See also: IRC log
<trackbot> Date: 07 October 2008
<fjh> http://www.w3.org/2008/xmlsec/Group/Scribe-Instructions.html
<scribe> Scribe: Gerald Edgar
Norm Walsh - XML processing group
what is the implication of XML processing on encryption.
In the work by the xml processing group there were aspects of security in intial drafts, but that was taken out. The recognition of the need for inclusion was the prompt to contact this (the XMLSEC) gorup.
<brich> http://www.w3.org/TR/xproc/
In the XML Processing group, the goal is to produce a language that enables people to define a sequences of preocesses, composing processes from other proccesses.
<klanz2> http://www.w3.org/TR/xproc/#c.compare
a reference process model for xml signatures, to process a document is perhaps similar to an xproc pipeline.
<klanz2> XMLDSig Transfroms chains defines that Inputs and outputs are either, node-set data or octet streams, beside that interoperability is the limit and that's a rather hard limit ...
Xproc has an extensability model. One example is in RDF where they can define the required steps
Similarly, a security extention defining the steps for security could be done
In xProc, there are 2 kinds of steps, the first is "atomic" e.g. XSLT and the second is "compound", which is composed of other steps.
encryption and decryption could be defined as compound steps.
the XPROC group at first saw security as atomic steps, but perhaps they were more complex
is it that people adopting xproc would have to redo their processes?
Is there
open-source available for XProc?
yes - e.g. "calabash"
<klanz2> http://xmlcalabash.com/
they are attempting to make this "streamable"
there is no requirement for streamable. but a lot of the steps can steam.
Xpath as a performance issue.
there is flexability to use XPath 1 or XPath 2
most of the actions people use can use xpath 1 or xpath 2
is there a requirement for fidelity or "rountripping" mode?
what flows in the pipeline are infosets.
rather than a sequence of bytes.
<fjh> norm notes c14n would be serialization step, end of pipeline
the only step requiring the input and the out being the same is the identity step.
<fjh> norm notes implementation defined what done with document before handed to piipeline
schma validation is a step that might be done before handing the infoset to the pipeline.
<fjh> norm notes XPath serialization
all the steps have serialization options.
providing security steps to XProc will also entail specifying the required security options
<klanz2> Just, FYI .... then the
additional serialization parameters MAY affect
the output of the serializer to the extent (but only to the
extent)
that this specification leaves the output
implementation-defined or
implementation-dependent. ...
<klanz2> from our last minutes: http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0065.html
Will people learn to glue the primatives together?
The Xproc group wants people to be able to use a pipeline rather than using a library. and to make this as easy as an XSLT sylesheet. The goal is to specify a standard XProc pipeline
Norm: his view is that security is composed of compund steps.
<fjh> norm notes may want compound step plus primatives
[Konrad] is there a notion of payload?
<fjh> norm notes, no protection from inherited namespace
Norm: there is a notion of a
payload - such as in an enclosed document
... there is work to define the security steps.
... he is willing to work with us on defining the steps.
Hal: a notion of sending Xproc with a document.
Norm:this is posable,
Hal:this is a potential security hole.
<fjh> norm notes security in 2.12, can send xproc with data
Norm:there is not a notion of signing an XProc
<fjh> norm notes [they have] have tried to keep core as small number of steps, 31, spec notes how to connect them
Norm: they tried to minimize the
basic steps (to 31)
... defining security in terms of Xproc, he does not see a
problem with that.
... to define security - it is reasonable to use signed xproc.
the pipeline is an XML document, it too can be signed.
... if we define security within XProc, he thinks this would be
accepted.
fjh:this would be a good idea to meet with XProc. Perhaps an hour to talk of this.
