IRC log of xmlsec on 2008-05-20

Timestamps are in UTC.

12:46:57 [RRSAgent]: RRSAgent has joined #xmlsec
12:46:57 [RRSAgent]: logging to http://www.w3.org/2008/05/20-xmlsec-irc
12:46:59 [trackbot-ng]: RRSAgent, make logs public
12:46:59 [Zakim]: Zakim has joined #xmlsec
12:47:01 [trackbot-ng]: Zakim, this will be XMLSEC
12:47:01 [Zakim]: ok, trackbot-ng; I see T&S_XMLSEC()9:00AM scheduled to start in 13 minutes
12:47:02 [trackbot-ng]: Meeting: XML Security Specifications Maintenance Working Group Teleconference
12:47:02 [trackbot-ng]: Date: 20 May 2008
12:47:17 [fjh]: Chair: Frederick Hirsch
12:48:43 [klanz2]: klanz2 has joined #xmlsec
12:49:09 [fjh]: Agenda: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0029.html
12:50:02 [fjh]: Regrets: Thomas Roessler, Shivaram Mysore
12:51:26 [klanz2]: Hi, I'm currently in a train in Austria, so I may have dificulties to dial in using VoIP, ...
12:51:27 [klanz2]: There is no access number in Austria I could use to dial in, isn't it?
12:53:07 [sean]: sean has joined #xmlsec
12:55:20 [rdmiller]: rdmiller has joined #xmlsec
12:56:25 [Zakim]: T&S_XMLSEC()9:00AM has now started
12:56:32 [Zakim]: + +1.443.695.aaaa
12:57:10 [rdmiller]: Zakim aaa is rdmiller
12:58:01 [EdS]: EdS has joined #xmlsec
12:58:26 [brich]: brich has joined #xmlsec
12:58:30 [Zakim]: +Frederick_Hirsch
12:58:43 [fjh]: zakim, who is here?
12:58:43 [Zakim]: On the phone I see +1.443.695.aaaa, Frederick_Hirsch
12:58:44 [Zakim]: On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
12:59:00 [fjh]: zakim, aaaa is Rob Miller
12:59:00 [Zakim]: I don't understand 'aaaa is Rob Miller', fjh
12:59:07 [Zakim]: + +1.512.401.aabb
12:59:08 [fjh]: zakim, aaaa is rdmiller
12:59:08 [Zakim]: +rdmiller; got it
12:59:20 [fjh]: zakim, aabb is brich
12:59:20 [Zakim]: +brich; got it
12:59:28 [fjh]: zakim, who is here?
12:59:28 [Zakim]: On the phone I see rdmiller, Frederick_Hirsch, brich
12:59:29 [Zakim]: On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
12:59:34 [Zakim]: + +1.617.876.aacc
12:59:42 [EdS]: trying to dial in
12:59:46 [fjh]: zakim, aacc is sean
12:59:46 [Zakim]: +sean; got it
12:59:55 [fjh]: zakim, who is here?
12:59:55 [Zakim]: On the phone I see rdmiller, Frederick_Hirsch, brich, sean
12:59:57 [Zakim]: On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:00:22 [Zakim]: +Ed_Simon
13:00:22 [rdmiller]: Zakim, mute me
13:00:24 [Zakim]: rdmiller should now be muted
13:00:24 [fjh]: zakim, who is making noise
13:00:24 [Zakim]: I don't understand 'who is making noise', fjh
13:00:40 [klanz2]: I'll be on the chat and try to call in at 6) Bestpractices
13:00:45 [fjh]: zakim, who is here?
13:00:45 [Zakim]: On the phone I see rdmiller (muted), Frederick_Hirsch, brich, sean, Ed_Simon
13:00:47 [Zakim]: On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:01:12 [Zakim]: + +1.978.244.aadd
13:01:15 [klanz2]: bruce is making noise, maybe ...
13:01:26 [brich]: zakim, mute me
13:01:26 [Zakim]: brich should now be muted
13:01:43 [fjh]: zakim, aadd is jwray
13:01:43 [Zakim]: +jwray; got it
13:01:49 [fjh]: zakim, who is here?
