12:46:57 RRSAgent has joined #xmlsec
12:46:57 logging to http://www.w3.org/2008/05/20-xmlsec-irc
12:46:59 RRSAgent, make logs public
12:46:59 Zakim has joined #xmlsec
12:47:01 Zakim, this will be XMLSEC
12:47:01 ok, trackbot-ng; I see T&S_XMLSEC()9:00AM scheduled to start in 13 minutes
12:47:02 Meeting: XML Security Specifications Maintenance Working Group Teleconference
12:47:02 Date: 20 May 2008
12:47:17 Chair: Frederick Hirsch
12:48:43 klanz2 has joined #xmlsec
12:49:09 Agenda: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0029.html
12:50:02 Regrets: Thomas Roessler, Shivaram Mysore
12:51:26 Hi, I'm currently in a train in Austria, so I may have difficulties to dial in using VoIP, ...
12:51:27 There is no access number in Austria I could use to dial in, is there?
12:53:07 sean has joined #xmlsec
12:55:20 rdmiller has joined #xmlsec
12:56:25 T&S_XMLSEC()9:00AM has now started
12:56:32 + +1.443.695.aaaa
12:57:10 Zakim aaa is rdmiller
12:58:01 EdS has joined #xmlsec
12:58:26 brich has joined #xmlsec
12:58:30 +Frederick_Hirsch
12:58:43 zakim, who is here?
12:58:43 On the phone I see +1.443.695.aaaa, Frederick_Hirsch
12:58:44 On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
12:59:00 zakim, aaaa is Rob Miller
12:59:00 I don't understand 'aaaa is Rob Miller', fjh
12:59:07 + +1.512.401.aabb
12:59:08 zakim, aaaa is rdmiller
12:59:08 +rdmiller; got it
12:59:20 zakim, aabb is brich
12:59:20 +brich; got it
12:59:28 zakim, who is here?
12:59:28 On the phone I see rdmiller, Frederick_Hirsch, brich
12:59:29 On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
12:59:34 + +1.617.876.aacc
12:59:42 trying to dial in
12:59:46 zakim, aacc is sean
12:59:46 +sean; got it
12:59:55 zakim, who is here?
12:59:55 On the phone I see rdmiller, Frederick_Hirsch, brich, sean
12:59:57 On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:00:22 +Ed_Simon
13:00:22 Zakim, mute me
13:00:24 rdmiller should now be muted
13:00:24 zakim, who is making noise
13:00:24 I don't understand 'who is making noise', fjh
13:00:40 I'll be on the chat and try to call in at 6) Best practices
13:00:45 zakim, who is here?
13:00:45 On the phone I see rdmiller (muted), Frederick_Hirsch, brich, sean, Ed_Simon
13:00:47 On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:01:12 + +1.978.244.aadd
13:01:15 bruce is making noise, maybe ...
13:01:26 zakim, mute me
13:01:26 brich should now be muted
13:01:43 zakim, aadd is jwray
13:01:43 +jwray; got it
13:01:49 zakim, who is here?
13:01:49 On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray
13:01:51 On IRC I see brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:01:52 pdatta has joined #xmlsec
13:03:31 John Wray to scribe on June 3.
13:03:38 s/scibe/scribe/
13:04:25 Next meeting is 2008 June 3.
13:04:37 + +1.650.506.aaee
13:04:39 TOPIC: Administrative Words
13:04:46 zakim, aaee is pdatta
13:04:46 +pdatta; got it
13:04:55 zakim, who is here?
13:04:55 On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta
13:04:57 On IRC I see pdatta, brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:05:38 TOPIC: F2F
13:05:55 F2F for next WG planned. 16-17 July, Barcelona
13:06:01 Next F2F is in Barcelona from July 16-17
13:06:26 TOPIC: WG Chartering
13:06:44 fjh: Ask your rep to register your interest
13:06:46 http://lists.w3.org/Archives/Member/member-xmlsec-maintwg/2008May/0003.html
13:07:20 Comments from a couple of companies were incorporated into the charter.
