# XML Security Working Group Teleconference

## 28 Aug 2012

[Agenda][3]

See also: [IRC log][4]

## Attendees

**Present**
Frederick_Hirsch, Thomas_Roessler, Scott_Cantor, Gerald_Edgar, Bruce_Rich, Pratik_Datta

**Regrets**

**Chair**
Frederick_Hirsch

**Scribe**
fjh

## Contents

* [Topics][5]
  1. [Administrivia: Agenda review, Liaisons, Announcements][6]
  2. [Minutes Approval][7]
  3. [PAG Update][8]
  4. [XML Encryption RSA v1.5][9]
  5. [XML Signature key size proposal (ISSUE-233, ACTION-899)][10]
  6. [XML Encryption NIST SP800-56A][11]
  7. [Roadmap][12]
  8. [Actions][13]
  9. [Pending Actions][14]
  10. [Other Business][15]
  11. [Adjourn][16]
* [Summary of Action Items][17]

* * *

Date: 28 August 2012

ScribeNick: fjh

### Administrivia: Agenda review, Liaisons, Announcements

fjh: no announcements

### Minutes Approval

Approve minutes, 21 August 2012 [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/att-0027/minutes-2012-08-21.html][18]

**RESOLUTION: Minutes from 21 August 2012 are approved**

### PAG Update

tlr: should have more clarity on PAG later this week. There was some Team concern regarding the strength of the language wording.

... members of the WG who have legal participation in the PAG are welcome to discuss this offline in order to obtain resolution

### XML Encryption RSA v1.5

CfC to change RSA 1.5 from Required to Optional completed with support for change: [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0019.html][19]

**RESOLUTION: The XML Security WG agrees to change RSA 1.5 from Required to Optional in XML Encryption 1.1**

**ACTION:** fjh to edit XML Encryption 1.1 to change RSA 1.5 from Required to Optional [recorded in [http://www.w3.org/2012/08/28-xmlsec-minutes.html#action01][20]]

Created ACTION-905 - Edit XML Encryption 1.1 to change RSA 1.5 from Required to Optional [on Frederick Hirsch - due 2012-09-04].
### XML Signature key size proposal (ISSUE-233, ACTION-899)

Proposal: [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0028.html][21]

scantor: looked ok to me

**RESOLUTION: The changes related to DSA and RSA key length advice and the update to SP800-57 Part 1 as proposed in [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0028.html][21] are adopted by the WG**

**ACTION:** fjh to update XML Signature for key size language changes [recorded in [http://www.w3.org/2012/08/28-xmlsec-minutes.html#action02][22]]

Created ACTION-906 - Update XML Signature for key size language changes [on Frederick Hirsch - due 2012-09-04].

### XML Encryption NIST SP800-56A

proposed RESOLUTION: The WG agrees to update the SP800-56A reference in XML Encryption 1.1 as proposed in [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0029.html][23]

**RESOLUTION: The WG agrees to update the SP800-56A reference in XML Encryption 1.1 as proposed in [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0029.html][23]**

**ACTION:** fjh to update xml enc reference for SP800-56A [recorded in [http://www.w3.org/2012/08/28-xmlsec-minutes.html#action03][24]]

Created ACTION-907 - Update xml enc reference for SP800-56A [on Frederick Hirsch - due 2012-09-04].

### Roadmap

Extend to mid-Sept plans for removal of items with interop progressing.

Items planned to be removed from XML Signature 1.1: OCSPResponse, X509Digest; DEREncodedKeyValue, KeyInfoReference

ACTION-892?

ACTION-892 -- Pratik Datta to check on adding KeyInfoReference -- due 2012-07-31 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/892][25]

ACTION-902?
ACTION-902 -- Scott Cantor to check whether he can resource an additional implementer (Brent) to complete implementation and interop of XML Signature 1.1 X509Digest; DEREncodedKeyValue, KeyInfoReference, to eliminate issue of same author and to obtain two implementations for these -- due 2012-08-28 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/902][26]

ACTION-897?

ACTION-897 -- Thomas Roessler to confirm whether two implementations from one author are ok for DEREncodedKeyValue and KeyInfoReference specifically -- due 2012-08-21 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/897][27]

fjh: question a - do we need interop for xml schema placeholders like OCSPResponse, where the semantics and details are defined externally; question b can one person provide two implementations if so; question c can we obtain additional interop participation

proposal here [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0030.html][28]

scott response here [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0031.html][29]

scantor: we can follow w3c policy but not sure we need interop for item like OCSPResponse

fjh: A similar case is the X509SKI element also noted in the X509Data list in XML Signature 1.0

tlr: what behaviours do we expect from an implementation of XML Signature 1.1, is there a must understand or must ignore model? Does conveyance work cleanly?

