# XML Security Working Group Teleconference

## 29 Nov 2011

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Frederick_Hirsch, Scott_Cantor, Gerald_Edgar, Hal_Lockhart, Ed_Simon, Bruce_Rich, Chris_Solc, Pratik_Datta
* Regrets: Thomas_Roessler
* Chair: Frederick_Hirsch
* Scribe: fjh

## Contents

* [Topics][5]
  1. [Administrative][6]
  2. [Minutes Approval][7]
  3. [XML Encryption 1.1][8]
  4. [Test cases and interop][9]
  5. [XML Security 2.0][10]
  6. [Action Items][11]
  7. [Issues][12]
  8. [AOB][13]
  9. [Adjourn][14]
* [Summary of Action Items][15]

* * *

Date: 29 November 2011

ScribeNick: fjh

### Administrative

Next call is 13 Dec

### Minutes Approval

Approve minutes, 8 November 2011

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0005/minutes-2011-11-08.html][16]

**RESOLUTION: Minutes from 8 November 2011 are approved.**

### XML Encryption 1.1

Changed AES128-GCM from Optional to REQUIRED, left AES-192-GCM as Optional, added warning, paper reference, new security consideration

* [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0006.html][17] (Frederick)
* Correction to URL for new rsa-oaep algorithm, see [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0008.html][18]
* Added algorithm to Security Algorithm Cross-Reference, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0009.html][19]

ECC added to OpenSSL, [http://www.imperialviolet.org/2011/11/22/forwardsecret.html][20] (Hal)

scantor: possible issue of companies choosing to ship

hal: RC4 might be an issue in that implementation?

scantor: red hat 6 does not support ECC, will be around some time

Pratik sent suggested mitigations to Juraj, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0012.html][21]

response from Juraj, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0013.html][22]

hal: rough summary, such countermeasures are broken
... note last sentence regarding WS-Policy, does this mean implementations don't necessarily enforce WS-Policy
...
extra encryption can open new attacks, which can be counter intuitive; another issue is that signature verification, decryption then authorization check order means that decryption can happen even when not authorized, since check happens too late

pdatta: need authentication tag otherwise all encryption modes are broken

hal: creating low level primitives for apps to use may be risky approach in general?

scantor: for SAML any reason not to take approach of signing over encryption?

hal: no, that seems still good

### Test cases and interop

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0018.html][23]

pdatta: working on interop related to encryption, could use help to create common set of use cases

brich: considering resourcing, no other steps at this point

pdatta: can bruce and brian and others please review possible scenarios for interop, to help reduce the number of possible combinations

### XML Security 2.0

The 2.0 specs have been stable and have completed Last Call in May, all comments have been resolved (need to confirm)

proposed RESOLUTION: Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month

**ACTION:** fjh to send CfC for resolution to Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month [recorded in [http://www.w3.org/2011/11/29-xmlsec-minutes.html#action01][24]]

Created ACTION-858 - Send CfC for resolution to Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month [on Frederick Hirsch - due 2011-12-06].

general sense on the call is to advance 2.0 to CR

**ACTION:** fjh to send CfC to move XML Encryption 1.1 CipherReference Processing using 2.0 Transforms to LC [recorded in [http://www.w3.org/2011/11/29-xmlsec-minutes.html#action02][25]]

Created ACTION-859 - Send CfC to move XML Encryption 1.1 CipherReference Processing using 2.0 Transforms to LC [on Frederick Hirsch - due 2011-12-06].
Both CfC run from now until 9 December

### Action Items

ACTION-238?

ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2011-09-30 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/238][26]

ACTION-717?

ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/717][27]

defer to later

ACTION-841?

ACTION-841 -- Pratik Datta to add link to canonical XML 2.0 samples into the spec -- due 2011-10-11 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/841][28]

in progress

**ACTION:** fjh to review ACTION-841 [recorded in [http://www.w3.org/2011/11/29-xmlsec-minutes.html#action03][29]]

Created ACTION-860 - Review ACTION-841 [on Frederick Hirsch - due 2011-12-06].

ACTION-847?

ACTION-847 -- Pratik Datta to propose update to 2.0 algorithm requirements to encourage authenticating mode -- due 2011-10-18 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/847][30]

need to create a link from the canonical xml 2.0 document to the canonical xml 2.0 testcases document

close ACTION-841

ACTION-841 Add link to canonical XML 2.0 samples into the spec closed

reopen ACTION-841

ACTION-841 Add link to canonical XML 2.0 samples into the spec re-opened

close ACTION-860

ACTION-860 Review ACTION-841 closed

pdatta: 2.0 does not include encryption

fjh: right, we should close this action

close ACTION-847

ACTION-847 Propose update to 2.0 algorithm requirements to encourage authenticating mode closed

ACTION-848?

ACTION-848 -- Bruce Rich to contact OASIS ebXML community regarding large data issue and GCM -- due 2011-10-25 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/848][31]

brich: have discussed internally, in progress, will talk to TC chair

ACTION-850?

ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/850][32]

ACTION-851?