13:07:28 + +aaff
13:07:47 charter link http://www.w3.org/2008/02/xmlsec-charter.html
13:08:08 home page for new xmlsec http://www.w3.org/2008/xmlsec/
13:08:33 Mail list not set up for new WG
13:08:53 deastlak has joined #xmlsec
13:09:01 TOPIC: XML Signature 2ed
13:09:04 zakim, who is here?
13:09:04 On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, +aaff
13:09:06 On IRC I see deastlak, pdatta, brich, EdS, rdmiller, sean, klanz2, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:09:29 zakim, aaff is deastlak
13:09:29 +deastlak; got it
13:09:42 PHB2 has joined #xmlsec
13:09:59 Important to register for the new WG because of IPR issues.
13:10:16 No more comments from XML Sig 2ed PER
13:10:28 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0015.html
13:10:35 +PHB
13:10:53 Additional update to remove XSL reference
13:10:59 fjh: One additional comment after PER was to remove XSL reference.
13:11:11 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0023.html
13:11:38 RESOLUTION: Remove non-normative XSL reference in PER references
13:11:54 All agreed.
13:12:18 fjh: No more changes foreseen to PER.
13:12:34 red line http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/
13:12:49 explain document http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/explain.html
13:12:57 fjh: Looks like 2ed is done.
13:13:08 klanz has joined #xmlsec
13:13:23 fjh: Please take a look at the explain document and the 2ed to see if anything catches your eye.
13:13:26 .
13:13:37 TOPIC: XML Signature 2ed RFC
13:13:57 Originally, XML Signature was a joint project between W3C and IETF.
13:15:29 might have to be proposed standard before draft standard
13:15:37 deastlak: Proposed creating 2nd edition RFC to IETF. Donald is looking into the standards status of XMLSIG RFC/Internet Draft/Draft Standard.
13:16:06 deastlak: Might take 6 to 8 months to complete process at IETF.
13:16:56 deastlak: Will start looking at converting the W3C 2ed this weekend.
13:18:30 TOPIC: RELAX NG SCHEMA
13:18:53 fjh: Norm drafted a RELAX NG Schema.
13:18:56 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0005.html
13:19:24 Test results from Thomas (trang to xml schema then xml lint results)
13:19:41 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0007.html
13:20:54 fjh: Two issues: how well the RELAX version matches the official schema; and how correct the RELAX NG schema is.
13:21:17 Has anyone looked at the RELAX NG version?
13:21:24 I haven't
13:21:29 ... (besides Thomas).
13:21:49 not yet ...
13:22:21 I have some guys that are interested, but getting the time could be a problem.
13:22:37 ACTION: Frederick to check on status with customer.
13:22:37 Created ACTION-158 - Check on status with customer. [on Frederick Hirsch - due 2008-05-27].
13:23:19 Note: change action to indicate reference to RELAX NG schema
13:23:31 TOPIC: Best Practices
13:24:04 fjh: Updated draft document with material from Hal, Pratik, and Sean
13:24:06 see http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0028.html
13:24:37 fjh: Please review Best Practices document.
13:24:38 please review and propose changes on list
13:24:57 TOPIC: Best Practices -- Retrieval Method Looping
13:25:05 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0022.html
13:25:29 + +43.676.550.aagg
13:25:31 pratik: checked in files wrt denial of service (2 for retrieval method)
13:25:53 pratik: retrieval method could point to itself; ways of creating infinite loops.
13:26:26 pratik: Best Practice is to ignore Retrieval Methods.
13:26:42 pratik: Other 3 files were wrt XPath.
13:26:44 +Hal_Lockhart
13:27:08 pratik: one example has 100 NS and 100 elements.
13:27:27 pratik: in XPath, it becomes 100*100 nodes.
13:27:53 hal has joined #xmlsec
13:28:04 pratik: leads to (100*100)^2 operations
13:28:18 zakim, who is here?
13:28:18 On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart
13:28:21 On IRC I see hal, PHB2, deastlak, pdatta, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:28:50 fjh: What do we do next with these examples?
