IRC log of xmlsec on 2008-10-20

Timestamps are in UTC.

06:43:25 [RRSAgent]
RRSAgent has joined #xmlsec
06:43:25 [RRSAgent]
logging to
06:43:27 [trackbot]
RRSAgent, make logs member
06:43:27 [Zakim]
Zakim has joined #xmlsec
06:43:27 [klanz2]
klanz2 has joined #xmlsec
06:43:29 [trackbot]
Zakim, this will be XMLSEC
06:43:29 [Zakim]
ok, trackbot; I see T&S_XMLSEC()2:30AM scheduled to start 13 minutes ago
06:43:30 [trackbot]
Meeting: XML Security Working Group Teleconference
06:43:30 [trackbot]
Date: 20 October 2008
06:43:57 [tlr]
zakim, who is on the phone?
06:43:57 [Zakim]
T&S_XMLSEC()2:30AM has not yet started, tlr
06:43:59 [Zakim]
On IRC I see klanz2, Zakim, RRSAgent, csolc, pdatta, tlr, bal, fhirsch3, trackbot
06:44:35 [brich]
brich has joined #xmlsec
06:45:29 [klanz2]
Hello everyone and good morning.
06:45:37 [fhirsch3]
06:45:42 [fhirsch3]
Chair: Frederick Hirsch
06:45:43 [kyiu]
kyiu has joined #xmlsec
06:46:05 [fhirsch3]
Scribe: Gerald Edgar
06:46:07 [rdmiller]
rdmiller has joined #xmlsec
06:46:12 [fhirsch3]
zakim, who is here?
06:46:12 [Zakim]
T&S_XMLSEC()2:30AM has not yet started, fhirsch3
06:46:13 [Zakim]
On IRC I see rdmiller, kyiu, brich, klanz2, Zakim, RRSAgent, csolc, pdatta, tlr, bal, fhirsch3, trackbot
06:46:35 [tlr]
zakim, call Executive_6
06:46:35 [Zakim]
ok, tlr; the call is being made
06:46:36 [Zakim]
T&S_XMLSEC()2:30AM has now started
06:46:46 [tlr]
zakim, who is on the phone?
06:46:46 [Zakim]
On the phone I see Executive_6
06:47:09 [fhirsch3]
zakim, who is here?
06:47:09 [Zakim]
On the phone I see Executive_6
06:47:10 [Zakim]
On IRC I see rdmiller, kyiu, brich, klanz2, Zakim, RRSAgent, csolc, pdatta, tlr, bal, fhirsch3, trackbot
06:48:50 [csolc]
ScribeNick: csolc
06:52:57 [csolc]
Agenda review
06:53:04 [csolc]
Welcome all
06:54:14 [G_Edgar]
G_Edgar has joined #xmlsec
06:55:57 [bal]
bal has joined #xmlsec
06:59:03 [csolc]
Topic: Liaisons
06:59:29 [tlr]
zakim, ??P4 is klanz2
06:59:29 [Zakim]
+klanz2; got it
07:00:39 [csolc]
TOPIC: Minutes Approval
07:01:07 [csolc]
Resolution: 10/07 minutes are approved
07:02:00 [csolc]
Topic: Best Practices
07:03:16 [csolc]
brich: want to confirm that it will be published as first working draft
07:03:40 [csolc]
bal: does publishing it start any w3c clock
07:03:51 [csolc]
tlr: no clock will be started
07:04:28 [klanz2]
okay, with me
07:04:54 [csolc]
Resolution: Group agrees to publish the Best Practices doc as first working draft
07:05:11 [tlr]
ACTION: thomas to prepare best practices for publication
07:05:12 [trackbot]
Created ACTION-83 - Prepare best practices for publication [on Thomas Roessler - due 2008-10-27].
07:05:26 [fhirsch3]
rrsagent, where am i?
07:07:04 [csolc]
rdmiller: does he wait to send best practice to RSA
07:08:00 [csolc]
fh: wait to send doc until tlr has doc published
07:09:37 [csolc]
Topic:Requirements updates I
07:11:01 [csolc]
ACTION-73, Title, contents update (Magnus)
07:13:11 [csolc]
bal: do we need a section on assumptions?
07:14:31 [csolc]
bal: proposals to add a section between 4 and 5 for opperation assumptions
07:14:47 [fhirsch3]
s/opperation/operational environment/
07:16:03 [csolc]
Resolution: accept the change with the addition of the operational environment assumptions
07:16:25 [csolc]
Proposal for principles section
07:18:57 [fhirsch3]
remove Specialized approaches optimized for specific use cases should be
change "security layer independent of a security layer" to security layer independent of application layer"
07:21:12 [csolc]
fh: what are first class objects
07:21:38 [klanz2]
With what respect is that important to us, maybe add a this means sentence ...
07:21:56 [csolc]
fh: XML Signature -> XML Security
07:23:10 [csolc]
fh: first class object should be defined in the original security doc
07:24:35 [csolc]
second url is the correct one
07:25:57 [tlr]
I think that Frederick was actually looking for this one:
07:26:45 [csolc]
fh: would like to accept the proposal then edit it after.
07:28:41 [csolc]
Resolution: Accept proposed principles section with the above edits
07:28:54 [gedgar]
gedgar has joined #xmlsec
07:30:28 [csolc]
fh: may need to ensure we define requirements before we look a
07:31:30 [csolc]
ACTION: fh edit proposed principles section
07:31:30 [trackbot]
Created ACTION-84 - Edit proposed principles section [on Frederick Hirsch - due 2008-10-27].
07:32:16 [csolc]
Topic: Byte Range signatures
07:32:29 [klanz2]
TOPIC: Byte Range signatures
07:32:47 [fhirsch3]
csolc: sign byte ranges of binary document since some might change others not
07:36:10 [fhirsch3]
bruce: why bytes not over bits, for binary? Bytes higher level than binary
07:38:23 [klanz2]
like LZW
07:38:41 [tlr]
q+ to note that Transforms are defined in terms of octet-streams, not bitstreams
07:39:06 [jcruella]
jcruella has joined #xmlsec
07:39:59 [tlr]
zakim, ??P7 is jcruella
07:39:59 [Zakim]
+jcruella; got it
07:40:29 [fhirsch3]
pratik: binary can be more complicated, depending on encoding
07:40:39 [fhirsch3]
kelvin: preallocate p7 fill in for binary signing
07:40:43 [klanz2]
@Juan Carlos, are there requirements from XAdES in PDF for ByteRanges?
fjh: add why it's ByteRange and not BitRange ...
07:55:13 [klanz2]
csolc, please add to your proposal ...
07:56:08 [bal]
bal has joined #xmlsec
07:56:17 [tlr]
tlr has joined #xmlsec
07:57:28 [klanz2]
ACTION: csolc to update the proposal on a ByteRange Transform
07:57:28 [trackbot]
Created ACTION-85 - Update the proposal on a ByteRange Transform [on Chris Solc - due 2008-10-27].
07:57:32 [csolc]
csolc has joined #xmlsec
07:59:29 [fhirsch3]
fhirsch3 has joined #xmlsec
07:59:36 [brich]
brich has joined #xmlsec
07:59:37 [fhirsch3]
zakim, who is here?
