See also: IRC log
<trackbot> Date: 06 October 2009
<fjh> Scribe 13 October is Bruce Rich
<fjh> 13 October scribe Bruce, chair is Thomas
fjh: f2f early bird registration has been extended
<fjh> http://lists.w3.org/Archives/Member/member-xmlsec/2009Oct/0000.html
<fjh> http://www.w3.org/2009/09/29-xmlsec-minutes.html
RESOLUTION: Minutes from 29 September approved
fjh: updated status section in c14n 2.0
... Shivaram minor comments updated
updated to 1.1 draft
put in transition request to publish 2.0 docs
<fjh> transition request out for 2.0 C14N and Signature, approved
<fjh> http://lists.w3.org/Archives/Member/member-xmlsec/2009Oct/0002.html
publish date set for Oct. 8
tlr: may not make Oct. 8 but soon
<fjh> issue-124?
<trackbot> ISSUE-124 -- Does w3c support conformance clauses for specification and minimum conformance levels, how to do properly -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/124
fjh: ISSUE-124
... probably can close this issue
if we have test case document with readmes we are probably ok
<fjh> issue-124 close
<fjh> we do not have to have a test document, but do need coverage with tests and associated readme's
<fjh> issue-142?
<trackbot> ISSUE-142 -- Is a single schema needed for XML Signature 1.1 to validate against, given that we have 2nd edition schema plus 1.1 additional schema -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/142
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0012.html
pdatta: multiple schemas are common
<fjh> ACTION: fjh ask xml coordination about use of multiple schemas and validation [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-384 - Ask xml coordination about use of multiple schemas and validation [on Frederick Hirsch - due 2009-10-13].
<fjh> I do not believe this would be an issue to stop last call
<fjh> defining multiple schemas is common practice
<fjh> issue-135?
<trackbot> ISSUE-135 -- Review transforms for XML Encryption 1.1 and alignment with Signature 1.1 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/135
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0007.html
fjh: issue 135
... should we put transforms in alg section?
<fjh> The syntax of the URI and Transforms is defined in XML Signature [XML-DSIG], however XML Encryption places the Transforms element in the XML Encryption namespace since it is used in XML Encryption obtain an octet stream for decryption.
<fjh> currently says
<fjh> The syntax of the URI and Transforms is similar to that of [XML-DSIG]. However, there is a difference between signature and encryption processing.
<bal> small in proposed text:
<bal> The syntax of the URI and Transforms is defined in XML Signature [XML-DSIG], however XML Encryption places the Transforms element in the XML Encryption namespace since it is used in XML Encryption **TO** obtain an octet stream for decryption.
<fjh> proposed resolution - accept change to XML Encryption proposed in http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0007.html , adding "to" before "obtain"
RESOLUTION: accept change to XML Encryption proposed in http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0007.html , adding "to" before "obtain"
<fjh> ACTION: fjh to edit xml encryption 1.1 with change in http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0007.html , adding "to" before "obtain" [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-385 - Edit xml encryption 1.1 with this change [on Frederick Hirsch - due 2009-10-13].
<fjh> issue: XML Encryption 1.1 table of contents incomplete, some headings not numbered correctly in document
<trackbot> Created ISSUE-147 - XML Encryption 1.1 table of contents incomplete, some headings not numbered correctly in document ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/147/edit .
<fjh> issue-137?
<trackbot> ISSUE-137 -- Normative reference to DRAFT-HOUSLEY-KW-PAD -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/137
bal: make change later today for issue 137
fjh: make decision at TPAC to go to last call for 1.1 docs
... will need to make decision about ECC requirements
... will make recommendation on ECC before going to last call
<fjh> include XML Signature 1.1, XML Encryption 1.1, XML Security Generic Hybrid Ciphers, XML Signature Properties
fjh: list of docs: dsig and enc 1.1, generic hybrid ciphers, signature properties
... shouldn't go to last call w/o some impl experience?
tlr: impl exp not critical for last call
<fjh> Also publish an update to XML Security Algorithms Cross-Reference
<fjh> Plan is to resolve at TPAC F2F to bring XML Signature 1.1, XML Encryption 1.1, Generic Hybrid Ciphers and XML Signature Properties to Last Call
<fjh> issue-9?