13:29:11 pratik: will provide more documentation for us to look at.
13:29:22 zakim, aagg is konrad lanz
13:29:22 I don't understand 'aagg is konrad lanz', fjh
13:29:43 klanz: Was at workshop discussing web services and XML Signatures.
13:29:56 zakim, aagg is klanz
13:29:56 +klanz; got it
13:30:10 klanz: XML Signature could allow random access, not just streaming.
13:31:10 klanz: XML Signature could be redesigned to allow better random access and more efficient processing.
13:31:33 -klanz
13:32:08 zakim, who is here?
13:32:08 On the phone I see rdmiller (muted), Frederick_Hirsch, brich (muted), sean, Ed_Simon, jwray, pdatta, deastlak, PHB, Hal_Lockhart
13:32:11 On IRC I see hal, PHB2, deastlak, pdatta, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, jwray, trackbot-ng
13:32:17 See Konrad's post to the list
13:32:29 +klanz
13:33:16 Hal: klanz's proposal has the same motivations as Ed presented at the last F2F, but Konrad's is more aligned with the current XML Signature framework.
13:33:16 Hal noted that Konrad's approach might work with current standard
13:33:45 Frederick noted that work on revised version of XML Signature should be deferred to upcoming WG.
13:34:30 klanz: what is new is that we stay within the current syntax; web services community should consider not requiring the XML Signature to be in the SOAP header.
13:34:50 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0026.html
13:34:56 fjh: Is that work for the new WG?
13:35:06 Ed: Sounds to me like it is.
13:35:47 klanz: Thinks it would be.
13:38:00 Konrad to send an email to capture the technical thoughts that he just expressed.
13:39:08 Frederick - should remember this in newly chartered wg
13:40:17 +q
13:40:58 ACTION: klanz2 to Draft proposal for best practices document re signed streaming content in current XML Sig syntax
13:40:58 Created ACTION-159 - Draft proposal for best practices document re signed streaming content in current XML Sig syntax [on Konrad Lanz - due 2008-05-27].
13:41:11 q+
13:41:51 hal: should focus Konrad's ideas on HTTP streaming of XML documents
13:42:15 hal - simpler, possibly more impact
13:42:23 ack pdatta
13:42:32 -klanz
13:42:34 klanz2: Thinks we need to be careful not to limit the proposal too much.
13:43:24 pdatta: Signing (after content) could be done in a streaming way, but not verification.
13:43:25 Pratik: verification in streaming might not work, e.g. cannot know if valid until all content in memory
13:44:08 pdatta: Attachments also complicate things because the signature may be after the body but before the attachments.
13:44:28 ack sean
13:44:59 sean: These are interesting proposals but is hesitant to put them into best practices until we have practical experience with them.
13:45:33 +1
13:46:18 TOPIC: Best Practices -- Denial of Service
13:46:28 http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0025.html
13:47:16 pdatta: 2 examples were related to XSLT and too many transforms. In XSLT, one can have nested loops. In examples, it is easy to get 100 million iterations.
13:47:45 pdatta: Last example wrt c14n.
13:49:31 q+
13:49:58 Compared XPath node set with DOM tree approach. Best to limit number of transforms and also be aware of the impact preceding transforms can have on following ones.
13:50:17 Pratik will send an email elaborating on this.
13:50:57 ACTION: pdatta to Add more documentation to the Best Practices document for his examples
13:50:58 Created ACTION-160 - Add more documentation to the Best Practices document for his examples [on Pratik Datta - due 2008-05-27].
13:52:03 administrative http://www.w3.org/2007/xmlsec/Group/Overview.html
13:52:24 ack sean
13:52:42 sean: has not reviewed Best Practices document yet.
13:53:09 action: Frederick to add link to best practices example directory to WG administrative page
13:53:09 Created ACTION-161 - Add link to best practices example directory to WG administrative page [on Frederick Hirsch - due 2008-05-27].
13:53:33 sean: Attacks are more serious if one validates references first; should validate signature and keys first; should be stated in Best Practices document.
13:54:55 sean: If signature verifies, and one trusts the source, then less likely that message would be an attack.
