W3C

XML Security Specifications Maintenance Working Group Teleconference

20 May 2008

Agenda

See also: IRC log

Attendees

Present
Ed_Simon, Pratik_Datta, Donald_Eastlake, Frederick_Hirsch, Hal_Lockhart, Bruce_Rich, Konrad_Lanz, Phill_Hallam-Baker, John_Wray, Rob_Miller, Sean_Mullan
Regrets
Thomas_Roessler, Shivaram_Mysore
Chair
Frederick Hirsch
Scribe
EdS (Ed Simon)

<trackbot-ng> Date: 20 May 2008

<klanz2> Hi, I'm currently in a train in Austria, so I may have difficulties to dial in using VoIP, ...

<klanz2> There is no access number in Austria I could use to dial in, isn't it?

<rdmiller> Zakim aaa is rdmiller

trying to dial in

<klanz2> I'll be on the chat and try to call in at 6) Bestpractices

<klanz2> bruce is making noise, maybe ...

John Wray to scribe on June 3.

Next meeting is 2008 June 3.

Administrative Opening Words

F2F

Next F2F is in Barcelona from July 16-17

WG Chartering

fjh: Ask your rep to register your interest

<fjh> http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2008May/0003.html

Comments from a couple of companies were incorporated into the charter.

<fjh> charter link http://www.w3.org/2008/02/xmlsec-charter.html

<fjh> home page for new xmlsec http://www.w3.org/2008/xmlsec/

Mail list not set up for new WG

XML Signature 2ed

Important to register for the new WG because of IPR issues.

No more comments wrt XML Sig 2ed PER

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0015.html

fjh: One additional comment after PER was to remove XSL reference.

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0023.html

RESOLUTION: Remove non-normative XSL reference in PER references

All agreed.

fjh: No more changes foreseen to PER.

<fjh> red line http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/

<fjh> explain document http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/explain.html

fjh: Looks like 2ed is done.
... Please take a look at the explain document and the 2ed to see if anything catches your eye.

<klanz> .

XML Signature 2ed RFC

Originally, XML Signature was a joint project between W3C and IETF.

<fjh> might have to be proposed standard before draft standard

deastlak: Proposed creating 2nd edition RFC to IETF. Donald is looking into the standards status of XMLSIG RFC/Internet Draft/ Draft Standard.
... Might take 6 to 8 months to complete process at IETF.
... Will start looking at converting the W3C 2ed this weekend.

RELAX NG SCHEMA

fjh: Norm drafted a RELAX NG Schema.

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0005.html

<fjh> Test results from Thomas (trang to xml schema then xml lint results)

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0007.html

fjh: Two issues: how well the RELAX NG version matches the official schema; and how correct the RELAX NG schema is.

Has anyone looked at the RELAX NG version (besides Thomas)?

<brich> I haven't

<klanz> not yet ...

<rdmiller> I have some guys that are interested, but getting the time could be a problem.

<scribe> ACTION: Frederick to check on status with customer. [recorded in http://www.w3.org/2008/05/20-xmlsec-minutes.html#action01]

<trackbot-ng> Created ACTION-158 - Check on status with customer. [on Frederick Hirsch - due 2008-05-27].

Note: change action to indicate reference to RELAX NG schema

Best Practices

fjh: Updated draft document with material from Hal, Pratik, and Sean

<fjh> see http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0028.html

fjh: Please review Best Practices document and propose changes on list

Best Practices -- Retrieval Method Looping

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0022.html

pratik: checked in files wrt denial of service (2 for retrieval method)
... retrieval method could point to itself; ways of creating infinite loops.
... Best Practice is to ignore Retrieval Methods.
... One example is wrt XPath.
... It has 100 NS and 100 elements.
... in XPath, it becomes 100*100 nodes.
... leads to (100*100)^2 operations

fjh: What do we do next with these examples?

pratik: will provide more documentation for us to look at.

klanz: Was at workshop discussing web services and XML Signatures.
... XML Signature could allow random access, not just streaming.
... XML Signature could be redesigned to allow better random access and more efficient processing.

See Konrad's post to the list

Hal: klanz's proposal is on the same motivations as Ed presented at the last F2F but Konrad's is more aligned with the current XML Signature framework.

<fjh> Hal noted that Konrad's approach might work with current standard

<fjh> Frederick noted that work on revised version of XML Signature should be deferred to upcoming WG.

klanz: what is new is that we stay within the current syntax; web services community should consider not requiring the XML Signature to be in the SOAP header.

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0026.html

fjh: Is that work for the new WG?

Ed: Sounds to me like it is.

klanz: Thinks it would be.

