IRC log of xmlsec on 2008-10-20

Timestamps are in UTC.

06:43:25 [RRSAgent]

RRSAgent has joined #xmlsec

06:43:25 [RRSAgent]

logging to http://www.w3.org/2008/10/20-xmlsec-irc

06:43:27 [trackbot]

RRSAgent, make logs member

06:43:27 [Zakim]

Zakim has joined #xmlsec

06:43:27 [klanz2]

klanz2 has joined #xmlsec

06:43:29 [trackbot]

Zakim, this will be XMLSEC

06:43:29 [Zakim]

ok, trackbot; I see T&S_XMLSEC()2:30AM scheduled to start 13 minutes ago

06:43:30 [trackbot]

Meeting: XML Security Working Group Teleconference

06:43:30 [trackbot]

Date: 20 October 2008

06:43:57 [tlr]

zakim, who is on the phone?

06:43:57 [Zakim]

T&S_XMLSEC()2:30AM has not yet started, tlr

06:43:59 [Zakim]

On IRC I see klanz2, Zakim, RRSAgent, csolc, pdatta, tlr, bal, fhirsch3, trackbot

06:44:35 [brich]

brich has joined #xmlsec

06:45:29 [klanz2]

Hello everyone and good morning.

06:45:37 [fhirsch3]

Agenda: http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0037.html

06:45:42 [fhirsch3]

Chair: Frederick Hirsch

06:45:43 [kyiu]

kyiu has joined #xmlsec

06:46:05 [fhirsch3]

Scribe: Gerald Edgar

06:46:07 [rdmiller]

rdmiller has joined #xmlsec

06:46:12 [fhirsch3]

zakim, who is here?

06:46:12 [Zakim]

T&S_XMLSEC()2:30AM has not yet started, fhirsch3

06:46:13 [Zakim]

On IRC I see rdmiller, kyiu, brich, klanz2, Zakim, RRSAgent, csolc, pdatta, tlr, bal, fhirsch3, trackbot

06:46:35 [tlr]

zakim, call Executive_6

06:46:35 [Zakim]

ok, tlr; the call is being made

06:46:36 [Zakim]

T&S_XMLSEC()2:30AM has now started

06:46:36 [Zakim]

+Executive_6

06:46:46 [tlr]

zakim, who is on the phone?

06:46:46 [Zakim]

On the phone I see Executive_6

06:47:09 [fhirsch3]

zakim, who is here?

06:47:09 [Zakim]

On the phone I see Executive_6

06:47:10 [Zakim]

On IRC I see rdmiller, kyiu, brich, klanz2, Zakim, RRSAgent, csolc, pdatta, tlr, bal, fhirsch3, trackbot

06:48:50 [csolc]

ScribeNick: csolc

06:52:57 [csolc]

Agenda review

06:53:04 [csolc]

Welcome all

06:54:14 [G_Edgar]

G_Edgar has joined #xmlsec

06:55:57 [bal]

bal has joined #xmlsec

06:59:03 [csolc]

Topic: Liaisons

06:59:21 [Zakim]

+??P4

06:59:23 [Zakim]

-??P4

06:59:23 [Zakim]

+??P4

06:59:29 [tlr]

zakim, ??P4 is klanz2

06:59:29 [Zakim]

+klanz2; got it

07:00:25 [fhirsch3]

http://www.w3.org/2008/10/07-xmlsec-minutes

07:00:39 [csolc]

TOPIC: Minuites Approval

07:01:07 [csolc]

Resolution: 10/07 minutes are approved

07:02:00 [csolc]

Topic: Best Practices

07:03:16 [csolc]

brich: want to confirm that it will be published as first working working draft

07:03:40 [csolc]

bal: does publishing it start any w3c clock

07:03:51 [csolc]

tlr: no clock will be started

07:04:28 [klanz2]

okay, with me

07:04:54 [csolc]

Resolution: Group agrees to publish the Best Practices doc as first working draft

07:05:11 [tlr]

ACTION: thomas to prepare best practices for publication

07:05:12 [trackbot]

Created ACTION-83 - Prepare best practices for publication [on Thomas Roessler - due 2008-10-27].

07:05:26 [fhirsch3]

rrsagent, where am i?

07:05:26 [RRSAgent]

See http://www.w3.org/2008/10/20-xmlsec-irc#T07-05-26

07:07:04 [csolc]

rdmiller: does he wait to send best practice to RSA

07:07:25 [csolc]

r/RSA/NSA

07:08:00 [csolc]

fh: wait to send doc untill tlr has doc published

07:09:37 [csolc]

Topic:Requirements updates I

07:11:01 [csolc]

ACTION-73, Title, contents update (Magnus)

07:11:01 [csolc]

http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0029.html

07:11:04 [csolc]

ACTION-73, Title, contents update (Magnus)

07:11:04 [csolc]

http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0029.html

07:13:11 [csolc]

bal: do we need a section on assumptions?

07:14:31 [csolc]

bal: proposals to add a section between 4 and 5 for opperation assumptions

07:14:47 [fhirsch3]

s/opperation/operational environment/

07:16:03 [csolc]

Resolution: accept the change http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0029.html with the addtion of the operational enviroment assumptions

07:16:25 [csolc]

Proposal for principles section

07:16:25 [csolc]

http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0074.html,

07:18:57 [fhirsch3]

remove Specialized approaches optimized for specific use cases should be

07:19:10 [fhirsch3]

avoided

07:19:38 [fhirsch3]

change "security layer independent of a security layer" to security layer independent of application layer"

07:21:12 [csolc]

fh: what are first class objects

07:21:38 [klanz2]

With what respect is that important to us, maybe add a this means sentence ...

07:21:56 [csolc]

fh: XML Signature -> XML Security

07:23:10 [csolc]

fh: first class object should be defined in the original security doc

07:24:08 [tlr]

http://www.w3.org/2008/xmlsec/Drafts/xmldsig-requirements

07:24:21 [tlr]

http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/

07:24:35 [csolc]

second url is the correct one

07:25:57 [tlr]

I think that Frederick was actually looking for this one: http://www.w3.org/TR/xmldsig-requirements

07:26:45 [csolc]

fh: would like to accept the proposal then edit it after.

07:28:41 [csolc]

Resolution: Accept proposed principles section with the above edits

07:28:54 [gedgar]

gedgar has joined #xmlsec

07:30:28 [csolc]

fh: may need to ensure we define requirements before we look a v.next

07:31:30 [csolc]

ACTION: fh edit proposed principles section

07:31:30 [trackbot]

Created ACTION-84 - Edit proposed principles section [on Frederick Hirsch - due 2008-10-27].

07:32:16 [csolc]

Topic: Byte Range signatures

07:32:29 [klanz2]

TOPIC: Byte Range signatures

07:32:47 [fhirsch3]

http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0011.html

07:34:10 [fhirsch3]

csolc: sign byte ranges of binary document since some might change others not

07:36:10 [fhirsch3]

bruce: why bytes not over bits, for binary? Bytes higher level than binary

07:38:23 [klanz2]

like LZW

07:38:41 [tlr]

q+ to note that Transforms are defined in terms of octet-streams, not bitstreams

07:39:06 [jcruella]

jcruella has joined #xmlsec

07:39:48 [Zakim]

+??P7

07:39:59 [tlr]

zakim, ??P7 is jcruella

07:39:59 [Zakim]

+jcruella; got it

07:40:29 [fhirsch3]

pratik: binary can be more complicated, depending on encoding

07:40:39 [fhirsch3]

kelvin: prealocate p7 fill in for binary signing

07:40:43 [klanz2]

@Juan Carlos, are there requirements from XAdES in PDF for ByteRenges?

07:41:01 [klanz2]

s/ByteRenges/ByteRanges/

07:50:03 [klanz2]

.

07:53:33 [klanz2]

fjh: add why it's ByteRange and not BitRange ...

07:55:13 [klanz2]

csolc, pleas add to your proposal ...

07:56:08 [bal]

bal has joined #xmlsec

07:56:17 [tlr]

tlr has joined #xmlsec

07:57:28 [klanz2]

ACTION: csolc to update the proposal on a ByteRange Transform

07:57:28 [trackbot]

Created ACTION-85 - Update the proposal on a ByteRange Transform [on Chris Solc - due 2008-10-27].