13:56:13 hal: Cannot check the signature is valid without checking the transforms. Can steal someone else's signature part to get past first check.
13:56:33 Sean to review Best Practices document.
13:57:13 Pratik: transforms in RetrievalMethod are a risk even when getting the key first, so still an issue related to validating signature
13:58:14 pdatta: In response to Hal, points out the transforms are checked as part of verifying the signature.
13:58:41 ...therefore verifying the signature first does provide some security against DoS.
13:58:49 s/DOS/DoS/
13:59:06 link to denial of service directory: http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/samples/
13:59:12 hal: Will look into this further.
13:59:23 q?
13:59:58 fjh: Everyone please look at Best Practices document and continue discussion on mailing list.
14:00:44 fjh: Juan Carlos had message about time stamp practices; please take a look at it.
14:01:03 best practices draft http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
14:01:27 juan carlos message: http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008May/0030.html
14:01:35 TOPIC: Action Items Review
14:01:49 klanz2 has joined #xmlsec
14:02:25 Action-151 is open.
14:03:06 Action-154 and Action-153 Open.
14:03:45 XMLHttpRequest review request - please indicate if you plan to review
14:04:01 No official action item for XMLHttpRequest review request, but please review it.
14:04:23 Closed Action-155
14:04:30 Close Action-155
14:04:30 ACTION-155 add timestamp/nonce material from Hal Lockhart to best practices document closed
14:04:39 Close Action-156
14:04:39 ACTION-156 incorporate Pratik update to best practices on transforms closed
14:04:50 Close Action-157
14:04:50 ACTION-157 incorporate Sean's best practice material closed
14:05:13 -PHB
14:05:19 Action-150 is still open.
14:05:47 TOPIC: Administration - Closing Words
14:06:07 Next meeting is June 3, talk to your AC rep about joining new WG.
14:06:31 Everyone, please review Best Practices.
14:06:32 -Hal_Lockhart
14:06:38 -brich
14:06:43 bye bye
14:06:45 pdatta has left #xmlsec
14:06:50 -pdatta
14:07:06 -jwray
14:07:09 Zakim, list participants
14:07:09 As of this point the attendees have been +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray,
14:07:12 ... +1.650.506.aaee, pdatta, +aaff, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:07:16 -sean
14:07:56 Present: Ed Simon, Pratik Datta, Donald Eastlake, Frederick Hirsch, Hal Lockhart, Bruce Rich, Konrad Lanz, Phill Hallam-Baker, John Wray, Rob Miller, Sean Mullan
14:08:13 Zakim, list participants
14:08:13 As of this point the attendees have been +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray,
14:08:17 ... +1.650.506.aaee, pdatta, +aaff, deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:08:24 RRSAgent, make log public
14:08:34 RRSAgent, generate minutes
14:08:34 I have made the request to generate http://www.w3.org/2008/05/20-xmlsec-minutes.html fjh
14:10:01 -Frederick_Hirsch
14:10:02 -Ed_Simon
14:10:07 -rdmiller
14:10:09 -deastlak
14:10:10 zakim, who is here?
14:10:11 On the phone I see no one
14:10:12 On IRC I see klanz2, PHB2, deastlak, brich, EdS, rdmiller, sean, Zakim, RRSAgent, fjh, trackbot-ng
14:10:14 T&S_XMLSEC()9:00AM has ended
14:10:16 Attendees were +1.443.695.aaaa, Frederick_Hirsch, +1.512.401.aabb, rdmiller, brich, +1.617.876.aacc, sean, Ed_Simon, +1.978.244.aadd, jwray, +1.650.506.aaee, pdatta, +aaff,
14:10:18 ... deastlak, PHB, +43.676.550.aagg, Hal_Lockhart, klanz
14:10:49 @deastlak, have you seen the request about whirlpool?
14:10:55 for RFC 4051?
14:12:10 No.
14:23:33 klanz2 has joined #xmlsec
14:59:18 tlr has joined #xmlsec
16:19:53 Zakim has left #xmlsec