XML Security Working Group Face-To-Face Meeting

16 Jul 2008


See also: IRC log


Subramanian Chidambaram (SC), Frederick Hirsch (fjh), Gerald Edgar (Gerald), Chris Solc (csolc), Konrad Lanz (klanz2), Thomas Roessler (tlr), Brian LaMacchia (bal), Hal Lockhart (hal), Bruce Rich (brich), Sean Mullan (sean), Magnus Nystrom (magnus), Anil Saldhana (anil), Rob Miller (rmiller), Juan Carlos Cruellas, Pratik Datta, Ed Simon
Frederick Hirsch
Konrad Lanz, Hal Lockhart


<trackbot> Date: 16 July 2008

1) Welcome, Attendance/Introductions, Agenda review (10:00-10:30 am, 30 min)

Hello Everyone,

<fjh> Scribe: Konrad Lanz

fjh: Introducing himself - work for Nokia, chairing this group, was chair of previous XML Security Specifications Maintenance WG. Participated in original XML Signature and Encryption working groups and XKMS. Active in OASIS, including the Board and SAML TC.

brich: intro ...

SC: intro ... working for Nokia, on SAML OpenID ...

bal: intro ... XMLSEC, WSS, ...

hal: intro ... WSS, WS-SX, SSTC - Co-Chair, Oasis Technical Advisor ...

tlr: intro ,,, team contact, means I'm your man in W3C ...

klanz2: ... XML Toolkit @ IAIK/SIC

jcc: upc ... standardization

csolc: five years in the area with adobe

gerald: client of XMLDSIG ...

sean: intro ... SUN, XML sec implementions, JSR105 ...

@all: please augment where needed ...

RESOLUTION: Dinner @21:00, all are coming

rdmiller: intro ... MITRE Supports US Dept. of Defense, daily contact with XML and XMLSEC, user perspective and best practices pperspective
... update crypto, NSA suite B

magnus: inro ... working for RSA, standardization PKCS

<rmiller> silence

setting up again

<tlr> yes, we got dropped

<tlr> sorry

lost the bridge

fjh: minutes @ every meeting
... on the irc chat
... notes during the meeting, you are encouraged to augment and correct them
... minutes are public
... minutes are in general public, n
... but we might make them private until approved
... part of the job of scribing is cleaning the minues at the end

fjh: its cumbersome to move minutes around from private to public

klanz: member-list

tlr: yes, the member list, ...

RESOLUTION: Scribe will post the minutes once edited to member-list and as soon as approved to the public-list

Subject: [minutes-draft], [minutes-approved] to be used ...

klanz2: we can then use the list searc features to list all the minutes ...

<fjh> scribe instructions http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html




fjh: volunteer for scribing, ....
We will share scribing round robin in the WG, apart from the Chair and Team contact.

2) Scribing and Minutes (10:30 - 10:45 15 min)

2a) Scribe duties and scribe selection process


2b) Scribe volunteers for F2F:

Wed morning (16 July am) - Konrad

Wed afternoon (16 July pm) - Hal

Thursday morning (17 July am) - Bruce

Thursday afternoon (17 July pm) - Sean

hal: leaving tomorrow ...

brich: thursday morning

sean: thursday afternoon

3) WG Scheduling (10:45-11:15, 30 min)

fjh: one hour to little, need two hours

3a) Teleconference Scheduling

<fjh> http://www.w3.org/2002/09/wbs/42458/xmlsec2008telco/

RESOLUTION: Tuesdays 10am ET, two hours

3b) Upcoming meetings

fjh: one more F2F, tech planary colocated
... 20-21. Oct. 2008
... What joint meeting do we need?
... EXI, XML Core,

klanz: namespace inheritance -> xml core
... enveloping signatures

<klanz22> hal: encapsulation


<scribe> ACTION: fjh to arrange joint meetings on the coordination call [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-4 - Arrange joint meetings on the coordination call [on Frederick Hirsch - due 2008-07-23].

fjh: telco starting on time, ... we start on time ... try to be on time
... charter, do we need the infoset, what to do with C14n, doe we need transforms ...

hal: need to be aware of interdependencies and conflicting goals

fjh: we need to take advantage of members as resource for editing, actions etc ....
... maintaining issues lists
... workshop results last year, went into requirements ...

that one ?: http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0006.html


hal: ECC SuiteB, (IPR ... ), no one from NIST or NSA here ?
... Encryption and Signature in hardware?

rdmiller: have contact into both areas, re SuiteB and hardware

<trackbot> ACTION-27 -- Robert Miller to contact crypto hardware and suiteB experts in NSA regarding XML Security WG and possible involvement -- due 2008-08-08 --OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/27

bal: even if do not get direct involvement, we hope we can obtain feed back ...
... on request.

