<trackbot> Date: 16 December 2008
<fjh> agenda http://lists.w3.org/Archives/Public/public-xmlsec/2008Dec/0021.html
<jwray> Next meeting Jan 6
<jwray> Sean to scribe 1/6
<fjh> http://www.w3.org/2002/09/wbs/42458/xmlsecredwood0109/results
<fjh> Errata for WS-Policy Framework Recommendation and Primer Note
<fjh> web page test cases
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2008Dec/0017.html
<esimon2> There was an EXI document discussing use of XML Signature and Encryption; that might have been a useful link.
<esimon2> ...useful link for the WG's home page.
<jwray> RESOLUTION: Minutes from Dec 9 approved
<fjh> home page to be updated with links to xml security tests, but not exi at this time
<tlr> minutes updated
<jwray> fjh: Signature Properties draft. Common spec for annotating signatures with properties.
<klanz2> @AOB XAdES 3rd Plugtest: http://www.etsi.org/plugtests/XAdES2/html/XAdES2.htm
<klanz2> http://lists.w3.org/Archives/Public/public-xmlsec/2008Dec/0022.html
<fjh> I will update the properties draft based on feedback received, and re XAdES and share on list. Please comment on it.
<fjh> First Public Working Draft publication process
<fjh> http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Exclusion
<csolc> much like signature algorithms it would be good to have a document that defines all the signature properties.
<csolc> This document should be augmented over time as new properties are needed.
<tlr> tlr: FPWD sometimes triggers internal review. You might want to avoid surprises around ECDSA.
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2008Dec/0010.html
<fjh> 2nd edition errata http://www.w3.org/2008/xmlsec/track/actions/82
<tlr> ACTION-82: closed
<trackbot> ACTION-82 Propose specific erratum for ISSUE-50 notes added
<trackbot> If you meant to close ACTION-82, please use 'close ACTION-82'
<tlr> close ACTION-82
<trackbot> ACTION-82 Propose specific erratum for ISSUE-50 closed
<fjh> http://www.w3.org/2008/xmlsec/track/actions/open
<tlr> ACTION-13?
<trackbot> ACTION-13 -- Konrad Lanz to review streaming using 2nd edition Signature -- due 2008-11-10 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/13
<fjh> close the action, but link the material to relevant issue for 2.0
<fjh> plan to discuss EXI at F2F, invite Taki
<fjh> if possible review EXI from Ed at 6 January call in advance of f2f
<fjh> action-90 for f2f, simple signing requirements
<fjh> action 100 associate with issue, then close, for 2.0 , two types of Reference
<fjh> action 105 Kelvin to contact other authors, to try to get more information. before f2f if possible
<tlr> ACTION-90: for face-to-face; simple signing requirements
<trackbot> ACTION-90 Provide a draft for the requirements document of the simple signing requirements. notes added
<fjh> http://www.w3.org/2008/xmlsec/track/actions/106
<tlr> ACTION-100: associate with issue, then close for 2.0, two types of Reference
<trackbot> ACTION-100 Email proposal regarding 2 ds:References, old and new notes added
<tlr> ACTION-105: kelvin contact other authors to get more information, before f2f
<trackbot> ACTION-105 Get in touch with RFC 4050 authors notes added
<tlr> close ACTION-106
<trackbot> ACTION-106 Work the text in the proposal to the req doc closed
<fjh> related to action-107 pdatta plans to add more to proposal
<tlr> close ACTION-114
<trackbot> ACTION-114 Propose language improvements for 1.1 draft closed
<tlr> ACTION: sean to draft best practice around xpath filter 2 - due 2008-12-31 [recorded in http://www.w3.org/2008/12/16-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-125 - draft best practice around xpath filter 2 [on Sean Mullan - due 2008-12-31].
<fjh> sean can draft additional best practice re xpath filter before f2f
<tlr> ACTION-115 closed
<trackbot> ACTION-115 Craft language on encouraging XPath2 Filter for Best Practices doc closed
<tlr> ACTION-117?