... second, do people agree that for OCSPResponse, do all understand the encoding, is it consistent

... want to have encoding, decoding test

fjh: it is base64 in the text

tlr: do not need a full infrastructure

scantor: agree that some syntax testing is possible for a given key or certificate but no need to actually do the verification of a signature

tlr: is it possible to create a test case for this

scantor: can create test vectors but do not want to waste time

... was waiting to see if Java implementation could be used, but won't do that if not acceptable

... looking for another developer to see if he can do this

... KeyInfoReference needed since RetrievalMethod is broken, a fix to the spec

... X509Digest is needed since X509IssuerSerial is broken, a fix to the spec

... we have a question of timing

... can we defer some

... open content model for some items

fjh: cannot expect wg to be around indefinitely

tlr: would like to have two implementations

... would be preferable to have two implementations, if one, change namespaces and put into WG NOTE

... this is not ideal

fjh: do not like this

... cannot we get two implementations? Pratik is working on this?

pratik: working on KeyInfoReference

... might be possible to do the other ones, such as X509Digest

tlr: an experimental implementation is fine

scantor: should know when Brent will be able to do more next week, probably end of Sept to complete, but this might change

... DEREncoded is fully implemented

... X509Digest is implemented syntactically

... KeyInfoReference is implemented as part of a SAML metadata key lookup module

pdatta: will look at these three, will let you know if we can do them next week, am optimistic about it

if Prateek can gen a test vector with two KeyInfo elements in a signed object, I can turn that into a test I can run against

fjh: this would leave us with all items in XML Signature done except for OCSPResponse

Items planned to be removed from XML Encryption 1.1: AES-128/192/256-pad Symmetric Key Wrap, Key Agreement (ECDH, DH)

fjh: Magnus and pratik are working on interop for key agreement

... plan to remove AES-128/192/256-pad Symmetric Key Wrap

proposal is here, will add that identifiers are 'reserved' - [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0032.html][30]

I have to sign off...
**RESOLUTION: the proposal to move the AES Key Wrap with Padding algorithm material to an informative appendix, as outlined in [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0032.html][30] is accepted by the XML Security WG.**

**ACTION:** fjh to update XML Encryption 1.1 to move AES Key Wrap with Padding algorithm material to an informative appendix [recorded in [http://www.w3.org/2012/08/28-xmlsec-minutes.html#action04][31]]

Created ACTION-908 - Update XML Encryption 1.1 to move AES Key Wrap with Padding algorithm material to an informative appendix [on Frederick Hirsch - due 2012-09-04].

fjh: Formatting issue for schema/examples in XML Signature 1.1 introduced with ReSpec v3 change, not a ReSpec issue but change due to formatting in conjunction with source validation fixes

... working on this

### Actions

ACTION-238?

ACTION-238 -- Thomas Roessler to draft proposal to add identifiers for ECDSA-RIPEMD, RSA-WHIRLPOOL, ECDSA-WHIRLPOOL to XML Security Algorithms Cross-Reference (follow up to ACTION-222) -- due 2012-09-30 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/238][32]

fjh: donald is working on RFC

tlr: this could take a long time, not sure who the customer is for it

fjh: this is not relevant for progressing XML Signature 1.1 and XML Encryption 1.1, do not want to delay them or corresponding Algorithms note publication

general agreement to close this action with no further work

ACTION-238 closed

ACTION-238 Draft proposal to add identifiers for ECDSA-RIPEMD, RSA-WHIRLPOOL, ECDSA-WHIRLPOOL to XML Security Algorithms Cross-Reference (follow up to ACTION-222) closed

I'll try and post some test vectors for the other two KeyInfo cases

ACTION-717?
ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/717][33]

ACTION-717: not needed unless 2.0 is progressed, will defer this work and open action as needed

ACTION-717 Document the Performance improvements with 2.0 notes added

ACTION-717 closed

ACTION-717 Document the Performance improvements with 2.0 closed

ACTION-883?

ACTION-883 -- Frederick Hirsch to review C14N 20 test cases document -- due 2012-04-10 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/883][34]

ACTION-892?