5) Introduction to W3C, W3C process and Tools [Thomas Roessler] (11:30 - 12:00, 30 min) am ET)


hal: heart beat requirement?

tlr: draft every three month for each deliverable

bal: Don Eastlake? IETF?

hal: Encryption not an RFC ...

tlr: minutes, we value availability over perfection
... vCal availiable for tracker items ... there is a feed

<fjh> can enter action-# to get link to it

<fjh> action-001

<tlr> action-001?

<trackbot> ACTION-1 -- Thomas Roessler to test trackbot-ng -- due 2007-04-12 -- CLOSED

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/1

NOTE: Update the association with the new Workgroup, and associate Products

<tlr> COI policy http://www.w3.org/2005/10/Process-20051014/policies.html#coi

<sean> ack

general discussion on IPR

tlr: WG notes are not covered by the IPR policy

brich: did we have any under the maintenance group?

tlr: test cases, best practices ...

hal: distinction between public review and WG issues raised?

fjh: process wise different
... external comments will be discussed ... internal one have to be specific ....
... we need to more formal to get get more review ...

tlr: use working relations and formal contact where suited ...

hal: there is a difference between getting plain feedback vs. formal feed back from other groups that might not even be existence any more ...

<scribe> ACTION: fjh to check how the formal OASIS liasion is working. [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action06]

<trackbot> Created ACTION-5 - Check how the formal OASIS liasion is working. [on Frederick Hirsch - due 2008-07-23].

hal: the conflict of interest policy is section 3.1.1 W3C process ...

<tlr> http://www.w3.org/2001/11/StdLiaison#OASIS needs update, incidentally. That's an action on me. I suspect.

<anil> zamkim, code?

9). Tools decisions and volunteers (14:00 - 15:00, 1 hr)

fjh: home page simple, if you want to enhance please do so its in cvs
... we should get a wiki, wiki didn't work to good in the past
... volunteers for main page?
... tracker, lists issues and actions ...

<jcc> FH; something that we did not used: tool for creating new issues

<anil> http://www.w3.org/2006/WSC/track/issues/200

<anil> example ^^^

<jcc> Link: www.w3.org/2008/xmlsec/track/issues/new

<jcc> FH: certain basic rules for new issues, including meaningful information categories

<jcc> details in www.w3.org/2002/ws/policy/

<jcc> actually in http://www.w3.org/2002/ws/policy/#issues

fjh: issues lists is a good tool to move issues through states

Using Tracker for Issues

<tlr> ISSUE: tracker doesn't get its e-mails through

<trackbot> Created ISSUE-2 - Tracker doesn't get its e-mails through ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/2/edit .

fjh: we need a volunteer to take responsibility of making sure external issues get on the list

Gerald: Volunteered to take care of issue Tracking

fjh: Thanks

<Zakim> anil, you wanted to mention that the spec can be updated at places with issue numbers and dealt with as and when completed

<rmiller> Rob Miller is going offline and will not return until tomorrow morning.

Charter Review

<fjh> Pratik has been working on best practices, interested in streaming

fjh: versioning policy constrains us

work on xml enc is limited to dsig compatability and algs

updates to c14n will be jointly issued by us and xml core in order to retain IPR commitments

members of the wg are encouraged to nominate other groups who we should coordinate with

thomas to act as informal liasion with IETF

hal, jcc & fjh will liaise with OASIS TCs

bruce to informally liaise with WS-Fed

need to add ebxml tcs to list of OASIS TCs

sean to investigate ebxml liasion

<scribe> ACTION: sean to investigate ebxml liasion [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action07]

<trackbot> Created ACTION-6 - Investigate ebxml liasion [on Sean Mullan - due 2008-07-23].

<scribe> ACTION: bruce to informally liaise with WS-Fed [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action08]

<trackbot> Created ACTION-7 - Informally liase with WS-Fed [on Bruce Rich - due 2008-07-23].

<anil> I am getting involved in some healthcare security standard groups (no one in particular)

hal & fjh to liaise with WS-I BSP

will use workshop mailing list to communicate with interested parties

bruce & sean to liaise with Java community

klanz: need to tradeoff between maint and major changes

... need requirements discussion first

hal: could do low impact items first, but risk of not driving adoption of later step

sean: can have actions on wg members to provide proposals on different areas

WG Project Planning

fjh: need to focus on reqs

sean: tag with risk level

fjh: do best practices and maint in parallel

bal: whan we gather reqs will see a break btw simple and hard
... then we can decide tactics
... worry about task force idea
... relatively small group

fjh: make easy decisions up front

bal: will be pressure to produce short term spec
... will be easier to get impls

tlr: have ability to split or join specs

fjh: want to defer this for now

overview of principles and reqs

fjh: principles and requirements
... valuable exercise to go through ...
... walking through slide with original requirements ...
... design for security and mitigate attacks ...
... some workshop feed-back shows that there was a *lot* of balancing going on ...
... maybe solve through profiling ...
... revisit extensibility requirements ...
... interoperability and compatibility are important, and new since we're talking about Vnext ...
... should recognize layered architecture of implementations ...
... I probably missed some principles ...

