14:45:43 RRSAgent has joined #xmlsec
14:45:43 logging to http://www.w3.org/2008/11/04-xmlsec-irc
14:45:45 RRSAgent, make logs member
14:45:47 Zakim, this will be XMLSEC
14:45:47 ok, trackbot; I see T&S_XMLSEC()10:00AM scheduled to start in 15 minutes
14:45:48 Meeting: XML Security Working Group Teleconference
14:45:48 Date: 04 November 2008
14:46:02 Chair: Frederick Hirsch
14:46:26 Agenda: http://lists.w3.org/Archives/Public/public-xmlsec/2008Nov/0001.html
14:46:40 Regrets: Thomas Roessler
14:46:53 Scribe: Shivaram Mysore
14:47:05 zakim, what is the code?
14:47:05 the conference code is 965732 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), fjh
14:49:49 shivaram has joined #xmlsec
14:53:27 cool - thanks
14:55:20 T&S_XMLSEC()10:00AM has now started
14:55:27 + +1.408.907.aaaa
14:56:29 magnus has joined #xmlsec
14:57:56 +Frederick_Hirsch
14:58:11 zakim, who is here?
14:58:11 On the phone I see shivaram, Frederick_Hirsch
14:58:13 On IRC I see magnus, shivaram, RRSAgent, fjh, anil, Zakim, klanz2, trackbot
14:58:32 smullan has joined #xmlsec
14:59:57 csolc has joined #xmlsec
15:00:27 zakim, who is here?
15:00:27 On the phone I see shivaram, Frederick_Hirsch
15:00:29 On IRC I see csolc, smullan, magnus, shivaram, RRSAgent, fjh, anil, Zakim, klanz2, trackbot
15:00:36 +??P2
15:00:41 + +1.617.876.aabb
15:00:43 pdatta has joined #xmlsec
15:01:02 +Ed_Simon
15:01:05 + +1.781.993.aacc
15:01:06 zakim, aabb is smullan
15:01:06 +smullan; got it
15:01:27 + +5aadd
15:01:31 zakim, aacc is hlockhart
15:01:31 +hlockhart; got it
15:01:32 zakim, aadd is csolc
15:01:32 +csolc; got it
15:01:33 jwray has joined #xmlsec
15:01:38 zakim, who is here?
15:01:38 On the phone I see shivaram, Frederick_Hirsch, klanz2, smullan, Ed_Simon, hlockhart, csolc
15:01:40 On IRC I see jwray, pdatta, csolc, smullan, magnus, shivaram, RRSAgent, fjh, anil, Zakim, klanz2, trackbot
15:01:42 +[Oracle]
15:02:01 + +1.425.237.aaee
15:02:06 zakim, Oracle is pdatta
15:02:06 +pdatta; got it
15:02:14 zakim, aaee is gerald
15:02:14 +gerald; got it
15:02:17 + +1.978.244.aaff
15:02:19 zakim, who is here?
15:02:19 On the phone I see shivaram, Frederick_Hirsch, klanz2, smullan, Ed_Simon, hlockhart, csolc, pdatta, gerald, +1.978.244.aaff
15:02:22 GeraldE has joined #xmlsec
15:02:26 On IRC I see jwray, pdatta, csolc, smullan, magnus, shivaram, RRSAgent, fjh, anil, Zakim, klanz2, trackbot
15:02:29 + +1.614.247.aagg
15:02:30 zakim, aaff is jwray
15:02:32 scantor has joined #xmlsec
15:02:38 +jwray; got it
15:02:41 brich has joined #xmlsec
15:02:54 + +1.512.401.aahh
15:02:54 jcruella has joined #xmlsec
15:03:07 Agenda: http://lists.w3.org/Archives/Public/public-xmlsec/2008Nov/0001.html
15:03:12 zakim, aahh is brich
15:03:18 + +1.206.726.aaii
15:03:20 +brich; got it
15:03:20 zakim, who is here?