<scribe> ACTION: fjh to sceduale time with XProc group for security [recorded in http://www.w3.org/2008/10/07-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-75 - Sceduale time with XProc group for security [on Frederick Hirsch - due 2008-10-14].
fjh:no meeting next week
review the agenda for the F2F
<fjh> draft f2f agenda - http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0067.html
<fjh> http://www.w3.org/2008/xmlsec/Group/Overview.html
fjh: Do we need to cancel any meetings?
meet after the F2F? on the 4th, and 11th. Cancel the 25th of November. ( Since it is the Thanksgiving holiday in the US)
fjh:propose to cancel the 25
resolution, Cancel the meeting on the 25th of November
<tlr> my regrets for both of these
fjh: we will have 8 calls before year-end to get the deliverables out.
RESOLUTION: Cancel the meeting on the 25th of November
RESOLUTION: Cancel
the meeting of the 30th of December
resolution: Cancel the meetings on the 25th
November
... Cancel the meetings on the 25th November
... Cancel the meetings on the 30th of December 2008.
fjh: minor changes,
RESOLUTION: the minutes for the 23rd of September are approved.
fjh: meetings [have been] firmed up at the face to face
There are pointers to materials in the agenda.
<fjh> webapps http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0076.html
fjh: face to face planning. we need to have an adea of what we want to do
we meet in January [in Redwood City] the next might be in May.
<tlr> 2-6 November, Santa Clara
The next Plenery is
November 2-6 November [ In Santa Clara]
<jcruella> UPC could host if you want
We have the meeting at the plenery - so we have one more meeting to plan.
fjh: the document has been edited.
<fjh> proposal 1 - http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0068.html
Review this to address issue 55 to change "should" to "it is recommended"
there is a need to review the document carefully.
fjh:to review and approve the
document so we can publish it.
RESOLUTION: The proposal for Issue-55 is accepted
<klanz2> Not here http://lists.w3.org/Archives/Member/member-xmlsec/2008Oct/ and not here http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/
<klanz2> JCC: maybe post again your comments to the list ...
<fjh> proposal 2 - http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0069.html
FJH: issue -53 to reword the best practice - proposal 2
<jcruella> I had sent the message to another list...apologies.. I have now sent the message to the public list.
This would close Action 72
<fjh> proposal 3 - http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0070.html
RESOLUTION: To
accept the proposal for issue-55
... to accept the proposal for issue-53
<fjh> proposal 4 - ISSUE-56 Add references for timestamping proposal
RESOLUTION: To accept the proposal to update the titles of the sections
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0071.html
<jcruella> sorry... was dropped of the call....call back in few seconds
fjh: To add the references to xades in the best practices
RESOLUTION: To add the references to xades in the best practices
<fjh> proposal 5 - http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0008.html
<trackbot> ACTION-70 -- Thomas Roessler to propose disclaimer for SOTD -- due 2008-09-30 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/70
<klanz2> "XAdES_v1.3.2" "http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=21353" XML Advanced Electronic Signatures (XAdES). ETSI TS 101 903 V1.3.2 (2006-03) -> Talks about Timestamps for long term signatures ...
Thomas: The wording that should be that the best practices are not normative. It is not a recommmendation.
<tlr> ACTION-70 closed
<trackbot> ACTION-70 Propose disclaimer for SOTD closed
RESOLUTION:
Accept
the proposal from Action-70 from Thomas
... Accept the proposal from Action-70 from Thomas
<jcruella> XAdES: the reference should include the complete title... could you put an action on me for providing it?
<fjh> additional item from Bruce - http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0012.html
<scribe> ACTION: jcruella to provide the complete title of XAdES for the best practices reference [recorded in http://www.w3.org/2008/10/07-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-76 - Provide the complete title of XAdES for the best practices reference [on Juan Carlos Cruellas - due 2008-10-14].
... TO accept changes raised in terms of the corrections.
<scribe> ACTION: Thomas to deal with the titling [recorded in http://www.w3.org/2008/10/07-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-77 - Deal with the titling [on Thomas Roessler - due 2008-10-14].
<tlr> action-77?
