# XML Security Working Group Teleconference

## 07 Jun 2011

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Frederick_Hirsch, Cynthia_Martin, Pratik_Datta, Ed_Simon, Chris_Solc, Meiko_Jensen, Gerald_Edgar, Scott_Cantor, Hal_Lockhart, Bruce_Rich, Thomas_Roessler, Brian_LaMacchia
* Regrets:
* Chair: Frederick_Hirsch
* Scribe: Ed_Simon, Cynthia

## Contents

* [Topics][5]
    1. [Administrative][6]
    2. [Minutes Approval][7]
    3. [2.0 Last Call][8]
    4. [C14N2 Test Cases][9]
    5. [XML Security 2.0 implementation planning][10]
    6. [XML Security 1.1 CR][11]
    7. [XML Signature 1.1][12]
    8. [Open Actions Review][13]
    9. [Open Issues Review][14]
    10. [Adjourn][15]
* [Summary of Action Items][16]

* * *

Date: 07 June 2011

ScribeNick: Ed_Simon

### Administrative

Next call is June 14, not June 21.

Widget Signature Last Call, anticipated publication 7 June, please review [http://lists.w3.org/Archives/Public/public-xmlsec/2011May/0007.html][17]

### Minutes Approval

Approve minutes, 24 May 2011 [http://lists.w3.org/Archives/Public/public-xmlsec/2011May/att-0009/minutes-2011-05-24.html][18]

Proposed RESOLUTION: Minutes from 24 May are approved.

**RESOLUTION: Minutes from 24 May are approved.**

Agenda addition - feedback on 2.0 and Cynthia's draft

### 2.0 Last Call

C14N2 editorial updates (ACTION-794, ACTION-799 and ACTION-800) [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0002.html][19]

Pratik did editorial updates. See [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0002.html][19] for details

Pratik clarified whitespace issue.

pdatta checked, whitespace defined in XML 1.0 and 1.1 the same way

scribe: pdatta; prefix mapping, added new section on prefix writing, and those were the main issues.
changes are acceptable

proposed RESOLUTION: Changes to resolve LC-2484 and LC-2486 are acceptable (whitespace and prefix rewriting changes)

**RESOLUTION: Changes to resolve LC-2484 and LC-2486 are acceptable (whitespace and prefix rewriting changes)**

fjh: Received last call comments from Paul Grosso [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0005.html][20]

fjh: short list of comments including concern about context, use of xml:lang in text, clarification needed.

Pratik has not had a chance to go through Paul's comments.

**ACTION:** pdatta to review comments from XML Core WG and formulate response, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0005.html][20] [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action01][21]]

Created ACTION-802 - Review comments from XML Core WG and formulate response, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0005.html][20] [on Pratik Datta - due 2011-06-14].

### C14N2 Test Cases

[http://www.w3.org/2008/xmlsec/Group/interop/c14n2/][22]

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0001.html][23]

tlr: Ignore CSS warnings

### XML Security 2.0 implementation planning

* C14N2
* XML Signature Streaming Profile of XPath 1.0
* XML Signature 2.0

fjh: Pratik, where are you with your implementation?

... What can we do to move other implementations forward?

Pratik: We are building both C14N 2.0 and XML Signature 2.0. No one else seems to be implementing the specs which puts interoperability testing in question.

### XML Security 1.1 CR

Minimum CR period of 1 June is ended.

ACTION-779: Gerald Edgar to Review test cases for 1.1 and summarize which are missing

ACTION-779 Review test cases for 1.1 and summarize which are missing notes added

Gerald: Sent out review of test cases and coverage today; would like people to review.
Cynthia, suite b material for review [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0006.html][24]

Cynthia: Wrote summary of what Suite B is and why we are doing this. Created a matrix form

... with things that should be in there. Would like review of wording before the tables.

pointer to draft from Cynthia [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/att-0006/Suite_B_Interoperability_06.08.11_a.pdf][25]

Cynthia: Suite B people have reviewed the text and found it confusing so we need to tweak it.

... Also looking at AES Key Wrap.

