W3C

XML Security Working Group Teleconference
05 Jan 2010


Attendees

Present
Frederick, Hirsch, Chris_Solc, Cynthia_Martin, Bruce_Rich, Scott_Cantor, Brian_LaMacchia, Gerald_Edgar, Pratik_Datta
Regrets
Thomas_Roessler, Ed_Simon, Shivaram_Mysore
Chair
Frederick Hirsch
Scribe
Gerald-E

<trackbot> Date: 05 January 2010

Administrative

scribe, Gerald-E

<fhirsch> publication of NIST Special Publication (SP) 800-57 RECOMMENDATION FOR KEY MANAGEMENT, Part 3

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0065.html

Minutes

<fhirsch> http://www.w3.org/2009/12/15-xmlsec-minutes.html

Resolution: 15 December minutes are approved

Editorial Update

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0079.html

fjh: Editing has been done in encryption and signature

<fhirsch> ACTION-464, MgmtData change

<fhirsch> ACTION-466 Incorporate RSA key size

<fhirsch> This XML Signature 1.1 revision REQUIRES all conforming implementations to support RSA signature generation and verification with public keys at least 2048 bits in length.

fjh: links have been checked

<fhirsch> All conforming implementations of XML Signature 1.1 MUST support RSA signature generation and verification with public keys at least 2048 bits in length.

<fhirsch> ACTION-467 Add action-404 proposal into editors draft, history why DERKeyValue is not child of KeyValue

fjh: Editorial changes have been made to get the language consistent with the RFC

<fhirsch> ACTION-470 Change "see below" to link to section 6.2 in xml sig 1.1 (changed in a number of places)

<fhirsch> ACTION-471 Add SHA-1 warning to 6.2.1 and fix DSS reference in sig 1.1 ReSpec conversion fixes

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0059.html

fjh: A need to address Cynthia's review

Cynthia: not to make keyinfo mandatory

<fhirsch> removed following

<fhirsch> While we identify two SignatureMethod algorithms, one mandatory and one optional to implement, user specified algorithms may be used as well.

<fhirsch> need to check that allow user specified transforms in draft

<fhirsch> added boilerplate to references section

<fhirsch> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#references

<fhirsch> Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.

Cynthia: to review references in signature

<trackbot> ACTION-449 -- Cynthia Martin to review 1.1 bibliographies (depends on ACTION-448) -- due 2009-11-24 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/449

<fhirsch> fix section numbering for Syntax Constraints section; update copyright to include IETF; fix font on Only what is signed section; clarify acknowledgements for first edition; add uri in comment on versioning and namespaces

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0077.html

<fhirsch> Section 3.2 Core Signature Validation

<fhirsch> Comparison of each value in reference and signature validation is over the numeric (e.g., integer) or decoded octet sequence of the value. Different implementations may produce different encoded digest and signature values when processing the same resources because of variances in their encoding, such as accidental white space. But if one uses numeric or octet comparison (choose one) on both the stated and computed values these problems are elimi

Cynthia: people use either numeric or octet

<fhirsch> pratik notes most people use octets

<fhirsch> which is what I thought

<fhirsch> scott notes issue would only occur if padding is not 0s. No change needed.

<fhirsch> HMACOutputLength warning

<fhirsch> Signatures must be deemed invalid if the truncation length is below half the underlying hash algorithm's output length, or 80 bits, whichever of these two values is greater.

fjh: HMAC output warning

<bal> Signatures must be deemed invalid if the truncation length is below the larger of (a) half the underlying hash algorithm's output length, and (b) 80 bits

<Cynthia> I agree with Brian

Resolution: to accept Brian's suggestion about signature HMAC output length warning

<fhirsch> Did not change references from C14N 1.0 to 1.1 since do not want to change normative intent in 1.1, to not break compatibility

<fhirsch> added historical note

<fhirsch> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-DEREncodedKeyValue

<fhirsch> Note - should the schema error for RetrievalMethod be fixed in 2.0?

fjh: schema error to be fixed

<fhirsch> section 4.5.3

<fhirsch> Note - MimeType etc for Object element might be an issue for 2.0 since we do not rely on Transforms for that model?

<fhirsch> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-Object

<fhirsch> ACTION: fjh to create issues for 2.0 from 1.1 review [recorded in http://www.w3.org/2010/01/05-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-480 - Create issues for 2.0 from 1.1 review [on Frederick Hirsch - due 2010-01-12].

<fhirsch> What is a "sufficiently functional alternative" and why do we mention it in Base64 transform section?

<fhirsch> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-Base-64

<fhirsch> This transform accepts either an octet-stream or a node-set as input. If an octet-string is given as input, then this octet-stream is processed directly. If an XPath node-set (or sufficiently functional alternative) is given as input, then it is converted to an octet stream by performing operations logically equivalent to 1) applying an XPath transform with expression self::text(), then 2) taking the string-value of the node-set. Thus, if an XML element is i

<fhirsch> more editorial fixes

<fhirsch> Fix section depths in Algorithm section, updating table of contents etc. Restore text that was lost from 2nd edition in section on canonicalization algorithms. Review and Fix textual section references, e.g. explicit section numbers mentioned in text. Make RelaxNG reference normative Fix editorial corrections such as 'a' to 'an' etc Format element names using <code> formatting, multiple corrections as needed Correct case of referenced elements, also ad

<fhirsch> all - please review XML Signature 1.1 before next week call, so we can go to Last Call

<fhirsch> Cynthia is to review references

Encryption 1.1

<fhirsch> ACTION-469 Add aes-gcm to enc 1.1 (including reference)

