See also: IRC log
Do we need to have a meeting next week on May 13th?
No. But, it will be held on May 20, 2008
<fjh> minutes approval http://www.w3.org/2008/04/15-xmlsec-minutes.html
RESOLUTION: Minutes from April 15, 2008 approved
<tlr> will remove draft from April 15 minutes and publish the same
http://lists.w3.org/Archives/Member/w3c-ac-forum/2008AprJun/0022.html
Note: All, please have your AC reps complete the questionnaire
pdatta: question on the questionnaire about intention of implementations - are we held responsible for this?
Thomas responds that answers are never made public and are just informational to understand interest in implementation and adoption
<tlr> tlr: no, the purpose of that question is to enable The Director to make an informed judgment whether there is critical mass for moving ahead.
<tlr> ... that is obviously about the intention with which you go into this, not about a formal product commitment, or anything like that ...
JCC: if # of people <25/30, it should not be a problem to host. Not much of a constraint in terms of dates 15-17 July
klanz2 can also host the meeting in Graz
<tlr> RESOLUTION: editorial fixes as outlined in 6a and 6c accepted
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0033.html
fjh: References for namespaces and Unicode - fixing errata and clarification - shall we update this
<klanz2> http://www.w3.org/XML/xml-V10-4e-errata#E10
<tlr> ick, this sounds nasty
klanz2: implementation may have to do something like this: 1.1 doc may be processed as 1.0 doc if there is no namespace
<klanz2> http://www.w3.org/XML/xml-V10-2e-errata#E16
klanz2: There is direct use of RFC 3986, but no normative reference
... There was no consistent usage of namespace in namespaces 1.0 and namespaces 1.1. There could be some breaking changes depending on how the character sets are handled
Shivaram suggests that we should add a note that at the point of writing the spec, we see the following issues ...
tlr: if we see that the change causes implementation differences, then we should be hesitant to make the change
<klanz2> ie. namespaces 1.0 have no namespace undeclarations
<klanz2> I think by adopting this we, implicitly define XPath datamodel for a subset of XML 1.1, which is good, isn't it?
<klanz2> this subset of xml 1.1 is the one not using namespace undeclarations 1.1?
<tlr> no, we don't make that definition. The erratum says that an XML 1.0 processor can treat certain documents as XML 1.0 even though they are called XML 1.1 IF they do not use non-XML 1.0 features.
<tlr> So we are not updating it to permit XML 1.1 documents.
<klanz2> @tlr fine with me ...
If we are working on this issue, then who is going to be working on this?
Konrad, FJH, TLR?
<klanz2> So what we say is then the subset of xml 1.1 with namespaces 1.1, that does not use namespace undeclarations is treated as an xml 1.0 ...
I would suggest Konrad to write this snippet as he seems to be more aware of this impact
and then send the snippet to XML WG for review
klanz2: what is the impact on conformance for markup?
tlr suggests that we talk to the coordination group as it is not specific to XML Signature and it affects the parser
I would suggest checking with others before making resolution
<scribe> ACTION: tlr to write assumptions to references update [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action02]
<trackbot-ng> Created ACTION-152 - Write assumptions to references update [on Thomas Roessler - due 2008-05-13].
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0034.html
Proposal by FJH to leave this alone
Pdatta: remove the reference to Unicode
<brich> +1
RESOLUTION: Remove the Unicode reference
<tlr> http://www.w3.org/2005/10/Process-20051014/tr.html#errata
tlr: according to process document, if there is an errata for a normative spec, then they would not impact conformance for that version of this specification, but, the errata must be included in the next version and hence would be in conformance as per process then
<klanz2> +1 to tlr for fourth edition
<tlr> PROPOSED RESOLUTION: update xml reference to 4e, namespaces to 2e
<fjh> update xml reference to 4th edition and namespace reference to 2nd edition
<brich> +1, makes sense given the Process...errata reference
RESOLUTION: update xml reference to 4th edition and namespace reference to 2nd edition
<tlr> trackbot-ng, close ACTION-152
<trackbot-ng> ACTION-152 Write assumptions to references update closed
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0005.html
<klanz2> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/att-0005/dsig.rnc
Norm has noted that the RNG schema provided has little testing and review
FJH: looking for volunteers to look at this
<klanz2> What's the time frame for this?
Who uses RNG in the group?
<klanz2> We don't use RNG ...
<klanz2> http://xml.apache.org/xalan-j/apidocs/javax/xml/XMLConstants.html#RELAXNG_NS_URI
<pdatta> I will give it a try too
klanz2 will give it a try
Thanks to David for suggesting Norm and Norm for the RNG work
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0004.html
If WG members have comments, please send them to the list.
<klanz2> http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415/#security
<fjh> http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/testcases.html
<fjh> Proposed Resolution to accept shortname "xmldsig2ed-tests"
+1
RESOLUTION: accept shortname "xmldsig2ed-tests"
... publish test case document with the short name "xmldsig2ed-tests"
ACTION: fjh to make the transition request
<scribe> ACTION: tlr to make the publication of test case document happen [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action03]
<trackbot-ng> Created ACTION-153 - Make the publication of test case document happen [on Thomas Roessler - due 2008-05-13].
<fjh> ACTION: fjh to make transition request for test case document [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action04]
<trackbot-ng> Created ACTION-154 - Make transition request for test case document [on Frederick Hirsch - due 2008-05-13].
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0018.html
http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0026.html
hal does not have cycles to become an editor, but, can contribute
RESOLUTION: accept material from Hal as input to document
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/att-0000/00-part
signing XML vs signing Binary
<klanz2> Do people know that ? http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt
<klanz2> Should be a rich source of dont's ;-)
<klanz2> http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_bh07.pdf,
<klanz2> http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf, and
<klanz2> http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_Handout.pdf.
<klanz2> FJH: had this here http://www.w3.org/2007/09/25-xmlsec-minutes
<fjh> konrad suggests putting all best practices into document, even if conflicting, then review together and resolve
<fjh> +1
<klanz2> +1 to hal
<fjh> hal suggests having security considerations and performance sections, since security not obvious
RESOLUTION: accept Pratik's input as input material
<pdatta> most of my comments are derived from Brad Hill's presentations
have CVS access so that folks can check in examples, test cases, etc. into the Best Practices section on the repository
Pratik had a look at Sean's input - http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0029.html
RESOLUTION: accept Sean's input for best practices
all of them are still open
<EdS> I volunteer to scribe.
<tlr> fjh: proposed to skip next week, next call on the 20th
Next Meeting: May 20, 2008
<klanz2> aob?
EDS will be the scribe for May 20 meeting
<klanz2> xmldsig-more?
<fjh> phil update http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2008Apr/0004.html
<klanz2> iana registry
<klanz2> http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2008Apr/0005.html