# XML Security Working Group Teleconference

## 21 Feb 2012

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Frederick_Hirsch, Scott_Cantor, Gerald_Edgar, Pratik_Datta, Bruce_Rich, Hal_Lockhart
* Regrets:
* Chair: Frederick_Hirsch
* Scribe: fjh

## Contents

* [Topics][5]
  1. [Administrative][6]
  2. [Minutes Approval][7]
  3. [Additional CR transitions][8]
  4. [Interop][9]
  5. [Other business][10]
  6. [Adjourn][11]
* [Summary of Action Items][12]

* * *

Date: 21 February 2012

ScribeNick: fjh

### Administrative

No announcements.

PAG continues with an additional meeting this Friday.

### Minutes Approval

Approve minutes, 24 January 2012

[http://lists.w3.org/Archives/Public/public-xmlsec/2012Jan/att-0025/minutes-2012-01-24.html][13]

**RESOLUTION: Minutes from 24 January 2012 are approved**

### Additional CR transitions

"XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" has finished Last Call with no comments.

proposed RESOLUTION: Publish "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" as CR on 28 February (or later if necessary) with CR ending no earlier than 30 days after (i.e. 15 April 2012), no features at risk, and exit criteria of at least two interoperable implementations.

proposed RESOLUTION: Publish "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" as CR on 8 March 2012 with CR ending no earlier than 30 days after (i.e. 20 April 2012), no features at risk, and exit criteria of at least two interoperable implementations.

**RESOLUTION: Publish "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" as CR on 8 March 2012 with CR ending no earlier than 30 days after (i.e. 20 April 2012), no features at risk, and exit criteria of at least two interoperable implementations.**

Also completed Last Call of XML Encryption 1.1 with no comments other than a minor editorial typo fix

fjh: should we move XML Encryption 1.1 forward to CR or do we need to make additional changes related to algorithms

scantor: I am not planning to implement GCM and there isn't general support in toolkits

fjh: concern with security risk

scantor: could specify as a separate document

... concern that JSON will diverge, not having GCM as mandatory to implement algorithm, but alternative

fjh: adding a non GCM MAC+CBC algorithm could be as a separate document, if non-normative, [http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0009.html][14]

**ACTION:** scantor to check with John Bradley re JSON plans re MAC+CBC [recorded in [http://www.w3.org/2012/02/21-xmlsec-minutes.html#action01][15]]

Created ACTION-870 - Check with John Bradley re JSON plans re MAC+CBC [on Scott Cantor - due 2012-02-28].

scantor: adoption is probably important, may wish to check whether we have algorithms in XML Encryption that are compatible with JSON work

fjh: Given the need for the PAG to conclude as well as the need to complete interop on existing material, there does not seem to be a reason we cannot add an item to XML Encryption and have another Last Call

... possible concern if it is mandatory, optional should not be a problem

**ACTION:** fjh to check with Microsoft regarding plans for JSON [recorded in [http://www.w3.org/2012/02/21-xmlsec-minutes.html#action02][16]]

Created ACTION-871 - Check with Microsoft regarding plans for JSON [on Frederick Hirsch - due 2012-02-28].

fjh: defer processing of "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" CR until we resolve plans for XML Encryption 1.1, so we can do both together

pdatta: better to put in spec now

fjh: +1

... more confusing to have separate document

### Interop

[http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0015.html][17]

pdatta: Oracle has not completed Key Derivation interop since were planning to do as part of XML Encryption 1.1

brich: IBM has completed interop for Key Derivation

... could contribute 1.1 test vectors but this would be pending PAG status

**ACTION:** gerald-e to update interop status tables to reflect additional tests that need to be added [recorded in [http://www.w3.org/2012/02/21-xmlsec-minutes.html#action03][18]]

Sorry, couldn't find user - gerald-e

ACTION-872?

ACTION-872 -- Gerald Edgar to update interop status tables to reflect additional tests that need to be added -- due 2012-02-28 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/872][19]

ACTION-862?

ACTION-862 -- Hal Lockhart to review FIPS and RSA-OAEP question in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html][20] -- due 2011-12-20 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/862][21]

ACTION-862: [http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0000.html][22]

ACTION-862 Review FIPS and RSA-OAEP question in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html][20] notes added

ACTION-862 closed

ACTION-862 Review FIPS and RSA-OAEP question in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html][20] closed

hal: summary is that ok [http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0002.html][23]

ACTION-865?

ACTION-865 -- Frederick Hirsch to contact parties re participation in interop for 2.0 -- due 2011-12-20 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/865][24]

fjh: I can use help with this

ACTION-866?

ACTION-866 -- Scott Cantor to review XML Encryption 1.1 for schema and text description consistency and clarity -- due 2012-01-24 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/866][25]

ACTION-867?

ACTION-867 -- Frederick Hirsch to review XML Encryption 1.1 for schema and text description consistency and clarity -- due 2012-01-24 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/867][26]

action-868 closed

ACTION-868 Raise RFC 6476 with magnus closed

action-869 closed

ACTION-869 Contact Brian/Magnus re 1.1 interop closed

### Other business

**RESOLUTION: Teleconference on 20 March cancelled.**

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to check with Microsoft regarding plans for JSON [recorded in [http://www.w3.org/2012/02/21-xmlsec-minutes.html#action02][16]]

**[NEW]** **ACTION:** gerald-e to update interop status tables to reflect additional tests that need to be added [recorded in [http://www.w3.org/2012/02/21-xmlsec-minutes.html#action03][18]]

**[NEW]** **ACTION:** scantor to check with John Bradley re JSON plans re MAC+CBC [recorded in [http://www.w3.org/2012/02/21-xmlsec-minutes.html#action01][15]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][27] version 1.135 ([CVS log][28])

$Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0016.html
[4]: http://www.w3.org/2012/02/21-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #ActionSummary
[13]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Jan/att-0025/minutes-2012-01-24.html
[14]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0009.html
[15]: http://www.w3.org/2012/02/21-xmlsec-minutes.html#action01
[16]: http://www.w3.org/2012/02/21-xmlsec-minutes.html#action02
[17]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0015.html
[18]: http://www.w3.org/2012/02/21-xmlsec-minutes.html#action03
[19]: http://www.w3.org/2008/xmlsec/track/actions/872
[20]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html
[21]: http://www.w3.org/2008/xmlsec/track/actions/862
[22]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0000.html
[23]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0002.html
[24]: http://www.w3.org/2008/xmlsec/track/actions/865
[25]: http://www.w3.org/2008/xmlsec/track/actions/866
[26]: http://www.w3.org/2008/xmlsec/track/actions/867
[27]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[28]: http://dev.w3.org/cvsweb/2002/scribe/