See also: IRC log
<trackbot> Date: 11 May 2010
<fjh> ScribeNick: mjensen
<fjh> Charter extension approved
<fjh> http://lists.w3.org/Archives/Member/member-xmlsec/2010May/0004.html
<fjh> XSL 2.1, http://lists.w3.org/Archives/Member/member-xmlsec/2010May/0005.html
<fjh> Approve 4 May 2010 minutes
<fjh> http://www.w3.org/2010/05/04-xmlsec-minutes.html
<fjh> Proposed RESOLUTION: Minutes from 4 May 2010 approved.
RESOLUTION: Minutes from 4 May 2010 approved
<fjh> all updates completed for XML Encryption 1.1 and Generic Hybrid ciphers, also reference updates, including XML 1.0
<tlr> ACTION: thomas to update algorithm cross-reference for GHC namespace change [recorded in http://www.w3.org/2010/05/11-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-575 - Update algorithm cross-reference for GHC namespace change [on Thomas Roessler - due 2010-05-18].
<fjh> Work continues on this, no new announcement yet
fjh: updated docs, lots of Last Call publication preparation done
<fjh> http://lists.w3.org/Archives/Member/member-xmlsec/2010May/0006.html
<tlr> just ignore the CSS warning
fhj: done all for publication, if no further concerns...
<fjh> proposed RESOLUTION: Publish LCWD of XML Encryption 1.1, XML Security
<fjh> Generic Hybrid Ciphers, XML Signature 1.1 with a 1 month last call
<fjh> review period
RESOLUTION: Publish LCWD of XML Encryption 1.1, XML Security Generic Hybrid Ciphers, XML Signature 1.1 with a 1 month last call review period.
<fjh> Plan to publish 13 May.
fjh: trimTextNodes?
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0016.html
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0019.html
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0026.html
<fjh> pdatta notes that might not need a streaming profile since 2.0 is all intended for streaming
pratik: every option set is
streamable
... or decide for simple vs. high performance options
<fjh> meiko: notes that profile is valuable since choosing options is difficult
pratik: cal it high performance profile instead of streaming profile
<fjh> action; pdatta to add "high performance profile" to c14n2
<fjh> ACTION: pdatta to add "high performance profile" to c14n2 [recorded in http://www.w3.org/2010/05/11-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-576 - Add "high performance profile" to c14n2 [on Pratik Datta - due 2010-05-18].
<fjh> ACTION-565?
<trackbot> ACTION-565 -- Meiko Jensen to come up with a proposal for inspecting the IncludedXPath and ExcludedXPath for prefixes and marking them as visibility utilized -- due 2010-05-04 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/565
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0027.html
<fjh> meiko provided 5 approaches, all of which have drawbacks
<fjh> meiko notes any approach requiring change to XPath library probably not acceptable
<fjh> scribenick: fjh
scantor: approach 3 might be a good recommendation, avoid the problem
meiko: some XPath functions might not work properly in this case, if not using namespaces
scantor: how to use QNames if not using namespaces?
<scantor> isn't that pretty broken?
meiko will provide example on list
pdatta: prefer 1st option, simpler for understanding
ISSUE-201?
<trackbot> ISSUE-201 -- C14N 2.0 handling of DTD-related and Schema-related behaviors -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/201
http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0028.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0029.html
All - please review Scott's detailed message for next week, http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0029.html
scantor: DTD processing only
happens when processing octet stream, so c14n is parser
dependent
... some of C14N2 options are not necessarily conforming with
XML, so would need to document
additional discussion of points from Pratik?
http://lists.w3.org/Archives/Public/public-xmlsec/2010Apr/0058.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0011.html
pdatta: need syntax for referencing parameter set
scantor: or is it only a conformance requirement?
<mjensen> pdatta: named parameter sets must be specified and added by referencing scheme
issue: how to define parameter sets in document, vs conformance criteria
<trackbot> Created ISSUE-202 - How to define parameter sets in document, vs conformance criteria ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/202/edit .