07:59:37 [Zakim]
On the phone I see Executive_6, klanz2, jcruella
07:59:38 [Zakim]
On IRC I see brich, fhirsch3, csolc, tlr, bal, jcruella, rdmiller, klanz2, Zakim, RRSAgent, trackbot
07:59:43 [pdatta]
pdatta has joined #xmlsec
07:59:59 [pdatta]
pdatta has joined #xmlsec
08:02:45 [csolc]
chris will note why we are using byte ranges instead of bit ranges
08:02:59 [gedgar]
gedgar has joined #xmlsec
08:04:07 [fhirsch3]
tlr: add to requirement clarity on possible attacks with byte ranges
08:04:28 [fhirsch3]
fjh: please include in proposal note on not bit stream, possible limit
08:04:31 [fhirsch3]
ack tlr
08:04:31 [Zakim]
tlr, you wanted to note that Transforms are defined in terms of octet-streams, not bitstreams
08:04:38 [fhirsch3]
ack klanz
08:04:51 [tlr]
that's precisely my question
08:05:00 [fhirsch3]
klanz: how are gaps handled, leave out or fill with 0s?
08:05:12 [tlr]
fill with zeroes, fill with something that's given in the transform, produce output that's byte ranges encapsulated in ASN.1, ...
08:05:20 [fhirsch3]
csolc: need to consider
08:05:21 [tlr]
(just joking, re ASN.1)
08:05:26 [fhirsch3]
klanz: pls add to proposal
08:05:32 [fhirsch3]
ack jruella
08:05:36 [rdmiller]
rdmiller has joined #xmlsec
08:05:38 [fhirsch3]
ack jcruella
08:06:18 [fhirsch3]
jcreullas: filling with 0s is modifying document, is it not
08:07:46 [fhirsch3]
csolc: transform defined, whether to 0 or compress etc
08:08:09 [gedgar]
gedgar has joined #xmlsec
08:09:34 [csolc]
klanz2: suggests that we ensure proper defaults are defined
08:10:08 [fhirsch3]
ack klanz
08:10:29 [fhirsch3]
ack tlr
08:10:50 [csolc]
tlr: is there a use case for concat
08:11:08 [fhirsch3]
tlr notes signing excerpts vs concatenation
08:12:08 [fhirsch3]
bal: concat effectively via multiple references
08:12:31 [csolc]
bal: terminal transforms?
08:13:14 [csolc]
Topic: Simple Sign
08:13:16 [csolc]
Simple Signing Strawman requirements
08:18:51 [csolc]
bal: lower level os stuff wants the minimal set of dependencies
08:19:30 [csolc]
... so if simple sign needs xpath, the more libraries you will need
08:22:32 [fhirsch3]
kelvin notes want to leverage platform, offer support at low level without pulling in xml libraries, no XPath etc
08:23:24 [csolc]
brich: you may require to set a policy instead of a max length
08:23:52 [csolc]
.. on the amount of data that is signed.
08:24:35 [fhirsch3]
fhirsch3 has joined #xmlsec
08:25:14 [fhirsch]
fhirsch has joined #xmlsec
08:25:19 [fhirsch]
zakim, who is here?
08:25:19 [Zakim]
On the phone I see Executive_6, klanz2, jcruella
08:25:20 [Zakim]
On IRC I see fhirsch, rdmiller, pdatta, brich, csolc, tlr, bal, jcruella, klanz2, Zakim, RRSAgent, trackbot
08:25:46 [fhirsch]
kelvin notes policy can be in doc rather than apps, since apps could differ
08:25:49 [csolc]
kelvin: the application tells the library the max amount of data that is allowed to be processed.
08:26:12 [fhirsch]
kelvin notes shred, dsobject can have unsigned items added at higher layer, can break signed items already existent
08:26:43 [csolc]
pdatta: asked about text nodes
08:26:50 [fhirsch]
item - policy in signature
08:28:10 [klanz2]
Off Topic: Can someone taking care of our mainpage, take an action to update and add "" , the need to do this is indicated by the following comment:
08:28:16 [Geald_Edgar]
Geald_Edgar has joined #xmlsec
08:29:25 [klanz2]
Off Topic continued, maybe also mention the old lists:
08:31:08 [csolc]
bal: need to keep in mind about older libraries, how can the new format be supported by older processors
08:33:08 [csolc]
fh: this does duplicate a number of the xades reqs
08:33:41 [csolc]
fh: declarative policy as part of the sig?
08:33:50 [klanz2]
@tlr: shall be forwarded to
08:36:42 [tlr]
bal: Putting policy languages into these requirements is a can of worms.
08:36:47 [tlr]
All: yes, and in the following way
08:37:08 [csolc]
ACTION: Kalvin: Clean up proposal
08:37:08 [trackbot]
Sorry, couldn't find user - Kalvin
08:37:24 [tlr]
ACTION: Kelvin to clean up proposal
08:37:24 [trackbot]
Created ACTION-86 - Clean up proposal [on Kelvin Yiu - due 2008-10-27].
08:37:48 [tlr]
fjh: need to clarify policy-related requirement and why we don't want to do this
08:38:41 [csolc]
bal: may need to declare what are the capabilities of the application.
08:39:38 [fhirsch]
bal: will need to declare capabilities, relevant for simple low level, or higher level apps
08:39:44 [fhirsch]
ack jcrella
08:39:48 [fhirsch]
ack jcruella
08:40:47 [fhirsch]
bal: at sig generation time declare as part of sig, that sig adheres to part of std
08:41:10 [fhirsch]
bal: verifiers can declare portions they understand
08:41:55 [fhirsch]
jcc: etsi defined language for signature policy
08:42:31 [klanz2]
@jcc do you have a link or reference ...
08:42:55 [csolc]
bal: would like to see levels for the profiles
08:42:58 [fhirsch]
bal: policy limited to statement adhere to level 0 profile, level 1 profile etc
08:44:05 [fhirsch]
ack klanz
08:44:33 [csolc]
klanz: public mailing lists are not easy access
08:44:38 [tlr]
ACTION: thomas to add link to comment list to public page
08:44:39 [trackbot]
Created ACTION-87 - Add link to comment list to public page [on Thomas Roessler - due 2008-10-27].
08:46:38 [klanz2]
Can you type, when you reconvene please ...
08:52:56 [John_Boyer]
John_Boyer has joined #xmlsec
09:02:43 [csolc]
csolc has joined #xmlsec
09:04:02 [csolc]
Joint Meeting with XForms (11:00 - 12:30)
09:04:05 [fhirsch3]
fhirsch3 has joined #xmlsec
09:04:16 [csolc]
Topic: Joint Meeting with XForms
09:04:26 [fhirsch3]
zakim, who is here?
09:04:26 [Zakim]
On the phone I see Executive_6, John_Boyer, wellsk
09:04:27 [Zakim]
On IRC I see fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, jcruella, klanz2, Zakim, RRSAgent, trackbot
09:05:42 [John_Boyer]
yugma web con session id is 229 481 091
09:05:55 [tlr]
tlr has joined #xmlsec
09:06:37 [fhirsch3]
zakim, who is here
09:06:37 [Zakim]
fhirsch3, you need to end that query with '?'
