- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Mon, 22 Sep 2008 18:16:49 -0400
- To: XMLSec WG Public List <public-xmlsec@w3.org>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
Agenda: W3C XML Security WG (XMLSec) v2
Teleconference 23 September 2008
Distributed Meeting #8
v2 changed time for XProc discussion to start of meeting, update
agenda for Best Practices decisions, added Last Call Widgets
Requirements, update for requirements/issues items
10-12:00 am Eastern Time
Information on meeting times in various time zones:
http://www.w3.org/2008/xmlsec/Group/Overview.html#phone
Zakim Bridge:
+1.617.761.6200 conference code 965732# ('XMLSEC')
IRC Chat:
irc.w3.org (port 6665), #xmlsec
Web-based IRC (member-only):
<http://cgi.w3.org/member-bin/irc/irc.cgi>
Please note that attendance of XMLSEC WG teleconferences is restricted
to registered WG participants and persons invited by the chair.
Chair: Frederick Hirsch
Regrets: see upcoming meetings
http://www.w3.org/2008/xmlsec/Group/Overview.html#upcoming-meetings
1) Administrivia: scribe confirmation, next meeting, other
1a) Rob Miller is scheduled to scribe
The current scribe list is at the end of this message, will rotate
through this list.
Scribe Instructions:
http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
1b) Meeting planning: weekly meetings
This WG meets weekly on Tuesdays 10-12 Eastern unless a meeting is
cancelled.
Upcoming meeting information is available on the WG Administrative page:
http://www.w3.org/2008/xmlsec/Group/Overview.html#upcoming-meetings
30 September 2008 Teleconference cancelled.
Next meeting 7 October. Gerald Edgar is scheduled to scribe.
14 October 2008 Teleconference cancelled,
20-21 October 2008 F2F at TPAC.
2) XProc discussion with Norm Walsh
http://www.w3.org/2008/09/02-xmlsec-minutes.html#item03
3) Minutes Approval
3a) Minutes from 16 September 2008 for approval:
Revised
http://lists.w3.org/Archives/Member/member-xmlsec/2008Sep/0030.html
Additional discussion (should not impact approval of minutes)
http://lists.w3.org/Archives/Member/member-xmlsec/2008Sep/0032.html
4) Liaisons and Coordination
See status at members page
http://www.w3.org/2008/xmlsec/Group/Overview.html#coordination
4a) TPAC F2F Scheduling
http://lists.w3.org/Archives/Member/member-xmlsec/2008Sep/0004.html
Tentative:
XForms - 10:30 - noon (tentative) Monday 20 October
EXI - 2-3:30 Monday 20 October (note correction, 1 1/2 hours)
WebApps - 11-12 Tuesday 21 October
4b) WS-Policy
XML Signature Second Edition proposed errata to be handled by email on
WS-Policy list
http://lists.w3.org/Archives/Public/public-ws-policy/2008Sep/0001.html
4c) OASIS WS-SX
New issue accepted to add Second Edition reference
http://www.oasis-open.org/apps/org/workgroup/ws-sx/email/archives/200809/msg00014.html
Incorrect algorithm URI for C14N10, issue under consideration
http://www.oasis-open.org/apps/org/workgroup/ws-sx/email/archives/200809/msg00019.html
4d) WebApps Widgets 1.0 Requirements Last Call
"On September 19, the Web Apps WG published Last Call Working Draft #2
of the "Widgets 1.0: Requirements" spec:
<http://www.w3.org/TR/2008/WD-widgets-reqs-20080915/>
If you have any comments, please send them to the public-webapps@w3.org
mail list (archive at [1]) by October 13 at the latest.
[1] <http://lists.w3.org/Archives/Public/public-webapps/>"
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0049.html
5) Best Practices - Actions before publication as working draft
Next steps:
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0043.html
5a) Resolution to accept Status/Abstract and incorporate into draft
(proposal from Thomas)
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0040.html
5b) Proposed revision for section 2.1, Best Practice 2 (Scott,
ACTION-56)
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0044.html
(Scott)
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0045.html
(Sean)
suggest moving practice later in document.
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0060.html
(Frederick)
5c) Draft review Section 1, section 2.1.4 (Sean)
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0046.html
(Sean)
Remove 2nd paragraph in section 1 as redundant
2.1.4, 4th paragraph, last sentence, define or remove "web bug"
Additional comment (Frederick)
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0055.html
5d) Draft review - section 2.1.2 (Best Practice 5) (Sean)
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0050.html
(Sean)
Note more advanced implementations might not be vulnerable to all
attacks
Change all examples in document to use absolute namespace URIs, not
relative
Proposal (Frederick)
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0056.html
URIs for example documents. Do instances in Best practices doc itself?
Do we want to retain links in document to example files?
5e) RetrievalMethod attack, section 2.1.3
Sean: Reality of attack in 2.1.3?
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0051.html
Pratik: Meaning of RetrievalMethod for KeyInfo not clear?