13:01:49 [Zakim]: On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray
13:01:51 [Zakim]: On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:01:52 [pdatta]: pdatta has joined #xmlsec
13:03:31 [EdS]: John Wray to scibe on June 3.
13:03:38 [EdS]: s/scibe/scribe/
13:04:25 [EdS]: Next meeting is 2008 June 3.
13:04:37 [Zakim]: + +1.650.506.aaee
13:04:39 [EdS]: TOPIC: Administrative Words
13:04:46 [fjh]: zakim, aaee is pdatta
13:04:46 [Zakim]: +pdatta; got it
13:04:55 [fjh]: zakim, who is here?
13:04:55 [Zakim]: On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta
13:04:57 [Zakim]: On IRC I see pdatta, brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:05:38 [EdS]: TOPIC: F2F
13:05:55 [fjh]: F2F for next WG planned. 16-17 July, Barcelona
13:06:01 [EdS]: Next F2F is in Barcelona from July 16-17
13:06:26 [EdS]: TOPIC: WG Chartering
13:06:44 [EdS]: fjh: Ask your rep to register your interest
13:06:46 [fjh]: http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2008May/0003.html
13:07:20 [EdS]: Comments from a couple of companies were incorporated into the charter.
13:07:28 [Zakim]: + +aaff
13:07:47 [fjh]: charter link http://www.w3.org/2008/02/xmlsec-charter.html
13:08:08 [fjh]: home page for new xmlsec http://www.w3.org/2008/xmlsec/
13:08:33 [EdS]: Mail list not set up for new WG
13:08:53 [deastlak]: deastlak has joined #xmlsec
13:09:01 [EdS]: TOPIC: XML Signature 2ed
13:09:04 [fjh]: zakim, who is here?
13:09:04 [Zakim]: On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, +aaff
13:09:06 [Zakim]: On IRC I see deastlak, pdatta, brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:09:29 [fjh]: zakim, aaff is deastlak
13:09:29 [Zakim]: +deastlak; got it
13:09:42 [PHB2]: PHB2 has joined #xmlsec
13:09:59 [EdS]: Important to register for the new WG because of IPR issues.
13:10:16 [EdS]: No more comments from XML Sig 2ed PER
13:10:28 [fjh]: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0015.html
13:10:35 [Zakim]: +PHB
13:10:53 [fjh]: Additional update to remove XSL reference
13:10:59 [EdS]: fjh: One additional comment after PER was to remove XSL reference.
13:11:11 [fjh]: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0023.html
13:11:38 [EdS]: RESOLUTION: Remove non-normative XSL reference in PER references
13:11:54 [EdS]: All agreed.
13:12:18 [EdS]: fjh: No more changes foreseen to PER.
13:12:34 [fjh]: red line http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/
13:12:49 [fjh]: explain document http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/explain.html
13:12:57 [EdS]: fjh: Looks like 2ed is done.
13:13:08 [klanz]: klanz has joined #xmlsec
13:13:23 [EdS]: fjh: Please took a look at the explain document and the 2ed to see if anything catches your eye.
13:13:26 [klanz]: .
13:13:37 [EdS]: TOPIC: XML Signature 2ed RFC
13:13:57 [EdS]: Originally, XML Signature was a joint project between W3C and IETF.
13:15:29 [fjh]: might have to be proposed standard before draft standard
13:15:37 [EdS]: deastlak: Proposed creating 2nd edition RFC to IETF. Donald is looking into the standards status of XMLSIG RFC/Internet Draft/ Draft Standard.
13:16:06 [EdS]: deastlak: Might take 6 to 8 months to complete process at IETF.
13:16:56 [EdS]: deastlak: Will start looking at converting the W3C 2ed this weekend.
13:18:30 [EdS]: TOPIC: RELAX NG SCHEMA
13:18:53 [EdS]: fjh: Norm drafted a RELAX NG Schema.