07:57:32 [csolc]

csolc has joined #xmlsec

07:59:29 [fhirsch3]

fhirsch3 has joined #xmlsec

07:59:36 [brich]

brich has joined #xmlsec

07:59:37 [fhirsch3]

zakim, who is here?

07:59:37 [Zakim]

On the phone I see Executive_6, klanz2, jcruella

07:59:38 [Zakim]

On IRC I see brich, fhirsch3, csolc, tlr, bal, jcruella, rdmiller, klanz2, Zakim, RRSAgent, trackbot

07:59:43 [pdatta]

pdatta has joined #xmlsec

07:59:54 [csolc]

ScribeNick:csolc

07:59:59 [pdatta]

pdatta has joined #xmlsec

08:02:45 [csolc]

chris will note why we are using byte ranges instead of bit ranges

08:02:59 [gedgar]

gedgar has joined #xmlsec

08:03:51 [klanz2]

q+

08:04:07 [fhirsch3]

tlr: add to requirement clarity on possible attacks with byte ranges

08:04:28 [fhirsch3]

fjh: please include in proposal note on not bit stream, possible limit

08:04:31 [fhirsch3]

ack tlr

08:04:31 [Zakim]

tlr, you wanted to note that Transforms are defined in terms of octet-streams, not bitstreams

08:04:36 [tlr]

q-

08:04:38 [fhirsch3]

ack klanz

08:04:51 [tlr]

that's precisely my question

08:05:00 [fhirsch3]

klanz: how are gaps handled, leave out or fill with 0s?

08:05:12 [tlr]

fill with zeroes, fill with something that's given in the transform, produce output that's byte ranges encapsulated in ASN.1, ...

08:05:16 [jcruella]

q+

08:05:20 [fhirsch3]

csolc: need to consider

08:05:21 [tlr]

(just joking, re ASN.1)

08:05:26 [fhirsch3]

klanz: pls add to proposal

08:05:32 [fhirsch3]

ack jruella

08:05:36 [rdmiller]

rdmiller has joined #xmlsec

08:05:38 [fhirsch3]

ack jcruella

08:06:18 [fhirsch3]

jcreullas: filling with 0s is modifying document, is it not

08:07:46 [fhirsch3]

csolc: transform defined, whether to 0 or compress etc

08:08:09 [gedgar]

gedgar has joined #xmlsec

08:09:33 [klanz2]

q+

08:09:34 [csolc]

klanz2: suggests that we ensure proper defaults are defined

08:09:51 [tlr]

q+

08:10:08 [fhirsch3]

ack klanz

08:10:29 [fhirsch3]

ack tlr

08:10:50 [csolc]

tlr: is there a use case for concat

08:11:08 [fhirsch3]

tls notes signing excerts vs concatenation

08:11:15 [fhirsch3]

s/excerts/excerpts

08:12:08 [fhirsch3]

bal: concat effectively via multiple references

08:12:31 [csolc]

bal: terminal transforms?

08:13:14 [csolc]

Topic: Simple Sign

08:13:16 [csolc]

Simple Signing Strawman requirements

08:13:16 [csolc]

http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0032.html

08:16:26 [brich]

q+

08:18:51 [csolc]

bal: lower level os stuff wants the minimal set of dependancy

08:19:30 [csolc]

... so if simple sign needs xpath, the more libraries you will need

08:22:32 [fhirsch3]

kelvin notes want to leverage platform, offer support at low level without pulling in xml libraries, no XPath etc

08:23:24 [csolc]

brich: you may require to set a policy instead of a max length

08:23:52 [csolc]

.. on the amount of data that is signed.

08:24:35 [fhirsch3]

fhirsch3 has joined #xmlsec

08:25:14 [fhirsch]

fhirsch has joined #xmlsec

08:25:19 [fhirsch]

zakim, who is here?

08:25:19 [Zakim]

On the phone I see Executive_6, klanz2, jcruella

08:25:20 [Zakim]

On IRC I see fhirsch, rdmiller, pdatta, brich, csolc, tlr, bal, jcruella, klanz2, Zakim, RRSAgent, trackbot

08:25:46 [fhirsch]

kelvin notes policy can be in doc rather than apps, since apps could differ

08:25:49 [csolc]

kelvin: the application tells the library the max amount of data that is allowed to be processed.

08:26:12 [fhirsch]

kelvin notes shred, dsobhect can have unsigned items added at higher layer, can break signed items already existant

08:26:43 [csolc]

pdatta: asked about text nodes

08:26:50 [fhirsch]

item - policy in signature

08:28:10 [klanz2]

Off Topic: Can someone taking care of our mainpage, take an action to update http://www.w3.org/2008/xmlsec/#lists and add "public-xmlsec-comments@w3.org" http://lists.w3.org/Archives/Public/public-xmlsec-comments/ , the need to do this is indicated by the following comment: http://lists.w3.org/Archives/Public/public-xmlsec-comments/2008Oct/0000.html

08:28:16 [Geald_Edgar]

Geald_Edgar has joined #xmlsec

08:29:25 [klanz2]

Off Topic continued, maybe also mention the old lists:

08:29:25 [klanz2]

public-xmlsec-discuss@w3.org

08:29:25 [klanz2]

http://lists.w3.org/Archives/Public/public-xmlsec-discuss/

08:29:25 [klanz2]

w3c-ietf-xmldsig@w3.org

08:29:25 [klanz2]

http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/

08:31:08 [csolc]

bal: need to keep in mind about older libraries, how can the new format be supported by older processors

08:31:34 [brich]

q-

08:33:08 [csolc]

fh: this does duplicate a number of the xades reqs

08:33:31 [jcruella]

q+

08:33:41 [csolc]

fh: declarative policy as part of the sig?

08:33:50 [klanz2]

@tlr: shall http://lists.w3.org/Archives/Public/public-xmlsec-comments/2008Oct/0000.html be forwarded to

08:33:50 [klanz2]

www-xml-canonicalization-comments@w3.org

08:33:50 [klanz2]

http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/

08:36:42 [tlr]

bal: Putting policy languages into these requirements is a can of worm.

08:36:47 [tlr]

All: yes, and in the following way

08:37:08 [csolc]

ACTION: Kalvin: Clean up proposal http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0032.html

08:37:08 [trackbot]

Sorry, couldn't find user - Kalvin

08:37:24 [tlr]

ACTION: Kelvin to clean up proposal http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0032.html

08:37:24 [trackbot]

Created ACTION-86 - Clean up proposal http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0032.html [on Kelvin Yiu - due 2008-10-27].

08:37:48 [tlr]

fjh: need to clarify policy-related requirement and why we don't want to do this

08:38:41 [csolc]

bal: may need to declare what are the capabilities of the application.

08:39:19 [klanz2]

q+

08:39:38 [fhirsch]

bal: will need to declare capabilities, relevant for simple low level, or higher level apps

08:39:44 [fhirsch]

ack jcrella

08:39:48 [fhirsch]

ack jcruella

08:40:47 [fhirsch]

bal: at sig generation time declare as part of sig, that sig adhers to part of std

08:41:10 [fhirsch]

bal: verifiers can declare portions they understand

08:41:55 [fhirsch]

jcc: etsi defined language for signature policy

08:42:31 [klanz2]

@jcc do you have a link or reference ...

08:42:55 [csolc]

bal: would like to see levels for the profiles

08:42:58 [fhirsch]

bal: policy limited to statement adhere to level 0 profile, level 1 profele etc

08:43:03 [fhirsch]

s/profele/profile

08:44:05 [fhirsch]

ack klanz

08:44:33 [csolc]

klanz: public mailing lists are not easy access

08:44:38 [tlr]

ACTION: thomas to add link to comment list to public page

08:44:39 [trackbot]

Created ACTION-87 - Add link to comment list to public page [on Thomas Roessler - due 2008-10-27].

08:46:38 [klanz2]

Can you type, when you reconvene please ...