09:06:43 [fhirsch3]
zakim, who is here?
09:06:43 [Zakim]
On the phone I see Executive_6, John_Boyer, wellsk
09:06:44 [Zakim]
On IRC I see tlr, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, jcruella, klanz2, Zakim, RRSAgent, trackbot
09:07:26 [bal]
bal has joined #xmlsec
09:07:50 [tlr]
zakim, who is on the phone?
09:07:50 [Zakim]
On the phone I see Executive_6, John_Boyer, wellsk
09:08:06 [tlr]
we're back
09:08:23 [fhirsch3]
zakim, who iis here?
09:08:23 [Zakim]
I don't understand your question, fhirsch3.
09:08:28 [fhirsch3]
zakim, who is here?
09:08:28 [Zakim]
On the phone I see Executive_6, John_Boyer, wellsk
09:08:30 [Zakim]
On IRC I see bal, tlr, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, jcruella, klanz2, Zakim, RRSAgent, trackbot
09:09:23 [nick]
nick has joined #xmlsec
09:11:00 [Steeeven]
Steeeven has joined #xmlsec
09:11:23 [unl]
unl has joined #xmlsec
09:11:34 [fhirsch3]
Present+ Steven Pemberton, Ulide Lisse, Nick van den Blecken, Roland Merrick, TV Raman, Charlie Wiecha, Keith Wells, John Boyer
09:13:13 [csolc]
John Boyer presenter
09:13:36 [nick]
nick has joined #xmlsec
09:14:01 [Steeeven]
zakim, who is on the phone?
09:14:02 [Zakim]
On the phone I see Executive_6, John_Boyer, wellsk, ??P5
09:14:38 [jcruella]
zakim, ??P5 is jcruella
09:14:38 [Zakim]
+jcruella; got it
09:14:47 [kyiu]
kyiu has joined #xmlsec
09:19:57 [fhirsch3]
presentation in PDF at
09:21:58 [fhirsch3]
zakim, ??P5 is jcruellas
09:21:58 [Zakim]
+jcruellas; got it
09:24:36 [klanz2]
zakim, ? is klanz2
09:24:36 [Zakim]
+klanz2; got it
09:24:40 [fhirsch3]
s/presentation in PDF/XForms security presentation in PDF/
09:26:07 [fhirsch3]
me at "what if I work offline"
09:26:12 [Steeeven]
"But what if I want to work offline"
09:26:25 [fhirsch3]
s/me at .*//
09:27:52 [fhirsch3]
johnboyer: odf two types, single standalone file or zip file with many resources
09:28:27 [fhirsch3]
odf of presentation at
09:29:28 [fhirsch3]
tlr notes zip issue related to widget signing spec
09:30:03 [fhirsch3]
raman notes xml packaging a generic issue in w3c
09:31:24 [fhirsch3]
john notes content.xml is main xml in document, enveloped signature
09:31:34 [fhirsch3]
raman asks if xml base can be used
09:32:05 [Geald_Edgar]
It sounds as though a detached signature has the potential of signing an information source that no longer exists
09:32:24 [klanz2]
What is the URI scheme for Zip Files, is there one?
09:32:48 [fhirsch3]
detached can only sign as binary opaque reference
09:33:21 [Geald_Edgar]
So XML is detached as a separate unit within the ODF package, but it is included in the same information resource?
09:34:59 [klanz2]
consider for referencing inside zip ... also
09:35:22 [Geald_Edgar]
perhaps the XML signature itself is created as a detached signature, but it is attached within the ODF file.
09:36:20 [fhirsch3]
reference refers to instance document not entire xforms environment
09:36:28 [fhirsch3]
s/reference/john boyer: reference/
09:36:48 [fhirsch3]
john boyer: using reference with no uri
09:37:46 [csolc]
john wants to sign the odf doc, and since the xml signature is part of the instance data if uri="" is used it refers to the data not the odf doc
09:38:52 [csolc]
see slides for details
09:46:25 [fhirsch3]
john boyer notes at run time separate dom for recording instance data, separate document
09:46:41 [fhirsch3]
tlr- what is base uri for instance document
09:47:33 [fhirsch3]
john boyer - expect same doc reference, signature in instance document
09:47:35 [nick]
nick has joined #xmlsec
09:47:44 [fhirsch3]
zakim, who is here?
09:47:44 [Zakim]
On the phone I see Executive_6, John_Boyer, wellsk, jcruellas, klanz2
09:47:45 [Zakim]
On IRC I see nick, kyiu, unl, Steeeven, bal, tlr, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, klanz2, Zakim, RRSAgent, trackbot
09:49:46 [fhirsch3]
after run time might be serialized back with intial larger document
09:49:58 [fhirsch3]
s/after/john boyer notes after/
09:52:38 [csolc]
john - there are 3 layers, Instance data, the Model and the instance form.
09:55:00 [csolc]
john - there is a difference between the runtime of the model and the serialized version.
09:58:10 [csolc]
john - since the signatures are being generated at runtime - the references are relative to the containing data dom.
09:58:45 [fhirsch3]
john - separate dom for instance at run time, not serialized or incorporated until commit, ie. temporary data until accepted
10:06:38 [csolc]
raman - all information except state information is stored in the xforms model.
10:09:00 [csolc]
raman - custom functions must also be signed.
10:10:00 [csolc]
raman - there are custom libraries that can be loaded into xforms.
10:10:22 [fhirsch3]
extensions functions are full XPath
10:12:23 [fhirsch3]
john boyer application can define context for uri
10:13:53 [csolc]
john b - a reference without a uri points to the outer most document.
10:16:11 [fhirsch3]
raman at save time, save original doc plus instance data, to enable restore
10:16:29 [fhirsch3]
john boyer - eg save template and instance data
10:18:44 [csolc]
- instance data can be inline in the doc, fetched once at startup then stored inline, or saved in a remote source
10:21:41 [fhirsch3]
) defined in terms of original document, not data document...
10:21:56 [fhirsch3]
here was defined...
10:23:13 [esimon2]
esimon2 has joined #xmlsec
10:23:28 [klanz2]
maybe XProc would be good way to explain what is going on here ... ;-)
10:28:08 [csolc]
john b - issue with repeating content.
10:29:43 [csolc]
john b - section xmlsig doc
10:30:56 [csolc]
... input to the first transform should be output of the referencing
10:31:48 [fhirsch3]
zakim, who is here?
10:31:48 [Zakim]
On the phone I see Executive_6, John_Boyer, wellsk, jcruellas, klanz2, Ed_Simon, +
10:31:50 [Zakim]
On IRC I see esimon2, nick, kyiu, unl, Steeeven, bal, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, klanz2, Zakim, RRSAgent, trackbot
10:32:31 [csolc]
... confusion on the output of a non same document reference. does it have to be an octet stream
10:32:52 [Steeeven]
zakim, country code 46?
10:32:52 [Zakim]
I don't understand your question, Steeeven.
