See also: IRC log
<trackbot> Date: 29 June 2010
<scribe> ACTION: tlr to copy http://lists.w3.org/Archives/Member/member-xmlsec/2010Jun/att-0007/minutes-2010-06-22.html to http://www.w3.org/2010/06/22-xmlsec-minutes.html [recorded in http://www.w3.org/2010/06/29-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-601 - Copy http://lists.w3.org/Archives/Member/member-xmlsec/2010Jun/att-0007/minutes-2010-06-22.html to http://www.w3.org/2010/06/22-xmlsec-minutes.html [on Thomas Roessler - due 2010-07-06].
<Cynthia> I will be available next week
<mjensen> I won't be available next week
<scantor> I should be
<scribe> ScribeNick: fjh
<scribe> Scribe: Frederick_Hirsch
call on the 6th, no call on the 13th
"Digital Signatures for Widgets" was published as W3C Candidate Recommendation, 24 June 2010
http://www.w3.org/TR/2010/CR-widgets-digsig-20100624/
TPAC registration open (XML Security F2F 1-2 November 2010)
http://lists.w3.org/Archives/Member/member-xmlsec/2010Jun/0004.html
ACTION-592?
<trackbot> ACTION-592 -- Thomas Roessler to set up dial-in v attendance questionnaire for TPAC 2010 -- due 2010-06-22 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/592
Approve 22 June 2010 minutes
http://lists.w3.org/Archives/Member/member-xmlsec/2010Jun/att-0007/minutes-2010-06-22.html
RESOLUTION: Minutes from 22 June 2010 approved.
No W3C Team update expected until 6 July meeting.
The WG noted that this issue has been open for a long time, and resolution could help increase participation in interop and other work.
http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0003.html
defer for tlr
ACTION-585?
<trackbot> ACTION-585 -- Thomas Roessler to review proposal for LC-2387 -- due 2010-07-07 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/585
http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0034.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0040.html
same concerns as with QNames
scantor: can incorporate Curies into proposal
ACTION-576?
<trackbot> ACTION-576 -- Pratik Datta to add "high performance profile" to c14n2 -- due 2010-06-22 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/576
ACTION-594?
<trackbot> ACTION-594 -- Scott Cantor to write detailed proposal, not including xsi:type, based on http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0020.html -- due 2010-06-22 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/594
ACTION-597?
<trackbot> ACTION-597 -- Pratik Datta to add proposed text to draft -- due 2010-06-22 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/597
<scantor> very detailed
<scribe> ACTION: fjh to figure out what ACTION-597 is [recorded in http://www.w3.org/2010/06/29-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-602 - to figure out what ACTION-597 is [on Frederick Hirsch - due 2010-07-06].
Profiles
scantor: grouping options might help with addressing use case
fjh: can treat as informational, explain how parameters can be used to address use cases
hal: would it help with interop to define a small number of cases, to avoid combinatorial explosion
scantor: does W3 allow mandatory profile that requires optional parameters
... profile useful for conformance testing and interop
fjh: do not need mechanism in XML to define profiles, but can define in specification for conformance
hal: agree, and want to limit options
pdatta: +1
... asks if we should mark parameters as MUST or OPTIONAL
proposed RESOLUTION: WG agrees that profiles do not need to be expressed in markup, but should be dealt with in conformance clauses
RESOLUTION: WG agrees that profiles do not need to be expressed in markup, but should be dealt with in conformance clauses
http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0060.html
meiko: problem with adjacent text nodes
... cannot distinguish two text nodes due to parser versus to two from XPath selections.
... thus some whitespace might remain even though it could have been trimmed
<scantor> I thought we precluded text node selection
pdatta: our XPath profile does not allow selection of text nodes
meiko: will need to look at this
... what about use cases involving text
scantor: need to simplify and limit use cases for adoption
... excluded for other reasons
pdatta: trimming and canonicalization can be done simultaneously
hal: not sure of value of use case with text value without any context
meiko: good for reuse
fjh: questions if we are reopening resolved issue?
hal: value without context is not meaningful
... is 136 a random number, not meaningful, a stream of random numbers is
http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0044.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0050.html
proposed RESOLUTION: accept Pratik proposal regarding URI and US-ASCII encoding
RESOLUTION: accept Pratik proposal regarding URI and US-ASCII encoding
http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0013.html
ACTION-600?
<trackbot> ACTION-600 -- Thomas Roessler to draft proposal of how update to 1.0 schema will work practically for existing implementations -- due 2010-06-29 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/600
ACTION-590?
<trackbot> ACTION-590 -- Pratik Datta to create separate XPath profile document (from XML Signature 2.0) -- due 2010-06-08 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/590
ACTION-589?
<trackbot> ACTION-589 -- Pratik Datta to create 2.0 schema with X509IssuerSerial change -- due 2010-06-08 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/589
ACTION-586?