**ACTION:** fjh to propose language re xmlsec required for suite b description by Cynthia [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action02][26]]

Created ACTION-803 - Propose language re xmlsec required for suite b description by Cynthia [on Frederick Hirsch - due 2011-06-14].

Cynthia: Not sure that it (AES Key Wrap) should be in there because not sure it is a required field. Best to have more reviewers.

fjh: Helpful to list the relevant algorithms even if not ECC specific, so it is clear what is ECC and what is not.

... Better to have a little too much info than not enough.

Cynthia: Once I have everyone's feedback, wiki will be edited.

documents for 1.1 interop:

* XML Signature 1.1
* XML Encryption 1.1
* XML Signature Properties
* XML Security Generic Hybrid Ciphers

tlr: Can we use the results from Web Applications testing of Signature Properties, and test suite and test result? Yes.

... Then we need to show interoperable implementations of the spec based on the test suite, then we can go to Proposed Rec.

y

XMLSec WG should review WebApps Signature Properties test suite, interop and remove at risk material from Signature Properties as necessary

fjh: Not sure how we will progress Generic Hybrid Ciphers because no public implementation that we can reference.

Brian: Will be talking to Magnus about possibilities.

... We still need a second implementation

...
If no second implementation, what happens to the spec

... (will sit in CR until two implementations are ready).

fjh: Unless we have implementations of Hybrid Ciphers we should not spend time on it.

tlr: If not expecting two implementations, Hybrid Ciphers could be published as Note.

### XML Signature 1.1

Brian: Magnus would be implementing it and Microsoft could participate in XML Signature 1.1 interop testing.

Pratik will have an implementation.

Who apart from Microsoft and Oracle is able to participate in further 1.1 interop?

If anyone is planning on implementing Generic Hybrid Ciphers please indicate on the list

ScribeNick: Cynthia

fjh: Try to set up something regarding interop testing to move forward, need to figure out scheduling

... Try to set up a call or do it via email, contact Magnus to see when he is available

pdatta: We did not do encryption last time, need to pick that up

**ACTION:** fjh to send email to set up offline interop discussion with Microsoft, Oracle, Signature 1.1, Encryption 1.1 [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action03][27]]

Created ACTION-804 - Send email to set up offline interop discussion with Microsoft, Oracle, Signature 1.1, Encryption 1.1 [on Frederick Hirsch - due 2011-06-14].

fjh: Need to look at the interop page to see what needs to be done

Interop Page: [http://www.w3.org/2008/xmlsec/wiki/Interop][28]

One priority is XML Encryption 1.1 interop, the other is filling the gaps in Signature 1.1 interop

fjh: Is there any sense of finality with Notes?
* XML Security 1.1 Requirements and Design Considerations
* XML Security Algorithm Cross-Reference
* XML Security RELAX NG Schemas
* XML Security 2.0 Requirements and Design Considerations
* XML Signature Best Practices

tlr: Note is non-normative, can be updated by WG decision, could be published by working draft if changes are to be made

suggestion that we complete these as W3C Notes once we go to REC with XML Signature 1.1 and XML Encryption 1.1

+1

understanding is these are complete and in good shape, please indicate if you are aware of any issues

### Open Actions Review

ACTION-238?

ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2011-06-30 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/238][29]

tlr: leave this open for now

ACTION-705?

ACTION-705 -- Juan Carlos Cruellas to confirm suitability of exclusive -- due 2010-11-09 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/705][30]

propose to close, see [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0000.html][31]

ACTION-779?

ACTION-779 -- Gerald Edgar to review test cases for 1.1 and summarize which are missing -- due 2011-03-08 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/779][32]

Gerald-E: waiting for comments, will change as necessary

I will try to review it

I will also look at it

ACTION-791?

ACTION-791 -- Thomas Roessler to request SAAG review of XML Sec 2.0 once spec is in LC -- due 2011-04-19 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/791][33]

tlr: will do that right now, what is the deadline for them

fjh: deadline - 2 weeks to a month?

tlr: 4 weeks is fine

+1

ACTION-796?
ACTION-796 -- Thomas Roessler to review xml sec charter extension, see [http://lists.w3.org/Archives/Member/member-xmlsec/2011Apr/0001.html][34], with possibility of 9 months vs 1 year -- due 2011-04-26 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/796][35]

fjh: requesting extension between 9 months to a year

[http://www.w3.org/2008/02/xmlsec-charter.html][36]

I believe we need a year extension given the need for v2.0 implementations

### Open Issues Review

ISSUE-132?

