallam-Baker to distribute a draft regarding identifiers registry -- due 2008-04-15 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/150

http://www.w3.org/2007/xmlsec/Group/track/actions/pendingreview

trackbot-ng, close ACTION-121

<trackbot-ng> ACTION-121 Fix CR/LF issue for test case 103 closed

trackbot-ng, close ACTION-126

<trackbot-ng> ACTION-126 Check consistency of 4.3.3.1 and references closed

trackbot-ng, close ACTION-127

<trackbot-ng> ACTION-127 Propose change to charter draft that opens encryption, in a limited way closed

aob

frederick: reminders again: Please ask AC representatives to complete questionnaires on XML Signature PER and Security Activity/XMLSec chartering. Also work on list for Best Practices before next call, and review of Relax NG schemas.

frederick: RNG schema
... prod ac reps
... review best practices

adjourned

<fjh> Scribe: Thomas Roessler, Frederick Hirsch