<tlr> http://www.w3.org/2008/xmlsec/f2f-2008-07-16/rqmts/2008-07-12-xmlsec-rqmts.ppt

RESOLUTION: have a list of principles as basis for work

bal: needed both principles and usecases

klanz: may find things which are incompatible with principles
... principles SHOULD be followed

bal: principles may be in conflict

review of workshop

hal: propose 4 categories: security, performance, new features, operational errors

fjh: how should we process workshop papers?

bal: create reading groups

<bal> and schedule a few workshop papers/presentations for discussion each week during the conf call
review batch for each call to generate issues and suggestions

klanz: possibility of requesting profile of xslt?

<tlr> XSL is being chaired by Sharon Adler, IBM

<tlr> http://www.w3.org/2006/06/XML/xsl.html

klanz: noted that might need xslt transform to be able to sign including the whitespace generated by transform

bal: xsl came in as a part of web arch
... need to take a look at actual use
... maybe need to drop things which cause security problems
... may not need to carry forward all requirements from orginal dsig

klanz: most of our customers use XSLT

<EdS> XSLT can also be used as a means to collect and meld data from a variety of sources before hashing.

<fjh> review original requirements of dsig

bal: RDF was a requirement at W3C at that time

<pdatta> can you share the URL for this original requirements document

<fjh> http://www.w3.org/TR/xmldsig-requirements

bal: 3.2-4 was a reaction to CMS limitations
... 3.2 supports compound documents

<tlr> look at pkcs1 in 6.4.2

<tlr> it includes an identifier for the hash algorithm

<tlr> (rsa-sha1 algorithm)

general uncertainty about purpose of 3.3 point 3; likely interpretation: data in XML Signature takes precedence over data in crypto blob

Presentation by Magnus


hal: notes support for derived keys in various ws* specs, should consider those requirements and attempt to unify

hal: use cases?

magnus: not really there, indeed

brich: derived keys that WS-SecureConversation makes use of

... can proposal be extended to cover use cases there?

... are that will have to be done sooner or later

magnus: do not see why not; maybe take this conversation offline

hal: specs using derived keys are wss username token, ws-trust, ws-securitypolicy

... and ws-secureconversation

brich: bulk in secure conversation

not latest: http://www.oasis-open.org/specs/index.php#wssecconv1.3

Editors and volunteers

fjh: editor per spec vs. editor team
... should use XMLSPEC
... need to set up properly to use ant
... compatable with any XSLT stream
... already have editors for best practices

<tlr> ACTION: thomas to read this action's number [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action09]

<trackbot> Created ACTION-8 - Read this action's number [on Thomas Roessler - due 2008-07-23].

<scribe> ACTION: gerald to test Issues entry and list generation [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action10]

<trackbot> Sorry, couldn't find user - gerald

<scribe> ACTION: tlr to fix Tracker [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action11]

<trackbot> Created ACTION-9 - Fix Tracker [on Thomas Roessler - due 2008-07-23].

RESOLUTION: No call on July 22nd or 5 August.

... No call on Aug 5

Best Practices Document Overview

<tlr> for context: http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/

<klanz2> http://www.w3.org/TR/xmldsig-core/#sec-Secure

<klanz2> reviewing 8.1.1 - 8.1.3 : A quote from 8.1.3: Some applications might operate over the original or intermediary data but should be extremely careful about potential weaknesses introduced between the original and transformed data.

RESOLUTION: Accept Best Practices as a Work Item, based on previous work

bal: need to consider best practices for new specs

<bal> and whether some of these turn into a processing model for applications verifying sigs

RESOLUTION: Pratik to continue editing best practices document

konrad: does best practice require implementation experience?

hal: should be sure it works

<scribe> ACTION: fjh to update wg page to include issues link [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action12]

<trackbot> Created ACTION-10 - Update wg page to include issues link [on Frederick Hirsch - due 2008-07-23].

bruce: put non-normative info in back of spec, could have best practices there as well


tlr: process, once approved add to errata document, but non-normative until new edition published

... decide on update of REC when appropriate, enough docs

... not update REC or red-line at this time

<fjh> WG should review the errata and we will decide whether to approve on next call

<fjh> document section link http://www.w3.org/TR/xml-c14n11/#Example-DocSubsetsXMLAttrs

<fjh> issue link http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Jun/0021.html

<klanz2> http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec-102

<klanz2> http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec2-102