08:46:46 [Zakim]

-klanz2

08:46:51 [Zakim]

-jcruella

08:52:56 [John_Boyer]

John_Boyer has joined #xmlsec

08:56:09 [Zakim]

+John_Boyer

08:56:11 [Zakim]

-John_Boyer

08:56:11 [Zakim]

+John_Boyer

08:56:48 [Zakim]

+wellsk

09:02:43 [csolc]

csolc has joined #xmlsec

09:04:02 [csolc]

Joint Meeting with XForms (11:00 - 12:30)

09:04:05 [fhirsch3]

fhirsch3 has joined #xmlsec

09:04:16 [csolc]

Topic: Joint Meeting with XForms

09:04:26 [fhirsch3]

zakim, who is here?

09:04:26 [Zakim]

On the phone I see Executive_6, John_Boyer, wellsk

09:04:27 [Zakim]

On IRC I see fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, jcruella, klanz2, Zakim, RRSAgent, trackbot

09:05:42 [John_Boyer]

yugma web con session id is 229 481 091

09:05:55 [tlr]

tlr has joined #xmlsec

09:06:37 [fhirsch3]

zakim, who is here

09:06:37 [Zakim]

fhirsch3, you need to end that query with '?'

09:06:43 [fhirsch3]

zakim, who is here?

09:06:43 [Zakim]

On the phone I see Executive_6, John_Boyer, wellsk

09:06:44 [Zakim]

On IRC I see tlr, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, jcruella, klanz2, Zakim, RRSAgent, trackbot

09:07:26 [bal]

bal has joined #xmlsec

09:07:50 [tlr]

zakim, who is on the phone?

09:07:50 [Zakim]

On the phone I see Executive_6, John_Boyer, wellsk

09:08:04 [tlr]

klanz2?

09:08:06 [tlr]

we're back

09:08:23 [fhirsch3]

zakim, who iis here?

09:08:23 [Zakim]

I don't understand your question, fhirsch3.

09:08:28 [fhirsch3]

zakim, who is here?

09:08:28 [Zakim]

On the phone I see Executive_6, John_Boyer, wellsk

09:08:30 [Zakim]

On IRC I see bal, tlr, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, jcruella, klanz2, Zakim, RRSAgent, trackbot

09:09:23 [nick]

nick has joined #xmlsec

09:11:00 [Steeeven]

Steeeven has joined #xmlsec

09:11:23 [unl]

unl has joined #xmlsec

09:11:34 [fhirsch3]

Present+ Steven Pemberton, Ulide Lisse, Nick van den Blecken, Roland Merrick, TV Raman, Charlie Wiecha, Keith Wells, John Boyer

09:12:33 [Steeeven]

s/Bleck/Bleek

09:12:43 [unl]

s/Ulide/Ulrich

09:13:13 [csolc]

John Boyer presentor

09:13:36 [nick]

nick has joined #xmlsec

09:13:45 [Zakim]

+??P5

09:14:01 [Steeeven]

zakim, who is on the phone?

09:14:02 [Zakim]

On the phone I see Executive_6, John_Boyer, wellsk, ??P5

09:14:38 [jcruella]

zakim, ??P5 is jcruella

09:14:38 [Zakim]

+jcruella; got it

09:14:47 [kyiu]

kyiu has joined #xmlsec

09:19:57 [fhirsch3]

presentation in PDF at http://www.w3.org/2008/xmlsec/f2f-2008-10-20/xforms/XMLSignatures.TPAC2008.pdf

09:20:44 [Zakim]

-jcruella

09:21:36 [Zakim]

+??P5

09:21:58 [fhirsch3]

zakim, ??P5 is jcruellas

09:21:58 [Zakim]

+jcruellas; got it

09:24:27 [Zakim]

+??P6

09:24:36 [klanz2]

zakim, ? is klanz2

09:24:36 [Zakim]

+klanz2; got it

09:24:40 [fhirsch3]

s/presentation in PDF/XForms security presentation in PDF/

09:26:07 [fhirsch3]

me at "what if I work offline"

09:26:12 [Steeeven]

"But what if I want to work offline"

09:26:25 [fhirsch3]

s/me at .*//

09:27:52 [fhirsch3]

johnboyer: odf two types, single standalone file or zip file with many resources

09:28:27 [fhirsch3]

odf of presentation at http://www.w3.org/2008/xmlsec/f2f-2008-10-20/xforms/XMLSignatures.TPAC2008.odp

09:29:28 [fhirsch3]

tlr notes zip issue related to widget signing spec

09:30:03 [fhirsch3]

raman notes xml packaging a generic issue in w3c

09:31:24 [fhirsch3]

john notes content.xml is main xml in document, enveloped signature

09:31:34 [fhirsch3]

raman asks if xml base can be used

09:32:05 [Geald_Edgar]

It sounds as though a detatched signature has the potential of signing an information source that no longer exists

09:32:24 [klanz2]

What is the URI scheme for Zip Files, is there one?

09:32:48 [fhirsch3]

detached can only sign as binary opaque reference

09:33:21 [Geald_Edgar]

So XML is detached as a seperate unit witjhin the ODF package, but it is included in the same information resource?

09:33:39 [Geald_Edgar]

s/witjhin/within/

09:34:59 [klanz2]

consider http://java.sun.com/javase/6/docs/api/java/net/JarURLConnection.html for referencing inside zip ... also

09:35:22 [Geald_Edgar]

perhaps the XML signature itself is created as a detached signature, but it is attached withing the ODF file.

09:36:20 [fhirsch3]

reference refers to instance document not entire xforms environment

09:36:28 [fhirsch3]

s/reference/john boyer: reference/

09:36:48 [fhirsch3]

john boyer: using reference with no uri

09:37:46 [csolc]

john wants to sign the odf doc, and since the xml signature is part of the instance data if uri="" is used it refers to the data not the odf doc

09:38:52 [csolc]

see slides for details

09:46:25 [fhirsch3]

john boyer notes at run time separate dom for recording instance data, separate document

09:46:41 [fhirsch3]

tlr- what is base uri for instance document

09:47:33 [fhirsch3]

john boyer - expect same doc reference, signature in instance document

09:47:35 [nick]

nick has joined #xmlsec

09:47:44 [fhirsch3]

zakim, who is here?

09:47:44 [Zakim]

On the phone I see Executive_6, John_Boyer, wellsk, jcruellas, klanz2

09:47:45 [Zakim]

On IRC I see nick, kyiu, unl, Steeeven, bal, tlr, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, klanz2, Zakim, RRSAgent, trackbot

09:49:46 [fhirsch3]

after run time might be serialized back with intial larger document

09:49:58 [fhirsch3]

s/after/john boyer notes after/

09:52:38 [csolc]

john - there are 3 layers, Instance data, the Model and the instance form.

09:55:00 [csolc]

john - there is a difference between the runtime of the model and the serialized version.

09:57:51 [Zakim]

+Ed_Simon

09:58:10 [csolc]

john - since the signatures are being generated at runtime - the references are relative to the containing data dom.

09:58:45 [fhirsch3]

john - separate dom for instance at run time, not serialized or incorpporated until commit, ie. temporary data until accepted

10:06:38 [csolc]

raman - all information except state information is stored in the xforms model.

10:09:00 [csolc]

roman - custom functions must also be signed.

10:10:00 [csolc]

roman - there are custom libraries that can be loaded into xforms.

10:10:22 [fhirsch3]

extensions functions are full XPath

10:12:23 [fhirsch3]

john boyer application can define context for uri

10:13:53 [csolc]

john b - a reference without a uri points to the outer most document.

10:16:11 [fhirsch3]

raman at save time, save original doc plus instance data, to enable restore

10:16:29 [fhirsch3]

john boyer - eg save template and instance data

10:18:44 [csolc]

- instance data can be inline in the doc, fetched once at startup then stored inline, or saved in a remote source

10:21:41 [fhirsch3]

) defined in terms of original document, not data document...

10:21:56 [fhirsch3]

here was defined...

10:23:13 [esimon2]

esimon2 has joined #xmlsec

10:23:28 [klanz2]

maybe XProc would be good way to explain what is going on here ... ;-)

10:28:08 [csolc]

john b - issue with repeating content.

10:28:27 [Zakim]

+ +46.7.09.41.aaaa

10:29:43 [csolc]

john b - section 4.4.3.3.4 xmlsig doc

10:30:56 [csolc]

... input to the first transform should be output of the referencing

10:31:48 [fhirsch3]

zakim, who is here?