15:03:24 On the phone I see shivaram, Frederick_Hirsch, klanz2 (muted), smullan, Ed_Simon, hlockhart, csolc, pdatta, gerald, jwray, +1.614.247.aagg, brich, +1.206.726.aaii
15:03:29 bal has joined #xmlsec
15:03:31 + +0468725aajj
15:03:34 On IRC I see jcruella, brich, scantor, GeraldE, jwray, pdatta, csolc, smullan, magnus, shivaram, RRSAgent, fjh, anil, Zakim, klanz2, trackbot
15:03:36 zakim, aajj is magnus
15:03:43 +magnus; got it
15:03:51 zakim, aaii is bal
15:03:56 +bal; got it
15:04:00 zakim, who is here?
15:04:09 On the phone I see shivaram, Frederick_Hirsch, klanz2 (muted), smullan, Ed_Simon, hlockhart, csolc, pdatta, gerald, jwray, +1.614.247.aagg, brich, bal, magnus
15:04:16 On IRC I see bal, jcruella, brich, scantor, GeraldE, jwray, pdatta, csolc, smullan, magnus, shivaram, RRSAgent, fjh, anil, Zakim, klanz2, trackbot
15:04:25 +[IPcaller]
15:04:29 TOPIC: Administrivia:
15:04:35 +Robert_Miller
15:04:37 zakim, IPcaller is jcc
15:04:41 zakim, who is here?
15:04:45 +jcc; got it
15:04:50 On the phone I see shivaram, Frederick_Hirsch, klanz2 (muted), smullan, Ed_Simon, hlockhart, csolc, pdatta, gerald, jwray, +1.614.247.aagg, brich, bal, magnus, jcc, Robert_Miller
15:04:59 On IRC I see bal, jcruella, brich, scantor, GeraldE, jwray, pdatta, csolc, smullan, magnus, shivaram, RRSAgent, fjh, anil, Zakim, klanz2, trackbot
15:05:06 25 November, 23 December, 30 December 2008 Teleconferences have been
15:05:09 cancelled
15:05:29 http://www.w3.org/2008/xmlsec/Group/Overview.html#upcoming-meetings
15:05:49 Folks should plan for travel to Redwood City, CA
15:05:52 13-14 January, redwood city
15:06:18 TOPIC: Liaisons and Coordination
15:07:04 SSTC: what is the general practice in the field
15:08:14 WS-Policy: there will be an errata regarding C14N and no revision of the spec itself
15:08:23 +[Microsoft]
15:09:10 TOPIC: Minutes from F2F 20-21 October 2008
15:09:15 zakim, Microsoft is kelvin
15:09:15 +kelvin; got it
15:09:30 they will be approved next week after getting input from other teams
15:09:42 TOPIC: Transform Simplification
15:09:54 http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html
15:11:02 rdmiller has joined #xmlsec
15:11:06 kyiu has joined #xmlsec
15:11:38 http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0047.html
15:11:57 q+
15:12:09 zakim, kelivin is kyiu
15:12:09 sorry, shivaram, I do not recognize a party named 'kelivin'
15:12:17 zakim, kelvin is kyiu
15:12:17 +kyiu; got it
15:13:01 ack klanz
15:13:05 Bal: states that there is a lot of history here. There are benefits to stating that "I am signing exactly this..."