<fhirsch> ACTION-472 Add ConcatKDF note

<fhirsch> ReSpec conversion fixes, validation and link check fixes

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0054.html

<fhirsch> Add Reference section boilerplate

<fhirsch> add mention and reference to XML Security 1.1 requirements

fjh: the edits are complete and the documents need review

<fhirsch> Call for consensus next week to publish last call of Signature 1.1 and Signature Properties

fjh: security requirements and best practices will need updates

<fhirsch> Publish updated drafts of XML Security 1.1 Requirements, XML Security 2.0 Requirements, Best Practices

<fhirsch> XML Encryption 1.1 Roadmap

fjh: people need to review signature 1.1

<fhirsch> last call for Encryption 1.1, XML Security Generic Hybrid Ciphers, in February tentatively

<fhirsch> Update WD for XML Security Algorithm Cross-Reference

XML signature

<fhirsch> XML Signature 2.0 Referencing Syntax, ACTION-434

<fhirsch> action-434?

<trackbot> ACTION-434 -- Scott Cantor to propose "final" disposition of Referencing syntax -- due 2009-11-13 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/434

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0058.html

<fhirsch> my comments: http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0065.html

scantor: he needs to see the spec in context; he does not disagree with the proposal
... a greater concern with technical content

<fhirsch> Identifier for Canonical XML 2.0

<fhirsch> http://www.w3.org/2010/xml-c14n2 (new URI)

<fhirsch> Input: XML Document Subset, either entire DOM document or list of subtrees with exclusions, or event stream Output: Octet Stream The normative specification of Canonical XML Version 2.0 is [Canonical-XML-2].

<fhirsch> Please review this material.

fjh: with some restructuring we will have a draft

Canonical XML 2.0

<fhirsch> Prefix Free Canonicalization

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0000.html

Pratik: prefix free is seen the same as prefix free rewriting

Scott: to force this is a mistake

Encryption 1.1 and EXI

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0073.html

fhirsch: Thomas had a proposal about EXI - to clean up processing rules

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0075.html

Scott: based on the type element there is no way to relate to the consumer what the original element is

<scantor> some schemas replace plaintext Foo with EncryptedFoo containing EncryptedData

Canonicalization Errata

<fhirsch> http://lists.w3.org/Archives/Public/public-xmlsec/2009Apr/0041.html

Scott: to make a change to C14N

<fhirsch> scott notes this is a more major change to namespace handling, hence not an erratum

Action Review

<fhirsch> action -400?

<trackbot> Sorry, bad ACTION syntax

<fhirsch> action-400?

<trackbot> ACTION-400 -- Hal Lockhart to propose concrete next steps to address ISSUE-63 in 2.0 -- due 2009-11-03 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/400

<fhirsch> issue-63?

<trackbot> ISSUE-63 -- Namespace requirements: undeclarations, QNames, use of partial content in new contexts -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/63

<fhirsch> action-400 closed

<trackbot> ACTION-400 propose concrete next steps to address ISSUE-63 in 2.0 closed

<fhirsch> ACTION: fjh to check on follow-up status on WS-Transfer discussion [recorded in http://www.w3.org/2010/01/05-xmlsec-minutes.html#action02]

<trackbot> Created ACTION-481 - Check on follow-up status on WS-Transfer discussion [on Frederick Hirsch - due 2010-01-12].

<fhirsch> pratik prefers one document listing various subsets

<fhirsch> action-441?

<trackbot> ACTION-441 -- Cynthia Martin to review BSP 1.1 (http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html) with respect to Signature 1.1 and Encryption 1.1 -- due 2009-11-13 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/441

<fhirsch> Cynthia to review BSP 1.1 with respect to changes needed in XML Signature 1.1 and XML Encryption 1.1

<fhirsch> action-456?

<trackbot> ACTION-456 -- Scott Cantor to review workshop papers regarding strengthening id based references with respect to wrapping attacks -- due 2009-11-24 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/456

<fhirsch> focus of this is to look at id referencing and proposal to assist prevention of wrapping attacks

<fhirsch> action-450?

<trackbot> ACTION-450 -- Brian LaMacchia to check on Suite B AES-GCM -- due 2009-11-24 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/450

<fhirsch> waiting on official response

<fhirsch> action-451?

<trackbot> ACTION-451 -- Brian LaMacchia to review the Pratik AES-GCM proposal with Magnus -- due 2009-11-24 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/451

<fhirsch> open

<fhirsch> action-461?

<trackbot> ACTION-461 -- Bruce Rich to start a discussion on the list about concatKDF bit string hash interoperability issues -- due 2009-12-15 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/461

<fhirsch> discussion occurred

<fhirsch> action-461 closed

<trackbot> ACTION-461 Start a discussion on the list about concatKDF bit string hash interoperability issues closed

Bruce: status of action-461 this is an old action to be closed

<fhirsch> action-383?

<trackbot> ACTION-383 -- Sean Mullan to provide reference to performance paper -- due 2009-10-06 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/383

<fhirsch> to close, spanish paper

fjh: Review Signature 1.1 before next week

Summary of Action Items

[NEW] ACTION: fjh to check on follow-up status on WS-Transfer discussion [recorded in http://www.w3.org/2010/01/05-xmlsec-minutes.html#action02]
[NEW] ACTION: fjh to create issues for 2.0 from 1.1 review [recorded in http://www.w3.org/2010/01/05-xmlsec-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2010/01/12 15:17:15 $