10:31:48 [Zakim]

On the phone I see Executive_6, John_Boyer, wellsk, jcruellas, klanz2, Ed_Simon, +46.7.09.41.aaaa

10:31:50 [Zakim]

On IRC I see esimon2, nick, kyiu, unl, Steeeven, bal, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, klanz2, Zakim, RRSAgent, trackbot

10:32:31 [csolc]

... 4.4.3.3.1 counfusion on the output of a non same document reference. does it have to be an octet stream

10:32:52 [Steeeven]

zakim, country code 46?

10:32:52 [Zakim]

I don't understand your question, Steeeven.

10:34:19 [Steeeven]

+46 is Sweden

10:34:31 [fhirsch3]

john boyer - support for uri-less reference required, possible errata.

10:34:39 [fhirsch3]

konrad - can you submit test cases?

10:35:29 [fhirsch3]

bal - cannot mandate application specific feature, but should require it to be allowed

10:35:56 [klanz2]

4.3.3.4 ... The input to the first Transform is the result of dereferencing the URI attribute of the Reference element. ... 4.3.3.1 ... If the URI attribute is omitted altogether, the receiving application is expected to know the identity of the object. For example, a lightweight data protocol might omit this attribute given the identity of the object is part of the application context. This attri

10:35:56 [klanz2]

bute may be omitted from at most one Reference in any particular SignedInfo, or Manifest. ...

10:36:24 [fhirsch3]

bal - what is the interoperability point

10:36:42 [csolc]

bal - could add an imlementation note

10:37:14 [fhirsch3]

klanz your are asking that null can be passed to url resolver

10:37:44 [csolc]

r/imlementation/implementation

10:38:06 [fhirsch3]

klanz - should define own uri scheme in these cases, can then separate from work-arounds

10:41:03 [csolc]

fh - may need a uri identifier for instance data

10:41:32 [csolc]

roman - could define odf:here()

10:41:43 [fhirsch3]

avoid confusion of wether in instance data context or in committed merged document, need to be explicit with explicit URI

10:41:48 [Steeeven]

s/roman/raman/

10:41:53 [fhirsch3]

s/wether/whether

10:43:01 [csolc]

klanz: maybe should use xslt functions

10:43:33 [csolc]

john b - xslt is like poison. too complicated

10:45:12 [csolc]

john b - xslt is also an optional component to xml sigs

10:46:44 [csolc]

klanz - can xinclude be used to resolve the multiple doc issue

10:47:01 [fhirsch3]

is it possible to simplify this

10:47:07 [fhirsch3]

raman notes reflection of interactivity

10:47:25 [klanz2]

q+

10:47:29 [fhirsch3]

john notes even with zip still want node set, still have here issue, even if not here function

10:49:45 [fhirsch3]

concern with complexity, want to make security simpler, sounds complicated to have separate instance and documents, then merge and lose context.

10:50:07 [fhirsch3]

john notes interactive document case works

10:51:01 [fhirsch3]

ack klanz

10:51:11 [klanz2]

q-

10:51:45 [Zakim]

-jcruellas

10:52:21 [csolc]

fh - is it possible for xforms not to use xpath in the signatures

10:52:32 [klanz2]

is it XPath 1.0?

10:52:38 [klanz2]

I'd presume so ..

10:53:31 [fhirsch3]

john offers to summarize use case in terms of instance documents and original, serialization into single document, what is process, issues

10:53:50 [fhirsch3]

also to summarize lessons from implementation and needs regarding here etc.

10:55:00 [Zakim]

-wellsk

10:55:13 [Zakim]

- +46.7.09.41.aaaa

10:55:15 [csolc]

Thanks to the XFORMS foaks

10:55:23 [jcruella]

jcruella has joined #xmlsec

10:55:26 [Zakim]

-John_Boyer

10:55:35 [Zakim]

-klanz2

10:55:39 [jcruella]

sorry, had problems with my labtop

10:55:57 [fhirsch3]

zakim, who is here?

10:55:57 [Zakim]

On the phone I see Executive_6, Ed_Simon

10:55:58 [Zakim]

On IRC I see jcruella, esimon2, kyiu, bal, fhirsch3, csolc, John_Boyer, Geald_Edgar, rdmiller, pdatta, brich, klanz2, Zakim, RRSAgent, trackbot

10:56:05 [csolc]

Breaking for 1 hour lunch

10:56:14 [Zakim]

+??P0

10:56:31 [jcruella]

zakim, P0 is jcruella

10:56:31 [Zakim]

sorry, jcruella, I do not recognize a party named 'P0'

10:57:42 [Zakim]

-Ed_Simon

10:57:44 [Zakim]

-??P0

10:57:45 [Zakim]

-Executive_6

10:57:45 [Zakim]

T&S_XMLSEC()2:30AM has ended

10:57:46 [Zakim]

Attendees were Executive_6, klanz2, jcruella, John_Boyer, wellsk, jcruellas, Ed_Simon, +46.7.09.41.aaaa

12:02:30 [Zakim]

T&S_XMLSEC()2:30AM has now started

12:02:37 [Zakim]

+Ed_Simon

12:03:59 [nick]

nick has joined #xmlsec

12:04:24 [nick]

nick has joined #xmlsec

12:04:31 [nick]

nick has left #xmlsec

12:05:42 [unl]

unl has joined #xmlsec

12:06:56 [esimon2]

esimon2 has joined #xmlsec

12:07:05 [unl]

unl has left #xmlsec

12:09:12 [rdmiller]

scribenick: rdmiller

12:09:17 [csolc]

csolc has joined #xmlsec

12:09:43 [Zakim]

+[IPcaller]

12:09:58 [bal]

bal has joined #xmlsec

12:10:51 [fhirsch3]

fhirsch3 has joined #xmlsec

12:10:59 [fhirsch3]

zakim, who is here?

12:10:59 [Zakim]

On the phone I see Ed_Simon, [IPcaller]

12:11:00 [Zakim]

On IRC I see fhirsch3, bal, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent, trackbot

12:11:18 [jcruella]

zakim, who am I

12:11:18 [Zakim]

I don't understand 'who am I', jcruella

12:11:21 [jcruella]

zakim, who am I?

12:11:21 [Zakim]

I don't understand your question, jcruella.

12:11:22 [pdatta]

pdatta has joined #xmlsec

12:12:39 [fhirsch3]

zakim, please call xmlse

12:12:39 [Zakim]

I am sorry, fhirsch3; I do not know a number for xmlse

12:13:12 [fhirsch3]

zakim, call executive_6

12:13:12 [Zakim]

ok, fhirsch3; the call is being made

12:13:14 [Zakim]

+Executive_6

12:13:28 [fhirsch3]

zakim, who is here?

12:13:28 [Zakim]

On the phone I see Ed_Simon, [IPcaller], Executive_6

12:13:29 [Zakim]

On IRC I see pdatta, fhirsch3, bal, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent, trackbot

12:13:54 [fhirsch3]

zakim, IPcaller is jcc

12:13:54 [Zakim]

+jcc; got it

12:14:29 [rdmiller]

Topic: Review XForms Discussion

12:15:26 [rdmiller]

bah: We need to clarify the application specific behavior og references that are lacking URIs

12:15:36 [rdmiller]

s/bah/bal

12:16:10 [brich]

brich has joined #xmlsec

12:16:26 [rdmiller]

fhirsch3: We need to confirm that signature verification requires an XForms application

12:17:20 [fhirsch3]

s/an XForms/a running XForms/

12:17:39 [rdmiller]

fhirsch3: John from XForms to clarify the processing model and what he needs from XMLSEC to support his implementation.

12:18:38 [rdmiller]

fhirsch3: Concern that the complexity of the XForms processing model and goals seem to run counter to those of the XMLSEC WG.

12:20:02 [G_Edgar]

G_Edgar has joined #xmlsec

12:20:30 [rdmiller]

Topic: NIST Review

12:20:39 [csolc]

http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0033.html

12:21:27 [rdmiller]

bal: Reviewed 2 documents from NIST regarding Radmomized Hashing and approved hash algorithms.

12:22:11 [rdmiller]

NIST SP800-106 Radomized Hashing

12:22:48 [rdmiller]

bal: We could use the radomization of content for references only.