<trackbot> ACTION-117 -- Scott Cantor to propose a schema and language for bare key encoding in KeyInfo -- due 2008-12-09 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/117
<fjh> xml encryption for f2f, new algs , action 121
<tlr> ACTION-117 due next week
<trackbot> ACTION-117 Propose a schema and language for bare key encoding in KeyInfo due date now next week
<fjh> scott notes do 117 in next week
<tlr> ACTION-121 due 2009-01-14
<trackbot> ACTION-121 Add new algorithms to XML Encryption for 1.1 due date now 2009-01-14
<tlr> ISSUE-74?
<trackbot> ISSUE-74 -- Hmac-sha256 required in 1.1? -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/74
<tlr> close ISSUE-74
<klanz2> Re Proper use of XSLT in XMLDSIG: https://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=90836#page=103
<klanz2> I wrote a document in the last two weeks ...that in part deals with this issue
<fjh> +
<fjh> tlr notes best practices may need additional material on this topic
<klanz2> http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf
<tlr> http://www.vupen.com/english/advisories/2007/2492
<tlr> +1 to highlighting this
<tlr> ScribeNick: tlr
Ken: how can we highlight the arbitrary code execution from xslt problem?
... didn't want to mention this on public list ...
tlr: this one was a year old, no?
frederick: raise as issue; also, note we're talking about fixing transform mechanisms
klanz: one piece here is on signing a derived XHTML document when source data is in some other XML based format
<scribe> ACTION: ken to call out local system access risks regarding XSLT [recorded in http://www.w3.org/2008/12/16-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-126 - Call out local system access risks regarding XSLT [on Ken Graf - due 2008-12-23].
tlr: we are dealing with two points here, low-hanging fruit in BP and structural changes
Ken: Happy to provide some text
pdatta: want more information
<fjh> konrad notes link ending in 103 provides useful info
klanz: There are some recipes on how to mitigate the problem in the document above
klanz: also note that xslt is optional
fjh: would like to work through this complex at the f2f
<smullan> konrad, what section is that in your paper?
klanz: know of egov use cases that use XSLT to get human-displayable things
... often use of well-known transforms
<fjh> ScribeNick: fjh
<jwray> fjh: Schedule XSLT discussion during f2f
konrad: egov uses small number of xslt transforms
tlr: why not define URIs for these transforms and not require xslt
+1
tlr: also add note to best practices
konrad: wide variety of off the shelf toolkits needed by government, xslt is widely generic
<tlr> sean: what section?
<tlr> konrad: section 4.2.4
konrad: section 4.2.4, section 9
<klanz2> page 89
<tlr> fjh: agree with tlr
<tlr> klanz: COTS for e-gov
<jwray> konrad: xslt is optional
tlr: about applications and patterns needed by them, need for extensibility
<tlr> ACTION: thomas to draft text on trade-off between different extensibility mechanisms, for BP draft - due 2009-01-14 [recorded in http://www.w3.org/2008/12/16-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-127 - draft text on trade-off between different extensibility mechanisms, for BP draft [on Thomas Roessler - due 2009-01-14].
<tlr> no disagreement with that
<tlr> ACTION-127 due 2009-01-06
<trackbot> ACTION-127 draft text on trade-off between different extensibility mechanisms, for BP draft due date now 2009-01-06
konrad: prefers having profiles, rather than removing materials etc.
<jwray> konrad: Simplifications may be application-specific. Use of application-specific or technology-area-specific (web services) profiles supports this.
<klanz2> http://lists.w3.org/Archives/Public/public-xmlsec/2008Dec/0022.html
http://www.w3.org/2008/02/xmlsec-charter.html#milestones
<tlr> ACTION: konrad to document e-gov use cases - due 2009-01-06 [recorded in http://www.w3.org/2008/12/16-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-128 - document e-gov use cases [on Konrad Lanz - due 2009-01-06].
<tlr> fjh important to document those requirements that influence changes; want to understand Konrad's use cases
<tlr> klanz: will look into this, but after christmas
<klanz2> http://tinyurl.com/XSLT-in-XMLDSIG
<klanz2> This link is easier to remember