10:34:19 [Steeeven]
+46 is Sweden
10:34:31 [fhirsch3]
john boyer - support for uri-less reference required, possible errata.
10:34:39 [fhirsch3]
konrad - can you submit test cases?
10:35:29 [fhirsch3]
bal - cannot mandate application specific feature, but should require it to be allowed
10:35:56 [klanz2]
... The input to the first Transform is the result of dereferencing the URI attribute of the Reference element. ... ... If the URI attribute is omitted altogether, the receiving application is expected to know the identity of the object. For example, a lightweight data protocol might omit this attribute given the identity of the object is part of the application context. This attribute may be omitted from at most one Reference in any particular SignedInfo, or Manifest. ...
10:36:24 [fhirsch3]
bal - what is the interoperability point
10:36:42 [csolc]
bal - could add an implementation note
10:37:14 [fhirsch3]
klanz you are asking that null can be passed to url resolver
10:37:44 [csolc]
10:38:06 [fhirsch3]
klanz - should define own uri scheme in these cases, can then separate from work-arounds
10:41:03 [csolc]
fh - may need a uri identifier for instance data
10:41:32 [csolc]
raman - could define odf:here()
10:41:43 [fhirsch3]
avoid confusion of whether in instance data context or in committed merged document, need to be explicit with explicit URI
10:43:01 [csolc]
klanz: maybe should use xslt functions
10:43:33 [csolc]
john b - xslt is like poison. too complicated
10:45:12 [csolc]
john b - xslt is also an optional component to xml sigs
10:46:44 [csolc]
klanz - can xinclude be used to resolve the multiple doc issue
10:47:01 [fhirsch3]
is it possible to simplify this
10:47:07 [fhirsch3]
raman notes reflection of interactivity
10:47:29 [fhirsch3]
john notes even with zip still want node set, still have here issue, even if not here function
10:49:45 [fhirsch3]
concern with complexity, want to make security simpler, sounds complicated to have separate instance and documents, then merge and lose context.
10:50:07 [fhirsch3]
john notes interactive document case works
10:51:01 [fhirsch3]
ack klanz
10:52:21 [csolc]
fh - is it possible for xforms not to use xpath in the signatures
10:52:32 [klanz2]
is it XPath 1.0?
10:52:38 [klanz2]
I'd presume so ..
10:53:31 [fhirsch3]
john offers to summarize use case in terms of instance documents and original, serialization into single document, what is process, issues
10:53:50 [fhirsch3]
also to summarize lessons from implementation and needs regarding here etc.
10:55:15 [csolc]
Thanks to the XFORMS folks
10:55:23 [jcruella]
jcruella has joined #xmlsec
10:55:39 [jcruella]
sorry, had problems with my laptop
10:55:57 [fhirsch3]
zakim, who is here?
10:55:57 [Zakim]
On the phone I see Executive_6, Ed_Simon
10:55:58 [Zakim]
On IRC I see jcruella, esimon2, kyiu, bal, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, klanz2, Zakim, RRSAgent, trackbot
10:56:05 [csolc]
Breaking for 1 hour lunch
10:56:31 [jcruella]
zakim, P0 is jcruella
10:56:31 [Zakim]
sorry, jcruella, I do not recognize a party named 'P0'
T&S_XMLSEC()2:30AM has ended
10:57:46 [Zakim]
Attendees were Executive_6, klanz2, jcruella, John_Boyer, wellsk, jcruellas, Ed_Simon, +
12:02:30 [Zakim]
T&S_XMLSEC()2:30AM has now started
12:03:59 [nick]
nick has joined #xmlsec
12:04:24 [nick]
nick has joined #xmlsec
12:04:31 [nick]
nick has left #xmlsec
12:05:42 [unl]
unl has joined #xmlsec
12:06:56 [esimon2]
esimon2 has joined #xmlsec
12:07:05 [unl]
unl has left #xmlsec
12:09:12 [rdmiller]
scribenick: rdmiller
12:09:17 [csolc]
csolc has joined #xmlsec
12:09:58 [bal]
bal has joined #xmlsec
12:10:51 [fhirsch3]
fhirsch3 has joined #xmlsec
12:10:59 [fhirsch3]
zakim, who is here?
12:10:59 [Zakim]
On the phone I see Ed_Simon, [IPcaller]
12:11:00 [Zakim]
On IRC I see fhirsch3, bal, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent, trackbot
12:11:18 [jcruella]
zakim, who am I
12:11:18 [Zakim]
I don't understand 'who am I', jcruella
12:11:21 [jcruella]
zakim, who am I?
12:11:21 [Zakim]
I don't understand your question, jcruella.
12:11:22 [pdatta]
pdatta has joined #xmlsec
12:12:39 [fhirsch3]
zakim, please call xmlse
12:12:39 [Zakim]
I am sorry, fhirsch3; I do not know a number for xmlse
12:13:12 [fhirsch3]
zakim, call executive_6
12:13:12 [Zakim]
ok, fhirsch3; the call is being made
12:13:28 [fhirsch3]
zakim, who is here?
12:13:28 [Zakim]
On the phone I see Ed_Simon, [IPcaller], Executive_6
12:13:29 [Zakim]
On IRC I see pdatta, fhirsch3, bal, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent, trackbot
12:13:54 [fhirsch3]
zakim, IPcaller is jcc
12:13:54 [Zakim]
+jcc; got it
12:14:29 [rdmiller]
Topic: Review XForms Discussion
12:15:26 [rdmiller]
bal: We need to clarify the application specific behavior of references that are lacking URIs
12:16:10 [brich]
brich has joined #xmlsec
12:16:26 [rdmiller]
fhirsch3: We need to confirm that signature verification requires an XForms application
12:17:20 [fhirsch3]
s/an XForms/a running XForms/
12:17:39 [rdmiller]
fhirsch3: John from XForms to clarify the processing model and what he needs from XMLSEC to support his implementation.
12:18:38 [rdmiller]
fhirsch3: Concern that the complexity of the XForms processing model and goals seem to run counter to those of the XMLSEC WG.
12:20:02 [G_Edgar]
G_Edgar has joined #xmlsec
12:20:30 [rdmiller]
Topic: NIST Review
12:21:27 [rdmiller]
bal: Reviewed 2 documents from NIST regarding Randomized Hashing and approved hash algorithms.
12:22:11 [rdmiller]
NIST SP800-106 Randomized Hashing
12:22:48 [rdmiller]
bal: We could use the randomization of content for references only.
12:23:26 [esimon2]
Which schema? XML Signature's or XML schemas in general?
12:24:57 [fhirsch3]
randomized hashing - modification of any hash alg to add randomization, NIST defines only for sig hash, could do for Dsig hashing
12:25:02 [fhirsch3]
of input to content
12:25:13 [fhirsch3]
bal - xml signature schema
12:25:27 [fhirsch3]
currently define hash alg and any, could define element for salt
12:26:34 [rdmiller]
bal: We would need to update ds:SignatureMethod.
12:27:01 [fhirsch3]
group notes oaep only defined for encryption
12:30:35 [rdmiller]
RESOLUTION: Work on randomized hashing is a lower priority for the XMLSEC WG and will be deferred until there is a pressing need.
