IRC log of xmlsec on 2008-05-20

Timestamps are in UTC.

12:46:57 [RRSAgent]
RRSAgent has joined #xmlsec
12:46:57 [RRSAgent]
logging to http://www.w3.org/2008/05/20-xmlsec-irc
12:46:59 [trackbot-ng]
RRSAgent, make logs public
12:46:59 [Zakim]
Zakim has joined #xmlsec
12:47:01 [trackbot-ng]
Zakim, this will be XMLSEC
12:47:01 [Zakim]
ok, trackbot-ng; I see T&S_XMLSEC()9:00AM scheduled to start in 13 minutes
12:47:02 [trackbot-ng]
Meeting: XML Security Specifications Maintenance Working Group Teleconference
12:47:02 [trackbot-ng]
Date: 20 May 2008
12:47:17 [fjh]
Chair: Frederick Hirsch
12:48:43 [klanz2]
klanz2 has joined #xmlsec
12:49:09 [fjh]
Agenda: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0029.html
12:50:02 [fjh]
Regrets: Thomas Roessler, Shivaram Mysore
12:51:26 [klanz2]
Hi, I'm currently in a train in Austria, so I may have difficulties dialing in using VoIP, ...
12:51:27 [klanz2]
There is no access number in Austria I could use to dial in, is there?
12:53:07 [sean]
sean has joined #xmlsec
12:55:20 [rdmiller]
rdmiller has joined #xmlsec
12:56:25 [Zakim]
T&S_XMLSEC()9:00AM has now started
12:56:32 [Zakim]
+ +1.443.695.aaaa
12:57:10 [rdmiller]
Zakim aaa is rdmiller
12:58:01 [EdS]
EdS has joined #xmlsec
12:58:26 [brich]
brich has joined #xmlsec
12:58:30 [Zakim]
+Frederick_Hirsch
12:58:43 [fjh]
zakim, who is here?
12:58:43 [Zakim]
On the phone I see +1.443.695.aaaa, Frederick_Hirsch
12:58:44 [Zakim]
On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
12:59:00 [fjh]
zakim, aaaa is Rob Miller
12:59:00 [Zakim]
I don't understand 'aaaa is Rob Miller', fjh
12:59:07 [Zakim]
+ +1.512.401.aabb
12:59:08 [fjh]
zakim, aaaa is rdmiller
12:59:08 [Zakim]
+rdmiller; got it
12:59:20 [fjh]
zakim, aabb is brich
12:59:20 [Zakim]
+brich; got it
12:59:28 [fjh]
zakim, who is here?
12:59:28 [Zakim]
On the phone I see rdmiller, Frederick_Hirsch, brich
12:59:29 [Zakim]
On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
12:59:34 [Zakim]
+ +1.617.876.aacc
12:59:42 [EdS]
trying to dial in
12:59:46 [fjh]
zakim, aacc is sean
12:59:46 [Zakim]
+sean; got it
12:59:55 [fjh]
zakim, who is here?
12:59:55 [Zakim]
On the phone I see rdmiller, Frederick_Hirsch, brich, sean
12:59:57 [Zakim]
On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:00:22 [Zakim]
+Ed_Simon
13:00:22 [rdmiller]
Zakim, mute me
13:00:24 [Zakim]
rdmiller should now be muted
13:00:24 [fjh]
zakim, who is making noise
13:00:24 [Zakim]
I don't understand 'who is making noise', fjh
13:00:40 [klanz2]
I'll be on the chat and try to call in at 6) Best practices
13:00:45 [fjh]
zakim, who is here?
13:00:45 [Zakim]
On the phone I see rdmiller (muted), Frederick_Hirsch, brich, sean, Ed_Simon
13:00:47 [Zakim]
On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:01:12 [Zakim]
+ +1.978.244.aadd
13:01:15 [klanz2]
bruce is making noise, maybe ...
13:01:26 [brich]
zakim, mute me
13:01:26 [Zakim]
brich should now be muted
13:01:43 [fjh]
zakim, aadd is jwray
13:01:43 [Zakim]
+jwray; got it
13:01:49 [fjh]
zakim, who is here?
