<trackbot> Date: 05 November 2009
The agenda was approved
<scribe> ScribeNick: g-edgar
Rigo Wenning discussed Elliptic Curve next steps with Working Group. He will talk to RIM about elliptic curve.
<fhirsch3> http://www.w3.org/2009/10/27-xmlsec-minutes.html
Resolution: the minutes for the October 27 meeting are approved
<fhirsch3> http://www.w3.org/2009/10/27-xmlsec-minutes.html
<fhirsch3> http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0007.html
Resolution: the November 10 meeting is canceled
Juan Carlos has offered to host a face-to-face
<fhirsch3> Call for Exclusions (Update): XML Security Generic Hybrid Ciphers
<fhirsch3> http://lists.w3.org/Archives/Member/member-xmlsec/2009Oct/0024.html
<fhirsch3> action-396?
<trackbot> ACTION-396 -- Thomas Roessler to implement suggestion on multiple schemas http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0023.html -- due 2009-11-30 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/396
<fhirsch3> action-406?
<trackbot> ACTION-406 -- Magnus Nystrom to make proposal on list to address SP80056AConcatKDF in XML Encryption 1.1 concern -- due 2009-10-27 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/406
<fhirsch3> http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0003.html
Brian: Concat KDF - SP800-56a
There are up to 5 additional pieces of information added
Brian: XML is a carrier of information and provide a channel
... This is in section 5.4.1
<fhirsch3> need attributes since partyuinfo can be derived from cert and need to be shared, in addition to otherinfo
<fhirsch3> brian - need to share maybe for cert verification
<fhirsch3> attributes are listed as optional
Resolution: to accept the change proposed by Brian and Magnus in their November 3 message
<scribe> ACTION: Brian to implement the KDF change [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-419 - Implement the KDF change [on Brian LaMacchia - due 2009-11-12].
Gerald examined the errata and the explanation document for XML Signature 1.1 it is clear and the errata have been addressed
<fhirsch3> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0080.html
<tlr> ACTION: frederick to share with Norm the RELAX schema [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-420 - Share with Norm the RELAX schema [on Frederick Hirsch - due 2009-11-12].
<bal> Question whether we should add support for AES-GCM in XMLENC
GCM = Galois Counter Mode
<bal> For example, AES-GCM in TLS is http://tools.ietf.org/html/rfc5288
<scribe> ACTION: Ed to look at the 1.1 schema [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-421 - Look at the 1.1 schema [on Ed Simon - due 2009-11-12].
Cynthia: looked at the signature 1.1 and found a problem with keyinfo field
<bal> question is whether a bad actor could pur bogus information in the keyinfo field and cause problems for a signature validator
this is [S14]-[S16]
This is in the text explaining the example
<scribe> ACTION: Cynthia to propose wording to improve KEYINFO explanation [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-422 - Propose wording to improve KEYINFO explanation [on Cynthia Martin - due 2009-11-12].
Cynthia: in section 2.1.1 there is discussion on optional transformations
security considerations could use some improvement
This is section 8
<tlr> "... following factors. For additional security considerations in implementation and deployment of this specification, see [XML Security Best Practices]."
<scribe> ACTION: Frederick to add reference to "best practices" to XML digital signature 1.1 [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action05]
<trackbot> Created ACTION-423 - Add reference to "best practices" to XML digital signature 1.1 [on Frederick Hirsch - due 2009-11-12].
re review a draft of a message to IETF regarding 1.1
<esimon2> I have nothing specific to talk about.
John Schneider spoke of EXI is included in C14N
John had a question on encryption, but he wants to look at everything in context
<esimon2> What is the current status of EXI?
<fhirsch3> discussion of which EXI parameters are needed when EXI option for serialization is chosen
<fhirsch3> John and EXI group will make recommendation on this
John: EXI is at CR in the next few weeks
Ed: What are the tool kits available?
John: there are boeth commercial and GPL ones available
Frederick: is there performance testing for EXI available?
<scribe> ACTION: Frederick to share performance information with the EXI group [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action06]
<trackbot> Created ACTION-424 - Share performance information with the EXI group [on Frederick Hirsch - due 2009-11-12].
Frederick - a question on EXI serialization performance
<fhirsch3> EXI performance document at http://www.w3.org/TR/exi-evaluation/#processing-results
<fhirsch3> see section 3.2.2 exi encode speed graph
<fhirsch3> namespaces account for 1400% range
John: large performance performance improvements were those with a lot of name spaces
<fhirsch3> some cases have schema, some do not, hence some more variability
performance improvements vary based on the bottleneck
performance improvements vary based on the bottleneck
Issue: use of XML encryption type encoding in EXI
<trackbot> Created ISSUE-150 - Use of XML encryption type encoding in EXI ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/150/edit .
discussion of baselines to show performance improvements
<fhirsch3> japex framework from Sun and EXI web site
<scribe> ACTION: Sean to indicate sources of implementations [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action07]
<trackbot> Created ACTION-425 - Indicate sources of implementations [on Sean Mullan - due 2009-11-12].