Konrad to send an email to capture the technical thoughts that he just expressed.

<fjh> Frederick - should remember this in newly chartered wg

<pdatta> +1 (ed. Pratik had written "+q" here, but I assume he meant "+1")

<scribe> ACTION: klanz2 to Draft proposal for best practices document re signed streaming content in current XML Sig syntax [recorded in http://www.w3.org/2008/05/20-xmlsec-minutes.html#action02]

<trackbot-ng> Created ACTION-159 - Draft proposal for best practices document re signed streaming content in current XML Sig syntax [on Konrad Lanz - due 2008-05-27].

hal: should focus Konrad's ideas on HTTP streaming of XML documents

<fjh> hal - simpler, possibly more impact

klanz2: Thinks we need to be careful not to limit the proposal too much.

pdatta: Signing (after content) could be done in a streaming way, but not verification.

<fjh> Pratik: verification in streaming might not work, e.g. cannot know if valid until all content in memory

pdatta: Attachments also complicate things because the signature may be after the body but before the attachments.

sean: These are interesting proposals but is hesitant to put them into best practices until we have practical experience for them.

<fjh> +1

Best Practices -- Denial of Service

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0025.html

pdatta: Last 2 examples were related to XSLT and too many transforms. In XSLT, one can have nested loops. In examples, it is easy to get 100 million iterations.
... Last example wrt c14n.

Compared XPath node set with DOM tree approach. Best to limit number of transforms and also be aware of the impact preceding transforms can have on following ones.

Pratik will send an email elaborating on this.

<scribe> ACTION: pdatta to Add more documentation to the Best Practices document for his examples [recorded in http://www.w3.org/2008/05/20-xmlsec-minutes.html#action03]

<trackbot-ng> Created ACTION-160 - Add more documentation to the Best Practices document for his examples [on Pratik Datta - due 2008-05-27].

<fjh> administrative http://www.w3.org/2007/xmlsec/Group/Overview.html

sean: has not reviewed Best Practices document yet.

<fjh> ACTION: Frederick to add link to best practices example directory to WG administrative page [recorded in http://www.w3.org/2008/05/20-xmlsec-minutes.html#action04]

<trackbot-ng> Created ACTION-161 - Add link to best practices example directory to WG administrative page [on Frederick Hirsch - due 2008-05-27].

sean: Attacks are more serious if one validates references first, should validate signature and keys first; should be stated in Best Practices document.
... If signature verifies, and one trusts the source, then less likely that message would be an attack.

hal: Cannot check the signature is valid without checking the transforms. Can steal someone else's signature part to get past first check.

Sean to review Best Practices document.

<fjh> Pratik: transforms in RetrievalMethod is risk even when getting the key first, so still issue related to validating signature

pdatta: In response to Hal, points out the transforms are checked as part of verifying the signature.
... therefore verifying the signature first does provide some security against DoS.

<fjh> link to denial of services directory: http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/samples/

hal: Will look into this further.

fjh: Everyone please look at Best Practices document and continue discussion on mailing list.
... Juan Carlos had message about time stamp practices; please take a look at it.

<fjh> best practices draft http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/

<fjh> juan carlos message: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0030.html

Action Items Review

Action-151 is open.

Action-154 and Action-153 Open.

<fjh> XMLHttpRequest review request - please indicate if you plan to review

No official action item for XMLHttpRequest review request, but please review it.

<scribe> Closed Action-155

Close Action-155

<trackbot-ng> ACTION-155 add timestamp/nonce material from Hal Lockhart to best practices document closed

Close Action-156

<trackbot-ng> ACTION-156 incorporate Pratik update to best practices on transforms closed

Close Action-157

<trackbot-ng> ACTION-157 incorporate Sean's best practice material closed

Action-150 is still open.

Administration - Closing Words

Next meeting is June 3, talk to your AC rep about joining new WG.

Everyone, please review Best Practices.

<klanz2> bye bye

Summary of Action Items

[NEW] ACTION: Frederick to add link to best practices example directory to WG administrative page [recorded in http://www.w3.org/2008/05/20-xmlsec-minutes.html#action04]
[NEW] ACTION: Frederick to check on status with customer. [recorded in http://www.w3.org/2008/05/20-xmlsec-minutes.html#action01]
[NEW] ACTION: klanz2 to Draft proposal for best practices document re signed streaming content in current XML Sig syntax [recorded in http://www.w3.org/2008/05/20-xmlsec-minutes.html#action02]
[NEW] ACTION: pdatta to Add more documentation to the Best Practices document for his examples [recorded in http://www.w3.org/2008/05/20-xmlsec-minutes.html#action03]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2008/06/03 14:22:30 $