See also: IRC log
<trackbot-ng> Date: 23 October 2007
<tlr> Scribe: hal
<FrederickHirsch> Meeting: XML Security Specifications Maintenance WG Conference Call
<FrederickHirsch> Chair: Frederick Hirsch
<FrederickHirsch> Agenda: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Oct/0016.html
<FrederickHirsch> aaa is sean
Ed to scribe next week
Plenary in Cambridge the following week
<FrederickHirsch> http://www.w3.org/XML/Group/2007/09/xml-f2f-20071105-agenda.htm
XMLcore WG will meet Tuesday to discuss C14N
ed: would like to dial in
tlr: they will have a bridge up, should be no problem
FH: need to tell them on chat you are trying to dial in
no meeting Nov 20
<tlr> http://www.w3.org/2007/10/16-xmlsec-minutes-public
Resolution: Minutes approved
<tlr> http://www.w3.org/2007/10/16-xmlsec-minutes
FH: minutes of workshop were approved previously
<FrederickHirsch> tlr: workshop followup list is established, will announce minutes and report
tlr: will be made public today
<tlr> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Oct/0010.html
tlr: w issue: 4.3.3.1 proposal to reference XML Schema
... Konrad was asking about implications, so I looked into it
<tlr> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Oct/0010.html
tlr: we may have got the meaning of the text backwards, based on study of Schema definition of any URI
<tlr> http://www.w3.org/TR/xmldsig-core/#sec-URI
<tlr> http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#sec-URI
<tlr> tlr: we might be getting the meaning of the transform in 4.3.3.1 backwards. The transform is a no-op if applied to a URI. It is the same transform that should be applied to an anyURI value to transform that to an actual URI.
<klanz2> http://www.w3.org/TR/xmlschema-2/#anyURI
FH: does this mean you have to escape the URI when you make it a value of the element or when you process it?
tlr: we seem to read the sentence to mean that the value must conform to URI syntax
... this is stronger than what Schema requires
... but if we start with a real URI there is nothing required
<klanz2> http://www.w3.org/TR/2001/REC-xlink-20010627/#link-locators
FH: you construct value, then you use it as a reference, correct?
... what is the other direction?
tlr: other direction is compose signature, construct reference URI="" from an xpointer which might include interesting characters
<klanz2> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2007JulSep/0005.html
FH: 2 choices
... encode before putting value in element
... or encode when processing value
... you are proposing we follow WSchema and xlink
tlr: proposal is to map value in element to URI
<FrederickHirsch> two possible views - encode what is placed into attribute value or what rules to follow when dereferencing value in attribute
FH: ed do you remember the rationale?
ed: no recollection
klanz2: one thing is you can convert string to URI
<FrederickHirsch> konrad: string converted to URI as late as possible, like xml schema, also dsig
klanz2: xml dsig does not have this
... doubtful that any string can be converted to URI
... our implementation assumes value is valid URI except for possible presence of []
tlr: Konrad is saying the model may assume non-URI stuff, but his imple does not support this
... want to hear from sean
<FrederickHirsch> konrad suggests that his implementation assumes URI fully escaped when value as attribute
sean: have to check what impl does
fh: should we wait for next call?
<FrederickHirsch> hal: can we express choice in higher level language
need to make clear the 2 alternatives
<FrederickHirsch> what are current implementations doing?
<klanz2> http://www.w3.org/TR/xmlschema-2/#anyURI
<klanz2> http://www.w3.org/TR/2001/WD-charmod-20010126/#sec-URIs
tlr: +1 to defer, need to check what impls do, will draft more clarification
klanz: concerned about reference to working draft
<scribe> ... dropped it because I thought it was moot
<tlr> http://www.w3.org/TR/xmlschema-2/#anyURI
<tlr> The mapping from anyURI values to URIs is as defined by the URI reference escaping procedure defined in Section 5.4 Locator Attribute of [XML Linking Language] (see also Section 8 Character Encoding in URI References of [Character Model]). This means that a wide range of internationalized resource identifiers can be specified when an anyURI is called for, and still be understood as URIs per [RFC 2396], as amended by [RFC 2732], where appropriate to identify re
tlr: is reference to working draft, but looks like IRI spec
<klanz2> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2007JulSep/0005.html
tlr: need to investigate further
... suspect prob ok if follow current character model and IRI spec
... IRI spec is awaiting update
... 2 actions
... draft choices
... drill into character model
... also check with implementors
<tlr> PROPOSED ACTION: tlr to write up choice
<tlr> PROPOSED ACTION: implementers to look at which choice current code makes
klanz2: link posted to chat could be starting point
tlr: Martin Dürst is most expert in this area
<tlr> PROPOSED ACTION: tlr to contact Martin, try to get handle on HRRI / IRI / ... issues
<tlr> ACTION: tlr to write up choice re 4.3.3.1 [recorded in http://www.w3.org/2007/10/23-xmlsec-minutes.html#action01]
<trackbot-ng> Created ACTION-102 - Write up choice re 4.3.3.1 [on Thomas Roessler - due 2007-10-30].