<trackbot> ACTION-586 -- Meiko Jensen to draft text about XPath risks for BP document -- due 2010-06-08 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/586
meiko: some of this material is in the best practices, but could be clearer
<mjensen> best practices case 2.2.2
<mjensen> already contains the XPath warning I proposed
<mjensen> but in weaker wording
<mjensen> I'd like to investigate more deeply...
http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/#id35830424
meiko: recommended as treating empty selection as fault, in earlier discussion had result might be useful to have signature that needs to select nothing, absence of element
... need to be consistent
pdatta: suggests generalization, keep expected length of canonicalized data
scantor: best practice overstates situation, recommends modifying the best practice to indicate to be aware of risk
issue: update wording of best practice in 2.2.2 since empty result could be intentional, e.g. sign element even if missing. text to modify "In this case there is XPath transform, which evaluates to zero or false for every node, so it ends up selecting nothing. So even though the signature seems to sign the Approval, it actually doesn't. The application should reject this document."
<trackbot> Created ISSUE-207 - Update wording of best practice in 2.2.2 since empty result could be intentional, e.g. sign element even if missing. text to modify "In this case there is XPath transform, which evaluates to zero or false for every node, so it ends up selecting nothing. So even though the signature seems to sign the Approval, it actually doesn't. The application should reject this document." ; please complete additional details at http://www.w3.org/2008
<scribe> ACTION: fjh to update best practice for ISSUE-207 [recorded in http://www.w3.org/2010/06/29-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-603 - Update best practice for ISSUE-207 [on Frederick Hirsch - due 2010-07-06].
ISSUE-207: case of check what is signed, can be appropriate for it to be nothing
<trackbot> ISSUE-207 Update wording of best practice in 2.2.2 since empty result could be intentional, e.g. sign element even if missing. text to modify "In this case there is XPath transform, which evaluates to zero or false for every node, so it ends up selecting nothing. S notes added
http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0055.html
scantor: some of the test cases are out of date regarding syntax or missing ecc test cases
ACTION-280?
<trackbot> ACTION-280 -- Magnus Nyström to produce test cases for derived keys -- due 2009-05-19 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/280
ACTION-411?
<trackbot> ACTION-411 -- Pratik Datta to perform measurement related to transform octet conversion -- due 2010-06-30 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/411
ACTION-540?
<trackbot> ACTION-540 -- Frederick Hirsch to ask Makoto regarding implementations and interop -- due 2010-03-09 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/540
ACTION-552?
<trackbot> ACTION-552 -- Frederick Hirsch to ask on list about interop and implemention plans for 1.1 features, including encryption and also 2.0 -- due 2010-04-27 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/552
ACTION-538?
<trackbot> ACTION-538 -- Meiko Jensen to provide proposal related to namespace wrapping attacks -- due 2010-03-09 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/538
need to update action to indicate that this is waiting on XPath profile
ACTION-553?
<trackbot> ACTION-553 -- Thomas Roessler to contact implementers known from hmac affair -- due 2010-06-30 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/553
ACTION-581?
<trackbot> ACTION-581 -- Scott Cantor to make proposal around IDness of attributes -- due 2010-06-15 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/581
scantor: ids not often recognized as IDs if have special name or DTD, hence xml:id
... since xml:id not widely used yet, allow to specify what will be treated as ids in Dom
... data typing proposal, embedded within signature
... make DOM calls to establish uniqueness
meiko: many DOM parsers don't care if unique, use latest, cannot rely on uniqueness of ids
scantor: enables avoiding use of XPath
... selection syntax still allows fragment references, id based references
Type="...xml" : Select complete XML documents, or XML fragments.
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-Selection-2.0
csolc: concern about customers that use 3rd party DOM
scantor: DOM3 allows id setting as part of the standard
... need to be clear how to reference items
general support for Scott's approach, but WG would like to see more detail in the proposal
ISSUE-160?
<trackbot> ISSUE-160 -- Define URI for Canonical XML 2.0, add section to Signature 2.0 defining Canonical XML 2.0 -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/160
issue-160 closed
<trackbot> ISSUE-160 Define URI for Canonical XML 2.0, add section to Signature 2.0 defining Canonical XML 2.0 closed
ISSUE-189?
<trackbot> ISSUE-189 -- RNG Schemas needed for XML Encryption 1.1 -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/189
ISSUE-189 closed
<trackbot> ISSUE-189 RNG Schemas needed for XML Encryption 1.1 closed
<scantor> (for the minutes, the 2.0 draft does allow referencing an ID in a URI in the Selection element)
ISSUE-188?
<trackbot> ISSUE-188 -- Agreement referenced in XML Signature 1.1 but definition not clear -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/188
ISSUE-188 closed
<trackbot> ISSUE-188 Agreement referenced in XML Signature 1.1 but definition not clear closed
ISSUE-190?