13:01:49 [Zakim]
On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray
13:01:51 [Zakim]
On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:01:52 [pdatta]
pdatta has joined #xmlsec
13:03:31 [EdS]
John Wray to scibe on June 3.
13:03:38 [EdS]
s/scibe/scribe/
13:04:25 [EdS]
Next meeting is 2008 June 3.
13:04:37 [Zakim]
+ +1.650.506.aaee
13:04:39 [EdS]
TOPIC: Administrative Words
13:04:46 [fjh]
zakim, aaee is pdatta
13:04:46 [Zakim]
+pdatta; got it
13:04:55 [fjh]
zakim, who is here?
13:04:55 [Zakim]
On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta
13:04:57 [Zakim]
On IRC I see pdatta, brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:05:38 [EdS]
TOPIC: F2F
13:05:55 [fjh]
F2F for next WG planned. 16-17 July, Barcelona
13:06:01 [EdS]
Next F2F is in Barcelona from July 16-17
13:06:26 [EdS]
TOPIC: WG Chartering
13:06:44 [EdS]
fjh: Ask your rep to register your interest
13:06:46 [fjh]
http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2008May/0003.html
13:07:20 [EdS]
Comments from a couple of companies were incorporated into the charter.
13:07:28 [Zakim]
+ +aaff
13:07:47 [fjh]
charter link http://www.w3.org/2008/02/xmlsec-charter.html
13:08:08 [fjh]
home page for new xmlsec http://www.w3.org/2008/xmlsec/
13:08:33 [EdS]
Mail list not set up for new WG
13:08:53 [deastlak]
deastlak has joined #xmlsec
13:09:01 [EdS]
TOPIC: XML Signature 2ed
13:09:04 [fjh]
zakim, who is here?
13:09:04 [Zakim]
On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, +aaff
13:09:06 [Zakim]
On IRC I see deastlak, pdatta, brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:09:29 [fjh]
zakim, aaff is deastlak
13:09:29 [Zakim]
+deastlak; got it
13:09:42 [PHB2]
PHB2 has joined #xmlsec
13:09:59 [EdS]
Important to register for the new WG because of IPR issues.
13:10:16 [EdS]
No more comments from XML Sig 2ed PER
13:10:28 [fjh]
http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0015.html
13:10:35 [Zakim]
+PHB
13:10:53 [fjh]
Additional update to remove XSL reference
13:10:59 [EdS]
fjh: One additional comment after PER was to remove XSL reference.
13:11:11 [fjh]
http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0023.html
13:11:38 [EdS]
RESOLUTION: Remove non-normative XSL reference in PER references
13:11:54 [EdS]
All agreed.
13:12:18 [EdS]
fjh: No more changes foreseen to PER.
13:12:34 [fjh]
red line http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/
13:12:49 [fjh]
explain document http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/explain.html
13:12:57 [EdS]
fjh: Looks like 2ed is done.
13:13:08 [klanz]
klanz has joined #xmlsec
13:13:23 [EdS]
fjh: Please take a look at the explain document and the 2ed to see if anything catches your eye.
13:13:26 [klanz]
.
13:13:37 [EdS]
TOPIC: XML Signature 2ed RFC
13:13:57 [EdS]
Originally, XML Signature was a joint project between W3C and IETF.
13:15:29 [fjh]
might have to be proposed standard before draft standard
13:15:37 [EdS]
deastlak: Proposed creating 2nd edition RFC to IETF. Donald is looking into the standards status of XMLSIG RFC/Internet Draft/ Draft Standard.
13:16:06 [EdS]
deastlak: Might take 6 to 8 months to complete process at IETF.
13:16:56 [EdS]
deastlak: Will start looking at converting the W3C 2ed this weekend.
13:18:30 [EdS]
TOPIC: RELAX NG SCHEMA
13:18:53 [EdS]
fjh: Norm drafted a RELAX NG Schema.
