XML Security Specifications Maintenance Working Group Teleconference

27 Nov 2007


See also: IRC log


Frederick_Hirsch, Thomas Roessler, Konrad Lanz, Sean Mullan, Ed Simon, Hal Lockhart, Bruce Rich, Phill Hallam-Baker, Pratik Datta, Shivaram Mysore
Juan Carlos Cruellas, Rob Miller
Frederick Hirsch


Administrivia: scribe confirmation, next meeting, other

frederick: welcome back

frederick: minutes from October 30 meeting accepted?

RESOLUTION: October 30 minutes approved


frederick: face-to-facce minutes accepted?

RESOLUTION: face-tof-ace minutes accepted



XML Signature update

frederick: updated draft according to discussion at face-to-face ...
... redline is available ...
... hope people had chance to look ...

<shivaram> I am still dialing in ...

<FrederickHirsch> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007Nov/0018.html

frederick: section that was changed is section 4 ...
... also, removed "Applications must be able to parse URI syntax" ...

<FrederickHirsch> clean http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/nochanges.html#sec-URI

<FrederickHirsch> removed XML signature applications MUST be able to parse URI syntax.

frederick: clean version shows section without the removed stuff

tlr: where does "a string as" come from?

frederick: believe face-to-face?

<FrederickHirsch> using a string as a URI-Reference - change introduced at F2F in discussion, konrad?

<klanz2> did people hear what I said ?

<FrederickHirsch> is this better: The URI attribute string value identifies a data object as a URI-Reference

<FrederickHirsch> see "klanz: should say "using a string as a URI reference"" in 8 Nov minujt

<FrederickHirsch> sean agrees with tlr

<FrederickHirsch> The URI attribute identifies a data object using as a URI-Reference

tlr: Don'T think the "as string" helps; more likely to cause confusion. Underlying concern unfounded, as we sayi n the next paragraph that there is a mapping.

<FrederickHirsch> choice #1

sean: agree

The URI attribute identifies a data object using a URI-Reference"

<brich> +1

RESOLUTION: revert first sentence in to "The URI attribute identifies a data object using a URI-Reference"

frederick: any other issues?

PROPOSED RESOLUTION: considering all issues with dsig-core closed

RESOLUTION: considering all issues with dsig-core closed

C14N11 red line

frederick: sent a new redline to xml core

<FrederickHirsch> sent a new redline to xml core reflecting changes and examples

<FrederickHirsch> http://www.w3.org/2007/xmlsec/c14n11/07-11-20-redline/

frederick: have people looked at this?

tlr: my browser history says this is what I looked at, and I didn'T find any issues

frederick: would like to walk through some

<FrederickHirsch> The "Remove Dot Segments" algorithm is modified to ensure that a combination of two xml:base attribute

<FrederickHirsch> values that include relative path components (i.e., path components that do not begin with a '/'

<FrederickHirsch> character) results in an attribute value that is a relative path component.

<FrederickHirsch> -- added this as bullet

frederick: putting key changes into IRC...
... modifying algorithm to combine relative path components ...
... also, add examples from previous discussion ...
... third change, to +++ATH ...

<FrederickHirsch> 1. added bullet, 2. added examples, see document, 3. change to xml:id in examples, 4. give link for `appendix A content

<FrederickHirsch> Two questions: (1) any issue with this change from inspection

<FrederickHirsch> (2) implementations to enable xml core to accept

bruce: Looking for the examples

<FrederickHirsch> http://www.w3.org/2007/xmlsec/c14n11/07-11-20-redline/

frederick: in the document

bruce: where?

<FrederickHirsch> http://www.w3.org/2007/xmlsec/c14n11/07-11-20-redline/c14n11-update-clean.pdf

<FrederickHirsch> lines 108 to 128

tlr: lines 119++?

<FrederickHirsch> 3 bullets and removal of b and c from xml example

tlr: 108-111 examples for combining URI references, 119+ XML example

brich: in the original test suite?

tlr: no, discovered at tech plenary

klanz2: similar test cases for appendix a
... can be seen in mail ...
... mentioned "ending in .." problem ...
... should have been exercised in appendix a ...

