- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 6 May 2008 15:08:59 +0200
- To: public-xmlsec-maintwg@w3.org
Minutes from our meeting on 2008-04-15 were approved and are
available online here:
http://www.w3.org/2008/04/15-xmlsec-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
XML Security Specifications Maintenance Working Group Teleconference
15 Apr 2008
[2]Agenda
See also: [3]IRC log
Attendees
Present
Thomas Roessler, Frederick Hirsch, John Wray, Rob Miller, Sean
Mullan, Ed Simon, Bruce Rich, Phill Hallam-Baker, Juan Carlos
Cruellas, Hal Lockhart, Pratik Datta, Shivaram Mysore, Konrad
Lanz
Regrets
Chair
Frederick Hirsch
Scribe
Thomas Roessler, Frederick Hirsch
Contents
* [4]Topics
1. [5]Administrative
2. [6]Meeting Planning
3. [7]minutes from last meeting
4. [8]test case document
5. [9]Relax NG schema
6. [10]best practices
7. [11]action item review
8. [12]aob
* [13]Summary of Action Items
__________________________________________________________________
<trackbot-ng> Date: 15 April 2008
Administrative
Meeting Planning
<scribe> ScribeNick: tlr
<fjh> next call is 6 May
Frederick: next meeting 6 May, Shivaram to scribe
... sent material to WS-I
<fjh> WAF widget signing: [14]http://www.w3.org/TR/widgets-digsig/
frederick: widget signing is FPWD now ...
... you may want to review latest draft ...
<fjh> minutes - [15]http://www.w3.org/2008/04/01-xmlsec-minutes.html
minutes from last meeting
RESOLUTION: approved
<fjh> Dsig AC Reps
[16]http://www.w3.org/2002/09/wbs/33280/xmlsigper2008/
<fjh> [17]http://www.w3.org/2002/09/wbs/33280/xmlsec2008/
frederick: please make sure your AC reps submit reviews for PER and
charter
... chartering deadline is 2 may
... contacting AC reps now might be helpful
... face-to-face schedule for kick-off getting tight
... propose week of 14 July ...
... how would that work? ...
<brich> that would be a problem for me
juan carlos: would be a problem - holiday starting on the 15th
hal: first time I heard the date
<EdS> I would have to check for conflicts too.
hal: no conflicts off the top of my head
... location?
frederick: had two offers from Europe (Barcelona or Graz) ...
jcc: number?
frederick: 15-20 as wild guess
juan carlos: will check, may have some degrees of freedom
hal: Can host in Boston or Bay for < 30
frederick: please share possibilities on member-visible list, what
dates work, etc.
... konrad?
konrad: umh
tlr: talked to Peter last week, he said the offer is on
pbaker: please make Tue-Thu, not Mon or Fri
frederick: reasonable
test case document
frederick: some editorial clean-up from Thomas, some content-wise from
Sean
<fjh> [18]http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0015.htm
sean: main change in section 3.3.4
<fjh> section 3.3.4 and fixed reference
sean: explained optional behavior for generation, mandatory for
verification ...
... improved wording, added rationale, etc ...
... tried to improve readability of section
frederick: don't know if people have reviewed
<fjh> tlr: fixed markup, references, added text about conformance
<fjh> ... added sectioning for individual test cases for ease of use
(discussion about make vs ant build processes)
frederick: process for moving forward?
tlr: moratorium ends 28 April
frederick: expect to proceed with publication if don't hear by then
Relax NG schema
<fjh> [19]http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/
<fjh> tlr: request on original xmlsig list related to Open Office XML
<fjh> ... desire to have normative reference to Relax NG schema
<fjh> ... original version from Joseph Reagle on W3C site
<fjh> ... rather than having it copied, a Note might be preferable,
especially since they wanted Compact Syntax which had not yet been
created.
<fjh> ... Proposal, have minimal WG Note with both Relax NG full and
compact syntax. Not normative document.
<fjh> ... Need WG review of Relax NG schema for correctness
[20]http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/
<klanz2> we do not support Relax NG
<shivaram> How many support Relax NG?
RobMiller: put out call on internal list for review
... will report back if/when there's more information ...
hal: not committing anything either
<klanz2> well, we can parse what xalan can parse, but we'll always
check signature itself against xmlschema
frederick: what's your message in the chat saying?
klanz: we can try to validate a bunch of signatures against RNG schema
frederick: konrad, if there's anything immediately noticeable, please
say
best practices
[21]http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
frederick: tried to rework what Hal and Pratik had posted into that
format
pratik: on xpath, had a list of xpath expressions
... example there was complex xpath that was signing no node ...
frederick: more on nodes?
hal: need bunch of references
... plan to do 5 more or so on the topics ...
... depth, different issues ...
... there's also some controversial issues ...
... will attempt to identify where people might disagree ...
... question what's most expedient
<fjh> ws-i bsp "threats and countermeasures"
klanz2: think we should do some more referencing
... where others have done work ...
... there are some that are narrow xmldsig, some are about stuff on top
of xmldsig ...
... time stamps are more broadly ...
<fjh> wider sense - e.g. application usage of xml signature
klanz2: xpath and canonicalization are narrower ...
... think there's a natural partition ...
<fjh> narrow sense - detail of xml signature standard itself
hal: agree there's a logical division, not sure how easy to do
... and how useful to the reader ...
... I'd think you'd always want to put in a time stamp ...