<tlr> ACTION: frederick to follow up with implementers to look at which choice wrt ACTION-102 they actually have taken [recorded in http://www.w3.org/2007/10/23-xmlsec-minutes.html#action02]
<trackbot-ng> Created ACTION-103 - Follow up with implementers to look at which choice wrt ACTION-102 they actually have taken [on Frederick Hirsch - due 2007-10-30].
<tlr> ACTION: tlr to contact Martin D, get handle on HRRI / IRI / charmod issues [recorded in http://www.w3.org/2007/10/23-xmlsec-minutes.html#action03]
<trackbot-ng> Created ACTION-104 - Contact Martin D, get handle on HRRI / IRI / charmod issues [on Thomas Roessler - due 2007-10-30].
<tlr> In that case, I'd suggest to put in "dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK..."
<esimon2> Don't worry about real hash values; they need to be recalculated any time we change the example.
<tlr> that value is base64("this is not a signature")
<tlr> In any event, I don't feel strongly about this point.
<tlr> http://www.w3.org/2007/xmlsec/wiki/charter
draft charter posted on wiki
tlr: consider it a strawman, nowhere near final
FH: can edit it?
tlr: yes
See the member-confidential full minutes for details of this discussion.
fh: needs to go out this week because of W3C rules
<FrederickHirsch> http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2007Oct/0019.html
<tlr> tlr: understand we're on their list of groups to meet with
tlr: need to schedule joint meeting with EXI WG
FH: [discusses agenda]
<tlr> the background there is ongoing work in the XBRL community
<tlr> yep
<tlr> If we can get the slides in advance, there's no problem putting them on the web site.
klanz2: would like presentation materials online
hal: I can do it after plenary
<klanz2> I can help as well
<FrederickHirsch> hal: need to look at detail behind best practices to clarify what terse statements mean
<FrederickHirsch> I can also help
<shivaram> For best practices, please add me to the list
<FrederickHirsch> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Aug/0035.html
<FrederickHirsch> reversibility and RFC 4514
ed: reversibility of DNs
... is it a security issue?
can you go from string version to LDAP version?
scribe: is type indicated in ASN.1, for example?
... need ASN.1 expert
FH: Issue for best practices?
<FrederickHirsch> shivaram suggests asking stephen farrell
shivaram: could ask Steve Farrell
ed: will contact him
... busy til F2F
<FrederickHirsch> action 71 should be resolved through follow up with Steve by Ed
<FrederickHirsch> reversibility issue
<FrederickHirsch> close ACTION-71
<FrederickHirsch> ACTION: FrederickHirsch start issues list for best practices [recorded in http://www.w3.org/2007/10/23-xmlsec-minutes.html#action04]
<trackbot-ng> Sorry, couldn't find user - FrederickHirsch
<tlr> ACTION: fjh to start issues list for best practices [recorded in http://www.w3.org/2007/10/23-xmlsec-minutes.html#action05]
<trackbot-ng> Created ACTION-105 - Start issues list for best practices [on Frederick Hirsch - due 2007-10-30].
Action-74 stays open
ACTION-81 stays open
ACTION-93 stays open
<FrederickHirsch> ACTION-95 was to generate signatures for merlin23 for c14n11, dropped since not useful, no difference for c14n11
close ACTION-95
<FrederickHirsch> konrad: still lack of xml:id and xml:base, so no difference
sean: better to spend time on new test cases
<esimon2> hal, that wasn't me
<FrederickHirsch> ACTION-97 closed with message Konrad sent, leading to 4.3.3.1 issue
<trackbot-ng> Sorry... I don't know how to close ACTION yet
<FrederickHirsch> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Oct/0010.html
close ACTION-97
ACTION-98 stays open
<FrederickHirsch> ACTION-98 about backslash = escaping
ACTION-99 stays open
close ACTION-101
FH: does anyone have time to make specific proposals?
... konrad do you know their plans?
klanz2: not enthusiastic
... expect it to be hard work
... strawman text would be best
<esimon2> btw, I forwarded my workshop c14n whitepaper to some of the c14n authors
ed: passed my workshop paper to key C14N people
FH: we have konrad text and pseudo code
... neither is satisfactory
klanz2: have implemented 2 versions
... as close to current text
... and much simpler
... will try to draft something this week
ed: welcome to shivaram
<FrederickHirsch> http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html