12:31:37 [rdmiller]
fhirsch3: At lunch there was a discussion about releasing a 3rd edition to address addition of algorithms.
12:32:17 [rdmiller]
tlr: If it affects conformance then it will need to at least be a minor edition.
12:33:35 [fhirsch3]
Present+ Xu Guibao
12:33:44 [fhirsch3]
Xu Guibao joined as observer
12:33:48 [klanz2]
zakim, ? is klanz2
12:33:48 [Zakim]
+klanz2; got it
12:35:29 [fhirsch3]
bal notes may want to deprecate sha1 in 1.1, or not but simply introduce new algs in 1.1
12:35:37 [fhirsch3]
bal notes goal not to change namespace in 1.1
12:36:12 [rdmiller]
bal: We may want to recommend in that old algorithms are not used and then deprecate them in a following version.
12:37:58 [tlr]
tlr has joined #xmlsec
12:42:15 [fhirsch3]
tlr if a future version, requires versioning, then need a new namespace is a reading of this
12:42:21 [fhirsch3]
ack klanz
ack bal
12:44:59 [rdmiller]
bal: If something changes that breaks backward compatibility then it would require a new namespace.
12:45:52 [rdmiller]
tlr: Prepare a working draft for version 1.1 where we add algorithms and clarify the versioning policy.
12:46:03 [fhirsch3]
clarify versioning in wd and see if that is acceptable to constituents, including possibly sha-1 deprecation
12:46:16 [bal]
konrad, so is your point that additional algorithms have already been defined without revving the namespace?
12:46:20 [fhirsch3]
ack tlr
12:46:25 [fhirsch3]
ack jcruella
12:47:02 [fhirsch3]
jcc notes one doc of sig semantics and one for algorithms
12:48:11 [fhirsch3]
jcc this avoids need to constantly change entire for algs
12:48:13 [rdmiller]
TOPIC: Joint Meeting with EXI
12:48:57 [herve]
herve has joined #xmlsec
12:49:05 [youenn]
youenn has joined #xmlsec
12:49:36 [fhirsch3]
Present+ John Schneider, Carine Bournez, Daniel Peintnec, Richard Kantschke
12:49:58 [fhirsch3]
jcc, can you hear?
12:49:59 [dape]
dape has joined #xmlsec
12:50:07 [esimon2]
not well; I'm quite dependent on the IRC
12:50:28 [caribou]
caribou has joined #xmlsec
12:52:10 [fhirsch3]
exi has looked at xml security in more detail
12:52:12 [brutzman]
brutzman has joined #xmlsec
12:52:39 [klanz2]
Re, Algorithm Identifiers (Last Topic) :
12:52:53 [fhirsch3]
some future work is c14n work - use exi to improve performance
12:53:16 [fhirsch3]
reduce what needs to be preserved for verification, e.g. leverage typed values
12:53:52 [fhirsch3]
EXI has parameters , e.g. preserve comments, similar to c14n
12:54:14 [rdmiller]
To improve performance canonicalization with EXI could require the use of some parameters.
12:54:29 [fhirsch3]
EXI encoding for encryption - need to specify that encrypted content is exi encoded, encoding attribute
12:54:47 [smullan]
smullan has joined #xmlsec
12:55:53 [rdmiller]
URIs for canonicalization algs when using EXI.
12:56:02 [fhirsch3]
possibly using exi for c14n
12:56:15 [jkangash]
jkangash has joined #xmlsec
12:56:34 [rdmiller]
EXI could provide "type aware" canonicalization to improve performance.
12:58:52 [fhirsch3]
tom - test cases should be considered
12:59:07 [fhirsch3]
zakim, who is here?
12:59:07 [Zakim]
On the phone I see Ed_Simon, jcc, Executive_6, klanz2
12:59:09 [Zakim]
On IRC I see jkangash, smullan, brutzman, caribou, dape, youenn, herve, tlr, G_Edgar, brich, pdatta, fhirsch3, bal, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent, trackbot
13:01:22 [fhirsch3]
tom wanting to integrate xml security testing into exi testing, thinking about what is involved
13:01:36 [fhirsch3]
tom effort involves university development
13:02:13 [tlr]
university development?!
13:02:41 [tlr]
don: do signatures survive EXI round-tripping?
13:03:09 [tlr]
tlr: we do have signatures and signed documents that you could run through your tests.
13:03:14 [rkuntsch]
rkuntsch has joined #xmlsec
13:04:20 [fhirsch3]
bal - do two semantically equivalent xml docs serialize into two exi serializations?
13:04:35 [fhirsch3]
yes, when considering parameters
13:04:52 [fhirsch3]
s/yes/steven, yes/
13:05:06 [fhirsch3]
zakim, who is here?
13:05:06 [Zakim]
On the phone I see Ed_Simon, jcc, Executive_6, klanz2
13:05:08 [Zakim]
On IRC I see rkuntsch, jkangash, smullan, brutzman, caribou, dape, youenn, herve, tlr, G_Edgar, brich, pdatta, fhirsch3, bal, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent, trackbot
13:05:46 [brutzman]
recap/summary: we have an exi test suite with a corpus of several thousand documents. will be looking to ensure we have sufficient set of encrypted and/or signed documents to properly test round-trip success and interoperability by various EXI processors.
13:06:12 [fhirsch3]
steven, have option to preserve namespace info
13:08:27 [magnus]
magnus has joined #xmlsec
13:08:30 [rdmiller]
tlr: XML Signature is dependent on which EXI parameters are used.
13:09:17 [tlr]
ha! Excellent news!
13:09:28 [tlr]
(I hadn't realized that EXI had done this piece of work.)
13:09:33 [rdmiller]
EXI is set to work with canonicalization and is documented in a best practices document.
13:10:00 [brutzman]
EXI Best Practices relevant to security:
13:10:25 [tlr]
john: EXI has designed things to be compatible with existing canonicalizations, and there are sets of parameters which will not break XML Security.
13:10:33 [brutzman]
EXI Impacts relevant to security:
13:10:38 [jschneid2]
jschneid2 has joined #xmlsec
13:10:42 [tlr]
... we're now talking about forward-looking work that would permit use of EXI with Signature.
13:13:47 [kyiu]
kyiu has joined #xmlsec
13:13:48 [rdmiller]
Ed Simon looked at the EXI document and not the EXI Best Practices
13:14:15 [rdmiller]
fhirsch3: We should review EXI Best Practices.
13:14:15 [fhirsch3]
ack jcc
13:14:24 [fhirsch3]
ack jcruela
13:14:30 [fhirsch3]
ack jcruellas
13:14:34 [fhirsch3]
ack jcruella
13:16:03 [rdmiller]
jcruella: EXI is not canonicalization, but serialization of canonicalization.
13:16:07 [fhirsch3]
best practice, how to use exi with existing c14n algs, using preserve algs
13:16:24 [fhirsch3]
s/preserve algs/preserve parameters
13:16:42 [fhirsch3]
exi could be used as c14n alg in future, topic for joint discussion
13:17:18 [fhirsch3]
s/exi/john wzi
13:17:26 [fhirsch3]
13:18:04 [fhirsch3]
zakim, who is making noise?