15:13:15 bhill has joined #xmlsec
15:13:56 + +1.303.229.aakk
15:14:00 q+
15:14:03 Konrad: expressed concern on referencing data in transformations
15:14:19 zakim, aakk is bhill
15:14:19 +bhill; got it
15:14:57 Don't intermingle selection, etc with exactly what is signed
15:15:45 hlockhar has joined #xmlsec
15:15:50 subu has joined #xmlsec
15:16:18 + +91.97.40.98.aall
15:16:20 zakim, aagg is scantor
15:16:20 +scantor; got it
15:17:10 zakim, aall is subu
15:17:10 +subu; got it
15:18:20 The goal is to reduce complexity, while including the maximum number of use cases
15:18:54 +1 to jwray
15:19:18 jwray notes that could sign xslt and they apply after signing etc to avoid attack issues
15:20:50 Request Pratik Datta to look into jwray's email
15:21:13 s/jwray/klanz2
15:21:32 s/klanz2 email/transform note
15:21:33 what do you mean by "reselection"
15:22:10 q+
15:22:36 ack pdatta
15:22:40 ack klanz
15:24:41 klanz2 would like to see a minor revision to 1.0 XML Sig and not break too much compatibility, but, use a more restricted set
15:24:50 want to simplify so you can reduce complexity and this leads to more performant implementations
15:25:14 it also reduces the attack surface.
15:25:37 subu has joined #xmlsec
15:25:44 klanz noted that could have two ds:Reference elements, one old style, one new
15:25:48 anil has left #xmlsec
15:26:38 ACTION: klanz2 to email list with specifics on this performant implementaiton
15:26:38 Created ACTION-99 - Email list with specifics on this performant implementaiton [on Konrad Lanz - due 2008-11-11].
15:27:28 I'm not sure the Action reflects what we were discussing?
15:27:56 q+
15:27:58 ACTION: klanz to email proposal regarding 2 ds:References, old and new
15:27:58 Created ACTION-100 - Email proposal regarding 2 ds:References, old and new [on Konrad Lanz - due 2008-11-11].
15:28:16 +q
15:28:30 ack klanz
15:28:34 ack bal
15:28:59 bal does not see XSLT as essential. It can be more of a security hole
15:29:00 bal doesn't see xslt as essential to xml signature transform chain, view as security risk
15:29:03 +1
15:29:05 +1
15:29:18 esimon2 has joined #xmlsec
15:29:48 q+
15:31:29 discussion of whether signature over presentation or data..
15:31:53 ack fjh
15:32:16 Bal notes that he is more concerned about data and not much about the presentation aspects for Signature objects
15:33:02 q+
15:33:57 There is discussion of the implication of what is signed and how it is presented and the implication of verification of presentation layer
15:34:07 ck csolc
15:34:40 ack csolc
15:35:00 q+
15:35:07 why not perform xslt processing before Reference processing
15:35:19 then sign xslt transform as well as what else is required for auditing.
15:35:37 this simplifies xml signature processing, reduces risks, and brings transformation closer to application layer
15:37:52 zakim, who is making noise?
15:38:04 fjh, listening for 10 seconds I heard sound from the following: Frederick_Hirsch (13%), klanz2 (19%), bal (50%)
15:38:13 zakim, mute bal
15:38:13 bal should now be muted
15:38:28 shivaram: states that maybe we should separate out Data and Presentation use of Signing
15:38:52 and create appropriate best practices
15:39:08 ack shivaram
15:41:21 konrad notes that xslt not a risk if xslt instance is trusted and reviewed
15:42:26 -hlockhart
15:42:27 Use case: if there is an XSLT that is trusted and tested, then one should be able to use it
15:42:50 TOPIC: Open Action Review
15:44:59 q+
15:45:10 ffj: states piece mealing spec items so that we can get them resolved faster & better. Then we can piece it together to make it into our requirements doc
15:45:31 ffj requests suggestions and comments on best ways to achieve the same
15:45:52 s/ffj/fhj/
15:46:26 ACTION: fjj to provide a detailed roadmap on getting to the end game of Requirements
15:46:26 Sorry, couldn't find user - fjj
15:46:34 Bruce_Rich has joined #xmlsec
15:46:43 ACTION: fjh to provide a detailed roadmap on getting to the end game of Requirements
15:46:43 Created ACTION-101 - Provide a detailed roadmap on getting to the end game of Requirements [on Frederick Hirsch - due 2008-11-11].