ISSUE-132 -- Keep 2.0 xenc transform feature in sync with signature 2.0 -- open

[http://www.w3.org/2008/xmlsec/track/issues/132][37]

tlr: No news in particular (regarding the PAG status)

... this is an ancient issue, what are the changes mean in general

fjh: Does anyone want to take a look at this?

**ACTION:** fjh to review ISSUE-132 [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action04][38]]

Created ACTION-805 - Review ISSUE-132 [on Frederick Hirsch - due 2011-06-14].

pdatta: want to take a look at it

**ACTION:** pdatta to review ISSUE-132, whether we need XML Encryption update to reflect changes in Signature 2.0 transform model [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action05][39]]

Created ACTION-806 - Review ISSUE-132, whether we need XML Encryption update to reflect changes in Signature 2.0 transform model [on Pratik Datta - due 2011-06-14].

action-791 closed

ACTION-791 Request SAAG review of XML Sec 2.0 once spec is in LC closed

### Adjourn

Note, teleconference schedule update, our next call will be next week 14 June. There will be no call on 21 June.
## Summary of Action Items

**[NEW]** **ACTION:** fjh to propose language re xmlsec required for suite b description by Cynthia [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action02][26]]

**[NEW]** **ACTION:** fjh to review ISSUE-132 [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action04][38]]

**[NEW]** **ACTION:** fjh to send email to set up offline interop discussion with Microsoft, Oracle, Signature 1.1, Encryption 1.1 [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action03][27]]

**[NEW]** **ACTION:** pdatta to review comments from XML Core WG and formulate response, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0005.html][20] [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action01][21]]

**[NEW]** **ACTION:** pdatta to review ISSUE-132, whether we need XML Encryption update to reflect changes in Signature 2.0 transform model [recorded in [http://www.w3.org/2011/06/07-xmlsec-minutes.html#action05][39]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][40] version 1.135 ([CVS log][41]) $Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0003.html
[4]: http://www.w3.org/2011/06/07-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #item10
[16]: #ActionSummary
[17]: http://lists.w3.org/Archives/Public/public-xmlsec/2011May/0007.html
[18]: http://lists.w3.org/Archives/Public/public-xmlsec/2011May/att-0009/minutes-2011-05-24.html
[19]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0002.html
[20]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0005.html
[21]: http://www.w3.org/2011/06/07-xmlsec-minutes.html#action01
[22]: http://www.w3.org/2008/xmlsec/Group/interop/c14n2/
[23]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0001.html
[24]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0006.html
[25]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/att-0006/Suite_B_Interoperability_06.08.11_a.pdf
[26]: http://www.w3.org/2011/06/07-xmlsec-minutes.html#action02
[27]: http://www.w3.org/2011/06/07-xmlsec-minutes.html#action03
[28]: http://www.w3.org/2008/xmlsec/wiki/Interop
[29]: http://www.w3.org/2008/xmlsec/track/actions/238
[30]: http://www.w3.org/2008/xmlsec/track/actions/705
[31]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0000.html
[32]: http://www.w3.org/2008/xmlsec/track/actions/779
[33]: http://www.w3.org/2008/xmlsec/track/actions/791
[34]: http://lists.w3.org/Archives/Member/member-xmlsec/2011Apr/0001.html
[35]: http://www.w3.org/2008/xmlsec/track/actions/796
[36]: http://www.w3.org/2008/02/xmlsec-charter.html
[37]: http://www.w3.org/2008/xmlsec/track/issues/132
[38]: http://www.w3.org/2011/06/07-xmlsec-minutes.html#action04
[39]: http://www.w3.org/2011/06/07-xmlsec-minutes.html#action05
[40]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[41]: http://dev.w3.org/cvsweb/2002/scribe/