12:23:26 [esimon2]

Which schema? XML Signature's or XML schemas in general?

12:24:57 [fhirsch3]

randomized hashing - modification of any hash alg to add randomization, NIST defines only for sig hash, could do for Dsig hashing

12:25:02 [fhirsch3]

of input to content

12:25:13 [fhirsch3]

bal - xml signature schema

12:25:27 [fhirsch3]

currently define hash alg and any, could define element for salt

12:25:29 [fhirsch3]

optional

12:26:34 [rdmiller]

bal: We would need to update ds:SignatureMethod.

12:27:01 [fhirsch3]

group notes oaep only defined for encryption

12:30:35 [rdmiller]

RESOLUTION: Work on ransomized hashing is a lower priority for the XMLSEC WG and will be deferred until there is a pressing need.

12:31:37 [rdmiller]

fhirsch3: At lunch there was a discussion about releasing a 3rd addition to address addition of algorithms.

12:32:17 [rdmiller]

tlr: If it affects conformance then it will need to at least be a minor edition.

12:32:29 [rdmiller]

s/addition/edition

12:33:35 [fhirsch3]

Present+ Xu Guibao

12:33:41 [Zakim]

+??P13

12:33:44 [fhirsch3]

Xu Guibao joined as observer

12:33:48 [klanz2]

zakim, ? is klanz2

12:33:48 [Zakim]

+klanz2; got it

12:35:29 [fhirsch3]

bal notes may want to deprecate sha1 in 1.1, or not but simply introduce new algs in 1.1

12:35:37 [fhirsch3]

bal notes goal not to change namespace in 1.1

12:36:12 [rdmiller]

bal: We may want to recommend in v.next that old algorithms are not used and then deprecate them in a following version.

12:37:58 [tlr]

tlr has joined #xmlsec

12:40:58 [klanz2]

q+

12:42:02 [klanz2]

q?

12:42:15 [fhirsch3]

tlr if a future version, requires versioning, then need a new namespace is a reading of this

12:42:21 [fhirsch3]

ack klanz

12:42:55 [bal]

q+

12:42:57 [fhirsch3]

q+

12:42:58 [tlr]

q+

12:43:05 [fhirsch3]

q-

12:43:24 [fhirsch3]

ack bal

12:43:38 [klanz2]

http://tools.ietf.org/html/rfc4051

12:43:47 [klanz2]

http://www.w3.org/2001/04/xmldsig-more#

12:43:52 [klanz2]

http://www.w3.org/2000/09/xmldsig#

12:44:59 [rdmiller]

bal: If something changes that breaks backward compatibility then it would require a new namespace.

12:45:52 [rdmiller]

tlr: Prepare a working draft for verion 1.1 where we add algorithms and clarify the versioning policy.

12:46:03 [fhirsch3]

clarify versioning in wd and see if that is acceptable to constituents, including possibly sha-1 deprecation

12:46:04 [jcruella]

q+

12:46:16 [bal]

konrad, so is your point that additional algorithms have already been defined without revving the namespace?

12:46:20 [fhirsch3]

ack tlr

12:46:25 [fhirsch3]

ack jcruella

12:47:02 [fhirsch3]

jcc notes one doc of sig semantics and one for algorithms

12:48:11 [fhirsch3]

jcc this avoids need to constantly change entire for algs

12:48:13 [rdmiller]

TOPIC: Joint Meeting with EXI

12:48:57 [herve]

herve has joined #xmlsec

12:49:05 [youenn]

youenn has joined #xmlsec

12:49:36 [fhirsch3]

Present+ John Schneider, Carine Bournez, Daniel Peintnec, Richard Kantschke

12:49:58 [fhirsch3]

jcc, can you hear?

12:49:59 [dape]

dape has joined #xmlsec

12:50:07 [esimon2]

not well; I'm quite dependent on the IRC

12:50:28 [caribou]

caribou has joined #xmlsec

12:52:10 [fhirsch3]

exi has looked at xml security in more detail

12:52:12 [brutzman]

brutzman has joined #xmlsec

12:52:39 [klanz2]

Re, Algorithm Identifiers (Last Topic) :http://www.w3.org/2007/xmlsec/Group/track/actions/150

12:52:53 [fhirsch3]

some future work is c14n work - use exi to improve performance

12:53:16 [fhirsch3]

reduce what needs to be preserved for verification, e.g. leverage typed values

12:53:52 [fhirsch3]

EXI has parameters , e.g. preserve comments, similar to c14n

12:54:14 [rdmiller]

To improve performance canonicalization with EXI could require the use of some parameters.

12:54:29 [fhirsch3]

EXI encoding for encryptoin - need to specify that encrypted content is exi encoded, encoding attribute

12:54:47 [smullan]

smullan has joined #xmlsec

12:55:53 [rdmiller]

URIs for canonicalization algs when using EXI.

12:56:02 [fhirsch3]

possibly using exe for c1n

12:56:15 [jkangash]

jkangash has joined #xmlsec

12:56:34 [rdmiller]

EXI could provide "type aware" canonicalization to improve performance.

12:57:47 [jcruella]

q+

12:58:21 [fhirsch3]

q+

12:58:52 [fhirsch3]

tom - test cases should be considered

12:59:07 [fhirsch3]

zakim, who is here?

12:59:07 [Zakim]

On the phone I see Ed_Simon, jcc, Executive_6, klanz2

12:59:09 [Zakim]

On IRC I see jkangash, smullan, brutzman, caribou, dape, youenn, herve, tlr, G_Edgar, brich, pdatta, fhirsch3, bal, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent,

12:59:11 [Zakim]

... trackbot

12:59:17 [esimon2]

q+

13:01:22 [fhirsch3]

tom wanting to integrate xml security testing into exi testing, thinking about what is involved

13:01:36 [fhirsch3]

tom effort involves university development

13:02:13 [tlr]

university development?!

13:02:41 [tlr]

don: do signatures survive EXI round-tripping?

13:03:09 [tlr]

tlr: we do have signatures and signed documents that you could run through your tests.

13:03:14 [rkuntsch]

rkuntsch has joined #xmlsec

13:04:20 [fhirsch3]

bal - do two semntically equivalent xml docs do they serialize into two exi serializations?

13:04:35 [fhirsch3]

yes, when consideraing parameters

13:04:52 [fhirsch3]

s/yes/steven, yes/

13:05:06 [fhirsch3]

zakim, who is here?

13:05:06 [Zakim]

On the phone I see Ed_Simon, jcc, Executive_6, klanz2

13:05:07 [rdmiller]

s/consideraing/considering

13:05:08 [Zakim]

On IRC I see rkuntsch, jkangash, smullan, brutzman, caribou, dape, youenn, herve, tlr, G_Edgar, brich, pdatta, fhirsch3, bal, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim,

13:05:10 [Zakim]

... RRSAgent, trackbot

13:05:46 [brutzman]

recap/summary: we have an exi test suite with a corpus of several thousand documents. will be looking to ensure we have sufficient set of encrypted and/or signed documents to properly test round-trip success and interoperability by various EXI processors.

13:06:12 [fhirsch3]

steven, have option to preserve namespace info

13:06:48 [fhirsch3]

q+

13:08:27 [magnus]

magnus has joined #xmlsec

13:08:30 [rdmiller]

tlr: XML Signature is dependant on which EXI paramaters are used.

13:08:42 [pdatta]

q+

13:09:17 [tlr]

ha! Excellent news!

13:09:28 [tlr]

(I hadn't realized that EXI had done this piece of work.)

13:09:33 [rdmiller]

EXI is set to work with canonicalization and is documented in a best practices document.

13:10:00 [brutzman]

EXI Best Practices relevant to security: http://www.w3.org/XML/Group/EXI/docs/best/exi-best-practices.html#security

13:10:25 [tlr]

john: EXI has designed things to be compatible with existing canonicalizations, and there are sets of parameters which will not break XML Security.

13:10:33 [brutzman]

EXI Impacts relevant to security: http://www.w3.org/XML/Group/EXI/docs/impacts/exi-impacts.html#xml-security

13:10:38 [jschneid2]

jschneid2 has joined #xmlsec

13:10:42 [tlr]

... we're now talking about forward-looking work that would permit use of EXI with Signature.