<FrederickHirsch> Question can we test these 4 cases explicitly, 3 Remove-Dot-Segment test and the one XML input and output

tlr: this occurs while input for appendix a algorithm is prepared

klanz2: ??

<klanz2> http://www.w3.org/2007/xmlsec/interop/c14n11/appendixa/inputs.txt

<klanz2> http://www.w3.org/2007/xmlsec/interop/c14n11/appendixa/outputs.txt

tlr: problem is that trailing path segment of left-hand side is removed in 3986, which is wrong if that left-hand side is relative URI reference with trailing ..

<klanz2> http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/testcases.html#XMLBASE_ANNEXA

klanz2: should have same results now as at the interop

frederick: would like to have this in c14n 1.1 document
... would like to be able to say that we have tested the examples provided ...
... this seems to be a small, slightly different set ...
... can we test and include with core?

klanz2: Can we use the old examples?

frederick: is this really covered with test suite

tlr: same question, not sure I heard that at the f2f

sean: was under impression we're adding this as new test case
... waiting for tlr ...

<hal> the link near the end of the doc is broken

<hal> http://lists.w3.org/Archives/Public/public-xml-core-187wg/2007Jun/att-0050/Apendix_20060625.html

tlr: sorry to have slacked on this

sean: wanted to update some other material in test suite as well

<FrederickHirsch> Sean - do you have list of what else to be updated?

tlr: let's stay on after this call and try to get this test case in right away.

klanz2: yes, need an integrated test; agree
... had another look at the test cases ...

frederick: rejoining; confused
... do we have remove_dot_segments "unit tests"?

<klanz2> http://www.w3.org/2007/xmlsec/interop/c14n11/appendixa/outputs.txt

<klanz2> http://www.w3.org/2007/xmlsec/interop/c14n11/appendixa/inputs.txt

klanz2: confident that we can split these at any forward slash, combine, and get same results
... but agree that we should have integrated test ...

frederick: 3 tests needed
... 1. example in redline
... 2. bullets in redline
... think we have mechanism to test that as well
... any need for actions?

tlr: umh, no, still have that one

frederick: wait for sean, thomas to come back

tlr: yes, think so

chartering for follow-up work

frederick: worked on this at face-to-face
... thought we reached pretty good point ...
... distribute to wider audience for feed-back ...

<hal> +1

frederick: any problems with sharing this ...

+1 to sharing with -discuss

scribe: and sending heads-up to aC

<FrederickHirsch> tlr: share with workshop participants and send heads up to AC, before formal team process occurs

<FrederickHirsch> 4 week AC review is later step in process

<FrederickHirsch> now considering AC advanced notice.

tlr: (explains process)

proposed: to share with workshop participants, work with comm team to send advance notice

RESOLUTION: to share current material with workshop participants, work with comm team to send advance notice

<scribe> ACTION: thomas to send message to public-xmlsec-discuss to solicit feed-back [recorded in http://www.w3.org/2007/11/27-xmlsec-minutes.html#action01]

<trackbot-ng> Created ACTION-118 - Send message to public-xmlsec-discuss to solicit feed-back [on Thomas Roessler - due 2007-12-04].

<scribe> ACTION: thomas to work with comm team on AC advance notice [recorded in http://www.w3.org/2007/11/27-xmlsec-minutes.html#action02]

<trackbot-ng> Created ACTION-119 - Work with comm team on AC advance notice [on Thomas Roessler - due 2007-12-04].

interop report

frederick: think we're ready
... next step is template and fill it in

tlr: yes
... another overdue action item, sorry ...

frederick: c14n 1 closure is the other action item here, so we don't rework stuff

best practices

frederick: ed, think nobody ever responded
... to ASN.1 issue ...

ed: ?? got back to me, couldn't see security issue
... don't have that e-mail in front of me ...
... totally swamped last three weeks ...
... we can probably close this issue ...
... if anything new, will point that out ...

frederick: anything we need to do as result of this question?

ed: idea was to consult with ASN.1 expert to take look
... still a bit confused as to security considerations in RFC ...
... whether they are applicable as security considerations ...
... RFC 4514 ...
... not sure why it wouldn't affect work we#re doing ...
... tend to agree there isn't much of a hole there ...
... hard to say anything defnitive right now

<FrederickHirsch> Did we ever decide on which wording of the best practice we desired?

frederick: anything we should record and distill from this?
... don't want to just close this ...
... other question is hal and who else were interested to look at some material ...
... Hal and Sean, I think ...

sean: yes

<hal> I am interested, may start in Dec

any other topics?