13:18:56 [fjh]: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0005.html
13:19:24 [fjh]: Test results from Thomas (trang to xml schema then xml lint results)
13:19:41 [fjh]: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0007.html
13:20:54 [EdS]: fjh: Two issues: how well the RELAX version matches the official schema; and how correct the RELAX NG schema is.
13:21:17 [EdS]: Has anyone looked at the RELAX NG version?
13:21:24 [brich]: I haven't
13:21:29 [EdS]: ... (besides Thomas).
13:21:49 [klanz]: not yet ...
13:22:21 [rdmiller]: I have some guys that are interested, but getting the time could be a problem.
13:22:37 [EdS]: ACTION: Frederick to check on status with customer.
13:22:37 [trackbot-ng]: Created ACTION-158 - Check on status with customer. [on Frederick Hirsch - due 2008-05-27].
13:23:19 [EdS]: Note: change action to indicate reference to RELAX NG schema
13:23:31 [EdS]: TOPIC: Best Practices
13:24:04 [EdS]: fjh: Updated draft document with material from Hal, Pratik, and Sean
13:24:06 [fjh]: see http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0028.html
13:24:37 [EdS]: fjh: Please review Best Practices document.
13:24:38 [fjh]: please review and propose changes on list
13:24:57 [EdS]: TOPIC: Best Practices -- Retrieval Method Looping
13:25:05 [fjh]: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0022.html
13:25:29 [Zakim]: + +43.676.550.aagg
13:25:31 [EdS]: pratik: checked in files wrt denial of service (2 for retrieval method)
13:25:53 [EdS]: pratik: retrieval method could point to itself; ways of creating infinite loops.
13:26:26 [EdS]: pratik: Best Practice is to ignore Retrieval Methods.
13:26:42 [EdS]: pratik: Other 3 files were wrt XPath.
13:26:44 [Zakim]: +Hal_Lockhart
13:27:08 [EdS]: pratik: one example has 100 NS and 100 elements.
13:27:27 [EdS]: pratik: in Xpath, it becomes 100*100 nodes.
13:27:53 [hal]: hal has joined #xmlsec
13:28:04 [EdS]: pratik: leads to (100*100)^2 operations
13:28:18 [fjh]: zakim, who is here?
13:28:18 [Zakim]: On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart
13:28:21 [Zakim]: On IRC I see hal, PHB2, deastlak, pdatta, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:28:50 [EdS]: fjh: What do we next with these examples?
13:29:11 [EdS]: pratik: will provide more documentation for us to look at.
13:29:22 [fjh]: zakim, aagg is konrad lanz
13:29:22 [Zakim]: I don't understand 'aagg is konrad lanz', fjh
13:29:43 [EdS]: klanz: Was at workshop discussing web services and XML Signatures.
13:29:56 [fjh]: zakim, aagg is klanz
13:29:56 [Zakim]: +klanz; got it
13:30:10 [EdS]: klanz: XML Signature could allow random access, not just streaming.
13:31:10 [EdS]: klanz: XML Signature could be redesigned to allow better random access and more efficient processing.
13:31:33 [Zakim]: -klanz
13:32:08 [fjh]: zakim, who is here?
13:32:08 [Zakim]: On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, deastlak, PHB, Hal_Lockhart
13:32:11 [Zakim]: On IRC I see hal, PHB2, deastlak, pdatta, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:32:17 [EdS]: See Konrad's post to the list
13:32:29 [Zakim]: +klanz
13:33:16 [EdS]: Hal: klanz's proposal is on the same motivations as Ed presented at the last F2F but Konrad's is more aligned with the current XML Signature framework.
13:33:16 [fjh]: Hal noted that Konrad's approach might work with current standard
13:33:45 [fjh]: Frederick noted that work on revised version of XML Signature should be deferred to upcoming WG.
13:34:30 [EdS]: klanz: what is new is that we stay within the current syntax; web services community should consider not requiring the XML Signature to be in the SOAP header.
