XML Security Working Group Teleconference
28 Apr 2009


See also: IRC log


Bruce_Rich, Pratik_Datta, Frederick_Hirsch, Kelvin_Yiu, Brad_Hill, Chris_Solc, Gerald_Edgar, Hal_Lockhart, Juan_Carlos_Cruellas, Konard_Lanz, Thomas_Roessler, Sean_Mullan, Ed_Simon, Brian_LaMacchia, Shivaram Mysore
Scott_Cantor, Ken_Graf, John_Wray, Magnus_Nyström
Frederick Hirsch
Brian_LaMacchia, Kelvin_Yiu




<trackbot> Date: 28 April 2009

<jcruella> P54 is Juan Carlos

<shivaram> mute me

<bal> ScribeNick: bal


<fjh> Next meeting: 5 May, Bruce Rich is scheduled to scribe

F2F is 5/12-5/13, Bedford, MA

<fjh> F2F #4: 12-13 May, Bedford MA, logistics: http://lists.w3.org/Archives/Member/member-xmlsec/2009Mar/0015.html

Logistics for F2F: 9-6 both days, w/ 1hr break for lunch

RESOLUTION: F2F will be 9am-6pm each day, with 1hr for lunch

Request for help with the F2F agenda.

<hlockhar> having trouble getting on zakim

fjh: Want to make good use of everyone's time


<fjh> Sent question regarding DTDs and updated question on elliptic curve to

<fjh> oASIS SSTC, WS-SX, Liberty TEG and W3C XML CG


<fjh> Please complete F2F Registration (12-13 May) Questionnaire

<fjh> http://lists.w3.org/Archives/Member/member-xmlsec/2009Mar/0017.html

fjh: Registration questionnaire for F2F only shows responses
... Please respond even if you're not coming to the F2F

<fjh> Widget Signature published, please review now

fjh: Widget Signature has been published, going to last call

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Mar/0061.html

fjh: If you have comments today, still send them in

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0048.html

fjh: Widgets Sig WG agreed to ECC being a SHOULD in their spec
... and did not object to it being a MUST in XMLDSIG

<fjh> Namespace prefix undeclaring not being added to Namespace 1.0

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0043.html

fjh: New member of the WG

Cynthia_Martin: (new WG member) gives brief introduction

Minutes approval

<fjh> http://lists.w3.org/Archives/Member/member-xmlsec/2009Apr/att-0006/21-xmlsec-minutes.html

RESOLUTION: Minutes of 21 April as contained in fjh's message & link above are approved

Editorial Status Updates

<fjh> Updated XML Encryption 1.1 redline

Roadmap and publication planning

<fjh> Updated Roadmap and Publication status, with next publication dates

<fjh> http://www.w3.org/2008/xmlsec/wiki/RoadmapandPublicationStatus

Please review http://www.w3.org/2008/xmlsec/wiki/RoadmapandPublicationStatus

<fjh> Agree to publish Signature Properties

<fjh> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/Overview.html

Agree to publish Signature Properties

fjh: Widgets need us to publish a new draft of Signature Properties

RESOLUTION: WG agrees to publish a new draft of the Signature Properties document this week

<fjh> ACTION: fjh to make publication request for signature properties for this thursday, 30 April [recorded in http://www.w3.org/2009/04/28-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-264 - Make publication request for signature properties for this thursday, 30 April [on Frederick Hirsch - due 2009-05-05].

<fjh> ACTION: tlr to update signature properties for publication and place in proper location [recorded in http://www.w3.org/2009/04/28-xmlsec-minutes.html#action02]

<trackbot> Created ACTION-265 - Update signature properties for publication and place in proper location [on Thomas Roessler - due 2009-05-05].