15:47:31 http://www.w3.org/2008/xmlsec/track/actions/open
15:48:34 q+
15:48:38 ack klanz2
15:49:13 http://www.w3.org/2008/xmlsec/track/actions/13
15:50:30 http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0034.html
15:50:51 ACTION-13
15:51:03 action 13 done, will add email
15:51:03 Sorry, couldn't find user - 13
15:51:18 action 24 2008-12-01
15:51:18 Sorry, couldn't find user - 24
15:51:27 The proposal basically was to use hints to stipulate how a chain of transforms will behave in terms of streaming processing
15:51:43 set deadline for action 24 to end november
15:52:42 set deadline for action 13 to 11 november
15:52:50 set deadline for action 13 to next week for shivaram
15:53:27 the action 52 went into transform primitives
15:53:36 action-52 closed
15:53:36 ACTION-52 Attempt summarizing recent discussions as input for design document closed
15:54:17 konrad, derive requirements for simple transform
15:54:53 add transform primitives to requirements document?
15:55:17 need to discuss list of transforms, or canonicalization
15:56:08 http://www.w3.org/TR/xptr-element/
15:56:24 add to next week agenda discussion of transform primitives, xpointer element
15:56:35 maybe also http://www.w3.org/TR/xptr-xmlns/
15:57:06 could be an easy way to be used for selection ...
15:57:22 set date for 55 to next week
15:58:36 part of material for action-66 from norm
15:59:09 http://lists.w3.org/Archives/Public/public-xmlsec/2008Nov/0002.html
16:00:18 set date for 85 to next week
16:01:25 kelvin will work on algorithms first then 86
16:02:30 subu has joined #xmlsec
16:02:51 planning to look at 88 end dec
16:02:59 -Robert_Miller
16:03:54 to close either 86 or 90, duplication
16:04:01 very initial draft in: http://lists.w3.org/Archives/Public/public-xmlsec/2008Nov/0006.html
16:04:27 close action-91
16:04:28 ACTION-91 Provide a draft for the requirements document for long term signatures. closed
16:05:51 kelvin provided list of uris at f2f
16:06:00 close action-92
16:06:00 ACTION-92 Propose text for note providing an index to XML Security URIs closed
16:07:38 discussion of action-94, algorithms for 1.1
16:07:41 could you please, type to the chat ...
16:08:35 q+
16:08:40 q-
16:08:50 ack bal
16:09:00 q-
16:09:39 http://tools.ietf.org/html/rfc4050
16:09:47 http://tools.ietf.org/html/rfc4051
16:10:25 4050 is INFORMATIONAL ...
16:10:47 bal: inelegant markup ... ?
16:11:14 proposal? -> harmoniue 4050 and XMLDSIG ?
16:11:26 s/harmoniue(harmonize/
16:11:58 bal and kelvin note that RFC 4051 is Eastlake list of algs, RFC 4050 definitions of ECC in dsig
16:12:45 csolc has joined #xmlsec
16:12:58 noted that RFC 4050 is translation of ASN.1 spec, structures do not mix well with xml dsig, cannot just merge DTDs
16:13:07 question, do we want to define DTDs going forward
16:13:38 4050 not elegant, may wish to define structures as appropriate in XML Security, not necessarily matching 4050
16:13:53 depend on 4050 as much as possible
16:14:10 need - samples of ecc signatures, what is supported from 4050, what is actually used
16:14:19 request to implementers for input on this issue
16:14:23 we support ECC ...
16:14:32 q+
16:14:35 Is the W3C maintaining the DTD spec? Will future XML versions introduce features not properly expressible by DTDs?
16:14:37 ack klanz
16:14:46 do you know how much of 4050 you support?