13:34:50 [fjh]: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0026.html
13:34:56 [EdS]: fjh: Is that work for the new WG?
13:35:06 [EdS]: Ed: Sounds to me like it is.
13:35:47 [EdS]: klanz: Thinks it would be.
13:38:00 [EdS]: Konrad to send an email to capture the technical thoughts that he just expressed.
13:39:08 [fjh]: Frederick - should remember this in newly chartered wg
13:40:17 [pdatta]: +q
13:40:58 [EdS]: ACTION: klanz2 to Draft proposal for best practices document re signed streaming content in current XML Sig syntax
13:40:58 [trackbot-ng]: Created ACTION-159 - Draft proposal for best practices document re signed streaming content in current XML Sig syntax [on Konrad Lanz - due 2008-05-27].
13:41:11 [sean]: q+
13:41:51 [EdS]: hal: should focus Konrad's ideas on HTTP streaming of XML documents
13:42:15 [fjh]: hal - simpler, possibly more impact
13:42:23 [fjh]: ack pdatta
13:42:32 [Zakim]: -klanz
13:42:34 [EdS]: klanz2: Thinks we need to be careful not limit the proposal too much.
13:43:24 [EdS]: pdatta: Signing (after content) could be done is a streaming way, but not verification.
13:43:25 [fjh]: Pratik: verification in streaming might not work, e.g. cannot know if valid until all content in memory
13:44:08 [EdS]: pdatta: Attachments also complicate things because the signature may be after the body but before the attachments.
13:44:28 [fjh]: ack sean
13:44:59 [EdS]: sean: These are interesting proposals but is hesitant to put them into best practices until we have practical experience for them.
13:45:33 [fjh]: +1
13:46:18 [EdS]: TOPIC: Best Practices -- Denial of Service
13:46:28 [fjh]: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0025.html
13:47:16 [EdS]: pdatta: 2 examples were related to XSLT and too many transforms. In XSLT, one can have nested loops. In examples, it is easy to get 100 million iterations.
13:47:45 [EdS]: pdatta: Last example wrt c14n.
13:49:31 [sean]: q+
13:49:58 [EdS]: Compared XPath node set with DOM tree approach. Best to limit number of transforms and also be aware of the impract preceding transforms can have on following ones.
13:50:17 [EdS]: Pratik will send an email elaborating on this.
13:50:57 [EdS]: ACTION: pdatta to Add more documentation to the Best Practices document for his examples
13:50:58 [trackbot-ng]: Created ACTION-160 - Add more documentation to the Best Practices document for his examples [on Pratik Datta - due 2008-05-27].
13:52:03 [fjh]: administrative http://www.w3.org/2007/xmlsec/Group/Overview.html
13:52:24 [fjh]: ack sean
13:52:42 [EdS]: sean: has not reviewed Best Practices document yet.
13:53:09 [fjh]: action: Frederick to add link to best practices example directory to WG administrative page
13:53:09 [trackbot-ng]: Created ACTION-161 - Add link to best practices example directory to WG administrative page [on Frederick Hirsch - due 2008-05-27].
13:53:33 [EdS]: sean: Attacks are more serious if one validates references first, should validate signature and keys first; should be stated in Best Practices document.
13:54:55 [EdS]: sean: If signature verifies, and one trusts the source, then less likely that message would be an attack.
13:56:13 [EdS]: hal: Cannot check the signature is valid without checking the transforms. Can steal someone else's signature part to get past first check.
13:56:33 [EdS]: Sean to review Best Practices document.
13:57:13 [fjh]: Pratik: transforms in RetrievalMethod is risk even when getting the key first, so still issue related to validating signature
13:58:14 [EdS]: pdatta: In response to Hal, points out the transforms are checked as part of verifying the signature.
13:58:41 [EdS]: ...therefore verifying the signature first does provide some security against DOS.
13:58:49 [EdS]: s/DOS/DoS/
13:59:06 [fjh]: link to denial of services directory: http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/samples/
13:59:12 [EdS]: hal: Will look into this further.