ACTION-851 -- Pratik Datta to propose text regarding KeyLength and PBKDF2, assuming we do not change the schema -- due 2011-10-25 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/851][33]

pdatta: need to add text, in progress

ACTION-856?

ACTION-856 -- Brian LaMacchia to discuss with magnus possible encryption algorithms suitable for streaming -- due 2011-11-15 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/856][34]

ACTION-857?

ACTION-857 -- Pratik Datta to ask regarding risk of use of GCM without checking tag during processing -- due 2011-11-15 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/857][35]

answered in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0013.html][22]

ACTION-857 answered in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0013.html][22]

close ACTION-857

ACTION-857 Ask regarding risk of use of GCM without checking tag during processing closed

close ACTION-854

ACTION-854 Talk with thomas about encouraging implementation support for AES-GCM in existing algorithms closed

close ACTION-855

ACTION-855 Update XML Encryption 1.1 draft for AES-GCM mandatory to implement closed

### Issues

ISSUE-230?

ISSUE-230 -- CBC attack on XML Encryption, [http://www.nds.rub.de/research/publications/breaking-xml-encryption/][36] -- open
[http://www.w3.org/2008/xmlsec/track/issues/230][37]

changed algorithm requirements, so that should close issue

**ACTION:** fjh to send message re closing ISSUE-230 [recorded in [http://www.w3.org/2011/11/29-xmlsec-minutes.html#action04][38]]

Created ACTION-861 - Send message re closing ISSUE-230 [on Frederick Hirsch - due 2011-12-06].

ISSUE-229?

ISSUE-229 -- Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 -- open
[http://www.w3.org/2008/xmlsec/track/issues/229][39]

ISSUE-229: added algorithm to address this, rsa-oaep

ISSUE-229 Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 notes added

close ISSUE-229

ISSUE-229 Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 closed

ISSUE-227?

ISSUE-227 -- CR of XML Encryption 1.1 requires update to namespace refs, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0017.html][40] -- open
[http://www.w3.org/2008/xmlsec/track/issues/227][41]

ISSUE-122?

ISSUE-122 -- Explain performance improvements and rationale, relationship to earlier work, document, benchmarks -- open
[http://www.w3.org/2008/xmlsec/track/issues/122][42]

ISSUE-91?

ISSUE-91 -- ECC can't be REQUIRED -- open
[http://www.w3.org/2008/xmlsec/track/issues/91][43]

### AOB

none

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to review ACTION-841 [recorded in [http://www.w3.org/2011/11/29-xmlsec-minutes.html#action03][29]]

**[NEW]** **ACTION:** fjh to send CfC for resolution to Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month [recorded in [http://www.w3.org/2011/11/29-xmlsec-minutes.html#action01][24]]

**[NEW]** **ACTION:** fjh to send CfC to move XML Encryption 1.1 CipherReference Processing using 2.0 Transforms to LC [recorded in [http://www.w3.org/2011/11/29-xmlsec-minutes.html#action02][25]]

**[NEW]** **ACTION:** fjh to send message re closing ISSUE-230 [recorded in [http://www.w3.org/2011/11/29-xmlsec-minutes.html#action04][38]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][44] version 1.135 ([CVS log][45]) $Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0011.html
[4]: http://www.w3.org/2011/11/29-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #ActionSummary
[16]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0005/minutes-2011-11-08.html
[17]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0006.html
[18]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0008.html
[19]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0009.html
[20]: http://www.imperialviolet.org/2011/11/22/forwardsecret.html
[21]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0012.html
[22]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0013.html
[23]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0018.html
[24]: http://www.w3.org/2011/11/29-xmlsec-minutes.html#action01
[25]: http://www.w3.org/2011/11/29-xmlsec-minutes.html#action02
[26]: http://www.w3.org/2008/xmlsec/track/actions/238
[27]: http://www.w3.org/2008/xmlsec/track/actions/717
[28]: http://www.w3.org/2008/xmlsec/track/actions/841
[29]: http://www.w3.org/2011/11/29-xmlsec-minutes.html#action03
[30]: http://www.w3.org/2008/xmlsec/track/actions/847
[31]: http://www.w3.org/2008/xmlsec/track/actions/848
[32]: http://www.w3.org/2008/xmlsec/track/actions/850
[33]: http://www.w3.org/2008/xmlsec/track/actions/851
[34]: http://www.w3.org/2008/xmlsec/track/actions/856
[35]: http://www.w3.org/2008/xmlsec/track/actions/857
[36]: http://www.nds.rub.de/research/publications/breaking-xml-encryption/
[37]: http://www.w3.org/2008/xmlsec/track/issues/230
[38]: http://www.w3.org/2011/11/29-xmlsec-minutes.html#action04
[39]: http://www.w3.org/2008/xmlsec/track/issues/229
[40]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0017.html
[41]: http://www.w3.org/2008/xmlsec/track/issues/227
[42]: http://www.w3.org/2008/xmlsec/track/issues/122
[43]: http://www.w3.org/2008/xmlsec/track/issues/91
[44]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[45]: http://dev.w3.org/cvsweb/2002/scribe/