# XML Security Working Group Teleconference

## 16 Aug 2011

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Frederick_Hirsch, Chris_Solc, Hal_Lockhart, Cynthia_Martin, Scott_Cantor, Bruce_Rich
* Regrets: Pratik_Datta, Magnus_Nystrom, Brian_LaMacchia, Thomas_Roessler
* Chair: Frederick_Hirsch
* Scribe: fjh

## Contents

* [Topics][5]
  1. [Administrative][6]
  2. [Minutes Approval][7]
  3. [XML Encryption 1.1][8]
  4. [XML Signature Properties][9]
  5. [XML Security 2.0][10]
  6. [Additional Actions][11]
  7. [Other Business][12]
  8. [Adjourn][13]
* [Summary of Action Items][14]

* * *

Date: 16 August 2011

### Administrative

ScribeNick: fjh

Updated Suite B interoperability document - [http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0039.html][15]

### Minutes Approval

Approve minutes, 9 August 2011

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/att-0012/minutes-2011-08-09.html][16]

Proposed RESOLUTION: Minutes from 9 August are approved.

**RESOLUTION: Minutes from 9 August are approved.**

### XML Encryption 1.1

LC-2543 PRFAlgorithmIdentifierType definition

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0028.html][17]

shouldn't the AlgorithmIdentifierType have a "type='anyURI'" on the Algorithm attribute definition?

I concur

**RESOLUTION: add 'type="anyURI"' to Algorithm in AlgorithmIdentifierType**

**ACTION:** fjh to update xml encryption schema and specification with addition of type for Algorithm in AlgorithmIdentifierType [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action01][18]]

Created ACTION-824 - Update xml encryption schema and specification with addition of type for Algorithm in AlgorithmIdentifierType [on Frederick Hirsch - due 2011-08-23].
LC-2544 xenc-schema-11.xsd does not import xmldsig11-schema.xsd but rather import xmldsigschema.xsd

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0029.html][19]

**ACTION:** fjh to make formal response, import is for ds:Digest which is from original schema, hence no change needed [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action02][20]]

Created ACTION-825 - Make formal response, import is for ds:Digest which is from original schema, hence no change needed [on Frederick Hirsch - due 2011-08-23].

LC-2542 Note re base64 encoding

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0027.html][21]

EncryptedType has an optional Encoding attribute. I believe the URI could be used here to specify the encoding used for the CipherData. See the last paragraph of 3.1, [http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.html#sec-EncryptedType][22]

One might expect the encoding to appear as an optional attribute of CipherValue but I suspect this is an attempt to provide it for both CipherValue or CipherReference so that it is applicable to either.

At a minimum we probably should update the last paragraph of 3.1 to make Encoding a new paragraph and maybe also reference the Encoding attribute in the note.

scott: asks if two uses of base64 were there before

fjh: believe so

scott: if not shouldn't overload now, otherwise note appropriate

fjh: will double check, then close out issue

LC-2541 self-reference

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0026.html][23]

fjh: maintenance problem to have Media Type registration in document

... proposal to have reference as text within document [http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.html#sec-MediaType][24]

hal: why not remove registration material from document

fjh: proposal to remove section 8, XML Encryption Media Type registration from this document, or restructure as note with reference

... we could put copy of registration into CVS as separate document and then reference as informational document alternatively put reference in line

**ACTION:** fjh to check with tlr re removing (and archiving) section 8 from xml encryption 1.1 [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action03][25]]

Created ACTION-826 - Check with tlr re removing (and archiving) section 8 from xml encryption 1.1 [on Frederick Hirsch - due 2011-08-23].

ACTION-814?

ACTION-814 -- Magnus Nystrom to make namespace ("&xenc;") related edits in XML Encryption 1.1 -- due 2011-07-05 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/814][26]

### XML Signature Properties

LC-2372 awaiting response from Juan Carlos

**ACTION:** tlr to advise on how to close LC-2372 if no response received from submitter of comment for resolution [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action04][27]]

Created ACTION-827 - Advise on how to close LC-2372 if no response received from submitter of comment for resolution [on Thomas Roessler - due 2011-08-23].

### XML Security 2.0

Awaiting actions from Pratik noted in agenda

ACTION-809?

ACTION-809 -- Pratik Datta to fix examples in signature 2.0 -- due 2011-06-21 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/809][28]

ACTION-802?

ACTION-802 -- Pratik Datta to review comments from XML Core WG and formulate response, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0005.html][29] -- due 2011-06-14 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/802][30]

ACTION-717?

ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/717][31]

### Additional Actions

ACTION-238?

ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list.
-- due 2011-09-30 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/238][32]

### Other Business

general discussion of possible additional security considerations for xml encryption

hal: should identify different types of attacks

**ACTION:** hal to propose additional text for security considerations of xml encryption [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action05][33]]

Created ACTION-828 - Propose additional text for security considerations of xml encryption [on Hal Lockhart - due 2011-08-23].

**ACTION:** scantor to provide additional proposal text regarding xml encryption changes for pkcs1.5 [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action06][34]]

Created ACTION-829 - Provide additional proposal text regarding xml encryption changes for pkcs1.5 [on Scott Cantor - due 2011-08-23].

cynthia: HTML version of Suite B interoperability document looks good.

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to check with tlr re removing (and archiving) section 8 from xml encryption 1.1 [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action03][25]]

**[NEW]** **ACTION:** fjh to make formal response, import is for ds:Digest which is from original schema, hence no change needed [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action02][20]]

**[NEW]** **ACTION:** fjh to update xml encryption schema and specification with addition of type for Algorithm in AlgorithmIdentifierType [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action01][18]]

**[NEW]** **ACTION:** hal to propose additional text for security considerations of xml encryption [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action05][33]]

**[NEW]** **ACTION:** scantor to provide additional proposal text regarding xml encryption changes for pkcs1.5 [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action06][34]]

**[NEW]** **ACTION:** tlr to advise on how to close LC-2372 if no response received from submitter of comment for resolution [recorded in [http://www.w3.org/2011/08/16-xmlsec-minutes.html#action04][27]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][35] version 1.135 ([CVS log][36]) $Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0040.html
[4]: http://www.w3.org/2011/08/16-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #ActionSummary
[15]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0039.html
[16]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/att-0012/minutes-2011-08-09.html
[17]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0028.html
[18]: http://www.w3.org/2011/08/16-xmlsec-minutes.html#action01
[19]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0029.html
[20]: http://www.w3.org/2011/08/16-xmlsec-minutes.html#action02
[21]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0027.html
[22]: http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.html#sec-EncryptedType
[23]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Aug/0026.html
[24]: http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.html#sec-MediaType
[25]: http://www.w3.org/2011/08/16-xmlsec-minutes.html#action03
[26]: http://www.w3.org/2008/xmlsec/track/actions/814
[27]: http://www.w3.org/2011/08/16-xmlsec-minutes.html#action04
[28]: http://www.w3.org/2008/xmlsec/track/actions/809
[29]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0005.html
[30]: http://www.w3.org/2008/xmlsec/track/actions/802
[31]: http://www.w3.org/2008/xmlsec/track/actions/717
[32]: http://www.w3.org/2008/xmlsec/track/actions/238
[33]: http://www.w3.org/2011/08/16-xmlsec-minutes.html#action05
[34]: http://www.w3.org/2011/08/16-xmlsec-minutes.html#action06
[35]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[36]: http://dev.w3.org/cvsweb/2002/scribe/