13:12:56 [fhirsch3]

http://www.w3.org/TR/exi-best-practices/#security

13:13:47 [kyiu]

kyiu has joined #xmlsec

13:13:48 [rdmiller]

Ed Simon looked at the EXI document and not the EXI Best Practices

13:14:15 [rdmiller]

fhirsch3: We should review EXI Best Practices.

13:14:15 [fhirsch3]

ack jcc

13:14:24 [fhirsch3]

ack jcruela

13:14:30 [fhirsch3]

ack jcruellas

13:14:34 [fhirsch3]

ack jcruella

13:16:03 [rdmiller]

jcruella: EXI is not caninocalization, but serialization of canonicalization.

13:16:07 [fhirsch3]

best practice, how to use exi with existing c14n algs, using preserve algs

13:16:24 [fhirsch3]

s/preserve algs/preserve parameers

13:16:42 [fhirsch3]

exi could be used as c14n alg in future, topic for joint discussion

13:17:18 [fhirsch3]

s/exi/john wzi

13:17:26 [fhirsch3]

a/wzi/exi

13:18:04 [fhirsch3]

zakim, who is making noise?

13:18:14 [Zakim]

fhirsch3, listening for 10 seconds I heard sound from the following: jcc (49%), Executive_6 (77%)

13:18:48 [fhirsch3]

john, preserving more in exi makes it larger

13:19:22 [fhirsch3]

john, eg no need to preserve lexical values, gaining efficiency

13:20:01 [klanz2]

q+

13:20:36 [fhirsch3]

jcc should signature cover tables

13:20:56 [fhirsch3]

john, tables are implicit

13:21:11 [fhirsch3]

john, part of stream

13:21:24 [brutzman]

EXI Format 1.0, 6.3 Fidelity Options http://www.w3.org/TR/exi/#fidelityOptions lists Preserve.comments Preserve.pis Preserve.dtd Preserve.prefixes Preserve.lexicalValues

13:21:28 [fhirsch3]

ack fhirsch

13:22:32 [rdmiller]

fhirsch3: What is the performance hit of using EXI for canonicalization because of having to use the EXI parser?

13:23:38 [klanz2]

Is there something like in memory EXI as well that expands to APIs like DOM or XPATH on the fly?

13:25:27 [fhirsch3]

question is whether the startup and shutdown time for EXI is too expensive when only performing single sign or verify...

13:25:45 [fhirsch3]

answer is that schema load can take time, but exi is also able to save internal compiled form

13:25:48 [rdmiller]

john: Performance would be based on initial load and number of schemas used.

13:25:54 [fhirsch3]

bal asks about memory footprint

13:26:13 [fhirsch3]

john, string tables but can be limited

13:26:46 [fhirsch3]

john, serialize xml doc or set of xml fragments, which are individual elements + attributes

13:28:23 [fhirsch3]

bal cannot replace c14n with it directly due to input requirement, not a nodeset as input

13:28:24 [klanz2]

Ordered NodeSet ....

13:29:06 [fhirsch3]

bal possible issue if unparented nodeset allowed, would need to be considered

13:29:28 [fhirsch3]

ack esimon

13:30:23 [esimon2]

http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0005.html

13:30:27 [fhirsch3]

ed asks re importance of native formatted signatures

13:31:41 [fhirsch3]

ed, e.g. sign exi format without converting to xml for signing

13:32:53 [G_Edgar]

G_Edgar has joined #xmlsec

13:34:10 [G_Edgar]

I am wondering what might be the impact of "pluggable codecs" on this? I wonder since "pluggable codecs are negotiated.

13:34:41 [brutzman]

XBC was predecessor of EXI group. XML Binary Characterization Use Cases http://www.w3.org/TR/xbc-use-cases

13:34:56 [fhirsch3]

ack pdatta

13:35:23 [fhirsch3]

pratik - does exi preserve ordering

13:35:27 [rdmiller]

ACTION: esimon to look at the EXI use cases.

13:35:27 [trackbot]

Sorry, couldn't find user - esimon

13:35:39 [esimon2]

try esimon2

13:35:42 [fhirsch3]

john, always preserves ordering of elements, not attributes

13:36:13 [rdmiller]

ACTION: esimon2 to lookk at the EXI use cases

13:36:13 [trackbot]

Created ACTION-88 - Lookk at the EXI use cases [on Ed Simon - due 2008-10-27].

13:36:53 [fhirsch3]

john, attribute order can be preserved as part of serializion, might need switch in EXI for writing out attribute order

13:37:13 [G_Edgar]

Are attribute orders part of any Codec?

13:37:14 [fhirsch3]

action 88 is on test cases

13:37:14 [trackbot]

Sorry, couldn't find user - 88

13:37:44 [G_Edgar]

+q

13:37:50 [fhirsch3]

john, also keep track of encoding options

13:38:14 [fhirsch3]

pratik canonicalization often last step to digest, hence space benefits may not be valuable

13:38:27 [anil]

anil has joined #xmlsec

13:38:47 [brutzman]

upon decompressing an EXI document, element order is preserved but attribute order is not (as specified in XML Infoset). nevertheless it is possible to reapply canonicalization upon recreation of the XML document from EXI. perhaps EXI should add a switch to preserve canonicalization upon decompression. this would seem to be necessary in order to preserve signature.

13:39:10 [fhirsch3]

john, can serialize direct from model to exi, not necessarily via xml

13:39:25 [fhirsch3]

... hence faster

13:40:15 [fhirsch3]

ack klanz

13:40:36 [fhirsch3]

exi implementation can offer different modes, e.g. from DOM, SAX etc. open source exisits

13:41:55 [rdmiller]

john: EXI is not designed to be an in memory represenation but specifici parts of the EXI strream can be referenced using self contained sub-trees.

13:41:55 [fhirsch3]

john, exi is interchange format, can have self-contained subtrees, meetin requirements for random access

13:42:16 [rdmiller]

s/specifici/specific

13:42:26 [fhirsch3]

q?

13:43:14 [rdmiller]

john: If not preserving namespace declarations EXI stores the qualified names direclty which is the full identity of the URI.

13:46:34 [fhirsch3]

ack G_Edgar

13:47:20 [fhirsch3]

disallow plugabble codecs

13:47:41 [klanz2]

Could we have some pointers to implemtations/Implementation Reports for EXI

13:47:52 [klanz2]

I'd be interested finding one that offers a DOM API

13:49:04 [klanz2]

http://lists.w3.org/Archives/Public/public-exi/2008Sep/0001.html

13:49:21 [Zakim]

-jcc

13:49:32 [Zakim]

-klanz2

14:00:06 [Zakim]

+ +1.781.515.aaaa

14:00:22 [magnus]

zakim, magnus is aaaa

14:00:22 [Zakim]

sorry, magnus, I do not recognize a party named 'magnus'

14:01:12 [klanz2]

zakim, aaaa is magnus

14:01:12 [Zakim]

+magnus; got it

14:09:30 [fhirsch3]

zakim, who is here?

14:09:30 [Zakim]

On the phone I see Ed_Simon, Executive_6, magnus

14:09:31 [Zakim]

On IRC I see anil, G_Edgar, magnus, jkangash, smullan, brutzman, caribou, dape, herve, brich, pdatta, fhirsch3, csolc, esimon2, jcruella, rdmiller, klanz2, Zakim, RRSAgent,

14:09:34 [Zakim]

... trackbot

14:10:18 [bal]

bal has joined #xmlsec

14:11:18 [esimon2]

I'm back.

14:11:34 [tlr]

tlr has joined #xmlsec

14:13:04 [rdmiller2]

rdmiller2 has joined #xmlsec

14:13:45 [Zakim]

+??P15

14:13:56 [jcruella]

juan carlos

14:14:28 [jcruella]

zakim, P15 caller is jcruella

14:14:28 [Zakim]

I don't understand 'P15 caller is jcruella', jcruella

14:14:43 [caribou]

me http://www.ermitage-du-riou.fr/french/company/gastronomy.asp

14:14:55 [jcruella]

zakim, P15 caller is jcc

14:14:55 [Zakim]

I don't understand 'P15 caller is jcc', jcruella

14:15:05 [bal]

zakim, +P15 is jcc

14:15:05 [Zakim]

sorry, bal, I do not recognize a party named '+P15'

14:15:11 [jcruella]

zakim, +P15 caller is jcc

14:15:11 [Zakim]

I don't understand '+P15 caller is jcc', jcruella

14:15:12 [bal]

zakim, P15 is jcc

14:15:13 [Zakim]

sorry, bal, I do not recognize a party named 'P15'

14:15:28 [jcruella]

zakim, +P15 caller is jcruella

14:15:28 [Zakim]

I don't understand '+P15 caller is jcruella', jcruella

14:15:50 [bal]

zakim, ??P15 is jcc

14:15:50 [Zakim]

+jcc; got it

14:16:11 [jcruella]

thanks!!