13:18:56 [fjh]
http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0005.html
13:19:24 [fjh]
Test results from Thomas (trang to xml schema then xml lint results)
13:19:41 [fjh]
http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0007.html
13:20:54 [EdS]
fjh: Two issues: how well the RELAX version matches the official schema; and how correct the RELAX NG schema is.
13:21:17 [EdS]
Has anyone looked at the RELAX NG version?
13:21:24 [brich]
I haven't
13:21:29 [EdS]
... (besides Thomas).
13:21:49 [klanz]
not yet ...
13:22:21 [rdmiller]
I have some guys that are interested, but getting the time could be a problem.
13:22:37 [EdS]
ACTION: Frederick to check on status with customer.
13:22:37 [trackbot-ng]
Created ACTION-158 - Check on status with customer. [on Frederick Hirsch - due 2008-05-27].
13:23:19 [EdS]
Note: change action to indicate reference to RELAX NG schema
13:23:31 [EdS]
TOPIC: Best Practices
13:24:04 [EdS]
fjh: Updated draft document with material from Hal, Pratik, and Sean
13:24:06 [fjh]
see http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0028.html
13:24:37 [EdS]
fjh: Please review Best Practices document.
13:24:38 [fjh]
please review and propose changes on list
13:24:57 [EdS]
TOPIC: Best Practices -- Retrieval Method Looping
13:25:05 [fjh]
http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0022.html
13:25:29 [Zakim]
+ +43.676.550.aagg
13:25:31 [EdS]
pratik: checked in files wrt denial of service (2 for retrieval method)
13:25:53 [EdS]
pratik: retrieval method could point to itself; ways of creating infinite loops.
13:26:26 [EdS]
pratik: Best Practice is to ignore Retrieval Methods.
13:26:42 [EdS]
pratik: Other 3 files were wrt XPath.
13:26:44 [Zakim]
+Hal_Lockhart
13:27:08 [EdS]
pratik: one example has 100 NS and 100 elements.
13:27:27 [EdS]
pratik: in Xpath, it becomes 100*100 nodes.
13:27:53 [hal]
hal has joined #xmlsec
13:28:04 [EdS]
pratik: leads to (100*100)^2 operations
13:28:18 [fjh]
zakim, who is here?
13:28:18 [Zakim]
On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart
13:28:21 [Zakim]
On IRC I see hal, PHB2, deastlak, pdatta, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:28:50 [EdS]
fjh: What do we do next with these examples?
13:29:11 [EdS]
pratik: will provide more documentation for us to look at.
13:29:22 [fjh]
zakim, aagg is konrad lanz
13:29:22 [Zakim]
I don't understand 'aagg is konrad lanz', fjh
13:29:43 [EdS]
klanz: Was at workshop discussing web services and XML Signatures.
13:29:56 [fjh]
zakim, aagg is klanz
13:29:56 [Zakim]
+klanz; got it
13:30:10 [EdS]
klanz: XML Signature could allow random access, not just streaming.
13:31:10 [EdS]
klanz: XML Signature could be redesigned to allow better random access and more efficient processing.
13:31:33 [Zakim]
-klanz
13:32:08 [fjh]
zakim, who is here?
13:32:08 [Zakim]
On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, deastlak, PHB, Hal_Lockhart
13:32:11 [Zakim]
On IRC I see hal, PHB2, deastlak, pdatta, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:32:17 [EdS]
See Konrad's post to the list
13:32:29 [Zakim]
+klanz
13:33:16 [EdS]
Hal: klanz's proposal is on the same motivations as Ed presented at the last F2F but Konrad's is more aligned with the current XML Signature framework.
13:33:16 [fjh]
Hal noted that Konrad's approach might work with current standard
13:33:45 [fjh]
Frederick noted that work on revised version of XML Signature should be deferred to upcoming WG.
13:34:30 [EdS]
klanz: what is new is that we stay within the current syntax; web services community should consider not requiring the XML Signature to be in the SOAP header.