13:18:14 [Zakim]
fhirsch3, listening for 10 seconds I heard sound from the following: jcc (49%), Executive_6 (77%)
13:18:48 [fhirsch3]
john, preserving more in exi makes it larger
13:19:22 [fhirsch3]
john, eg no need to preserve lexical values, gaining efficiency
13:20:01 [klanz2]
13:20:36 [fhirsch3]
jcc should signature cover tables
13:20:56 [fhirsch3]
john, tables are implicit
13:21:11 [fhirsch3]
john, part of stream
13:21:24 [brutzman]
EXI Format 1.0, 6.3 Fidelity Options lists Preserve.comments Preserve.pis Preserve.dtd Preserve.prefixes Preserve.lexicalValues
13:21:28 [fhirsch3]
ack fhirsch
13:22:32 [rdmiller]
fhirsch3: What is the performance hit of using EXI for canonicalization because of having to use the EXI parser?
13:23:38 [klanz2]
Is there something like in memory EXI as well that expands to APIs like DOM or XPATH on the fly?
13:25:27 [fhirsch3]
question is whether the startup and shutdown time for EXI is too expensive when only performing single sign or verify...
13:25:45 [fhirsch3]
answer is that schema load can take time, but exi is also able to save internal compiled form
13:25:48 [rdmiller]
john: Performance would be based on initial load and number of schemas used.
13:25:54 [fhirsch3]
bal asks about memory footprint
13:26:13 [fhirsch3]
john, string tables but can be limited
13:26:46 [fhirsch3]
john, serialize xml doc or set of xml fragments, which are individual elements + attributes
13:28:23 [fhirsch3]
bal cannot replace c14n with it directly due to input requirement, not a nodeset as input
13:28:24 [klanz2]
Ordered NodeSet ....
13:29:06 [fhirsch3]
bal possible issue if unparented nodeset allowed, would need to be considered
13:29:28 [fhirsch3]
ack esimon
13:30:23 [esimon2]
13:30:27 [fhirsch3]
ed asks re importance of native formatted signatures
13:31:41 [fhirsch3]
ed, e.g. sign exi format without converting to xml for signing
13:32:53 [G_Edgar]
G_Edgar has joined #xmlsec
13:34:10 [G_Edgar]
I am wondering what might be the impact of "pluggable codecs" on this? I wonder since "pluggable codecs" are negotiated.
13:34:41 [brutzman]
XBC was predecessor of EXI group. XML Binary Characterization Use Cases
13:34:56 [fhirsch3]
ack pdatta
13:35:23 [fhirsch3]
pratik - does exi preserve ordering
13:35:27 [rdmiller]
ACTION: esimon to look at the EXI use cases.
13:35:27 [trackbot]
Sorry, couldn't find user - esimon
13:35:39 [esimon2]
try esimon2
13:35:42 [fhirsch3]
john, always preserves ordering of elements, not attributes
13:36:13 [rdmiller]
ACTION: esimon2 to look at the EXI use cases
13:36:13 [trackbot]
Created ACTION-88 - Lookk at the EXI use cases [on Ed Simon - due 2008-10-27].
13:36:53 [fhirsch3]
john, attribute order can be preserved as part of serialization, might need switch in EXI for writing out attribute order
13:37:13 [G_Edgar]
Are attribute orders part of any Codec?
13:37:14 [fhirsch3]
action 88 is on test cases
13:37:14 [trackbot]
Sorry, couldn't find user - 88
13:37:44 [G_Edgar]
13:37:50 [fhirsch3]
john, also keep track of encoding options
13:38:14 [fhirsch3]
pratik canonicalization often last step to digest, hence space benefits may not be valuable
13:38:27 [anil]
anil has joined #xmlsec
13:38:47 [brutzman]
upon decompressing an EXI document, element order is preserved but attribute order is not (as specified in XML Infoset). nevertheless it is possible to reapply canonicalization upon recreation of the XML document from EXI. perhaps EXI should add a switch to preserve canonicalization upon decompression. this would seem to be necessary in order to preserve signature.
13:39:10 [fhirsch3]
john, can serialize direct from model to exi, not necessarily via xml
13:39:25 [fhirsch3]
... hence faster
13:40:15 [fhirsch3]
ack klanz
13:40:36 [fhirsch3]
exi implementation can offer different modes, e.g. from DOM, SAX etc. open source exists
13:41:55 [rdmiller]
john: EXI is not designed to be an in memory representation but specific parts of the EXI stream can be referenced using self contained sub-trees.
13:41:55 [fhirsch3]
john, exi is interchange format, can have self-contained subtrees, meeting requirements for random access
13:42:16 [rdmiller]
13:42:26 [fhirsch3]
13:43:14 [rdmiller]
john: If not preserving namespace declarations EXI stores the qualified names directly which is the full identity of the URI.
13:46:34 [fhirsch3]
ack G_Edgar
13:47:20 [fhirsch3]
disallow pluggable codecs
13:47:41 [klanz2]
Could we have some pointers to implementations/Implementation Reports for EXI
13:47:52 [klanz2]
I'd be interested in finding one that offers a DOM API
13:49:04 [klanz2]
13:49:21 [Zakim]
13:49:32 [Zakim]
14:00:06 [Zakim]
+ +1.781.515.aaaa
14:00:22 [magnus]
zakim, magnus is aaaa
14:00:22 [Zakim]
sorry, magnus, I do not recognize a party named 'magnus'
14:01:12 [klanz2]
zakim, aaaa is magnus
14:01:12 [Zakim]
+magnus; got it
14:09:30 [fhirsch3]
zakim, who is here?
14:09:30 [Zakim]
On the phone I see Ed_Simon, Executive_6, magnus
14:09:31 [Zakim]
On IRC I see anil, G_Edgar, magnus, jkangash, smullan, brutzman, caribou, dape, herve, brich, pdatta, fhirsch3, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent,
14:09:34 [Zakim]
... trackbot
14:10:18 [bal]
bal has joined #xmlsec
14:11:18 [esimon2]
I'm back.
14:11:34 [tlr]
tlr has joined #xmlsec
14:13:04 [rdmiller2]
rdmiller2 has joined #xmlsec
14:13:45 [Zakim]
14:13:56 [jcruella]
juan carlos
14:14:28 [jcruella]
zakim, P15 caller is jcruella
14:14:28 [Zakim]
I don't understand 'P15 caller is jcruella', jcruella
14:14:43 [caribou]
14:14:55 [jcruella]
zakim, P15 caller is jcc
14:14:55 [Zakim]
I don't understand 'P15 caller is jcc', jcruella
14:15:05 [bal]
zakim, +P15 is jcc
14:15:05 [Zakim]
sorry, bal, I do not recognize a party named '+P15'
14:15:11 [jcruella]
zakim, +P15 caller is jcc
14:15:11 [Zakim]
I don't understand '+P15 caller is jcc', jcruella
14:15:12 [bal]
zakim, P15 is jcc
14:15:13 [Zakim]
sorry, bal, I do not recognize a party named 'P15'
14:15:28 [jcruella]
zakim, +P15 caller is jcruella
14:15:28 [Zakim]
I don't understand '+P15 caller is jcruella', jcruella
14:15:50 [bal]
zakim, ??P15 is jcc
14:15:50 [Zakim]
+jcc; got it
14:16:11 [jcruella]
14:18:35 [rkuntsch]
rkuntsch has joined #xmlsec
14:19:28 [jkangash]
XBC use cases:
14:19:47 [Zakim]
14:19:49 [rdmiller]
john: Use cases are XBC and use cases are on the EXI webpage as part of the testing framework.
