# XML Security Working Group Teleconference

## 13 Dec 2011

[Agenda][3]

See also: [IRC log][4]

## Attendees

Present: Frederick_Hirsch, Chris_Solc, Bruce_Rich, Gerald_Edgar, Ed_Simon, Pratik_Datta, Hal_Lockhart

Regrets: Thomas_Roessler, Brian_LaMacchia, Shivaram_Mysore, Magnus_Nystrom

Chair: Frederick_Hirsch

Scribe: fjh

## Contents

* [Topics][5]
  1. [Administrative][6]
  2. [Minutes Approval][7]
  3. [Publication Status][8]
  4. [FIPS and XML Encryption][9]
  5. [XML Security 2.0][10]
  6. [Interop][11]
  7. [GCM][12]
  8. [Action review][13]
  9. [Adjourn][14]
* [Summary of Action Items][15]

* * *

Date: 13 December 2011

ScribeNick: fjh

### Administrative

* no problem

Call next week, 20th; no call on 27 December.

Keep 3 Jan on schedule, but may cancel by email depending on 2.0 CR status.

### Minutes Approval

Approve minutes, 29 November 2011: [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0016/minutes-2011-11-29.html][16]

**RESOLUTION: Minutes from 29 November 2011 are approved.**

### Publication Status

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0006.html][17]

Prepared XML Encryption 1.1 and Security Algorithms Cross Reference for publication as WD, Thursday 15 December.

Prepared "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" for Last Call publication.

Prepared XML Encryption 1.1 Test Cases and Canonical XML 2.0 Test Cases documents for publication.

**RESOLUTION: CfCs for publication of XML Encryption 1.1 and test cases passed successfully**

also

**RESOLUTION: CfC for publication of Last Call "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" passed successfully**

### FIPS and XML Encryption

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html][18]

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0002.html][19]

**ACTION:** hal to review FIPS and RSA-OAEP question in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html][18] [recorded in [http://www.w3.org/2011/12/13-xmlsec-minutes.html#action01][20]]

Created ACTION-862 - Review FIPS and RSA-OAEP question in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html][18] [on Hal Lockhart - due 2011-12-20].

### XML Security 2.0

Reference test cases from C14N 2.0: [http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0005.html][21]

**ACTION:** fjh to confirm correctness of C14N2 test case reference after publication [recorded in [http://www.w3.org/2011/12/13-xmlsec-minutes.html#action02][22]]

Created ACTION-863 - Confirm correctness of C14N2 test case reference after publication [on Frederick Hirsch - due 2011-12-20].

CfC for going to CR: [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0024.html][23]

CfC includes summary of changes.

From W3C process, transition to CR: "At this step, W3C believes the technical report is stable and appropriate for implementation. The technical report may still change based on implementation experience."

proposed RESOLUTION: Advance Canonical XML 2.0, XML Signature Streaming Profile of XPath 1.0 and XML Signature 2.0 to CR with no features as at risk, exit with at least 2 implementations

proposed RESOLUTION: Advance Canonical XML 2.0, XML Signature Streaming Profile of XPath 1.0 and XML Signature 2.0 to CR with no features as at risk, exit criteria at least 2 implementations and minimum period of two months

**RESOLUTION: Advance Canonical XML 2.0, XML Signature Streaming Profile of XPath 1.0 and XML Signature 2.0 to CR with no features as at risk, exit criteria at least 2 implementations and minimum period of two months**

csolc: how to get second implementation, open source or university; do we have any contacts?

Two potential issues: elliptic curve status and implementation.

**ACTION:** fjh to implement CR transition [recorded in [http://www.w3.org/2011/12/13-xmlsec-minutes.html#action03][24]]

Created ACTION-864 - Implement CR transition [on Frederick Hirsch - due 2011-12-20].

fjh: hopefully the PAG will have a result this month

**ACTION:** fjh to contact parties re participation in interop for 2.0 [recorded in [http://www.w3.org/2011/12/13-xmlsec-minutes.html#action04][25]]

Created ACTION-865 - Contact parties re participation in interop for 2.0 [on Frederick Hirsch - due 2011-12-20].