13:34:50 [fjh]
http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0026.html
13:34:56 [EdS]
fjh: Is that work for the new WG?
13:35:06 [EdS]
Ed: Sounds to me like it is.
13:35:47 [EdS]
klanz: Thinks it would be.
13:38:00 [EdS]
Konrad to send an email to capture the technical thoughts that he just expressed.
13:39:08 [fjh]
Frederick - should remember this in newly chartered wg
13:40:17 [pdatta]
+q
13:40:58 [EdS]
ACTION: klanz2 to Draft proposal for best practices document re signed streaming content in current XML Sig syntax
13:40:58 [trackbot-ng]
Created ACTION-159 - Draft proposal for best practices document re signed streaming content in current XML Sig syntax [on Konrad Lanz - due 2008-05-27].
13:41:11 [sean]
q+
13:41:51 [EdS]
hal: should focus Konrad's ideas on HTTP streaming of XML documents
13:42:15 [fjh]
hal - simpler, possibly more impact
13:42:23 [fjh]
ack pdatta
13:42:32 [Zakim]
-klanz
13:42:34 [EdS]
klanz2: Thinks we need to be careful not to limit the proposal too much.
13:43:24 [EdS]
pdatta: Signing (after content) could be done in a streaming way, but not verification.
13:43:25 [fjh]
Pratik: verification in streaming might not work, e.g. cannot know if valid until all content in memory
13:44:08 [EdS]
pdatta: Attachments also complicate things because the signature may be after the body but before the attachments.
13:44:28 [fjh]
ack sean
13:44:59 [EdS]
sean: These are interesting proposals but is hesitant to put them into best practices until we have practical experience for them.
13:45:33 [fjh]
+1
13:46:18 [EdS]
TOPIC: Best Practices -- Denial of Service
13:46:28 [fjh]
http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0025.html
13:47:16 [EdS]
pdatta: 2 examples were related to XSLT and too many transforms. In XSLT, one can have nested loops. In examples, it is easy to get 100 million iterations.
13:47:45 [EdS]
pdatta: Last example wrt c14n.
13:49:31 [sean]
q+
13:49:58 [EdS]
Compared XPath node set with DOM tree approach. Best to limit number of transforms and also be aware of the impact preceding transforms can have on following ones.
13:50:17 [EdS]
Pratik will send an email elaborating on this.
13:50:57 [EdS]
ACTION: pdatta to Add more documentation to the Best Practices document for his examples
13:50:58 [trackbot-ng]
Created ACTION-160 - Add more documentation to the Best Practices document for his examples [on Pratik Datta - due 2008-05-27].
13:52:03 [fjh]
administrative http://www.w3.org/2007/xmlsec/Group/Overview.html
13:52:24 [fjh]
ack sean
13:52:42 [EdS]
sean: has not reviewed Best Practices document yet.
13:53:09 [fjh]
action: Frederick to add link to best practices example directory to WG administrative page
13:53:09 [trackbot-ng]
Created ACTION-161 - Add link to best practices example directory to WG administrative page [on Frederick Hirsch - due 2008-05-27].
13:53:33 [EdS]
sean: Attacks are more serious if one validates references first, should validate signature and keys first; should be stated in Best Practices document.
13:54:55 [EdS]
sean: If signature verifies, and one trusts the source, then less likely that message would be an attack.
13:56:13 [EdS]
hal: Cannot check the signature is valid without checking the transforms. Can steal someone else's signature part to get past first check.
13:56:33 [EdS]
Sean to review Best Practices document.
13:57:13 [fjh]
Pratik: transforms in RetrievalMethod are a risk even when getting the key first, so still an issue related to validating the signature
13:58:14 [EdS]
pdatta: In response to Hal, points out the transforms are checked as part of verifying the signature.
13:58:41 [EdS]
...therefore verifying the signature first does provide some security against DOS.
13:58:49 [EdS]
s/DOS/DoS/
13:59:06 [fjh]
link to denial of services directory: http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/samples/
13:59:12 [EdS]
hal: Will look into this further.