<fjh> question of defining roles, target audience for individual best
practices
hal: some of the other concerns only a few people will run into ...
klanz: some applications might simply assume "signature was made during
validity period"
... some points here go into PKI validation ...
... time stamping belongs there, too ...
frederick: there are different audiences
hal: want to talk about references
... what we learned doing in WSS ...
... what things turned out to be bad ideas ...
... are deprecated ..
... lots of stuff around that ...
<fjh> need to discuss referencing
<fjh> acc jcc
jcc: what are the plans for the production of best practices
... do we expect people to provide material, and people may comment on
the material ...
... what's the expectation?
frederick: two aspects to this question
... first one, what's WG process
... second one, what are the broader implications
... this is obviously a draft ...
... need agreement in the WG ...
... trying to put something down, then correct ...
... as opposed to inching toward it piecewise ...
... do stuff on list, get it started ...
... so, please comment ...
... broader question - how play out in general community ...
... is it important for us to get external feedback?
... e.g., WS-I, OASIS?
... what's the right process
<hal> +1
<shivaram> I would suggest an informal notice to all of these groups
and have them comment on public mailing list. We can then invite them
as needed.
<klanz2> tlr: Intended to be a Note
<klanz2> ... we can do a Deliverable like this in the next WG even
without having it in the charter (process wise)
<fjh> tlr: can start and hand off to follow on WG
<klanz2> tlr: we can make working drafts to notes
<fjh> tlr: can produce version, can publish as public WD to have
continued by follow on wg, and seek external input
jcc: personal feeling is that external review would be extremely useful
... e.g., etsi has time-stamp related formats on top of dsig
<klanz2>
[22]http://lists.w3.org/Archives/Public/public-xmlsec-comments/
klanz2: can we use the comments mailing list?
... for people to send input?
tlr: yes
<fjh> tlr: this list is appropriate
frederick: will take a bit of time to have an initial version that
we're comfortable with
... can start public review at that point ...
... something to do before we have to worry about that ...
... sounds like we don't have a problem ...
... main thing is to write down things we've learned in this group ...
hal: 3-5 more mails of the same size, then might want to flush that out
... speaking to what JCC said, looking forward to comment ...
... would be surprised if I got it all right ...
... another point, very true and general comments can end up being
unintelligible ...
frederick: yes, value of concrete examples
<jcc> Sorry, was kicked off
klanz: think this is a good thing to lead us from this group to the
next one
<jcc> dialing again
frederick: anything else on best practices
... also, anybody who has material to contribute, please send to public
list ...
... hoping to make progress on draft between now and next call ...
action item review
trackbot-ng, close ACTION-147
<trackbot-ng> ACTION-147 Update the test cases document; polish for
publication as a Note closed
<fjh> see [23]http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0010.html
trackbot-ng, close ACTION-148
<trackbot-ng> ACTION-148 Send comments to EXI group as circulated to
the XMLSEC closed
<fjh> [24]http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0009.html
trackbot-ng, close ACTION-149
<trackbot-ng> ACTION-149 Clarify DName testing in test case document
closed
<fjh> [25]http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0015.html
ACTION-150?
<trackbot-ng> ACTION-150 -- Phillip Hallam-Baker to distribute a draft
regarding identifiers registry -- due 2008-04-15 -- OPEN
<trackbot-ng> [26]http://www.w3.org/2007/xmlsec/Group/track/actions/150
[27]http://www.w3.org/2007/xmlsec/Group/track/actions/pendingreview
trackbot-ng, close ACTION-121
<trackbot-ng> ACTION-121 Fix CR/LF issue for test case 103 closed
trackbot-ng, close ACTION-126
<trackbot-ng> ACTION-126 Check consistency of 4.3.3.1 and references
closed
trackbot-ng, close ACTION-127
<trackbot-ng> ACTION-127 Propose change to charter draft that opens
encryption, in a limited way closed
aob
frederick: reminders again: Please ask AC representatives to complete
questionnaires on XML Signature PER and Security Activity/XMLSec
chartering. Also work on list for Best Practices before next call, and
review of Relax NG schemas.
frederick: RNG schema
... prod ac reps
... review best practices
adjourned
<fjh> Scribe: Thomas Roessler, Frederick Hirsch
__________________________________________________________________
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0016.html
3. http://www.w3.org/2008/04/15-xmlsec-irc
4. http://www.w3.org/2008/04/15-xmlsec-minutes.html#agenda
5. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item01
6. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item02
7. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item03
8. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item04
9. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item05
10. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item06
11. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item07
12. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item08
13. http://www.w3.org/2008/04/15-xmlsec-minutes.html#ActionSummary
14. http://www.w3.org/TR/widgets-digsig/
15. http://www.w3.org/2008/04/01-xmlsec-minutes.html
16. http://www.w3.org/2002/09/wbs/33280/xmlsigper2008/
17. http://www.w3.org/2002/09/wbs/33280/xmlsec2008/
18. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0015.htm
19. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/
20. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/
21. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
22. http://lists.w3.org/Archives/Public/public-xmlsec-comments/
23. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0010.html
24. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0009.html
25. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0015.html
26. http://www.w3.org/2007/xmlsec/Group/track/actions/150
27. http://www.w3.org/2007/xmlsec/Group/track/actions/pendingreview
Received on Tuesday, 6 May 2008 13:09:41 UTC