14:19:50 [klanz2]
zakim, ? is klanz 2
14:19:50 [Zakim]
I don't understand '? is klanz 2', klanz2
14:20:04 [klanz2]
zakim, ? is klanz2
14:20:04 [Zakim]
+klanz2; got it
14:20:08 [csolc]
note: for xmlsec to use EXI as a canonicalization alg, EXI would have to add as part of the spec a rule on what order attributes are written out.
14:21:30 [rdmiller]
fhirsch3: We may want to think about using EXI for canonicalization and how it may improve XML Signature performance.
14:25:06 [rdmiller]
fhirsch3: Case number 1 is increase XMLSec for instances that are not aware of EXI.
14:26:43 [youenn]
youenn has joined #xmlsec
14:26:44 [rdmiller]
fhirsch3: Case number 2 is to improve XMLSec within EXI.
14:27:14 [esimon2]
Ideally, want to EXI doc before encrypting.
14:28:00 [anil]
anil has left #xmlsec
14:28:05 [klanz2]
Re Previous Discussion: There might be similarities between "transform primitives" and what EXI calls the things you do not care about ...
14:28:41 [rdmiller]
john: XML Enc may not be able to take advantage of the performance increase of EXI without significant pain.
14:28:58 [Zakim]
14:29:10 [magnus]
Did we just lose the conference bridge?
14:29:11 [klanz2]
you lost the connection
14:29:14 [esimon2]
the phone line seems dead
14:29:27 [jcruella]
I also lost connection
14:29:29 [fhirsch3]
zakim, call executive_6
14:29:29 [Zakim]
ok, fhirsch3; the call is being made
14:29:30 [Zakim]
14:29:42 [jcruella]
OK... it works again
14:31:13 [klanz2]
[s1] <EncryptedData xmlns=''
14:31:13 [klanz2]
14:31:13 [klanz2]
[s2] <EncryptionMethod
14:31:13 [klanz2]
14:31:13 [klanz2]
[s3] <ds:KeyInfo xmlns:ds=''>
14:31:14 [klanz2]
[s4] <ds:KeyName>John Smith</ds:KeyName>
14:31:16 [klanz2]
[s5] </ds:KeyInfo>
14:31:18 [klanz2]
[s6] <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
14:31:20 [klanz2]
[s7] </EncryptedData>
14:31:27 [klanz2]
Maybe use another Algorithm Identifier
14:31:42 [klanz2]
14:32:08 [klanz2]
14:32:14 [klanz2]
or similar
14:33:29 [fhirsch3]
consideration of using mimetype attribute
14:33:41 [klanz2]
14:34:05 [fhirsch3]
note two areas, 1st use of exi to improve xml security, here for c14n in signature worth consideration
14:34:19 [fhirsch3]
second, integration with exi tighter
14:34:21 [anil]
anil has joined #xmlsec
14:34:49 [fhirsch3]
main pain point in exi is encryption due to size of cipherdata, from xml, here exi first then encryption would help
14:35:01 [fhirsch3]
14:35:22 [rdmiller]
14:36:05 [rdmiller]
john: EXI could possibly be used with XML Enc as it is with a minor tweak to identify the encrypted data as EXI.
14:37:28 [esimon2]
14:38:14 [brutzman]
brutzman has joined #xmlsec
14:38:41 [fhirsch3]
ack esimon
14:39:50 [rdmiller]
john: Mapping from XML for XML encryption to EXI is relatively straightforward.
14:41:12 [rdmiller]
john: the work to allow EXI as a canonicalization method should benefit both the XMLSEC and EXI WGs.
14:42:20 [rdmiller]
bal: Supporting XML Enc within EXI will require a change to XML Enc, ref section 4.2.
14:44:11 [rdmiller]
fhirsch3: We understand how to support EXI for XML Enc, but need to be mindful of interoperability.
14:45:06 [rdmiller]
fhirsch3: We also need to work the W3C Rec process.
14:45:49 [rdmiller]
john: No current pressing need for EXI from the XMLSEC WG.
14:46:05 [rdmiller]
pdatta: We cannot use a MIME type directly.
14:46:35 [rdmiller]
fhirsch3: We were discussing using a new type element.
14:47:06 [magnus]
14:47:40 [pdatta]
bal: EXI could define a new type EXIelement
14:48:03 [klanz2]
14:48:05 [pdatta]
bal: this can be done outside XML Encryption spec
14:48:13 [klanz2]
<attribute name='Type' type='anyURI' use='optional'/>
14:48:14 [klanz2]
<attribute name='MimeType' type='string' use='optional'/>
14:48:14 [klanz2]
<attribute name='Encoding' type='anyURI' use='optional'/>
14:48:59 [fhirsch3]
ack magnus
14:49:31 [klanz2]
14:49:53 [fhirsch3]
discussion, use type attribute, uri defined by EXI team and processing rules
14:49:56 [fhirsch3]
ack klanz
14:49:56 [pdatta]
jakko: does EXI need both EXIElement and EXIContent, probably not because EXI does not probably support mixed content, so only EXIElement is ok
14:50:10 [rdmiller]
fhirsch3: EXI should define the URI and processing rules for XML Enc support.
14:50:41 [brutzman]
wondering, where is the test/examples corpus for XMLSEC mentioned earlier today?
14:50:50 [klanz2]
Process decrypted data if Type is unspecified or is not 'element' or element 'content'.
14:50:50 [klanz2]
1. The cleartext octet sequence obtained in Step 3 MUST be returned to the application for further processing along with the Type, MimeType, and Encoding attribute values when specified. MimeType and Encoding are advisory. The Type value is normative as it may contain information necessary for the processing or interpretation of the data by the application.
14:50:50 [klanz2]
2. Note, this step includes processing data decrypted from an EncryptedKey. The cleartext octet sequence represents a key value and is used by the application in decrypting other EncryptedType element(s).
14:51:00 [fhirsch3]
in this case EXI) to interpret
14:51:38 [fhirsch3]
if not element or elementcontent then exi can interpret
14:52:26 [fhirsch3]
bal exi takes care of decryption, into dom then exi
14:52:36 [pdatta]
bal: XML encryption spec says that if type is not element or content, then hand it back to application, is EXI the application ?
14:53:14 [rdmiller]
fhirsch3: Using EXI for canonicalization will require further work outside of this meeting.
14:55:07 [pdatta]
john: three things a) using EXI for canonicalization, b) define new algorithm URI for EXI canonicalization, c) new type for Encryption EXIelement
14:56:01 [rdmiller]
fhirsch3: Performance measurements regarding the use of EXI for canonicalization would be helpful.