13:59:23 [fjh]
q?
13:59:58 [EdS]
fjh: Everyone please look at Best Practices document and continue discussion on mailing list.
14:00:44 [EdS]
fjh: Juan Carlos had message about time stamp practices; please take a look at it.
14:01:03 [fjh]
best practices draft http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
14:01:27 [fjh]
juan carlos message: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0030.html
14:01:35 [EdS]
TOPIC: Action Items Review
14:01:49 [klanz2]
klanz2 has joined #xmlsec
14:02:25 [EdS]
Action-151 is open.
14:03:06 [EdS]
Action-154 and Action-153 Open.
14:03:45 [fjh]
XMLHttpRequest review request - please indicate if you plan to review
14:04:01 [EdS]
No official action item for XMLHttpRequest review request, but please review it.
14:04:23 [EdS]
Closed Action-155
14:04:30 [EdS]
Close Action-155
14:04:30 [trackbot-ng]
ACTION-155 add timestamp/nonce material from Hal Lockhart to best practices document closed
14:04:39 [EdS]
Close Action-156
14:04:39 [trackbot-ng]
ACTION-156 incorporate Pratik update to best practices on transforms closed
14:04:50 [EdS]
Close Action-157
14:04:50 [trackbot-ng]
ACTION-157 incorporate Sean's best practice material closed
14:05:13 [Zakim]
-PHB
14:05:19 [EdS]
Action-150 is still open.
14:05:47 [EdS]
TOPIC: Administration - Closing Words
14:06:07 [EdS]
Next meeting is June 3, talk to your AC rep about joining new WG.
14:06:31 [EdS]
Everyone, please review Best Practices.
14:06:32 [Zakim]
-Hal_Lockhart
14:06:38 [Zakim]
-brich
14:06:43 [klanz2]
bye bye
14:06:45 [pdatta]
pdatta has left #xmlsec
14:06:50 [Zakim]
-pdatta
14:07:06 [Zakim]
-jwray
14:07:09 [fjh]
Zakim, list participants
14:07:09 [Zakim]
As of this point the attendees have been +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray,
14:07:12 [Zakim]
... +1.650.506.aaee, pdatta, +aaff, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:07:16 [Zakim]
-sean
14:07:56 [fjh]
Present: Ed Simon, Pratik Datta, Donald Eastlake, Frederick Hirsch, Hal Lockhart, Bruce Rich, Konrad Lanz, Phill Hallam-Baker, John Wray, Rob Miller, Sean Mullan
14:08:13 [fjh]
Zakim, list participants
14:08:13 [Zakim]
As of this point the attendees have been +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray,
14:08:17 [Zakim]
... +1.650.506.aaee, pdatta, +aaff, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:08:24 [fjh]
RRSAgent, make log public
14:08:34 [fjh]
RRSAgent, generate minutes
14:08:34 [RRSAgent]
I have made the request to generate http://www.w3.org/2008/05/20-xmlsec-minutes.html fjh
14:10:01 [Zakim]
-Frederick_Hirsch
14:10:02 [Zakim]
-Ed_Simon
14:10:07 [Zakim]
-rdmiller
14:10:09 [Zakim]
-deastlak
14:10:10 [fjh]
zakim, who is here?
14:10:11 [Zakim]
On the phone I see no one
14:10:12 [Zakim]
On IRC I see klanz2, PHB2, deastlak, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, trackbot-ng
14:10:14 [Zakim]
T&S_XMLSEC()9:00AM has ended
14:10:16 [Zakim]
Attendees were +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray, +1.650.506.aaee, pdatta, +aaff,
14:10:18 [Zakim]
... deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:10:49 [klanz2]
@deastlak, have you seen the request about whirlpool?
14:10:55 [klanz2]
for RFC 4051?
14:12:10 [deastlak]
No.
14:23:33 [klanz2]
klanz2 has joined #xmlsec
14:59:18 [tlr]
tlr has joined #xmlsec
16:19:53 [Zakim]
Zakim has left #xmlsec