Missing items in 1.1

<fjh> URI Reference processing, References, RNG schema, other?

fjh: There are probably some things missing in our 1.1 spec that I can use the WG's help in cleaning up
... If you're aware of anything missing in the 1.1 spec, now is the time to raise these issues.
... Regarding RNG schema, fjh contacted someone who's an RNG schema expert and he has agreed to help us once he's got some cycles


<fjh> bal suggests interop on first day of f2f

<fjh> bal notes this allows time for follow up, also some might have to leave early on day two, e.g. 3pm

<scribe> ScribeNick: kyiu


<fjh> http://www.w3.org/2008/xmlsec/wiki/InteropPlanning

need to start a wiki page interop

SHA256, RSA, verify can add OCSP response, AES key wrap

have a couple of algs (exc-c14n and xpath 2.0) - not sure if it changed status

we need to do ECDSA with ECKeyValue and ECDH as well as KeyValue

if you are planning to interop, take a look at the wiki and update with your plans

<bal> +q

bal: recommend to create a table of people who plan to do inteorp and the set of tests they expect to interop

<fjh> wiki is publicly readable, writable requires account

thomas will make sure everyone who is doing interop will have access to wiki

<tlr> http://www.w3.org/2008/xmlsec/Group/interop will be the space for that work

<fjh> if you need access to interop directory please let thomas know

<tlr> everybody who does not have editors' access already, please send me a note

<fjh> sean suggests preparing by next week for interop, with signatures generated, info in them to make easy to validate

fjh: we have a 2 day f2f, but have not decided on which day we'll do the interop

sean, bal and pratik are confirmed for interop.

Constrained implementation of Exclusive C14N

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0045.html

pdatta: try to show the complexity of the topic
... defined 9 cases, but have only seen 4 in practice

fjh: part of the goal is to define and agree on the cases and when to stop

pdatta: case 1 - 90% of the cases refers to a single subtree
... case 2: also common. eg enveloped signature transform where you exclude the signature
... case 3: could represent the case where you countersign a bunch of elements

<fjh> pratik suggests we stop with case 4, including support for that, multiple subtrees with exclusions

<fjh> pratik notes 5 is harder but doable, probably not do

pdatta: cannot exclude namespace attributes because it leads to a lot of complications

<klanz2> well isn't the only difference that the missing ancestors in the mittle have to be inspected vs. being plainly skipped, ...

<fjh> pratik notes case 6 increases complexity and 7 significantly

<fjh> what is impact of not supporting cases 5-9?

pdatta: case 8 is when you end up with if the xpath implementation doesn't completely expand all nodesets

<klanz2> I sense, ... that if inheritable attributes/namespaces are treated irrespective of their inclusion in the input node-set or not - implementation can be performed by a very simple stack architecture pushing down the information into orphaned nodes

fjh: what do we lose if we do only 1-4?

<fjh> case 5 example, include keyinfo in enveloped signature..

<fjh> not just one reference

which is the same as most implementations that use 1.0

fjh: can we eliminate some of the cases without harm?

klanz: expect engine to process xpath and do it correctly
... very hard to estimate impact of removing some cases

fjh: trying to determine whether there is a compelling need for each of the cases

klanz: it's not that hard to process a nodeset

ACTION 259 proposal

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0040.html

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0041.html

could be done with pratik's proposal

<fjh> pratik notes that we can go with XPath Filter 2.0 approach that selects and includes subtrees

<fjh> pratik notes that XPath Filter 2.0 is already defined, now profiling to say only one intersect for example

pdatta: we are just limiting xpath 2,0 filter to just intersect and union

<fjh> pratik notes it is important to look at XPath 2.0 filter, not XPath 1.0.

pdatta: xpath filter 2 does not evaluate against every node

klanz: how do you profile xpath 2 properly?

<fjh> working to profile XPath Filter 2.0

<fjh> pratik notes that the transform simplification note outlines how to do this

pdatta: simplification comes from constraining xpath to select only elements

<fjh> selecting elements

pdatta: most people use very simple xpath
... which always selects subtree

<fjh> constraining XPath to select a subtree

pdatta: xpointer doesn't support exclusion

fjh: should we be starting a new specification for the xpath profile?

pdatta: thinks klanz's proposal is equivalent to supporting cases 1-8 in pratik's proposal

<fjh> is konrad saying that implementation should ignore certain choices that can be expressed, while pratik proposal limits what can be expressed to match what is done?

pdatta: there is a perf gain to avoid expanding elements into array

klanz: problem is now you have to educate people on our requirements on xpath and the parts that are not supported
... thinks we can improve the description in c14n

fjh: seems constraining by elements and subtrees should be easy to understand

klanz: we could define difference conformance levels

<fjh> concern about performance expectations matching what can be delivered in general case, when allowing arbitrary expressions