<fhirsch3> http://www.w3.org/XML/EXI/
<fhirsch3> need to write code to drive tests
<scribe> ACTION: Pratik to run old tests [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action08]
<trackbot> Created ACTION-426 - Run old tests [on Pratik Datta - due 2009-11-12].
action-426 to use data from additional sources
<esimon2> Would be interesting to use the EXI test cases but using encryption and compare the differences.
<hlockhar> need to drop for a while now
we need to start performance measurements for 2.0
<esimon2> I plan to stay to 18h00 Eastern (15h00 Pacific).
we will recess for an hour
to return 10 minutes of the hour
bob: A need to define an XPath subset
we need different profiles for different purposes
s/fff/ff/
there other xpath subsets for other purposes
<fjh> pratik notes having multiple subsets might make implementation difficult
for streaming we want xml 2.0 to have good performance for streaming
Pratik: when we are streaming we should not have to make more than one pass
there is not a since element, but it could be a large part of the document
<fjh> xml signature 2.0 XPath subset at http://www.w3.org/TR/2009/WD-xmldsig-core2-20091022/#spec-xpath-subset
<fjh> ws-fragment editors draft http://www.w3.org/2002/ws/ra/edcopies/wsfrag.html
<fjh> focus on ws-fragment simplification of selection
Bob: there is a need to simplify selection of a subset
transfer by default transfers everything
Pratik: we are trying to make it work on limited devices.
Frederick: to start with questions, there might be obvious things
Pratik: can we have a similar subset?
Frederick: there are multiple paths and potential for confusion.
... we can continue to use what we have, we can (or might be able to) improve performance,
... we have the WS-* stack
brian: there are three ways to sign: you can sight the entire document, you can embed the signature, or you can do detached signatures
... you can do the whole document, or you can do a portion of the document
Frederick: you use an enveloped signature, selecting portions of the message to sign
... one goal of our work is performance
Doug: look at section 4.4.3.5
... how to look at that table
Pratik: there is a need to selectively sign "ceiling" and "floor"
... there is a need for a little more logic
Doug: can we use a layering approach?
Frederick: can we use XPath transfer?
Pratik: can we have a separate document of an XPath subset?
Frederick: we can have a single document specifying level one and level two
... this could address both transfer and signature
... there is a lot of overlap
<pdatta> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0032.html
Pratik: streaming parsers should break up what is received
... we do not have a parse function
... we do not have a relative XPath
... everything is relative to the root
Frederick: we will have a base that is common to everything, and then portions for signature and streaming
Doug: if one is not a superset of everything, then we need to look carefully and make sure there is not an issue
Pratik: if there is more than one subset we need to examine to determine if one has everything of the other subset
Frederick: we need to have a core and additional elements that will make each subset
Is there an existing subset?
Bob: transfer and fragment are separate secs
Frederick: to reference the fragment document
... we would have additional constraints, Fragment can go ahead as it is, we can reference it normatively
... we would have a small document to define signature needs for this
Doug: take a look of Fragment, it is more than XPath
Frederick: we should review the WS-Fragment document
Brian: to use a small XPath document for our needs
Asir: XMLScema and XMLQuery have subsets now
Brian: there is no mandatory subset. There is no guaranteed interop
Bran: we do not have a relative XPath
Bob / Asir : we need to establish context
Doug: to start with a slash
Bob: you can not go up above the body
... streaming is an XPath processor issue
Pratik: you are not combining all the chunks
Frederick: should Fragment have an XPath doc?
Doug: to pull in QName,
... we need to work together to have a central document
Bob: are we OK with the change? or potential changes?
... he is hoping for a spring last call for a candidate recommendation
Frederick: this is a action on the Fragment working group
Bob: a first step to respond to the analysis, then to have a review and reconciliation of they group and our needs
<esimon2> * Hal, audio is very sporadic for me; how about you?
Frederick: this is a good idea to have a joint meeting and come to a conclusion.
<shivaram> scribe nick shivaram
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0077.html
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0079.html
<shivaram> scribenick shivaram
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0081.html
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0082.html
<fjh> http://www.nds.rub.de/media/nds/downloads/mjensen/ICWS09.pdf
<shivaram> summarizing XPATH discussions
<fjh> question about supporting id meaning
<shivaram> pdatta: implementing XPATH is optional
<shivaram> use of fully qualified XPATH as compared to just a reference
<shivaram> ... discussion about Meiko's email
<shivaram> where is the requirement to implement XPATH - required or optional
<shivaram> there is now a implicit MUST to require XPATH
<fjh> issue: review XML Signature 2.0 and Canonical XML 2.0 for testable assertions
<trackbot> Created ISSUE-151 - Review XML Signature 2.0 and Canonical XML 2.0 for testable assertions ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/151/edit .