### Interop

Microsoft has additional and updated elliptic curve test cases in the wiki, and completed Oracle interop. Not working on encryption interop.

### GCM

Magnus noted, off-list, that a "chunked" form of GCM would allow streaming.

brich: specification requires checking of tags and full processing to reach end
... hence streaming not possible
... certification not clear since spec has some vague language about certification

hal: would be helpful to have detail from magnus on the public list

### Action review

ACTION-841?

ACTION-841 -- Pratik Datta to add link to canonical XML 2.0 samples into the spec -- due 2011-10-11 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/841][26]

fjh: I did this

close ACTION-841

ACTION-841 Add link to canonical XML 2.0 samples into the spec closed

ACTION-848?

ACTION-848 -- Bruce Rich to contact OASIS ebXML community regarding large data issue and GCM -- due 2011-10-25 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/848][27]

brich: ebXML is in use for small chunks of data, so more general issue than GCM
... will forward message to xml signature public list

fjh: summary, not an issue here

ACTION-850?

ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/850][28]

hal: producing a detailed summary, few paragraphs, lots of subtlety
... for example, can have wrapping attack with even one error message
... issue is multiple processing layers, security, application, etc. without any responsibility on any layer to detect message structure

* Ed: signing off.

ACTION-851?

ACTION-851 -- Pratik Datta to propose text regarding KeyLength and PBKDF2, assuming we do not change the schema -- due 2011-10-25 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/851][29]

Proposal made, adopted in draft.

close ACTION-851

ACTION-851 Propose text regarding KeyLength and PBKDF2, assuming we do not change the schema closed

hal: could use HMAC based on decryption key, but not more helpful than GCM

ACTION-856?

ACTION-856 -- Brian LaMacchia to discuss with magnus possible encryption algorithms suitable for streaming -- due 2011-11-15 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/856][30]

Done, but need to share result with WG.

close ACTION-858

ACTION-858 Send CfC for resolution to Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month closed

close ACTION-859

ACTION-859 Send CfC to move XML Encryption 1.1 CipherReference Processing using 2.0 Transforms to LC closed

close ACTION-861

ACTION-861 Send message re closing ISSUE-230 closed

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to confirm correctness of C14N2 test case reference after publication [recorded in [http://www.w3.org/2011/12/13-xmlsec-minutes.html#action02][22]]

**[NEW]** **ACTION:** fjh to contact parties re participation in interop for 2.0 [recorded in [http://www.w3.org/2011/12/13-xmlsec-minutes.html#action04][25]]

**[NEW]** **ACTION:** fjh to implement CR transition [recorded in [http://www.w3.org/2011/12/13-xmlsec-minutes.html#action03][24]]

**[NEW]** **ACTION:** hal to review FIPS and RSA-OAEP question in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html][18] [recorded in [http://www.w3.org/2011/12/13-xmlsec-minutes.html#action01][20]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][31] version 1.135 ([CVS log][32])
$Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0007.html
[4]: http://www.w3.org/2011/12/13-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #ActionSummary
[16]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0016/minutes-2011-11-29.html
[17]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0006.html
[18]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html
[19]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0002.html
[20]: http://www.w3.org/2011/12/13-xmlsec-minutes.html#action01
[21]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0005.html
[22]: http://www.w3.org/2011/12/13-xmlsec-minutes.html#action02
[23]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0024.html
[24]: http://www.w3.org/2011/12/13-xmlsec-minutes.html#action03
[25]: http://www.w3.org/2011/12/13-xmlsec-minutes.html#action04
[26]: http://www.w3.org/2008/xmlsec/track/actions/841
[27]: http://www.w3.org/2008/xmlsec/track/actions/848
[28]: http://www.w3.org/2008/xmlsec/track/actions/850
[29]: http://www.w3.org/2008/xmlsec/track/actions/851
[30]: http://www.w3.org/2008/xmlsec/track/actions/856
[31]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[32]: http://dev.w3.org/cvsweb/2002/scribe/