<mjensen> scantor: we have to decide which options are mandatory and which are optional
<mjensen> fjh: we have to figure out what sets are logical
<mjensen> fjh: shortcut would be handy
<mjensen> pdatta: not all implementations have to support all option combinations, we have minimal parameter set for this
issue-202: are parameter sets used to define conformance (e.g. set must be supported, indicating which parameters included), or also provided as interface
<trackbot> ISSUE-202 How to define parameter sets in document, vs conformance criteria notes added
<scantor> ACTION: scantor to propose more general mechanism for QNames in content [recorded in http://www.w3.org/2010/05/11-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-577 - Propose more general mechanism for QNames in content [on Scott Cantor - due 2010-05-18].
Attacks related to XML Schema defaults - best practices topic?
http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0015.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0017.html
this is related to ISSUE-138
ISSUE-138?
<trackbot> ISSUE-138 -- What interoperability and security issues arise out of schema validation behavior? -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/138
<mjensen> scantor: relates to previous issue
<mjensen> ... Issue-201
ISSUE-138: see later discussion http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0015.html
<trackbot> ISSUE-138 What interoperability and security issues arise out of schema validation behavior? notes added
best practices document http://www.w3.org/TR/2010/WD-xmldsig-bestpractices-20100204/
<mjensen> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
see http://www.w3.org/TR/2010/WD-xmldsig-bestpractices-20100204/#avoid-default-schema-values
ISSUE-138: http://www.w3.org/TR/2010/WD-xmldsig-bestpractices-20100204/#avoid-default-schema-values
<trackbot> ISSUE-138 What interoperability and security issues arise out of schema validation behavior? notes added
<mjensen> scantor: people almost never use a schema
<mjensen> .. validator
<mjensen> esimon: there could be an attack based on default values
esimon: RNG does not define default attributes and element content
<mjensen> ... propose saying "these features are not safe" in the spec
esimon: HTML5 warns against external DTDs
<esimon2> http://www.w3.org/TR/html5/the-xhtml-syntax.html#writing-xhtml-documents
esimon quotes - Note According to the XML specification, XML processors are not guaranteed to process the external DTD subset referenced in the DOCTYPE. This means, for example, that using entity references for characters in XHTML documents is unsafe if they are defined in an external file (except for <, >, &, " and ').
scantor: validating processors are required to process
<mjensen> scantor: since we talk about nodesets, parsing + Schema processing has already been done
<mjensen> wording could be cleaned up in the spec
<Gerald-E> I have to drop off.
<mjensen> tlr: what say in best practices, what elsewhere?
<mjensen> ... if validator deals with external entities that is a security issue
tlr: safe case - signer does not use external entities, receiver does not schema validate
<mjensen> ... best practice: generator should not rely on correct behaviour of validator for external entities
<scribe> ACTION: tlr to provide signature best practice proposal related to external references [recorded in http://www.w3.org/2010/05/11-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-578 - Provide signature best practice proposal related to external references [on Thomas Roessler - due 2010-05-18].
<mjensen> ... its clear what most valueable behaviour of generator is.
tlr: e.g. avoid unparsed entities in signed material and avoid relying on schema changes to attribute values and element content
<mjensen> ... instead of saying "avoid default schema value" say "avoid relying on schema validation"
http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0031.html
request for review of widget signature last call, ending June 1
http://www.w3.org/TR/2010/WD-widgets-digsig-20100511/
<mjensen> fjh: volunteers for additional review?
<mjensen> scantor: what about digest prefix rewriting?
http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0013.html
<mjensen> fjh: there was a proposal by scott any issues with that?
<mjensen> pratik: I'm fine with it.
<mjensen> scott: fine with me
RESOLUTION: accept ACTION-574: proposal on prefix rewriting as sent by Scott
<scribe> ACTION: pdatta to update c14n2 with proposal from ACTION-574 [recorded in http://www.w3.org/2010/05/11-xmlsec-minutes.html#action05]
<trackbot> Created ACTION-579 - Update c14n2 with proposal from ACTION-574 [on Pratik Datta - due 2010-05-18].
<tlr> action-578?
<trackbot> ACTION-578 -- Thomas Roessler to provide signature best practice proposal related to external references -- due 2010-05-18 -- OPEN