<FrederickHirsch> tlr: started team process for extension of this WG through March

<FrederickHirsch> 2008

tlr: note that this does not imply overlap between this group and the follow-up group

<FrederickHirsch> next step would be message to AC indicating group extended, no additional work for WG

tlr: aim of the process is that after director decides, extension announced to AC ...

action item review

ACTION-74 continued

ACTION-105 continued

frederick: Sean and Hal to work on the Wiki? What's the plan?


<trackbot-ng> ACTION-105 -- Frederick Hirsch to start issues list for best practices -- due 2007-10-30 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/105

<sean> wiki is fine for me

ACTION-105 continued; might be overtaken


<trackbot-ng> ACTION-109 -- Thomas Roessler to provide example for "isolated .." case -- due 2007-11-15 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/109


<trackbot-ng> ACTION-110 -- Frederick Hirsch to update redline and share with xml:core -- due 2007-11-15 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/110

trackbot-ng, close ACTION-110

<trackbot-ng> ACTION-110 Update redline and share with xml:core closed


<trackbot-ng> ACTION-111 -- Frederick Hirsch to review examples in C14N 1.1 and propose detailed changes to use xml:Id -- due 2007-11-15 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/111

trackbot-ng, close ACTION-111

<trackbot-ng> ACTION-111 Review examples in C14N 1.1 and propose detailed changes to use xml:Id closed


<trackbot-ng> ACTION-112 -- Thomas Roessler to prepare interop report template -- due 2007-11-15 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/112


<trackbot-ng> ACTION-113 -- Sean Mullan to update testcase document -- due 2007-11-15 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/113

frederick: sean, waht was that about again?

sean: there's test case that's in suite, not in document
... just generally review document to make sure it's consistent with test suite

frederick: time line?

sean: this week

ACTION-113 continued


<trackbot-ng> ACTION-114 -- Thomas Roessler to ensure that result from ACTION-109 goes into test suite -- due 2007-11-15 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/114


<trackbot-ng> ACTION-115 -- Juan Carlos Cruellas to review EXI with respect to correct XML Security usage -- due 2007-12-10 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/115

frederick: Juan Carlos told us he's working on this


<trackbot-ng> ACTION-116 -- Frederick Hirsch to remind Donald to review XML Signature and Encryption home pages for accuracy -- due 2007-11-16 -- OPEN

<trackbot-ng> http://www.w3.org/2007/xmlsec/Group/track/actions/116

frederick: haven't yet done, should do
... scribe for next meeting?
... ed? ...

<FrederickHirsch> ed - scribed oct 30

ed: can do, but scribed October 30
... would rather not ...

sean: will scribe
... btw, regrets two weeks from now ...

<EdS> I will scribe for Dec. 13

frederick: hope we're in better shape wrt test cases and c14n 1.1 testing
... if we can get impl testing under way, that would be great ...
... will coordinate wiht XML Core ...

ed, there is no meeting on Dec 13. It's Dec 11

frederick: anything else?

shivaram: XML Conf in Boston next week?

<EdS> OK, Dec. 11

shivaram: anybody going? ...

Frederick: won't be there

shivaram: might be interesting to meet up

<klanz2> no

frederick: if people get together, that's of course great
... shivaram, why don't you post to the list ...

-- adjourned --

Summary of Action Items

[NEW] ACTION: thomas to send message to public-xmlsec-discuss to solicit feed-back [recorded in http://www.w3.org/2007/11/27-xmlsec-minutes.html#action01]
[NEW] ACTION: thomas to work with comm team on AC advance notice [recorded in http://www.w3.org/2007/11/27-xmlsec-minutes.html#action02]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.128 (CVS log)
$Date: 2007/12/04 15:24:10 $