<trackbot> ISSUE-9 -- Review WS-I BSP constraints on DSig -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/9
fjh: need some help on this one
hal: will take a look at it, what about 1.0 vs 1.1?
fjh: look at 1.0, then 1.1, signature may be the same
<scribe> ACTION: hal to look at WS-I BSP constraints on DSig [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-386 - Look at WS-I BSP constraints on DSig [on Hal Lockhart - due 2009-10-13].
<fjh> issue-32?
<trackbot> ISSUE-32 -- Define metadata that needs to be conveyed with signature, e.g. profile information -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/32
fjh: will wait on this one for Scott to comment on
<fjh> issue-45?
<trackbot> ISSUE-45 -- Multiple or layered signatures -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/45
<fjh> multiple signature blocks discussed last week
fjh: need to check requirements to see if we address this
<scribe> ACTION: Gerald to propose text for requirements for issue-45 [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-387 - Propose text for requirements for issue-45 [on Gerald Edgar - due 2009-10-13].
<fjh> issue-60?
<trackbot> ISSUE-60 -- Define requirements for XML Security and EXI usage -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/60
<fjh> requirement -ability to sign an EXI serialization without reformatting it
<scribe> ACTION: Gerald to propose text for requirements for issue-60 [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action05]
<trackbot> Created ACTION-388 - Propose text for requirements for issue-60 [on Gerald Edgar - due 2009-10-13].
pdatta: added EXI in one of the encoding types in c14n 2.0
<fjh> issue-63?
<trackbot> ISSUE-63 -- Namespace requirements: undeclarations, QNames, use of partial content in new contexts -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/63
fjh: should be a requirement to support QNames in content
<pdatta> EXI is one option for the serialization parameter in C14n 2.0 See http://www.w3.org/2008/xmlsec/Drafts/c14n-20/#Canonicalization-Parameters
hal: need to be more precise: support QNames in content
pdatta: there is an option in c14n 2.0 to support this
<fjh> c14n2 has option related to QNames in content
<fjh> suggest - add to requirements that should be possible to have QNames in content
<scribe> ACTION: Gerald to propose requirements text for issue-63 [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action06]
<trackbot> Created ACTION-389 - Propose requirements text for issue-63 [on Gerald Edgar - due 2009-10-13].
<pdatta> This is the section in C14N 2.0 about QNames in content -> http://www.w3.org/2008/xmlsec/Drafts/c14n-20/#Other-Ideas-Considered , QNames in xsi:type are considered separately
fjh: be careful there are 2 requirements docs, transforms and general
<fjh> have we dealt with issue-63 ?
hal: couple of unresolved points
... 1) false positives
may be a QName, might not be
<fjh> detecting colon might not be good enough notes hal
some software preprocesses doc and look for QName prefix and add to list of exclusive C14N
extra pass over data so not good for streaming
2) rare cases changes to namespace decl outside of what is signed can still cause false positives
<fjh> QNames in content are inherently ambiguous, since colon is also legitimate text
hal: an example will make it clear for #2
... you can get two different signature values
<fjh> see Hal's workshop paper
hal: think both are called out in workshop paper
pdatta: for QNames in content in xsi tags (80%) we have addressed
<fjh> suggestion - record difficult issues in requirements document, note approach taken
<fjh> pratik notes we need more use cases where we use QNames in content
fjh: need to define use cases in reqmts doc and show how we addressed them
hal: section in paper: spurious validation and QNames in content
... has examples of edge case
<fjh> issue-65?
<trackbot> ISSUE-65 -- Define requirements on transforms -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/65
fjh: thinks this is answered in 2.0 drafts
pdatta: 2.0 doc based on requirements but can take a look
<fjh> suggest this issue can be closed, based on 2.0 requirements and 2.0 signature and 2.0 C14n drafts
<fjh> issue-65 close
<fjh> issue-65 closed
<trackbot> ISSUE-65 Define requirements on transforms closed
<fjh> issue-66?