13:59:23 [fjh]: q?
13:59:58 [EdS]: fjh: Everyone please look at Best Practices document and continue discussion on mailing list.
14:00:44 [EdS]: fjh: Juan Carlos had message about time stamp practices; please take a look at it.
14:01:03 [fjh]: best practices draft http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
14:01:27 [fjh]: juan carlos message: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0030.html
14:01:35 [EdS]: TOPIC: Action Items Review
14:01:49 [klanz2]: klanz2 has joined #xmlsec
14:02:25 [EdS]: Action-151 is open.
14:03:06 [EdS]: Action-154 and Action-153 Open.
14:03:45 [fjh]: XMLHttpRequest review request - please indicate if you plan to review
14:04:01 [EdS]: No official action item for XMLHttpRequest review request, but please review it.
14:04:23 [EdS]: Closed Action-155
14:04:30 [EdS]: Close Action-155
14:04:30 [trackbot-ng]: ACTION-155 add timestamp/nonce material from Hal Lockhart to best practices document closed
14:04:39 [EdS]: Close Action-156
14:04:39 [trackbot-ng]: ACTION-156 incorporate Pratik update to best practices on transforms closed
14:04:50 [EdS]: Close Action-157
14:04:50 [trackbot-ng]: ACTION-157 incorporate Sean's best practice material closed
14:05:13 [Zakim]: -PHB
14:05:19 [EdS]: Action-150 is still open.
14:05:47 [EdS]: TOPIC: Administration - Closing Words
14:06:07 [EdS]: Next meeting is June 3, talk to your AC rep about joining new WG.
14:06:31 [EdS]: Everyone, please review Best Practices.
14:06:32 [Zakim]: -Hal_Lockhart
14:06:38 [Zakim]: -brich
14:06:43 [klanz2]: bye bye
14:06:45 [pdatta]: pdatta has left #xmlsec
14:06:50 [Zakim]: -pdatta
14:07:06 [Zakim]: -jwray
14:07:09 [fjh]: Zakim, list participants
14:07:09 [Zakim]: As of this point the attendees have been +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray,
14:07:12 [Zakim]: ... +1.650.506.aaee, pdatta, +aaff, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:07:16 [Zakim]: -sean
14:07:56 [fjh]: Present: Ed Simon, Pratik Datta, Donald Eastlake, Frederick Hirsch, Hal Lockhart, Bruce Rich, Konrad Lanz, Phill Hallam-Baker, John Wray, Rob Miller, Sean Mullan
14:08:13 [fjh]: Zakim, list participants
14:08:13 [Zakim]: As of this point the attendees have been +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray,
14:08:17 [Zakim]: ... +1.650.506.aaee, pdatta, +aaff, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:08:24 [fjh]: RRSAgent, make log public
14:08:34 [fjh]: RRSAgent, generate minutes
14:08:34 [RRSAgent]: I have made the request to generate http://www.w3.org/2008/05/20-xmlsec-minutes.html fjh
14:10:01 [Zakim]: -Frederick_Hirsch
14:10:02 [Zakim]: -Ed_Simon
14:10:07 [Zakim]: -rdmiller
14:10:09 [Zakim]: -deastlak
14:10:10 [fjh]: zakim, who is here?
14:10:11 [Zakim]: On the phone I see no one
14:10:12 [Zakim]: On IRC I see klanz2, PHB2, deastlak, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, trackbot-ng
14:10:14 [Zakim]: T&S_XMLSEC()9:00AM has ended
14:10:16 [Zakim]: Attendees were +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray, +1.650.506.aaee, pdatta, +aaff,
14:10:18 [Zakim]: ... deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:10:49 [klanz2]: @desatlak, have you seen the request about whirlpool?
14:10:55 [klanz2]: for RFC 4051?
14:12:10 [deastlak]: No.
14:23:33 [klanz2]: klanz2 has joined #xmlsec
14:59:18 [tlr]: tlr has joined #xmlsec
16:19:53 [Zakim]: Zakim has left #xmlsec