14:18:35 [rkuntsch]

rkuntsch has joined #xmlsec

14:19:28 [jkangash]

XBC use cases: http://www.w3.org/TR/xbc-use-cases/

14:19:47 [Zakim]

+??P16

14:19:49 [rdmiller]

john: Usecases are XBC and usecases are on the EXI webpage as part of the testing framework.

14:19:50 [klanz2]

zakim, ? is klanz 2

14:19:50 [Zakim]

I don't understand '? is klanz 2', klanz2

14:20:04 [klanz2]

zakim, ? is klanz2

14:20:04 [Zakim]

+klanz2; got it

14:20:08 [csolc]

note: for xmlsec to use EXI as a canonicalization alg, EXI would have to add as part of the spec a rule on what order attributes are written out.

14:21:30 [rdmiller]

fhirsch3: We may want to think about using EXI for canonicalization and how it may improve XML Signature performance.

14:25:06 [rdmiller]

fhirsch3: Case number 1 is increase XMLSec for instances that are not aware of EXI.

14:26:43 [youenn]

youenn has joined #xmlsec

14:26:44 [rdmiller]

fhirsch3: Case number 2 is to improve XMLSec within EXI.

14:27:14 [esimon2]

Ideally, want to EXI doc before encrypting.

14:28:00 [anil]

anil has left #xmlsec

14:28:05 [klanz2]

Re Previous Discussaion: There might be similarites between "transform primitives" and what EXI calls the things you do not care about ... http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0000.html

14:28:41 [rdmiller]

john: XML Enc may not be able to take advantage of the performance increase of EXI without significant pain.

14:28:58 [Zakim]

-Executive_6

14:29:10 [magnus]

Did we just loose the conference bridge?

14:29:11 [klanz2]

you lost the connection

14:29:14 [esimon2]

the phone line seems dead

14:29:27 [jcruella]

I also lost connection

14:29:29 [fhirsch3]

zakim, call executive_6

14:29:29 [Zakim]

ok, fhirsch3; the call is being made

14:29:30 [Zakim]

+Executive_6

14:29:42 [jcruella]

OK... it works again

14:31:13 [klanz2]

[s1] <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'

14:31:13 [klanz2]

Type='http://www.w3.org/2001/04/xmlenc#Element'/>

14:31:13 [klanz2]

[s2] <EncryptionMethod

14:31:13 [klanz2]

Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>

14:31:13 [klanz2]

[s3] <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>

14:31:14 [klanz2]

[s4] <ds:KeyName>John Smith</ds:KeyName>

14:31:16 [klanz2]

[s5] </ds:KeyInfo>

14:31:18 [klanz2]

[s6] <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>

14:31:20 [klanz2]

[s7] </EncryptedData>

14:31:27 [klanz2]

Maybe use another Algorith Identifier

14:31:42 [klanz2]

s/Algorith/Algorithm/

14:32:08 [klanz2]

http://www.w3.org/2008/10/exi/xmlenc#tripledes-cbc

14:32:14 [klanz2]

or similar

14:33:29 [fhirsch3]

consideration of using mimetype attribute

14:33:41 [klanz2]

http://www.w3.org/TR/xmlenc-core/#sec-EncryptedType

14:34:05 [fhirsch3]

note two areas, 1st use of exi to improve xml security, here for c14n in signature worth consideration

14:34:19 [fhirsch3]

second, integration with exi tighter

14:34:21 [anil]

anil has joined #xmlsec

14:34:49 [fhirsch3]

main pain point in exi is encryption due to size of cipherdata, from xml, here exi first then encryptoin would help

14:35:01 [fhirsch3]

mimetype

14:35:22 [rdmiller]

s/encryptoin/encryption

14:36:05 [rdmiller]

john: EXI could possibly be used with XML Enc as it is with a minor tweak to identify the encrypted data as EXI.

14:37:28 [esimon2]

q+

14:38:14 [brutzman]

brutzman has joined #xmlsec

14:38:41 [fhirsch3]

ack esimon

14:39:50 [rdmiller]

john: Mapping from XML for XML encryption to EXI is relatively straight forward.

14:41:12 [rdmiller]

john: the work to allow EXI as a canonicalization method should benefit both the XMLSEC and EXI WGs.

14:42:20 [rdmiller]

bal: Supporting XML Enc within EXI will require a change to XML Enc, ref section 4.2.

14:44:11 [rdmiller]

fhirsch3: We understand how to support EXI for XML Enc, but need to be mindful of interoperability.

14:45:06 [rdmiller]

fhirsch3: We also need to work the W3C Rec process.

14:45:49 [rdmiller]

john: No current pressing need for EXI from the XMLSEC WG.

14:46:05 [rdmiller]

pdatta: We cannot use a MIME type directly.

14:46:35 [rdmiller]

fhirsch3: We were discussing using a new type element.

14:47:06 [magnus]

queue+

14:47:40 [pdatta]

bal: EXI could define a new types EXIelement

14:48:03 [klanz2]

http://www.w3.org/TR/xmlenc-core/#sec-EncryptedType

14:48:05 [pdatta]

bal: this can be done outside XML Encryption spec

14:48:13 [klanz2]

<attribute name='Type' type='anyURI' use='optional'/>

14:48:14 [klanz2]

<attribute name='MimeType' type='string' use='optional'/>

14:48:14 [klanz2]

<attribute name='Encoding' type='anyURI' use='optional'/>

14:48:59 [fhirsch3]

ack magnus

14:49:31 [klanz2]

q+

14:49:53 [fhirsch3]

discussion, use type attribute, uri defined by EXI team and processing rules

14:49:56 [fhirsch3]

ack klanz

14:49:56 [pdatta]

jakko: does EXI need both EXIelment and EXIContent, probably not because EXI does not propobably support mixed content , so only EXIElment is ok

14:50:10 [rdmiller]

fhirsch3: EXI should define the URI and processing rules for XML Enc support.

14:50:41 [brutzman]

wondering, where is the test/examples corpus for XMLSEC mentioned earlier today?

14:50:50 [klanz2]

Process decrypted data if Type is unspecified or is not 'element' or element 'content'.

14:50:50 [klanz2]

1. The cleartext octet sequence obtained in Step 3 MUST be returned to the application for further processing along with the Type, MimeType, and Encoding attribute values when specified. MimeType and Encoding are advisory. The Type value is normative as it may contain information necessary for the processing or interpration of the data by the application.

14:50:50 [klanz2]

2. Note, this step includes processing data decrypted from an EncryptedKey. The cleartext octet sequence represents a key value and is used by the application in decrypting other EncryptedType element(s).

14:51:00 [fhirsch3]

in this case EXI) to interpret

14:51:38 [fhirsch3]

if not element or elementcontent then exi can interpret

14:52:26 [fhirsch3]

bal exi takes care of decryption, into dom then exi

14:52:36 [pdatta]

bal: XML encryption spec says that if type is not element or content, then hand it back to application, is EXI the application ?

14:53:14 [rdmiller]

fhirsch3: Using EXI for canonicalization will require further work outside of this meeting.

14:55:07 [pdatta]

john: three things a) using EXI for canonicalization, b) define new algorithm URI for EXI canoncailzation, c) new type for Encryption EXIelement

14:56:01 [rdmiller]

fhirsch3: Performance measurements regarding the use of EXI for canoniclaization would be helpful.

14:57:04 [rdmiller]

EXI does have a test framework for measuring compression and decompression that is a Java based framework.

14:57:18 [rdmiller]

It can measure both Java and C++

14:58:21 [tlr]

ACTION: thomas to update homepage with information test suites

14:58:21 [trackbot]

Created ACTION-89 - Update homepage with information test suites [on Thomas Roessler - due 2008-10-27].

