# XML Security Working Group Teleconference ## 24 Apr 2012 [Agenda][3] See also: [IRC log][4] ## Attendees Present Frederick_Hirsch, Hal_Lockhart, Gerald_Edgar, Pratik_Datta, Bruce_Rich, Ed_Simon Regrets Brian_LaMacchia, Scott_Cantor Chair Frederick_Hirsch Scribe fjh ## Contents * [Topics][5] 1. [Administrative][6] 2. [Minutes Approval][7] 3. [Draft XML Signature 1.1 and XML Encryption 1.1 interop test reports][8] 4. [XML Security Generic Hybrid Ciphers interop][9] 5. [XML Signature Properties interop][10] 6. [XML Security 2.0][11] 7. [Action Item review][12] 8. [PAG Status][13] 9. [Other business][14] 10. [Adjourn][15] * [Summary of Action Items][16] * * * Date: 24 April 2012 ScribeNick: fjh ### Administrative Please respond on public list with any interest in EXI canonicalization, see [http://lists.w3.org/Archives/Public/public-xmlsec/2012Apr/0005.html][17] (Taki) Ed Simon indicated interest in this topic and will respond to Taki ### Minutes Approval Approve minutes, 3 April 2012 [http://lists.w3.org/Archives/Public/public- xmlsec/2012Apr/att-0004/minutes-2012-04-03.html][18] Proposed RESOLUTION: Minutes from 3 April 2012 are approved. **RESOLUTION: Minutes from 3 April 2012 are approved.** ### Draft XML Signature 1.1 and XML Encryption 1.1 interop test reports I have updated the interop test reports for XML Signature 1.1 and XML Encryption 1.1: [http://lists.w3.org/Archives/Public/public- xmlsec/2012Apr/0006.html][19] (Frederick) also corrected Encryption interop test report for participants: XML Signature 1.1 Interop Test Report [http://www.w3.org/2008/xmlsec/Drafts/xmldsig- core1-interop/Overview.src.html][20] XML Encryption 1.1 Interop Test Report [http://www.w3.org/2008/xmlsec/Drafts/xmlenc- core1-interop/Overview.src.html][21] fjh: I have updated these interop test reports since last time to make them much clearer, remove non-testable material, and re-organized ... also fixed an issue with companies listed for xml encryption interop ... this should help make it clear what we need to do to move these specs forward toward REC, the red material has not been tested ... please review for correctness ... and also see if there are any tests that have been done but are not listed ... please indicate on the list if you are able to test any of the untested material, even if you think there is no second party ... as two may be concerned about the same item and not realize they could test together ... if there is anything else in these reports that can be removed please indicate on the list ... note that we need such reports to go to REC so I thought I'd put them in place now, to see where we are XML Signature 1.1, XML Encryption 1.1: Additional implementation information for untested features or specs? Future decision: remove features and revisit Last Call and CR? ### XML Security Generic Hybrid Ciphers interop [http://www.w3.org/TR/2011/CR-xmlsec-generic-hybrid-20110303/][22] fjh: likely that this spec will not progress beyond CR unless we are able to have 2 implementations for interop ### XML Signature Properties interop [http://www.w3.org/TR/2011/CR-xmldsig-properties-20110303/][23] Widget interop sufficient? [http://dev.w3.org/2006/waf/widgets-digsig/imp- report/][24] fjh: preliminary review - some but not all tested, tested SignatureProperties ... widget testing included Profile, Role, and Identifier, with 3 implementations ... not tested: Created, Expires, ReplayProtect ... likely outcome unless we implement and test is to remove Created, Expires, ReplayProtect **ACTION:** fjh to review CR features at risk for Signature Properties [recorded in [http://www.w3.org/2012/04/24-xmlsec- minutes.html#action01][25]] Created ACTION-884 - Review CR features at risk for Signature Properties [on Frederick Hirsch - due 2012-05-01]. fjh: if these were at risk we can simply remove them and progress the document ... please indicate any concerns or suggestions on the list, otherwise we are likely to pursue this path ... I believe this covers the 1.1 docs ... summary - signature 1.1 and encryption 1.1 have interop docs, additional work needed ... ghc probably won't progress, can progress properties after removing features noted as at risk ... can update notes when we move the docs forward (updates are already in place) ### XML Security 2.0 fjh: please review the 2.0 specs ### Action Item review ACTION-238? ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2012-01-31 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/238][26] ACTION-717? ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/717][27] ACTION-865? ACTION-865 -- Frederick Hirsch to contact parties re participation in interop for 2.0 -- due 2011-12-20 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/865][28] will send a ping on the xmlsec open source list, then close. ACTION-883? ACTION-883 -- Frederick Hirsch to review C14N 20 test cases document -- due 2012-04-10 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/883][29] following to close ACTION-880? ACTION-880 -- Pratik Datta to contact sean regarding signature 1.1 interop and whether x509 enhancements were implemented -- due 2012-04-10 -- PENDINGREVIEW [http://www.w3.org/2008/xmlsec/track/actions/880][30] I contacted sean as well no response to fjh or pratik yet ACTION-880 closed ACTION-880 Contact sean regarding signature 1.1 interop and whether x509 enhancements were implemented closed ACTION-881? ACTION-881 -- Frederick Hirsch to ask magnus re xml encryption 1.1 test cases document -- due 2012-04-10 -- PENDINGREVIEW [http://www.w3.org/2008/xmlsec/track/actions/881][31] ACTION-881 closed ACTION-881 Ask magnus re xml encryption 1.1 test cases document closed ACTION-882? ACTION-882 -- Frederick Hirsch to ask bruce rich about xml encryption 1.1 interop -- due 2012-04-10 -- PENDINGREVIEW [http://www.w3.org/2008/xmlsec/track/actions/882][32] ACTION-882 closed ACTION-882 Ask bruce rich about xml encryption 1.1 interop closed open issues ISSUE-91? ISSUE-91 -- ECC can't be REQUIRED -- open [http://www.w3.org/2008/xmlsec/track/issues/91][33] ISSUE-122? ISSUE-122 -- Explain peformance improvements and rationale, relationship to earlier work, document, benchmarks -- open [http://www.w3.org/2008/xmlsec/track/issues/122][34] ### PAG Status fjh: no new update, no meeting scheduled, was supposed to be scheduled two weeks ago but has been deferred ... would like to see completion before summer holidays, really would like to see conclusion this month ### Other business No meeting next week. Next meeting is 8 May. will cancel if no need for meeting, depending on list discussion and agenda topics fjh: plan to keep interop test cases document separate from interop test report The private keys and certs section of the testcase has some confusing text associated with the links. In particular, P521 test has a link that calls it P256 with SHA521 **ACTION:** pdatta to update test cases document and send email clarifying changes [recorded in [http://www.w3.org/2012/04/24-xmlsec- minutes.html#action02][35]] Created ACTION-885 - Update test cases document and send email clarifying changes [on Pratik Datta - due 2012-05-01]. ### Adjourn ## Summary of Action Items **[NEW]** **ACTION:** fjh to review CR features at risk for Signature Properties [recorded in [http://www.w3.org/2012/04/24-xmlsec- minutes.html#action01][25]] **[NEW]** **ACTION:** pdatta to update test cases document and send email clarifying changes [recorded in [http://www.w3.org/2012/04/24-xmlsec- minutes.html#action02][35]] [End of minutes] * * * Minutes formatted by David Booth's [scribe.perl][36] version 1.135 ([CVS log][37]) $Date: 2009-03-02 03:52:20 $ [1]: http://www.w3.org/Icons/w3c_home [2]: http://www.w3.org/ [3]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Apr/0007.html [4]: http://www.w3.org/2012/04/24-xmlsec-irc [5]: #agenda [6]: #item01 [7]: #item02 [8]: #item03 [9]: #item04 [10]: #item05 [11]: #item06 [12]: #item07 [13]: #item08 [14]: #item09 [15]: #item10 [16]: #ActionSummary [17]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Apr/0005.html [18]: http://lists.w3.org/Archives/Public/public- xmlsec/2012Apr/att-0004/minutes-2012-04-03.html [19]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Apr/0006.html [20]: http://www.w3.org/2008/xmlsec/Drafts/xmldsig- core1-interop/Overview.src.html [21]: http://www.w3.org/2008/xmlsec/Drafts/xmlenc- core1-interop/Overview.src.html [22]: http://www.w3.org/TR/2011/CR-xmlsec-generic-hybrid-20110303/ [23]: http://www.w3.org/TR/2011/CR-xmldsig-properties-20110303/ [24]: http://dev.w3.org/2006/waf/widgets-digsig/imp-report/ [25]: http://www.w3.org/2012/04/24-xmlsec-minutes.html#action01 [26]: http://www.w3.org/2008/xmlsec/track/actions/238 [27]: http://www.w3.org/2008/xmlsec/track/actions/717 [28]: http://www.w3.org/2008/xmlsec/track/actions/865 [29]: http://www.w3.org/2008/xmlsec/track/actions/883 [30]: http://www.w3.org/2008/xmlsec/track/actions/880 [31]: http://www.w3.org/2008/xmlsec/track/actions/881 [32]: http://www.w3.org/2008/xmlsec/track/actions/882 [33]: http://www.w3.org/2008/xmlsec/track/issues/91 [34]: http://www.w3.org/2008/xmlsec/track/issues/122 [35]: http://www.w3.org/2012/04/24-xmlsec-minutes.html#action02 [36]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [37]: http://dev.w3.org/cvsweb/2002/scribe/