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0053.html
Sean: Clarification
Meaning of RetrievalMethod for KeyInfo not clear?
Pratik: continued relevance of attack
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0059.html
Question #1: proposed changes to 2.1.3?
Question #2: Action to propose clarification (proposed errata) for
Signature to clarify target of RetrievalMethod?
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0042.html
(Scott)
5f) Add synopsis for each Best Practice
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0057.html
5g) Misc editorial
Add change log item to reflect Brad's edits.
Consistent use of C14N11 capitalization
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0058.html
5h) Completion of implementer review actions?
See actions 57-64. http://www.w3.org/2008/xmlsec/track/products/11
6) Use Cases and Requirements
http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html
6a) Agree to add Web Services Security material, action to craft text
for document?
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0036.html
6b) Requirements logged in issues list
http://lists.w3.org/Archives/Public/public-xmlsec/2008Sep/0052.html
(Gerald)
Proposal, close in issues list, assign actions to craft proposals on
public list, then agree to add to requirements document.
7) Issues list
Procedure for creating issues: http://www.w3.org/2008/xmlsec/Group/Overview.html#issues
7a) Resolution to use tracker for issues.
7b) New issues
[OPEN] ISSUE-53 Practice summaries: Add short summary for each best
practice [on Best Practices for XML Signature]
http://www.w3.org/2008/xmlsec/track/issues/53
[OPEN] ISSUE-54 C14N usage: Use consistent spelling of C14N11 [on Best
Practices for XML Signature]
http://www.w3.org/2008/xmlsec/track/issues/54
7c) Issues list review
8) Completed Actions Pending Review
These actions have been completed (marked as pending review by owner
of action) and may be closed if WG agrees.
Actions pending review are listed in Tracker at http://www.w3.org/2008/xmlsec/track/actions/pendingreview
Unless there is any objection, the following actions will be closed at
this meeting.
[pending review] ACTION-27: Robert Miller to contact crypto hardware
and suiteB experts in NSA regarding XML Security WG and possible
involvement - due 2008-08-19 [on WG-Coordination]
http://www.w3.org/2008/xmlsec/track/actions/27
[pending review] ACTION-31: Thomas Roessler to Investigate ebXML
liaison (see ACTION-6) - due 2008-08-18 [on WG-Coordination]
http://www.w3.org/2008/xmlsec/track/actions/31
[pending review] ACTION-39: Hal Lockhart to Contribute web service
related scenario - due 2008-08-24 [on Rqmts (XML Signature and
Canonicalization V Next Requirements)]
http://www.w3.org/2008/xmlsec/track/actions/39
[pending review] ACTION-42: Thomas Roessler to Elaborate on "any
document" requirement vs canonicalizing xml:base - due 2008-08-26 [on
Rqmts (XML Signature and Canonicalization V Next Requirements)]
http://www.w3.org/2008/xmlsec/track/actions/42
[pending review] ACTION-47: Thomas Roessler to Add error noted in http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Jun/0021.html
to c14n 1.1 errata page - due 2008-09-01 [on Errata-C14N]
http://www.w3.org/2008/xmlsec/track/actions/47
[pending review] ACTION-66: Frederick Hirsch to Follow up with xsl to
get documents related to serialization - due 2008-09-23 [on
WG-Coordination]
http://www.w3.org/2008/xmlsec/track/actions/66
keep open until response received.
9) Open Action item review
Open actions are listed in Tracker at http://www.w3.org/2008/xmlsec/track/actions/open
Procedure for closing actions: http://www.w3.org/2007/xmlsec/Group/Overview.html#closing-actions
Please review open action list and update your actions appropriately:
http://www.w3.org/2008/xmlsec/actions-open.html
10) Adjourn
Scribing list
----------------
Gerald Edgar, Boeing ()
Robert Miller, MITRE ()
Shivaram Mysore, Invited Expert ()
Magnus Nyström, EMC ()
Leonard Rosenthol, Adobe ()
Anil Saldhana, Red Hat ()
Ed Simon, Invited Expert ()
John Wray, IBM ()
Kelvin Yiu, Microsoft ()
Konrad Lanz, IAIK (16 July F2F am)
Hal Lockhart, Oracle (16 July F2F pm)
Bruce Rich, IBM (17 July F2F am)
Chris Solc, Adobe (17 July F2F pm)
Scott Cantor, invited expert (29 July 2008)
Sean Mullan, Sun (12 August 2008)
Pratik Datta, Oracle (19 August 2008)
Subramanian Chidambaram, Nokia (26 August)
Brian LaMacchia, Microsoft (2 September 2008)
Bradley Hill, Invited Expert (9 September 2008)
Juan Carlos Cruellas, Universitat Politècnica de Catalunya (16
September 2008)
regards, Frederick
Frederick Hirsch, Nokia
Chair XML Security WG
Received on Monday, 22 September 2008 22:18:01 UTC