<trackbot> ISSUE-66 -- Which constraints can we impose on xml data model for simplification -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/66
<fjh> issue-66 dealt with in 2.0 C14N and 2.0 Signature
fjh: think we have addressed this in 2.0 docs, recommend closing
<fjh> issue-66 closed
<trackbot> ISSUE-66 Which constraints can we impose on xml data model for simplification closed
<fjh> issue-68?
<trackbot> ISSUE-68 -- Enable generic use of randomized hashing -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/68
bal: think we decided it didn't have to be in 1.1 because someone could extend and add it
... but look at it for 2.0
... keep it open for 2.0
... support it depending how much demand/support in community
fjh: next step for someone to make a proposal
<fjh> this one deserves consideration
<fjh> issue-127?
<trackbot> ISSUE-127 -- Should XML Security WG consider supporting and/or defining EXI canonicalization -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/127
fjh: combine with issue-60
<fjh> suggest consolidating this one with ISSUE-60
<fjh> any objection?
<fjh> ACTION: fjh consolidate ISSUE-127 and issue-60 [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action07]
<trackbot> Created ACTION-390 - Consolidate ISSUE-127 and issue-60 [on Frederick Hirsch - due 2009-10-13].
<fjh> issue-131?
<trackbot> ISSUE-131 -- Is semantic equivalence robustness in requirements document -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/131
<scribe> ACTION: Gerald to see if issue-31 is covered in requirements doc [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action08]
<trackbot> Created ACTION-391 - See if issue-31 is covered in requirements doc [on Gerald Edgar - due 2009-10-13].
<fjh> action-391 closed
<trackbot> ACTION-391 See if issue-31 is covered in requirements doc closed
<scribe> ACTION: Gerald to see if issue-131 is covered in requirements doc [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action09]
<trackbot> Created ACTION-392 - See if issue-131 is covered in requirements doc [on Gerald Edgar - due 2009-10-13].
<fjh> issue-131?
<trackbot> ISSUE-131 -- Is semantic equivalence robustness in requirements document -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/131
<fjh> issue-136?
<trackbot> ISSUE-136 -- Is normalization of prefixes a goal for 2.0 c14n -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/136
<fjh> believe we have option for this 2.0, need to check
<fjh> issue-139?
<trackbot> ISSUE-139 -- Need to collect streaming XPath requirements -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/139
pdatta: still under discussion what the subset is
fjh: suggest we need to put something in reqmts doc
pdatta: looked at some of the papers, they still have some restrictions on XPath for streaming
... we need to define our subset somewhere in the middle
... will try to define our subset more clearly
hal: is there enough interest in defining an XPath subset is acceptable to community?
pdatta: many uses are just simple XPath expressions
... ws security policy group should review 2.0 doc
<fjh> ws-sx, sstc
<fjh> ACTION: fjh announce 2.0 to oasis security tcs, draw attention to points [recorded in http://www.w3.org/2009/10/06-xmlsec-minutes.html#action10]
<trackbot> Created ACTION-393 - Announce 2.0 to oasis security tcs, draw attention to points [on Frederick Hirsch - due 2009-10-13].
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2009Oct/0001.html
fjh: streamable XPath
pdatta: in our subset it didn't have the issues in jeni's blog
<fjh> pratik notes that proposed 2.0 subset of XPath is different from other subsets that have been critiqued in research papers
pdatta: some expressions cannot be done in one pass
... can do it in one pass but would require a lot of memory
<fjh> when we publish XPath subset as part of our 2.0 FPWD we can then seek constructive feedback
pdatta: proposed a simpler subset - we can now decide if we want to do any advanced ones
<fjh> http://www.w3.org/2008/xmlsec/wiki/Interop
fjh: need to move forward on 1.1 interop
... can we use TPAC f2f to get things moving?
mullan: will be able to participate in interop testing DEREncodedKeyValue