<fjh> not convinced one change to the generic algorithm will be successful though it could be

the difference is expanding all nodes versus expanding only the root element of the subtree

<fjh> it seems clear that constraining what is expressed and supported can result in performance improvement and implementation simplification

<fjh> konrad noted that cost can be in xpath processing versus nodeset processing

<fjh> issues might apply to both

<fjh> pratik notes soap body can be huge, so is input to c14n the one element or all the children as a nodeset

klanz: it's question of constraining xpath expression so it's more of a profile than a new spec

fjh: next step: start working on a profile of xpath filter 2

<klanz2> http://www.w3.org/TR/xmldsig-core/#sec-Reference

<klanz2> Type

<klanz2> What about defining a value for the Type of the reference that indicates that a reference is constrained / profiled in the way pratik is suggested

<fjh> sean notes a number implemenations already have material to improve performance, using subtrees etc, so will we get improvement

<fjh> pratik notes it would be useful to have in spec

<klanz2> Isn't this more a requirement / best practice for Users how to use XPath correctly

<klanz2> ... and a profile

<fjh> brad notes complexity of implementation has been barrier, easy for first few use cases

<fjh> pratik noted then too hard.

<fjh> so not only performance but also complexity of implementation

<klanz2> http://www.w3.org/TR/xmldsig-core/#sec-Same-Document

<klanz2> What is the problem with propagating XPointer?

<klanz2> besides it's spec status

fjh: looks like there is some agreement on pratik's proposal

<fjh> pratik plans to share some sample code, possible next step, to get numbers

pdatta: perhaps we can prove the perf difference with numbers

<klanz2> q

<fjh> chris notes that many have done optimizations but it is hard to figure out when you can do optimizations

<fjh> chris notes may be better to be clear that can be done for all

<fjh> konrad agrees with simplification, limiting use of transforms etc

<fjh> konrad may want it to be clear that simplication

klanz: agrees with simplification, but we should flag the fact that simplification is used and also continue to allow the full feature set

<fjh> simplification would allow digesting while signing, additional improvements and optimizations are enabled

<scribe> ACTION: pratik to start email discussion on how different inputs to canonicalization could start ... [recorded in http://www.w3.org/2009/04/28-xmlsec-minutes.html#action03]

<trackbot> Created ACTION-266 - Start email discussion on how different inputs to canonicalization could start ... [on Pratik Datta - due 2009-05-05].

<scribe> ACTION: klanz: simplify canonicalization note [recorded in http://www.w3.org/2009/04/28-xmlsec-minutes.html#action04]

<trackbot> Created ACTION-267 - Simplify canonicalization note [on Konrad Lanz - due 2009-05-05].

<fjh> talking about profiling XPath

<fjh> konrad notes should be able to constrain what user can express

<klanz2> http://www.w3.org/TR/2003/REC-xptr-framework-20030325/#NT-Pointer

<klanz2> [1] Pointer ::= Shorthand | SchemeBased

<klanz2> [2] Shorthand ::= NCName

<klanz2> no sheme however maybe, pratik ?

XPath Filter Transform and Namespace Declarations for Qualified Nodes

<fjh> discuss next week, ed will distribute some more materials

postpone until next week


<klanz2> @pratik, http://www.w3.org/TR/2002/WD-xptr-xpointer-20021219/#NT-xpointerschemedata

<fjh> http://www.w3.org/2008/xmlsec/track/actions/open

<tlr> ACTION-262 closed

<trackbot> ACTION-262 Provide interop script for producing result tables as used before closed

ACTION-262 close

<fjh> action-261?

<trackbot> ACTION-261 -- Thomas Roessler to update xmlsec-algorithms draft to include aes key wrap with padding uris -- due 2009-04-27 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/261

<klanz2> @pratik,

<klanz2> http://www.w3.org/TR/xpath#NT-Expr

<klanz2> maybe only allowing

<klanz2> http://www.w3.org/TR/xpath#NT-AbsoluteLocationPath

<fjh> action-260?

<trackbot> ACTION-260 -- Pratik Datta to respond to the proposed change -- due 2009-04-14 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/260

<fjh> action-259?

