# XML Security Working Group Teleconference

## 28 Jun 2011

[Agenda][3]

See also: [IRC log][4]

## Attendees

Present: Bruce_Rich, Cynthia_Martin, Frederick_Hirsch, Gerald_Edgar, Magnus_Nystrom, Pratik_Datta, Scott_Cantor, Thomas_Roessler

Regrets: Meiko_Jensen, Shivaram_Mysore

Chair: Frederick_Hirsch

Scribe: tlr

## Contents

* [Topics][5]
  1. [agenda bashing][6]
  2. [minutes approval][7]
  3. [charter extension][8]
  4. [2.0 last call comments][9]
  5. [xml encryption and 2.0 transforms][10]
  6. [XML Encryption 1.0 Errata][11]
  7. [XML Encryption 1.1 editorial update][12]
  8. [testing and interop][13]
  9. [XML Signature Cert Order][14]
  10. [Interop][15]
  11. [Other Business][16]
  12. [Adjourn][17]
* [Summary of Action Items][18]

* * *

Date: 28 June 2011

Scribe: tlr

### agenda bashing

fjh: add item to discuss Marcos note about certificate ordering in 1.1 and item re possible additional XML Encryption discussion

### minutes approval

Approve minutes, 14 June 2011 [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/att-0038/minutes-2011-06-14.html][19]

**RESOLUTION: 14 June minutes approved**

### charter extension

tlr: done, [http://www.w3.org/2008/02/xmlsec-charter.html][20]

### 2.0 last call comments

C14N2 LC-2484 and LC-2486 closed, drafts updated

fjh: two last call comments taken care of

XML Signature, LC-2487 (example correction) [http://www.w3.org/2006/02/lc-comments-tracker/42458/WD-xmldsig-core2-20110421/2487][21]

LC-2488, XML Signature comments from XML Core [http://www.w3.org/2006/02/lc-comments-tracker/42458/WD-xmldsig-core2-20110421/2488][22]

fjh: pratik, review of XML Core comments?
pratik: not yet

LC-2489 comments on XPath Profile [http://www.w3.org/2006/02/lc-comments-tracker/42458/WD-xmldsig-xpath-20110421/2489][23]

fjh: response about xpath profile; XML Core is looking at response from Pratik

### xml encryption and 2.0 transforms

fjh: discussion of 2.0 transform model

Call for Consensus to publish FPWD sent: [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0036.html][24]

Summary of rationale for approaches, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0037.html][25] (Frederick)

proposed RESOLUTION: publish FPWD of "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" based on draft found at [http://www.w3.org/2008/xmlsec/Drafts/xmlenc-transforms20/Overview.html][26]

fjh: had discussed various possibilities of how to do FPWD
... suggest putting material out for review,
... should make review easier
... decide on calling it 2.0 later
... good reasons either way
... strong opinions?

pratik: so we're keeping the documents separate?

fjh: still have 1.1, so can't finesse the issue (?)

pratik: ok, agree with publishing FPWD

**RESOLUTION: publish FPWD of "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" based on draft found at**

**ACTION:** fjh to prepare XML Enc 2.0 transforms for publication [recorded in [http://www.w3.org/2011/06/28-xmlsec-minutes.html#action01][27]]

Created ACTION-812 - Prepare XML Enc 2.0 transforms for publication [on Frederick Hirsch - due 2011-07-05].
### XML Encryption 1.0 Errata

XML Encryption Recommendation (2002) Errata proposal, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0047.html][28]

fjh: minor item for XML Enc

**ACTION:** thomas to update errata for XML Enc 1.1 with [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0047.html][28] [recorded in [http://www.w3.org/2011/06/28-xmlsec-minutes.html#action02][29]]

Created ACTION-813 - Update errata for XML Enc 1.1 with [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0047.html][28] [on Thomas Roessler - due 2011-07-05].

ACTION-813: not 1.1, but 1.0

ACTION-813 Update errata for XML Enc 1.1 with [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0047.html][28] notes added

### XML Encryption 1.1 editorial update

XML Encryption 1.1 correction (CR draft) namespaces [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0017.htm][30] [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0017.html][31]

editorial correction

**ACTION:** magnus to make namespace ("&xenc;") related edits in XML Encryption 1.1 [recorded in [http://www.w3.org/2011/06/28-xmlsec-minutes.html#action03][32]]

Created ACTION-814 - Make namespace ("&xenc;") related edits in XML Encryption 1.1 [on Magnus Nystrom - due 2011-07-05].

ACTION-814: see [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0017.html][31]

ACTION-814 Make namespace ("&xenc;") related edits in XML Encryption 1.1 notes added

### testing and interop

cynthia: haven't yet done the promised wiki update ACTION-699?
ACTION-699 -- Cynthia Martin to update interop wiki with suite B organization -- due 2010-11-08 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/699][33]

ACTION-779: Gerald Edgar to Review test cases for 1.1 and summarize which are missing

ACTION-779 Review test cases for 1.1 and summarize which are missing notes added

ACTION-793: Gerald Edgar to Review 1.1 interop to determine which gaps we have in 1.1 testing itself

ACTION-793 Review 1.1 interop to determine which gaps we have in 1.1 testing itself notes added

Update to C14N 2.0 test cases [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0043.html][34]

fjh: pratik... 2.0 test cases?

pratik: put in C14N 1.0 test cases and all that
... working on prefixes in xpath
... 1.0 test cases normative?

tlr: that'd be news

pratik: examples section in 1.1 [http://www.w3.org/TR/xml-c14n11/][35] Section 3

please review test cases document [http://www.w3.org/2008/xmlsec/Drafts/c14n-20/test-cases/][36]

### XML Signature Cert Order

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0054.html][37]

fjh: marcos' comment, received in CR
... suggests adding note to Signature spec to practice regarding order of certs

tlr: wait - this is about widget signatures? why can't it be handled in the profile?

marcos suggesting best practice, scott notes this might need to be in best practices document

scott: lots of people like to assume ordering

tlr: so, best practice + addition to their profile?

proposed response - not to update signature core spec as it does not specify such details, consider adding note to our best practices doc, widget signature can as a profile add normative requirements or provide further advice

**ACTION:** fjh to respond to marcos re cert order [recorded in [http://www.w3.org/2011/06/28-xmlsec-minutes.html#action04][38]]

Created ACTION-815 - Respond to marcos re cert order [on Frederick Hirsch - due 2011-07-05].
### Interop

No progress, fjh to send follow up msg, include gerald

### Other Business

Discussion of possible issues related to XML Encryption and whether a 2.0 will be desired.

Reminder that section 6.6, "Error Messages" provides useful advice:

Implementations should not provide detailed error responses related to security algorithm processing. Error messages should be limited to a generic error message to avoid providing information to a potential attacker related to the specifics of the algorithm implementation. For example, if an error occurs in decryption processing the error response should be a generic message providing no specifics on the details of the processing error.

question - should GCM be mandatory to implement in XML Encryption 1.1 (currently optional).

optional AES128-GCM [http://www.w3.org/2009/xmlenc11#aes128-gcm][39]

For 2.0 if we have it, consider separation of algorithms into a separate document

tlr to share summary of today's discussion off-list

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to prepare XML Enc 2.0 transforms for publication [recorded in [http://www.w3.org/2011/06/28-xmlsec-minutes.html#action01][27]]

**[NEW]** **ACTION:** fjh to respond to marcos re cert order [recorded in [http://www.w3.org/2011/06/28-xmlsec-minutes.html#action04][38]]

**[NEW]** **ACTION:** magnus to make namespace ("&xenc;") related edits in XML Encryption 1.1 [recorded in [http://www.w3.org/2011/06/28-xmlsec-minutes.html#action03][32]]

**[NEW]** **ACTION:** thomas to update errata for XML Enc 1.1 with [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0047.html][28] [recorded in [http://www.w3.org/2011/06/28-xmlsec-minutes.html#action02][29]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][40] version 1.135 ([CVS log][41])
$Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0052.html
[4]: http://www.w3.org/2011/06/28-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #item10
[16]: #item11
[17]: #item12
[18]: #ActionSummary
[19]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/att-0038/minutes-2011-06-14.html
[20]: http://www.w3.org/2008/02/xmlsec-charter.html
[21]: http://www.w3.org/2006/02/lc-comments-tracker/42458/WD-xmldsig-core2-20110421/2487
[22]: http://www.w3.org/2006/02/lc-comments-tracker/42458/WD-xmldsig-core2-20110421/2488
[23]: http://www.w3.org/2006/02/lc-comments-tracker/42458/WD-xmldsig-xpath-20110421/2489
[24]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0036.html
[25]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0037.html
[26]: http://www.w3.org/2008/xmlsec/Drafts/xmlenc-transforms20/Overview.html
[27]: http://www.w3.org/2011/06/28-xmlsec-minutes.html#action01
[28]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0047.html
[29]: http://www.w3.org/2011/06/28-xmlsec-minutes.html#action02
[30]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0017.htm
[31]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0017.html
[32]: http://www.w3.org/2011/06/28-xmlsec-minutes.html#action03
[33]: http://www.w3.org/2008/xmlsec/track/actions/699
[34]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0043.html
[35]: http://www.w3.org/TR/xml-c14n11/
[36]: http://www.w3.org/2008/xmlsec/Drafts/c14n-20/test-cases/
[37]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0054.html
[38]: http://www.w3.org/2011/06/28-xmlsec-minutes.html#action04
[39]: http://www.w3.org/2009/xmlenc11#aes128-gcm
[40]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[41]: http://dev.w3.org/cvsweb/2002/scribe/
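Added illustration of the section 6.6 "Error Messages" guidance that the minutes recall under Other Business. This is not part of the minutes and is not code from the XML Encryption specification or from any W3C or vendor implementation. The cipher construction (a SHA-256 counter keystream with an HMAC-SHA256 tag), the padding scheme, the sample inputs and every function and exception name are assumptions made for the illustration only and do not represent XML Encryption's actual algorithms. `decrypt_verbose` shows the pattern the guidance warns against, where the caller learns which processing step failed; `decrypt` keeps those details in the server-side log and returns one generic error for every failure.

```python
import hashlib
import hmac
import logging
import secrets

BLOCK = 16      # padding block size (assumed, CBC-style padding)
TAG_LEN = 32    # HMAC-SHA256 tag length
log = logging.getLogger("xmlenc-demo")   # hypothetical server-side log


# Internal failure classes: useful in server-side logs, never shown to a caller.
class MalformedInput(Exception):
    pass


class IntegrityFailure(Exception):
    pass


class PaddingError(Exception):
    pass


class DecryptionError(Exception):
    """The single, generic error a caller ever sees (section 6.6 style)."""


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Hypothetical hash-counter keystream standing in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid pad byte 0x%02x" % n)
    return data[:-n]


def _seal(key: bytes, iv: bytes, padded: bytes) -> bytes:
    # Encrypt-then-MAC: iv || ciphertext || HMAC(key, iv || ciphertext).
    ct = _xor(padded, _keystream(key, iv, len(padded)))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return _seal(key, secrets.token_bytes(BLOCK), _pad(plaintext))


def _decrypt_internal(key: bytes, blob: bytes) -> bytes:
    # Each processing step raises a distinct, descriptive internal exception.
    if len(blob) < BLOCK + TAG_LEN or (len(blob) - BLOCK - TAG_LEN) % BLOCK:
        raise MalformedInput("unexpected length %d" % len(blob))
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityFailure("authentication tag mismatch")
    return _unpad(_xor(ct, _keystream(key, iv, len(ct))))


def decrypt_verbose(key: bytes, blob: bytes):
    """The pattern section 6.6 warns against: the response names the failed step."""
    try:
        return _decrypt_internal(key, blob)
    except (MalformedInput, IntegrityFailure, PaddingError) as exc:
        return "error: %s: %s" % (type(exc).__name__, exc)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Section 6.6 style: details go to the log, the caller gets one generic error."""
    try:
        return _decrypt_internal(key, blob)
    except (MalformedInput, IntegrityFailure, PaddingError) as exc:
        log.warning("decryption failed: %s: %s", type(exc).__name__, exc)
        raise DecryptionError("decryption failed") from None


def error_messages(key: bytes, blobs) -> set:
    """Distinct error strings a caller of decrypt() can observe for the inputs."""
    seen = set()
    for blob in blobs:
        try:
            decrypt(key, blob)
        except DecryptionError as exc:
            seen.add(str(exc))
    return seen


def sample_failures(key: bytes):
    # Constructed inputs, one per internal failure class: a tampered tag, a
    # truncated message, and an authenticated but mis-padded message (buildable
    # only by someone holding the key, e.g. a buggy sender).
    good = encrypt(key, b"<secret/>")
    bad_tag = good[:-1] + bytes([good[-1] ^ 0x01])
    truncated = good[:5]
    mispadded = _seal(key, good[:BLOCK], b"A" * BLOCK)   # last byte 0x41 > BLOCK
    return good, [bad_tag, truncated, mispadded]
```

Run `sample_failures(key)` to obtain one valid message and three failing ones; `error_messages(key, failures)` yields a single string for all three, whereas `decrypt_verbose` returns three different responses that reveal which processing step rejected the input, which is exactly the detail section 6.6 says a response should not carry.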