16:15:52 kelvin notes could merge schema, but would require two dtds
16:16:40 kelvin notes might want to simplify schema, improve
16:16:48 -subu
16:17:24 yes
16:17:48 ok
16:18:51 klanz2 has offered to help kyiu with samples
16:19:17 kelvin, name curve ok, maybe simplify explicit
16:20:35 ACTION: fjh to check on DTDs with W3C
16:20:46 Created ACTION-102 - Check on DTDs with W3C [on Frederick Hirsch - due 2008-11-11].
16:21:21 zakim, who is making noise?
16:21:32 fjh, listening for 10 seconds I heard sound from the following: Frederick_Hirsch (5%), gerald (34%), bal (55%)
16:21:35 q+
16:21:44 ack Geralee
16:21:48 ack GeraldE
16:21:48 zakim, mute me
16:21:49 bal should now be muted
16:22:03 zakim, mute me
16:22:03 sorry, esimon2, I do not know which phone connection belongs to you
16:22:30 klanz2 zakim, who is on the phone?
16:23:47 subu has joined #xmlsec
16:24:01 zakim, who is here?
16:24:01 On the phone I see shivaram, Frederick_Hirsch, klanz2, smullan, Ed_Simon, csolc, pdatta, gerald, jwray, scantor, brich, bal (muted), magnus, jcc, kyiu, bhill
16:24:04 On IRC I see subu, csolc, Bruce_Rich, esimon2, bhill, kyiu, bal, jcruella, scantor, GeraldE, jwray, pdatta, magnus, shivaram, RRSAgent, fjh, Zakim, klanz2, trackbot
16:26:31 action-97 closed
16:26:31 ACTION-97 Add transforms requirements material to requirements draft closed
16:26:44 frederick incorporated material from pratik into transform draft
16:27:12 smullan has joined #xmlsec
16:27:59 action-98 closed
16:28:00 ACTION-98 Draft database certificate use case and requirements for document, share on mail list closed
16:28:02 http://lists.w3.org/Archives/Public/public-xmlsec/2008Nov/0007.html
16:29:32 close action-99
16:29:32 ACTION-99 Email list with specifics on this performant implementaiton closed
16:30:13 TOPIC: Issues list review
16:30:19 http://www.w3.org/2008/xmlsec/track/issues/open
16:33:35 subu has left #xmlsec
16:35:25 q+
16:35:52 ack klanz
16:36:38 konrad notes that we may wish to review issues list for which items can be in v1.1 and addressed sooner, have impact
16:36:48 s/impact/quick impact/
16:37:00 q-
16:38:10 konrad putting algorithms out in draft note earlier to get feedback as well?
16:38:45 TOPIC: Best Practices
16:39:14 Sean and Juan Carlos are working on this
16:39:26 re previous topic ... I'd advocate for putting a list of small "useful" transforms, transform primitives ...
16:41:32 http://lists.w3.org/Archives/Public/public-xmlsec/2008Oct/0020.html
16:44:25 action jcc to provide updated email on best practices issue
16:44:27 Created ACTION-103 - Provide updated email on best practices issue [on Juan Carlos Cruellas - due 2008-11-11].
16:44:57 TOPIC: Requirements
16:45:02 http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html
16:46:44 fjh: Separate requirements and design work. Publish note on design work after requirements
16:48:42 sounds good
16:49:45 do we have a link or something to anchor this ...
16:49:47 TOPIC: encoding related to certificates, leaving it open
16:50:30 q+
16:50:46 ack magnus
16:51:51 magnus notes that have not seen encodings other than DER
16:52:01 q+
16:52:04 scott notes that that raises interop issue, why not require DER
16:52:35 scott notes DSig maybe should require DER
16:52:36 ack bal
16:53:08 bal notes reference 5280, requires DER for computing hash, but not serialized that way
16:53:43 q+
16:54:28 ack klanz
16:55:41 bal asks if PKIX to require DER
16:55:59 scott notes difference of asn1 library and certificate library, and limitation of cert library
16:56:21 -bhill
16:56:22 scott either need encoding attribute or processing rule in dsig to clarify encoding, why not in 1.1 require DER
16:56:38 issue require DER encoding in 1.1
16:56:46 issue: require DER encoding in 1.1
16:56:46 Created ISSUE-70 - Require DER encoding in 1.1 ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/70/edit .
