# XML Security Working Group Teleconference

## 28 Feb 2012

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Frederick_Hirsch, Chris_Solc, Scott_Cantor, Gerald_Edgar, Hal_Lockhart, Pratik_Datta, Ed_Simon
* Regrets:
* Chair: Frederick_Hirsch
* Scribe: fjh

## Contents

* [Topics][5]
  1. [Administrative][6]
  2. [Minutes Approval][7]
  3. [JSON and XML Security][8]
  4. [CR Transitions][9]
  5. [EXI and Canonical XML 2.0][10]
  6. [Interop][11]
  7. [Action review][12]
  8. [Pending Actions][13]
  9. [Other Business][14]
  10. [Adjourn][15]
* [Summary of Action Items][16]

* * *

Date: 28 February 2012

ScribeNick: fjh

### Administrative

**RESOLUTION: Cancel teleconference on 20 March 2012**

also

**RESOLUTION: Cancel teleconference on 17 April 2012**

also

**RESOLUTION: Cancel teleconference on 1 May 2012**

### Minutes Approval

Approve minutes, 21 February 2012

[http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/att-0017/minutes-2012-02-21.html][17]

**RESOLUTION: Minutes from 21 February 2012 are approved**

### JSON and XML Security

[http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0018.html][18]

fjh: we will leave convergence to JSON community due to difference in schedules and development, any concern?

scantor: no

... noted some concerns with JSON encryption approach, making it not necessarily appropriate for XML Encryption

... e.g. use of long term keys

... interested in RFC approach is layering, evaluate HMAC separately from signature, enabling use of OpenSSL API

hal: agree we need do nothing with this in XML Security WG, could see GCM wider use in future

...
we probably put too much flexibility into security technologies. I think it is possible the future of secure protocols will be to routinely confidentiality and integrity protect everything using GCM or the like and not try to encrypt this and sign that and so forth. Performance seems no longer to be an issue and the experiences of XML security and WSS have shown us that flexibility in such matters is very dangerous. Looking back at something like TLS there is a lot more going on under the surface than meets the eye.

### CR Transitions

Transition two documents to CR with publication on 13 March with CR ending no earlier than 20 April 2012

proposed RESOLUTION: Publish "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" as CR on 13 March 2012 with CR ending no earlier than 20 April 2012, with no features at risk, and exit criteria of at least two interoperable implementations.

proposed RESOLUTION: Publish "XML Encryption 1.1" as CR on 13 March 2012 with CR ending no earlier than 20 April 2012, with no features at risk, and exit criteria of at least two interoperable implementations.

**RESOLUTION: Publish "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" as CR on 13 March 2012 with CR ending no earlier than 20 April 2012, with no features at risk, and exit criteria of at least two interoperable implementations.**

also

**RESOLUTION: Publish "XML Encryption 1.1" as CR on 13 March 2012 with CR ending no earlier than 20 April 2012, with no features at risk, and exit criteria of at least two interoperable implementations.**

**ACTION:** fjh to prepare XML Encryption 1.1 and CipherReference Processing drafts for CR publication, make transition request etc [recorded in [http://www.w3.org/2012/02/28-xmlsec-minutes.html#action01][19]]

Created ACTION-873 - Prepare XML Encryption 1.1 and CipherReference Processing drafts for CR publication, make transition request etc [on Frederick Hirsch - due 2012-03-06].
### EXI and Canonical XML 2.0

Request for review and comment on EXI Signature WIKI: [https://www.w3.org/XML/Group/EXI/wiki/EXISignature][20]

Brought Canonical XML 2.0 to their attention: [http://www.w3.org/TR/2012/CR-xml-c14n2-20120124/][21]

fjh: Review comments on the EXI wiki would be welcome, if you can do so please share comments on our public list and also EXI list

... XML Security WG, however, is not in a position to take on new work in this area.

... I've pointed them to C14N2 for their consideration

### Interop

fjh: We will need to determine the current status of tests, gerald is working on reviewing recent work

... Planned offline call to discuss interop this week, but will cancel and discuss on next week telecon, so we have information from Gerald, and anyone that wants to can attend

### Action review

ACTION-238?
ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2012-01-31 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/238][22]

ACTION-717?
ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/717][23]

ACTION-865?
ACTION-865 -- Frederick Hirsch to contact parties re participation in interop for 2.0 -- due 2011-12-20 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/865][24]

ACTION-866?
ACTION-866 -- Scott Cantor to review XML Encryption 1.1 for schema and text description consistency and clarity -- due 2012-01-24 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/866][25]

ACTION-867?
ACTION-867 -- Frederick Hirsch to review XML Encryption 1.1 for schema and text description consistency and clarity -- due 2012-01-24 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/867][26]

ACTION-872?
ACTION-872 -- Gerald Edgar to update interop status tables to reflect additional tests that need to be added -- due 2012-02-28 -- OPEN
[http://www.w3.org/2008/xmlsec/track/actions/872][27]

### Pending Actions

ACTION-870 closed
ACTION-870 Check with John Bradley re JSON plans re MAC+CBC closed

ACTION-871 closed
ACTION-871 Check with Microsoft regarding plans for JSON closed

### Other Business

none

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to prepare XML Encryption 1.1 and CipherReference Processing drafts for CR publication, make transition request etc [recorded in [http://www.w3.org/2012/02/28-xmlsec-minutes.html#action01][19]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][28] version 1.135 ([CVS log][29])
$Date: 2009-03-02 03:52:20 $

[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0019.html
[4]: http://www.w3.org/2012/02/28-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #item10
[16]: #ActionSummary
[17]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/att-0017/minutes-2012-02-21.html
[18]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Feb/0018.html
[19]: http://www.w3.org/2012/02/28-xmlsec-minutes.html#action01
[20]: https://www.w3.org/XML/Group/EXI/wiki/EXISignature
[21]: http://www.w3.org/TR/2012/CR-xml-c14n2-20120124/
[22]: http://www.w3.org/2008/xmlsec/track/actions/238
[23]: http://www.w3.org/2008/xmlsec/track/actions/717
[24]: http://www.w3.org/2008/xmlsec/track/actions/865
[25]: http://www.w3.org/2008/xmlsec/track/actions/866
[26]: http://www.w3.org/2008/xmlsec/track/actions/867
[27]: http://www.w3.org/2008/xmlsec/track/actions/872
[28]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[29]: http://dev.w3.org/cvsweb/2002/scribe/