W3C

XML Security Specifications Maintenance Working Group Teleconference

06 May 2008

Attendees

Present
Frederick_Hirsch, shivaram, pdatta, Ed_Simon, Hal_Lockhart, jcc, Thomas, brich, PHB, klanz2
Regrets
Sean, Mullan
Chair
Frederick Hirsch
Scribe
Shivaram Mysore

Administrative

Should we need to have a meeting next week on May 13th?

No. But, it will be held on May 20, 2008

<fjh> minutes approval http://www.w3.org/2008/04/15-xmlsec-minutes.html

RESOLUTION: Minutes from April 15, 2008 approved

<tlr> will remove draft from April 15 minutes and publish the same

AC Review

http://lists.w3.org/Archives/Member/w3c-ac-forum/2008AprJun/0022.html

Note: All please have your AC reps to complete the questionnaire

pdatta: question on the questionnaire about intention of implementations - are we held responsible for this?

Thomas responds that answers are never made public and is just informational to understand interest in implementation and adoption

<tlr> tlr: no, the purpose of that question is to enable The Director to make an informed judgment whether there is critical mass for moving ahead.

<tlr> ... that is obviously about the intention with which you go into this, not about a formal product commitment, or anything like that ...

F2F Planning

JCC: if # of people <25/30, it should not be a problem to host. Not much of a constraint in terms of dates 15-17 July

klanz2 can also host the meeting in Graz

XML Signature, Second Edition, Issues

Editorial fix

<tlr> RESOLUTION: editorial fixes as outlined in 6a and 6c accepted

References corrections

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0033.html

fjh: References for namespaces and Unicode - fixing errata and clarification - shall we update this

<klanz2> http://www.w3.org/XML/xml-V10-4e-errata#E10

<tlr> ick, this sounds nasty

klanz2: implementation may have to do something like this: 1.1 doc may be processed as 1.0 doc if there is no namespace

<klanz2> http://www.w3.org/XML/xml-V10-2e-errata#E16

klanz2: There is direct use of RFC 3986, but no normative reference
... There was no consistent usage of namespace in namespaces 1.0 and namespaces 1.1. There could be some breaking changes depending on how the character sets are handled

Shivaram suggests that we should add a note that at the point of writing the spec, we see the following issues ...

tlr: if we see that the change causes implementation differences, then we should be hesitant to make the change

<klanz2> ie. namespaces 1.0 have no namespace undeclarations

<klanz2> I think by adopting this we, implicitly define XPath datamodel for a subset of XML 1.1, which is good, isn't it?

<klanz2> this subset of xml 1.1 is the one not using namespace undeclarations 1.1?

<tlr> no, we don't make that definition. The erratum says that an XML 1.0 processor can treat certain documents as XML 1.0 even though they are called XML 1.1 IF they do not use non-XML 1.0 features.

<tlr> So we are not updating it to permit XML 1.1 documents.

<klanz2> @tlr fine with me ...

If we are working on this issue, then who is going to be working on this?

Konrad, FJH, TLR?

<klanz2> So what we say is then the subset of xml 1.1 with namespaces 1.1, that does not use namespace undeclarations is treated as an xml 1.0 ...

I would suggest Konrad to write this snippet as he seems to be more aware of this impact

and then send the snippet to XML WG for review

klanz2: what is the impact on conformance for markup?

tlr suggests that we talk to the coordination group as it is not specific to XML Signature and it affects the parser

I would suggest checking with others before making resolution

<scribe> ACTION: tlr to write assumptions to references update [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action02]

<trackbot-ng> Created ACTION-152 - Write assumptions to references update [on Thomas Roessler - due 2008-05-13].

