<trackbot> Date: 24 August 2010
<scribe> ScribeNick: fjh
for agenda, want to include msg from cynthia http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0056.html
also from pratik for xpath http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html
Approve 17 August 2010 minutes
http://www.w3.org/2010/08/17-xmlsec-minutes.html
RESOLUTION: Minutes from 17 August 2010 approved.
Best Practices
Converted to ReSpec, updated status section, prepared for publication.
http://www.w3.org/2008/xmlsec/Drafts/best-practices/Overview-pub.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0039.html
XML Security RELAX NG Schemas
Updated, ready for publication, details in the email
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0046.html
XML Signature 2.0
Minor updates
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0042.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0044.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0048.html
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0050.html
proposed RESOLUTION: add dsig2:IDassertions child of the dsig2:Verification element as proposed by Scott Cantor in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0044.html
pdatta: this is per reference
scantor: yes
... could simplify and make single attribute, but could be in XPath subset?
pdatta: yes could have there
magnus: is this limited for 2.0
scantor: yes
let's limit this to 2.0
proposed RESOLUTION: add dsig2:IDassertions child of the dsig2:Verification element as proposed by Scott Cantor in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0044.html
<scantor> I would use IDAttributes
proposed RESOLUTION: add dsig2:IDAttributes child of the dsig2:Verification element as proposed by Scott Cantor in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0044.html
<dsig2:QualifiedID name="..." ns="..."/>
<dsig2:UnqualifiedID name="..." parentname="..." parentns="..."/>
scantor: schema similar to that in qname canonicalization
... if not xml:id, specify qualified name inside assertion element
... need a way for verifier to know what is type ID without DTD or schema, without relying on name string
pdatta: do we need this
... per document or per reference
scantor: it is per document but this is cleaner and doesn't hurt
... enables it to be ignored
... could put elsewhere like signature properties
... will be not confusing if only one Reference
... advantageous to limit to one reference
pdatta: implementation will need to collect all ids from all references then scan?
scantor: not to identify references, need to identify only per reference
... only matters in context of particular reference
pdatta: agrees we need this, was only asking about per-document, agree simpler this way
scantor: signature properties approach would have disadvantages
proposed RESOLUTION: add dsig2:IDAttributes child of the dsig2:Verification element as proposed by Scott Cantor in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0044.html
<mjensen> fine with me
RESOLUTION: add dsig2:IDAttributes child of the dsig2:Verification element as proposed by Scott Cantor in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0044.html
<scribe> ACTION: pdatta to add dsig2:IDAttributes child of the dsig2:Verification element as proposed by Scott Cantor in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0044.html [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-636 - Add dsig2:IDAttributes child of the dsig2:Verification element as proposed by Scott Cantor in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0044.html [on Pratik Datta - due 2010-08-31].
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0053.html
replace "http://www.w3.org/2008/xmlsec/experimental" with "http://www.w3.org/2010/xmldsig2"
6.7.1, 6.7.2 and 6.7.3 for Type and SubType
<scribe> ACTION: pdatta to update URI per http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0053.html [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-637 - Update URI per http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0053.html [on Pratik Datta - due 2010-08-31].
also remove ... notation per Scott
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0043.html
ISSUE: restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by
<trackbot> Created ISSUE-210 - Restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/210/edit .
moving some of the Reference content material to section 6.7 to fully define
the new Transform algorithm there., http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0043.html
ISSUE-210: moving some of the Reference content material to section 6.7 to fully define
<trackbot> ISSUE-210 Restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by notes added
ISSUE-210: the new Transform algorithm there., http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0043.html
<trackbot> ISSUE-210 Restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by notes added
<scribe> ACTION: scantor to make proposal for ISSUE-210, see also http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0043.html (uncomplicate section) [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-638 - Make proposal for ISSUE-210, see also http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0043.html (uncomplicate section) [on Scott Cantor - due 2010-08-31].
Additional changes
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0047.html
In http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-Verification-2.0, <dsig2:PositionAssertion>, I suggest the following change:
Remove the last sentence from #2 ("The good thing about this approach is that implementations could simply ignore this verification assertion and rely solely on the ID-based referencing at the risk of being vulnerable to signature wrapping.")
Add new paragraph after numbered list, with the following text:
Verification of the <dsig2:Verification> element by validators is optional, even if the element is present. Thus validators can make a trade-off between sole ID-based referencing (with the risk of being vulnerable to signature wrapping attacks) and verifying the <dsig2:PositionAssertion>, for example.
scantor: also add note in section on validation, http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview.html#sec-CoreValidation
<scribe> ACTION: pdatta to implement changes suggested in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0047.html , also add note in core validation section [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-639 - Implement changes suggested in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0047.html , also add note in core validation section [on Pratik Datta - due 2010-08-31].
ACTION-476?
<trackbot> ACTION-476 -- Frederick Hirsch to review xml signature 2.0 -- due 2010-08-18 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/476
ACTION-621?
<trackbot> ACTION-621 -- Thomas Roessler to propose ECC-related refactoring of spec -- due 2010-08-31 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/621
wait with this until after publication
Before publication, 3 new actions assigned to pratik, need to update status with changes
plan to publish this one next Tuesday, with edits completed this week on Thursday
http://www.w3.org/2008/xmlsec/Drafts/c14n-20/
ACTION-620?