<shivaram> General concencus is that we prefer
<fjh> consensus that xpath profile might be better as stand alone document but will defer discussion with ws-ra until discussion of technical issues complete
<fjh> not using ids in document
<fjh> i think we should support use of ids for usability by document authors
<fjh> could have tool to convert ids to xpath expressions
<fjh> ACTION:pratik produce security consideration text that xml:id might have security risk [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action09]
<fjh> issue: add pratik as author to xpath subset document if produced by ws-ra
<trackbot> Created ISSUE-152 - Add pratik as author to xpath subset document if produced by ws-ra ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/152/edit .
<shivaram> Updated Requirements review http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0071.html
<fjh> http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html
<fjh> shortname "xmlsec-reqs" is not appropriate - should be "xmlsec-reqs11"
<shivaram> http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html#algorithm-suiteb
<fjh> proposal to change
<fjh> In order to enable use of XML Signature technology in interoperable US government applications that require Suite B, and to enable long term security for commercial companies, elliptic curve algorithms are to be added to XML Signature. As new hardware is developed and new algorithms to break cryto systems are found, the stronger algorithms offered by elliptic curve enable longer term security.
<fjh> to
<shivaram> As new hardware is developed and new algorithms to break cryto systems are found, the stronger algorithms offered by elliptic curve enable longer term security. In order to enable use of XML Signature technology in interoperable US government applications that require Suite B, and to enable long term security for commercial companies, elliptic curve algorithms are to be added to XML Signature.
<shivaram> bal proposes ...
<bal> In order to:
<bal> 1) enable long term security for digital signatures (including in commerical contexts),
<bal> 2) ensure that the XML Signature standard is cryptographically secure and makes use of the best current practices for digital signature algorithms, and
<bal> 3) enable use of XML Signature technology in a wide variety of commerical and government applications, including those that require Suite B
<bal> elliptic curve algorithms are to be added to XML Signature. As new
<bal> hardware is developed and new algorithms to break crypto systems are
<bal> found, the stronger algorithms offered by elliptic curve enable longer
<bal> term security.
<Cynthia> how about that- that works
<bal> new version
<bal> In order to:
<bal> 1) enable long term security for digital signatures (including in commerical contexts),
<bal> 2) ensure that the XML Signature standard is cryptographically secure and makes use of the best current practices for digital signature algorithms, and
<bal> 3) enable use of XML Signature technology in a wide variety of commerical and government applications, including those that require Suite B
<bal> elliptic curve algorithms are to be added to XML Signature.
<shivaram> RESOLUTION: replace para 1 in http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html#algorithm-suiteb with the above text as proposed by bal
<fjh> http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html#id65773
<shivaram> The WG plans to decide to publish the working drafts of updated requirements doc by next meeting
<shivaram> http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html
<Cynthia> I have a quesiton on 3.4.2.3 Avoid Security risks
<shivaram> ACTION: fjh look if correct style sheet is used for http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action10]
<trackbot> Created ACTION-427 - Look if correct style sheet is used for http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html [on Frederick Hirsch - due 2009-11-13].
<fjh> http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.html
<shivaram> ACTION-427 Closed
<trackbot> ACTION-427 Look if correct style sheet is used for http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html closed
<shivaram> http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html#prefix-rewrite
<fjh> http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html#prefix-rewrite
<fjh> shortname "xmlsec-reqs" is not appropriate - should be "xmlsec-reqs11"
<fjh> proposed requirement 2.0 change - remove entire 3.4.3 section, remove example in 3.2.3
<fjh> ACTION: fjh to edit requirements 2.0 [recorded in http://www.w3.org/2009/11/05-xmlsec-minutes.html#action11]
<trackbot> Created ACTION-428 - Edit requirements 2.0 [on Frederick Hirsch - due 2009-11-13].
<shivaram> RESOLUTION: Requirements change - remove entire 3.4.3 section, remove example in 3.2.3
<fjh> action to wg to review requirements doc before next call
<trackbot> Sorry, couldn't find user - to
<fjh> xmlsec-reqs11
<tlr> xmlsec-reqs2
<fjh> xmlsec-reqs20
<shivaram> RESOLUTION: xmlsec-reqs11 for 1.1 and xmlsec-reqs2 for 2.0
<fjh> http://www.w3.org/2008/02/xmlsec-charter.html
<fjh> need to know in March about timeline
<shivaram> revisit time line by mid January
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0073.html
<shivaram> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0073.html
<fjh> plan roadmaps to CR
<Cynthia> quit
<fjh> recessed
<bal> http://fiorillos.com/