<trackbot> ACTION-259 -- Konrad Lanz to propoal for the C14N spec change -- due 2009-04-14 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/259

<fjh> action-267?

<trackbot> ACTION-267 -- Konrad Lanz to simplify canonicalization note -- due 2009-05-05 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/267

<fjh> ACTION-267 is to write simpler and smaller C14N spec, and ACTION-259 can be closed

<fjh> action-259 closed

<trackbot> ACTION-259 Propoal for the C14N spec change closed

<fjh> Konrad proposed C14N clarification and errata language, should follow up

<fjh> issue: C14N clarification and errata as noted by Konrad wrt ACTION-259

<trackbot> Created ISSUE-116 - C14N clarification and errata as noted by Konrad wrt ACTION-259 ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/116/edit .

<fjh> action-257?

<trackbot> ACTION-257 -- Konrad Lanz to follow up and provide unified proposal for changes to support randomized hashing and signing -- due 2009-04-14 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/257

<fjh> still in progress

<fjh> action-256?

<trackbot> ACTION-256 -- Thomas Roessler to update xref note with addtl type Uris -- due 2009-04-14 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/256

<fjh> still open, additional URIs for RetrievalMethod Type attribute, to be added to document

<fjh> action-248?

<trackbot> ACTION-248 -- Thomas Roessler to put together strawman for additional algorithm RFC -- due 2009-04-13 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/248

<fjh> still open

<klanz2> btw. any news frm Donald Eastlake?

<fjh> action-245 closed

<trackbot> ACTION-245 Update issues closed

<fjh> action-246

<fjh> action-246 closed

<trackbot> ACTION-246 Update Issues closed

<fjh> action-247?

<trackbot> ACTION-247 -- Gerald Edgar to rework ISSUE-45 -- due 2009-04-07 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/247

<fjh> action-247 closed

<trackbot> ACTION-247 Rework ISSUE-45 closed

<fjh> action-239?

<trackbot> ACTION-239 -- Magnus Nyström to investigate alternative source for material in X9.62 -- due 2009-03-31 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/239

<fjh> action-238?

<trackbot> ACTION-238 -- Konrad Lanz to update the proposal associated with ACTION-222 and send to list. -- due 2009-03-24 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/238

<tlr> action-222?

<trackbot> ACTION-222 -- Konrad Lanz to make proposal RIPE algorithms -- due 2009-03-03 -- CLOSED

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/222

<fjh> relates to ACTION-248

<fjh> konrad needs to create proposal here.

<fjh> define work with encoding and anchors

<fjh> action-174?

<trackbot> ACTION-174 -- Pratik Datta to update the transforms related to ISSUE-69 -- due 2009-01-21 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/174

<fjh> ISSUE-69?

<trackbot> ISSUE-69 -- Update example file to avoid empty XPath result -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/69

<jcruella> I am sorry,.... I must leave now...talk to you next week

<fjh> action-150?

<trackbot> ACTION-150 -- Sean Mullan to check Java API dependencies/compatibility -- due 2009-01-20 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/150

<klanz2> added notes to http://www.w3.org/2008/xmlsec/track/actions/248

<fjh> ACTION-150 closed

<trackbot> ACTION-150 Check Java API dependencies/compatibility closed

<fjh> no major issues with ecc algorithms with Java APIs

<fjh> http://www.w3.org/2008/xmlsec/Group/Scribe-Instructions.html

Summary of Action Items

[NEW] ACTION: fjh to make publication request for signature properties for this thursday, 30 April [recorded in http://www.w3.org/2009/04/28-xmlsec-minutes.html#action01]
[NEW] ACTION: klanz: simplify canonicalization note [recorded in http://www.w3.org/2009/04/28-xmlsec-minutes.html#action04]
[NEW] ACTION: pratik to start email discussion on how different inputs to canonicalization could start ... [recorded in http://www.w3.org/2009/04/28-xmlsec-minutes.html#action03]
[NEW] ACTION: tlr to update signature properties for publication and place in proper location [recorded in http://www.w3.org/2009/04/28-xmlsec-minutes.html#action02]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2009/05/05 14:25:21 $