<trackbot> ISSUE-190 -- Two different sha384 URIs -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/190
ISSUE-190 closed
<trackbot> ISSUE-190 Two different sha384 URIs closed
ISSUE-195?
<trackbot> ISSUE-195 -- Camelli a cipher -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/195
ISSUE-195 closed
<trackbot> ISSUE-195 Camelli a cipher closed
ISSUE-170?
<trackbot> ISSUE-170 -- Should we recomend signing namespaces as part of Best Practice 12 -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/170
scantor: this would require a complete rework of xml signature
fjh: why have this as an open issue
scantor: people need to convince themselves about the risks related to namespace wrapping attack.
<Cynthia> +
ISSUE-170: dependency on ACTION-538
<trackbot> ISSUE-170 Should we recomend signing namespaces as part of Best Practice 12 notes added
hal: include namespace identifier under signature, yes
scantor: output in c14n output might not be clear
<scribe> ACTION: hal to propose change for best practices for ISSUE-170 [recorded in http://www.w3.org/2010/06/29-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-604 - Propose change for best practices for ISSUE-170 [on Hal Lockhart - due 2010-07-06].
ISSUE-196?
<trackbot> ISSUE-196 -- Which URI to use for serialization parameter for XML and EXI in C14N2 -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/196
issue-196 closed
<trackbot> ISSUE-196 Which URI to use for serialization parameter for XML and EXI in C14N2 closed
update with corresponding action
ISSUE-200?
<trackbot> ISSUE-200 -- Which references are normative vs informative for C14N2 -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/200
action pdatta to update references for C14N2, placing into normative vs informative to resolve ISSUE-200
<trackbot> Created ACTION-605 - Update references for C14N2, placing into normative vs informative to resolve ISSUE-200 [on Pratik Datta - due 2010-07-06].
ISSUE-180?
<trackbot> ISSUE-180 -- Section 8 identifies Joseph Reagle as the contact for the XML Encryption media type. This needs to be updated, perhaps to a generic identity? -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/180
ISSUE-180: resolved in http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.html#sec-MediaType , uses World Wide Web Consortium <web-human at w3.org>
<trackbot> ISSUE-180 Section 8 identifies Joseph Reagle as the contact for the XML Encryption media type. This needs to be updated, perhaps to a generic identity? notes added
ISSUE-180 closed
<trackbot> ISSUE-180 Section 8 identifies Joseph Reagle as the contact for the XML Encryption media type. This needs to be updated, perhaps to a generic identity? closed
ISSUE-196: resolved, see http://lists.w3.org/Archives/Public/public-xmlsec/2010Jun/0045.html for ACTION-561
<trackbot> ISSUE-196 Which URI to use for serialization parameter for XML and EXI in C14N2 notes added
ISSUE-196 closed
<trackbot> ISSUE-196 Which URI to use for serialization parameter for XML and EXI in C14N2 closed
ISSUE-195: resolved, see http://lists.w3.org/Archives/Public/public-xmlsec/2010Apr/0006.html
<trackbot> ISSUE-195 Camelli a cipher notes added
ISSUE-195: see also http://lists.w3.org/Archives/Public/public-xmlsec/2010Apr/0001.html for resolution, for ISSUE-195 and ISSUE-196
<trackbot> ISSUE-195 Camelli a cipher notes added
issue-195?
<trackbot> ISSUE-195 -- Camelli a cipher -- closed
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/195
ISSUE-190: resolution at http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0052.html
<trackbot> ISSUE-190 Two different sha384 URIs notes added
ISSUE-190: resolution confirmation at http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0053.html
<trackbot> ISSUE-190 Two different sha384 URIs notes added
ISSUE-188: resolved, see http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0050.html
<trackbot> ISSUE-188 Agreement referenced in XML Signature 1.1 but definition not clear notes added
ISSUE-189: resolved, schemas added to RNG Schema document, see http://www.w3.org/2008/xmlsec/Drafts/xmlsec-rngschema/Overview.html#sec-Encryption11-rngSchema
<trackbot> ISSUE-189 RNG Schemas needed for XML Encryption 1.1 notes added
ISSUE-160: resolved, see http://www.w3.org/2008/xmlsec/Drafts/c14n-20/#sec-Use . Not listed in XML Signature 2.0?
<trackbot> ISSUE-160 Define URI for Canonical XML 2.0, add section to Signature 2.0 defining Canonical XML 2.0 notes added
ISSUE-160: open
<trackbot> ISSUE-160 Define URI for Canonical XML 2.0, add section to Signature 2.0 defining Canonical XML 2.0 notes added
ISSUE-160 reopen
ISSUE-160 may need to be open until URI is also listed in Signature 2.0.
ISSUE: list 2.0 algorithms in algorithms cross-reference
<trackbot> Created ISSUE-208 - List 2.0 algorithms in algorithms cross-reference ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/208/edit .