<trackbot> ACTION-620 -- Cynthia Martin to review C14N2 references, ISSUE-200 -- due 2010-08-10 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/620
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0056.html
cynthia: XML Dsig Core 2 should be listed as work in progress, and is not
<scribe> ACTION: fjh to update references per Cynthia review http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0056.html [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action05]
<trackbot> Created ACTION-640 - Update references per Cynthia review http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0056.html [on Frederick Hirsch - due 2010-08-31].
cynthia: also reviewed what is normative and informative, and it seems to be correct
... dom level 2 core could be moved to normative
http://www.w3.org/2008/xmlsec/Drafts/c14n-20/
tlr: informative, using infoset. suggest leaving informative
<scribe> ACTION: fjh to generate updated publication drafts after reference updates [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action06]
<trackbot> Created ACTION-641 - Generate updated publication drafts after reference updates [on Frederick Hirsch - due 2010-08-31].
tlr: for publication only need to link to diff
Pratik email update - http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html
pdatta: disable string() without arguments because it expands node
To change
A) Disable the string() function with no arguments. Similarly do not allow the no argument forms of string-length() and normalize-space()
Because these no argument forms take the string value of the current node.
B) Allow predicates in all steps, not just the final step.
C) Add the "following" and "following-sibling" axes.
scribe: message lists also what we should not do, http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html
... use diff for now, later consider stand alone version
ISSUE: stand alone version of Streaming XPath Profile versus diff, http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html
<trackbot> Created ISSUE-211 - Stand alone version of Streaming XPath Profile versus diff, http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/211/edit .
<mjensen> should be in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0020.html
RESOLUTION: accept changes proposed by Pratik in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html ; A-C
<scribe> ACTION: pdatta to update Streaming XPath Profile with changes in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action07]
<trackbot> Created ACTION-642 - Update Streaming XPath Profile with changes in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html [on Pratik Datta - due 2010-08-31].
pdatta: can do this by Thursday this week
ISSUE: additional denial of service attack for Best Practices, http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0020.html
<trackbot> Created ISSUE-212 - Additional denial of service attack for Best Practices, http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0020.html ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/212/edit .
<mjensen> predicates in non-final XPath steps are supposed to follow the reduced predicate grammar (i.e. no element references may be put in there)
<scribe> ACTION: mjensen to propose text for best practices re ISSUE-212, attack noted in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0020.html [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action08]
<trackbot> Created ACTION-643 - Propose text for best practices re ISSUE-212, attack noted in http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0020.html [on Meiko Jensen - due 2010-08-31].
http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0052.html
can make more efficient with application information to implementation but that might be out of scope, beyond making a note of consideration
mjensen: 1-pass not always possible so should note in document that some cases will require 2-pass
scantor: might want to enumerate these cases - enveloped signatures, use of ID in certain cases
<scribe> ACTION: mjensen to propose text for Streaming XPath Profile to note that 1-pass not always possible, giving examples where 1-pass is not possible [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action09]
<trackbot> Created ACTION-644 - Propose text for Streaming XPath Profile to note that 1-pass not always possible, giving examples where 1-pass is not possible [on Meiko Jensen - due 2010-08-31].
ACTION-644: enveloped signatures, use of ID
<trackbot> ACTION-644 Propose text for Streaming XPath Profile to note that 1-pass not always possible, giving examples where 1-pass is not possible notes added
pdatta: cases where not possible is when forward references
mjensen: fine to publish what we have now, this will be a concern for interface for signature
ACTION-538?
<trackbot> ACTION-538 -- Meiko Jensen to provide proposal related to namespace wrapping attacks once XPath profile available -- due 2010-03-09 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/538
mjensen: connected to xpath streaming, but not to delay publication
... may be moot
ACTION-548?
<trackbot> ACTION-548 -- Ed Simon to ed to review XPath Profile -- due 2010-04-20 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/548
ACTION-614?
<trackbot> ACTION-614 -- Meiko Jensen to review XPath Profile -- due 2010-08-10 -- CLOSED
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/614
ACTION-619?
<trackbot> ACTION-619 -- Ed Simon to review Meiko proposal for ACTION-538 -- due 2010-08-03 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/619
proposed RESOLUTION: WG agrees to publish updated WD of XML Signature Best Practices with publication date of 31 August.
RESOLUTION: WG agrees to publish updated WD of XML Signature Best Practices with publication date of 31 August.
proposed RESOLUTION: WG agrees to publish updated WD of XML Security RELAX NG Schemas with publication date of 31 August.
RESOLUTION: WG agrees to publish updated WD of XML Security RELAX NG Schemas with publication date of 31 August.
proposed RESOLUTION: WG agrees to publish updated WD of XML Signature 2.0 with publication date of 31 August, incorporating changes agreed at today's meeting.
RESOLUTION: WG agrees to publish updated WD of XML Signature 2.0 with publication date of 31 August, incorporating changes agreed at today's meeting.
proposed RESOLUTION: WG agrees to publish updated WD of Canonical XML Version 2.0 with publication date of 31 August, incorporating changes agreed at today's meeting.
RESOLUTION: WG agrees to publish updated WD of Canonical XML Version 2.0 with publication date of 31 August, incorporating changes agreed at today's meeting.
proposed RESOLUTION: WG agrees to publish FPWD of Streaming XPath Profile with publication date of 31 August, incorporating changes agreed at today's meeting.
RESOLUTION: WG agrees to publish FPWD of Streaming XPath Profile with publication date of 31 August, incorporating changes agreed at today's meeting.
proposed RESOLUTION: WG agrees to shortname xmldsig-xpath for Streamable XPath Profile
RESOLUTION: WG agrees to shortname xmldsig-xpath for Streamable XPath Profile
<scribe> ACTION: fjh to request publication FPWD of Streamable XPath Profile [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action10]
<trackbot> Created ACTION-645 - Request publication FPWD of Streamable XPath Profile [on Frederick Hirsch - due 2010-08-31].
<scribe> ACTION: fjh to prepare manifest for publication [recorded in http://www.w3.org/2010/08/24-xmlsec-minutes.html#action11]
<trackbot> Created ACTION-646 - Prepare manifest for publication [on Frederick Hirsch - due 2010-08-31].