14:57:04 [rdmiller]
EXI does have a test framework for measuring compression and decompression that is a Java-based framework.
14:57:18 [rdmiller]
It can measure both Java and C++
14:58:21 [tlr]
ACTION: thomas to update homepage with information test suites
14:58:21 [trackbot]
Created ACTION-89 - Update homepage with information test suites [on Thomas Roessler - due 2008-10-27].
14:59:38 [brutzman]
The EXI test corpus is online at
15:01:08 [brutzman]
The EXI test corpus is hosted at Naval Postgraduate School in Monterey
15:01:22 [rdmiller]
fhirsch3: It may make sense to have a joint EXI XMLSEC session at the next XMLSEC F2F (13-14 January 2009).
15:01:53 [brutzman]
The EXI test corpus is based on Japex - "Japex is a simple yet powerful tool to write Java-based micro-benchmarks."
15:03:47 [pdatta]
john: In the case where the fidelity is not important - e.g. in web services - an EXI-based canonicalization will be advantageous
15:04:31 [rdmiller]
fhirsch3: What is the benefit of EXI users to use EXI canonicalization?
15:04:42 [pdatta]
bal: in web services fidelity is important - shred and reconstruct use cases
15:04:56 [rdmiller]
john: We have some information based on a customer experiment that was done in 2006.
15:07:25 [rdmiller]
fhirsch3: Do the benefits of using EXI for canonicalization outweigh the costs for adding everything needed to process EXI?
15:08:38 [pdatta]
fhirsch3: Using EXI for canonicalization adds more dependent libraries - need to evaluate this
15:11:29 [jkangash]
jkangash has left #xmlsec
15:13:03 [dape]
dape has joined #xmlsec
15:13:04 [brutzman]
15:13:27 [dape]
dape has left #xmlsec
15:14:04 [youenn]
youenn has joined #xmlsec
15:14:29 [klanz2]
Please find the answer to Sue Hoylen's question:
15:18:23 [rdmiller]
TOPIC: Hoylen Response
15:18:31 [klanz2]
15:21:39 [caribou]
caribou has left #xmlsec
15:21:41 [klanz2]
15:22:25 [rdmiller]
fhirsch3: The response looks reasonable.
15:23:13 [rdmiller]
RESOLUTION: Konrad's response to Sue Hoylen is fine and Konrad will send it.
15:25:32 [rdmiller]
RESOLUTION: Add Hal's Web Services info into the requirements doc.
15:26:36 [rdmiller]
ACTION: kyiu to provide a draft for the requirements document of the simple signing requirements.
15:26:37 [trackbot]
Created ACTION-90 - Provide a draft for the requirements document of the simple signing requirements. [on Kelvin Yiu - due 2008-10-27].
15:27:47 [rdmiller]
ACTION: jcruella to provide a draft for the requirements document for long term signatures.
15:27:47 [trackbot]
Created ACTION-91 - Provide a draft for the requirements document for long term signatures. [on Juan Carlos Cruellas - due 2008-10-27].
15:33:54 [rdmiller]
TOPIC: Web Apps Prep
15:33:55 [tlr]
15:34:53 [herve]
herve has left #xmlsec
15:35:04 [rdmiller]
tlr: WebApps is writing a profile of XML Signature for signing widgets.
15:36:53 [rdmiller]
tlr: WebApps want to know what set of algorithms should be mandatory.
15:38:32 [klanz2]
15:38:54 [klanz2]
15:39:28 [klanz2]
15:40:11 [klanz2]
15:40:11 [klanz2]
15:40:31 [klanz2]
15:40:34 [klanz2]
15:43:03 [klanz2]
15:43:23 [fhirsch3]
15:43:35 [rdmiller]
ACTION: kyiu to make a proposal for Issue 59.
15:43:35 [trackbot]
Created ACTION-92 - Make a proposal for Issue 59. [on Kelvin Yiu - due 2008-10-27].
15:45:03 [klanz2]
15:45:11 [magnus]
For HMAC, there are also some identifiers in RFC 4231
15:46:41 [klanz2]
15:46:49 [klanz2]
that is the expired draft ...
15:47:34 [tlr]
I propose seeking review by the IETF security directorate.
15:48:25 [fhirsch3]
15:48:50 [klanz2]
We MUST not forget about this one that was added to the expired draft ...
15:48:50 [klanz2]
15:48:50 [klanz2]
15:49:21 [rdmiller]
pdatta: I recommend adding a table for recommendations regarding bit strength.
15:49:45 [rdmiller]
bal: I recommend not doing that and pointing to the relevant NIST doc.
15:50:07 [klanz2]
can we make sure all the URIs and references we have here in the minutes, are revisited by the person taking the action of collecting this stuff
15:51:55 [rdmiller]
4051 covers all of the algorithms that are not covered elsewhere, but does not point to the ones that are covered.
15:51:59 [fhirsch3]
summary, can answer widgets re alg identifiers using sha256 uri from encryption for reference hashing and rsa-sha256 from 4051
15:53:10 [rdmiller]
bal: Who will implement the checks for WebApps?
15:55:28 [rdmiller]
TOPIC: Action Review
15:56:13 [rdmiller]
fhirsch3: All actions items can be closed.
15:56:34 [klanz2]
bye everyone ...
15:56:44 [magnus]
15:56:52 [rdmiller]
Recessing until tomorrow morning.
15:57:01 [Zakim]
15:57:30 [esimon2]
15:57:45 [Zakim]
15:57:50 [jcruella]
bye have a nice dinner !!
15:58:03 [Zakim]
15:58:05 [klanz2]
bye every one
15:58:13 [Zakim]
15:58:26 [rdmiller]
Zakim, list participants
15:58:26 [Zakim]
As of this point the attendees have been Ed_Simon, Executive_6, jcc, klanz2, +1.781.515.aaaa, magnus
15:58:33 [fhirsch3]
recess until tomorrow, thank you
15:58:35 [rdmiller]
RRSAgent, make log member
15:58:52 [rdmiller]
RRSAgent, generate minutes
15:58:52 [RRSAgent]
I have made the request to generate rdmiller
15:59:06 [rdmiller]
Zakim, bye
15:59:06 [Zakim]
leaving. As of this point the attendees were Ed_Simon, Executive_6, jcc, klanz2, +1.781.515.aaaa, magnus
15:59:06 [Zakim]
Zakim has left #xmlsec
16:03:03 [fhirsch3]
Present+ Jaakko Kangasharju, Taki Kamiya, Bede Mccall, Youenn Fabuet, Herve Ruellan, Don Brutzman
16:03:53 [fhirsch3]
Present+ John Boyer, Steven Pemberton, Ultide Lisse, Nick Van den Blecken, Roland Merrick, TV Raman, Charlie Wiecha
16:04:16 [fhirsch3]
Present+ Keith Wells
16:04:42 [fhirsch3]
observers included Bede, Youenn, Herve, Xu
16:05:09 [fhirsch3]
RRSAgenda, generates minutes
16:05:25 [fhirsch3]
RRSAgent, generate minutes
16:05:25 [RRSAgent]
I have made the request to generate fhirsch3
16:08:26 [bal]
bal has joined #xmlsec