14:59:38 [brutzman]

The EXI test corpus is online at http://www.movesinstitute.org/exi

15:01:08 [brutzman]

The EXI test corpus is hosted at Naval Postgraduate School in Monterey

15:01:22 [rdmiller]

fhirsch3: It may make sense to have a joint EXI XMLSEC session at the next XMLSEC F2F (13-14 January 2009).

15:01:53 [brutzman]

The EXI test corpus is based on Japex https://japex.dev.java.net - "Japex is a simple yet powerful tool to write Java-based micro-benchmarks."

15:03:47 [pdatta]

john: In the case where the fidelity is not important - e.g. in web services an EXI bases canonicalization will be advantageous

15:04:31 [rdmiller]

fhirsch3: What is the benefit of EXI users to use EXI canonicalization?

15:04:42 [pdatta]

bal: in web services fidelty is important - shred and reconstruct use cases

15:04:56 [rdmiller]

john: We have some information based on a customer experiment that was done in 2006.

15:07:25 [rdmiller]

fhirsch3: Do the benefits of using EXI for canonicalization outweigh the costs for adding everything needed to process EXI?

15:08:38 [pdatta]

fhirsch3: Using EXI for canoncalization adds more dependent libraries - need to evaluate this

15:11:29 [jkangash]

jkangash has left #xmlsec

15:13:03 [dape]

dape has joined #xmlsec

15:13:04 [brutzman]

bye

15:13:27 [dape]

dape has left #xmlsec

15:14:04 [youenn]

youenn has joined #xmlsec

15:14:29 [klanz2]

Please find answer to Sue Hoylen's Question: http://lists.w3.org/Archives/Member/member-xmlsec/2008Oct/0011.html

15:18:23 [rdmiller]

TOPIC: Hoylen Response

15:18:31 [klanz2]

http://lists.w3.org/Archives/Member/member-xmlsec/2008Oct/0012.html

15:21:39 [caribou]

caribou has left #xmlsec

15:21:41 [klanz2]

http://lists.w3.org/Archives/Public/public-xmlsec-comments/2008Oct/0000.html

15:22:25 [rdmiller]

fhirsch3: The response looks reasonable.

15:23:13 [rdmiller]

RESOLUTION: Konrad's response to Sue Hoylen is fine and Konrad will send it.

15:25:32 [rdmiller]

RESOLUTION: Add Hal's Web Services info into the requirements doc.

15:26:36 [rdmiller]

ACTION: kyiu to provide a draft for the requirements document of the simple signing requirements.

15:26:37 [trackbot]

Created ACTION-90 - Provide a draft for the requirements document of the simple signing requirements. [on Kelvin Yiu - due 2008-10-27].

15:27:47 [rdmiller]

ACTION: jcruella to provide a draft for the requirements document for long term signatures.

15:27:47 [trackbot]

Created ACTION-91 - Provide a draft for the requirements document for long term signatures. [on Juan Carlos Cruellas - due 2008-10-27].

15:33:54 [rdmiller]

TOPIC: Web Apps Prep

15:33:55 [tlr]

http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0076.html

15:34:53 [herve]

herve has left #xmlsec

15:35:04 [rdmiller]

tlr: WebApps is writing a profile of XML Signature for signing widgets.

15:36:53 [rdmiller]

tlr: WebApps want to know what set of algorithms should be mandatory?

15:38:32 [klanz2]

http://tools.ietf.org/html/rfc4051

15:38:54 [klanz2]

http://tools.ietf.org/html/rfc4051#section-2.1.2

15:39:28 [klanz2]

http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sha256

15:40:11 [klanz2]

RSA-SHA256

15:40:11 [klanz2]

http://tools.ietf.org/html/rfc4051#section-2.3.2

15:40:31 [klanz2]

http://tools.ietf.org/html/rfc4051#section-2.3.6

15:40:34 [klanz2]

ECDSA

15:43:03 [klanz2]

RFC 4051 is PROPOSED STANDARD in http://tools.ietf.org/html/rfc4051 ...

15:43:23 [fhirsch3]

http://www.w3.org/2008/xmlsec/track/issues/59

15:43:35 [rdmiller]

ACTION: kyiu to make a proposal for Issue 59.

15:43:35 [trackbot]

Created ACTION-92 - Make a proposal for Issue 59. [on Kelvin Yiu - due 2008-10-27].

15:45:03 [klanz2]

http://lists.w3.org/Archives/Public/public-xmlsec-discuss/2008Mar/0000.html

15:45:11 [magnus]

For HMAC, there are also some identifiers in RFC 4231

15:46:41 [klanz2]

http://tools.ietf.org/html/draft-eastlake-additional-xmlsec-uris-00

15:46:49 [klanz2]

that is the expired draft ...

15:47:34 [tlr]

I propose seeking review by the IETF security directorate.

15:48:25 [fhirsch3]

q+

15:48:50 [klanz2]

We MUST not forget about this one that was added to the expired draft ...

15:48:50 [klanz2]

http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160

15:48:50 [klanz2]

http://tools.ietf.org/html/draft-eastlake-additional-xmlsec-uris-00#section-2.3.6

15:49:21 [rdmiller]

pdatta: I recommend adding a table for recommendations regarding bit strength.

15:49:45 [rdmiller]

bal: I recommend not doing that and pointing to the relevant NIST doc.

15:50:07 [klanz2]

can we make sure all the URIs and references we have here in the minutes, are revisited by the person taking the action of collecting this stuff

15:51:55 [rdmiller]

4051 covers all of the algorithms that are not covered elswhere, but does not point to the ones that are covered.

15:51:59 [fhirsch3]

summary, can answer widgets re alg identifiers using sha256 uri from encryption for reference hashing and rsa-sha256 from 4051

15:53:10 [rdmiller]

bal: Who will implement the checks for WebApps?

15:55:28 [rdmiller]

TOPIC: Action Review

15:56:13 [rdmiller]

fhirsch3: All actions items can be closed.

15:56:34 [klanz2]

bye everyone ...

15:56:44 [magnus]

q

15:56:52 [rdmiller]

Recessing until tomorrow morning.

15:57:01 [Zakim]

-magnus

15:57:30 [esimon2]

bye

15:57:45 [Zakim]

-Ed_Simon

15:57:50 [jcruella]

bye have a nice dinner !!

15:58:03 [Zakim]

-jcc

15:58:05 [klanz2]

bye every one

15:58:13 [Zakim]

-klanz2

15:58:26 [rdmiller]

Zakim, list participants

15:58:26 [Zakim]

As of this point the attendees have been Ed_Simon, Executive_6, jcc, klanz2, +1.781.515.aaaa, magnus

15:58:33 [fhirsch3]

recess until tomorrow, thank you

15:58:35 [rdmiller]

RRSAgent, make log member

15:58:52 [rdmiller]

RRSAgent, generate minutes

15:58:52 [RRSAgent]

I have made the request to generate http://www.w3.org/2008/10/20-xmlsec-minutes.html rdmiller

15:59:06 [rdmiller]

Zakim, bye

15:59:06 [Zakim]

leaving. As of this point the attendees were Ed_Simon, Executive_6, jcc, klanz2, +1.781.515.aaaa, magnus

15:59:06 [Zakim]

Zakim has left #xmlsec

16:03:03 [fhirsch3]

Present+ Jaakko Kangasharju, Taki Kamiya, Bede Mccall, Youenn Fabuet, Herve Ruellan, Don Brutzman

16:03:53 [fhirsch3]

Present+ John Boyer, Steven Pemberton, Ultide Lisse, Nick Van den Blecken, Roland Merrick, TV Raman, Charlie Wiecha

16:04:16 [fhirsch3]

Present+ Keith Wells

16:04:42 [fhirsch3]

observers included Bede, Youenn, Herve, Xu

16:05:09 [fhirsch3]

RRSAgenda, generates minutes

16:05:25 [fhirsch3]

RRSAgent, generate minutes

16:05:25 [RRSAgent]

I have made the request to generate http://www.w3.org/2008/10/20-xmlsec-minutes.html fhirsch3

16:08:26 [bal]

bal has joined #xmlsec