16:57:11 q+
16:57:30 issue: change section titles in best practices to match practices
16:57:30 Created ISSUE-71 - Change section titles in best practices to match practices ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/71/edit .
16:57:51 ack magnus
16:58:56 magnus suggests requiring supporting encoding, concerned about requiring DER, prefer change in base spec
16:59:24 scott notes with schema change we can nail down encoding, or provide encoding attribute
16:59:33 q+
16:59:38 allow other encodings through use of extensions
16:59:44 ack bal
16:59:47 q+
17:00:31 scott - huge burden to implement many encodings
17:00:45 ack bal
17:01:57 bal prefers text in spec, rather than new attribuite
17:02:06 s/uite/ute/
17:02:23 -magnus
17:02:30 -csolc
17:04:00 -smullan
17:04:03 pdatta has left #xmlsec
17:04:10 -pdatta
17:04:14 -jcc
17:04:15 -bal
17:04:15 -gerald
17:04:16 -klanz2
17:04:16 -kyiu
17:04:18 -jwray
17:04:18 zakim, who is here?
17:04:21 -scantor
17:04:25 On the phone I see shivaram, Frederick_Hirsch, Ed_Simon, brich
17:04:27 -brich
17:04:29 On IRC I see Bruce_Rich, esimon2, bhill, kyiu, bal, jcruella, GeraldE, jwray, shivaram, RRSAgent, fjh, Zakim, klanz2, trackbot
17:04:47 zakim, who is here?
17:04:50 RRSAgent, generate minutes
17:04:50 I have made the request to generate http://www.w3.org/2008/11/04-xmlsec-minutes.html fjh
17:04:55 On the phone I see shivaram, Frederick_Hirsch, Ed_Simon
17:05:04 -Ed_Simon
17:05:08 On IRC I see Bruce_Rich, esimon2, bhill, kyiu, GeraldE, shivaram, RRSAgent, fjh, Zakim, klanz2, trackbot
17:05:47 Zakim, list participants
17:05:47 As of this point the attendees have been +1.408.907.aaaa, shivaram, Frederick_Hirsch, +1.617.876.aabb, Ed_Simon, +1.781.993.aacc, smullan, klanz2, +5aadd, hlockhart, csolc,
17:05:51 ... +1.425.237.aaee, pdatta, gerald, +1.978.244.aaff, +1.614.247.aagg, jwray, +1.512.401.aahh, +1.206.726.aaii, brich, +0468725aajj, magnus, bal, Robert_Miller, jcc, kyiu,
17:05:53 ... +1.303.229.aakk, bhill, +91.97.40.98.aall, scantor, subu
17:06:03 RRSAgent, generate minutes
17:06:03 I have made the request to generate http://www.w3.org/2008/11/04-xmlsec-minutes.html fjh
17:06:50 -Frederick_Hirsch
17:06:52 -shivaram
17:06:52 T&S_XMLSEC()10:00AM has ended
17:06:53 Attendees were +1.408.907.aaaa, shivaram, Frederick_Hirsch, +1.617.876.aabb, Ed_Simon, +1.781.993.aacc, smullan, klanz2, +5aadd, hlockhart, csolc, +1.425.237.aaee, pdatta, gerald,
17:06:58 ... +1.978.244.aaff, +1.614.247.aagg, jwray, +1.512.401.aahh, +1.206.726.aaii, brich, +0468725aajj, magnus, bal, Robert_Miller, jcc, kyiu, +1.303.229.aakk, bhill,
17:07:03 ... +91.97.40.98.aall, scantor, subu
19:33:24 Zakim has left #xmlsec