<trackbot> ACTION-77 -- Thomas Roessler to deal with the titling -- due 2008-10-14 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/77
<scribe> ACTION: Pratik will add the time stamp reference to the best practices [recorded in http://www.w3.org/2008/10/07-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-78 - Will add the time stamp reference to the best practices [on Pratik Datta - due 2008-10-14].
<scribe> ACTION: fjh to address Action-53, Action-55 and action-70 [recorded in http://www.w3.org/2008/10/07-xmlsec-minutes.html#action05]
<trackbot> Created ACTION-79 - Address Action-53, Action-55 and action-70 [on Frederick Hirsch - due 2008-10-14].
<fjh> jcc notes best practice 1 and 3
Juan Carlos: Best practice 1 and 3 to substitute terms
<jcruella> Best Practice 1: Mitigate denial of service attacks by executing potentially dangerous operations only after authenticating the signature.
<fjh> jcc notes text talks about building trust
<jcruella> Best Practice 3: Establish trust in the verification/validation key.
<fjh> jcc notes duplication
<fjh> jcc suggestion changing title of bp #1 only after estabishing trust in the key
<jcruella> Best Practice 1: Mitigate denial of service attacks by executing potentially dangerous operations only after establishing trust in the verification/validation key
<jcruella> and eliminate best practice 3.
<jcruella> Step 1 fetch the verification key and establish trust in that key
fjh: edit the document that we can look at a complete draft rather than scattered proposals and fragments.
<fjh> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
<fjh> WebApps SHA-1 Algorithm
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0077.html
take a look at the message on the mailing list - profiling on SHA-1
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0000.html
<klanz2> http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0000.html
<fjh> provide proposal on list regarding transform primitives
<fjh> konrad suggests having simple transforms that can be implemented in parallel
<fjh> konrad suggests they be idempotent
Konrad: a collection of simple transforms potentially to be executed in parrallel
Konrad: XPROC is much powerful than
we need for signatures
... he is seeking simplification
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0003.html
what happens if an XML docuemnt incloudes a references to an XML name space and its effects on cononicalization
Konrad: problems with a data model underneath c14n with xpath
<fjh> Hoylen
<tlr> ACTION: konrad to propose answer to http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0003.html [recorded in http://www.w3.org/2008/10/07-xmlsec-minutes.html#action06]
<trackbot> Created ACTION-80 - Propose answer to http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0003.html [on Konrad Lanz - due 2008-10-14].
<scribe> ACTION: klanz2 to provide an answer from hoylen [recorded in http://www.w3.org/2008/10/07-xmlsec-minutes.html#action07]
<trackbot> Created ACTION-81 - Provide an answer from hoylen [on Konrad Lanz - due 2008-10-14].
RESOLUTION: that all pending actions are closed
<tlr> ACTION-4 closed
<trackbot> ACTION-4 Arrange joint F2F meetings closed
<tlr> ACTION-19 closed
<trackbot> ACTION-19 Evaluate Issues and Actions for appropriate placement closed
<klanz2> http://www.w3.org/TR/xml-c14n.html#ProcessingModel
<klanz2> To finish processing L, simply process every namespace node in L, except omit namespace node with local name xml, which defines the xml prefix, if its string value is http://www.w3.org/XML/1998/namespace.
<tlr> ACTION-65 closed
<trackbot> ACTION-65 Document use case and semantics of byte-range signatures. closed
<tlr> ACTION-67 closed
<trackbot> ACTION-67 Edit best practices to implement Scott's and his own changes; see http://www.w3.org/2008/09/23-xmlsec-irc#T14-20-33 closed
<tlr> ACTION-68 closed
<trackbot> ACTION-68 Implement http://www.w3.org/2008/09/23-xmlsec-irc#T14-25-06, http://www.w3.org/2008/09/23-xmlsec-irc#T14-24-47 closed
<tlr> ACTION-72 closed
<trackbot> ACTION-72 Contribute synopsis for each best practice closed