Unicode

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0034.html

Proposal by FJH to leave this alone

Pdatta: remove the reference to Unicode

<brich> +1

RESOLUTION: Remove the Unicode reference

<tlr> http://www.w3.org/2005/10/Process-20051014/tr.html#errata

tlr: according to process document, if there is an errata for a normative spec, then they would not impact conformance for that version of this specification, but, the errata must be included in the next version and hence would be in conformance as per process then

<klanz2> +1 to tlr for fourth edition

<tlr> PROPOSED RESOLUTION: update xml reference to 4e, namespaces to 2e

<fjh> update xml reference to 4th edition and namespace reference to 2nd edition

<brich> +1, makes sense given the Process...errata reference

RESOLUTION: update xml reference to 4th edition and namespace reference to 2nd edition

Update to v1 XML Signature and Encryption web pages

Relax NG Schema

<tlr> trackbot-ng, close ACTION-152

<trackbot-ng> ACTION-152 Write assumptions to references update closed

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0005.html

<klanz2> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/att-0005/dsig.rnc

Norm has noted that the RNG schema provided has little testing and review

FJH: looking for volunteers to look at this

<klanz2> What's the time frame for this?

Who uses RNG in the group?

<klanz2> We don't use RNG ...

<klanz2> http://xml.apache.org/xalan-j/apidocs/javax/xml/XMLConstants.html#RELAXNG_NS_URI

<pdatta> I will give it a try too

klanz2 will give it a try

Thanks to David for suggesting Norm and Norm for the RNG work

Review request for XMLHttpRequest

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0004.html

If WG members have comments, please send them to the list.

<klanz2> http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415/#security

Progressing test case document to W3C Note

<fjh> http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/testcases.html

<fjh> Proposed Resolution to accept shortname "xmldsig2ed-tests"

+1

RESOLUTION: accept shortname "xmldsig2ed-tests"
... publish test case document with the short name "xmldsig2ed-tests"

ACTION: fjh to make the transition request

<scribe> ACTION: tlr to make the publication of test case document happen [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action03]

<trackbot-ng> Created ACTION-153 - Make the publication of test case document happen [on Thomas Roessler - due 2008-05-13].

<fjh> ACTION: fjh to make transition request for test case document [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action04]

<trackbot-ng> Created ACTION-154 - Make transition request for test case document [on Frederick Hirsch - due 2008-05-13].

Best Practices

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0018.html

Process

http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0026.html

Timestamps and Nonces (Hal)

http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0018.html

hal does not have cycles to become an editor, but, can contribute

RESOLUTION: accept material from Hal as input to document

limiting the transforms (pdatta)

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/att-0000/00-part

signing XML vs signing Binary

<klanz2> Do people know that ? http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt

<klanz2> Should be a rich source of don'ts ;-)

<klanz2> http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_bh07.pdf,

<klanz2> http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf, and

<klanz2> http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_Handout.pdf.

<klanz2> FJH: had this here http://www.w3.org/2007/09/25-xmlsec-minutes

<fjh> konrad suggests putting all best practices into document, even if conflicting, then review together and resolve

<fjh> +1

<klanz2> +1 to hal

<fjh> hal suggests having security considerations and performance sections, since security not obvious

RESOLUTION: accept Pratik's input as input material

<pdatta> most of my comments are derived from Brad Hill's presentations

have CVS access so that folks can check in examples, tests cases, etc into the Best Practices section on the repository

Pratik had a look at Sean's input - http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0029.html

RESOLUTION: accept Sean's input for best practices

Action item review

all of them are still open

<EdS> I volunteer to scribe.

<tlr> fjh: proposed to skip next week, next call on the 20th

Next Meeting: May 20, 2008

<klanz2> aob?

EDS will be the scribe for May 20 meeting

<klanz2> xmldsig-more?

<fjh> phil update http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2008Apr/0004.html

<klanz2> iana registry

<klanz2> http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2008Apr/0005.html

Summary of Action Items

[NEW] ACTION: fjh to make transition request for test case document [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action04]
[NEW] ACTION: tlr to make the publication of test case document happen [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action03]
[NEW] ACTION: tlr to write assumptions to references update [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action02]
[NEW] ACTION: tlr, Write assumptions to references update [recorded in http://www.w3.org/2008/05/06-xmlsec-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2008/05/07 07:15:08 $