ACTION-892 -- Pratik Datta to check on adding KeyInfoReference -- due 2012-07-31 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/892][25]

in progress

ACTION-897?

ACTION-897 -- Thomas Roessler to confirm whether two implementations from one author are ok for DEREncodedKeyValue and KeyInfoReference specifically -- due 2012-08-21 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/897][27]

fjh: tlr has confirmed that two implementations from one author are not acceptable

ACTION-897: tlr has confirmed that two implementations from one author are not acceptable

ACTION-897 Confirm whether two implementations from one author are ok for DEREncodedKeyValue and KeyInfoReference specifically notes added

ACTION-897 closed

ACTION-897 Confirm whether two implementations from one author are ok for DEREncodedKeyValue and KeyInfoReference specifically closed

ACTION-902?

ACTION-902 -- Scott Cantor to check whether he can resource an additional implementer (Brent) to complete implementation and interop of XML Signature 1.1 X509Digest; DEREncodedKeyValue, KeyInfoReference, to eliminate issue of same author and to obtain two implementations for these -- due 2012-08-28 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/902][26]

fjh: in progress

ACTION-903?
ACTION-903 -- Pratik Datta to look into creating KeyInfoReference implementation and interop with Scott -- due 2012-08-28 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/903][35]

fjh: this and ACTION-892 are duplicates

ACTION-892: duplicates ACTION-903, see ACTION-903

ACTION-892 Check on adding KeyInfoReference notes added

ACTION-892 closed

ACTION-892 Check on adding KeyInfoReference closed

ACTION-904?

ACTION-904 -- Frederick Hirsch to follow up to fix formatting of schema/code due to ReSpec update -- due 2012-08-28 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/904][36]

fjh: working on this

### Pending Actions

ACTION-899: Frederick Hirsch to Review and propose changes related to 2010 wording

ACTION-900: Pratik Datta to Contact Magnus regarding key agreement test cases and interop

ACTION-901: Frederick Hirsch to Send message to list regarding OCSPResponse and AES-128/192/256-pad Symmetric Key Wrap

fjh: will close pending actions after meeting

### Other Business

fjh: tlr, how will WG know of status of PAG later this week

tlr: message will be sent on PAG list

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to edit XML Encryption 1.1 to change RSA 1.5 from Required to Optional [recorded in [http://www.w3.org/2012/08/28-xmlsec-minutes.html#action01][20]]

**[NEW]** **ACTION:** fjh to update xml enc reference for SP800-56A [recorded in [http://www.w3.org/2012/08/28-xmlsec-minutes.html#action03][24]]

**[NEW]** **ACTION:** fjh to update XML Encryption 1.1 to move AES Key Wrap with Padding algorithm material to an informative appendix [recorded in [http://www.w3.org/2012/08/28-xmlsec-minutes.html#action04][31]]

**[NEW]** **ACTION:** fjh to update XML Signature for key size language changes [recorded in [http://www.w3.org/2012/08/28-xmlsec-minutes.html#action02][22]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][37] version 1.135 ([CVS log][38])
$Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0033.html
[4]: http://www.w3.org/2012/08/28-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #item10
[16]: #item11
[17]: #ActionSummary
[18]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/att-0027/minutes-2012-08-21.html
[19]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0019.html
[20]: http://www.w3.org/2012/08/28-xmlsec-minutes.html#action01
[21]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0028.html
[22]: http://www.w3.org/2012/08/28-xmlsec-minutes.html#action02
[23]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0029.html
[24]: http://www.w3.org/2012/08/28-xmlsec-minutes.html#action03
[25]: http://www.w3.org/2008/xmlsec/track/actions/892
[26]: http://www.w3.org/2008/xmlsec/track/actions/902
[27]: http://www.w3.org/2008/xmlsec/track/actions/897
[28]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0030.html
[29]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0031.html
[30]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0032.html
[31]: http://www.w3.org/2012/08/28-xmlsec-minutes.html#action04
[32]: http://www.w3.org/2008/xmlsec/track/actions/238
[33]: http://www.w3.org/2008/xmlsec/track/actions/717
[34]: http://www.w3.org/2008/xmlsec/track/actions/883
[35]: http://www.w3.org/2008/xmlsec/track/actions/903
[36]: http://www.w3.org/2008/xmlsec/track/actions/904
[37]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[38]: http://dev.w3.org/cvsweb/2002/scribe/