# XML Security Working Group Teleconference

## 15 May 2012

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Frederick_Hirsch, Chris_Solc, Ed_Simon, Scott_Cantor, Hal_Lockhart, Pratik_Datta, Brian_LaMacchia, Gerald_Edgar, Bruce_Rich
* Regrets:
* Chair: Frederick_Hirsch
* Scribe: fjh

## Contents

* [Topics][5]
  1. [Administrative][6]
  2. [Minutes Approval][7]
  3. [Updates to draft XML Signature 1.1 and XML Encryption 1.1 interop test reports][8]
  4. [Remaining XML Signature 1.1 interop tests][9]
  5. [XML Encryption 1.1][10]
  6. [Other 1.1 interop notes][11]
  7. [XML Security 2.0][12]
  8. [Action review][13]
  9. [Other business][14]
  10. [Adjourn][15]
* [Summary of Action Items][16]

* * *

Date: 15 May 2012

ScribeNick: fjh

### Administrative

fjh: still waiting for a PAG meeting to happen so that the PAG issue can be resolved, hoping this will happen soon
... it seems the PAG is nearing a conclusion but there was still some discussion, hopefully to be resolved soon
... also thanks to Pratik for fixing links in test case document

### Minutes Approval

Approve minutes, 24 April 2012

[http://lists.w3.org/Archives/Public/public-xmlsec/2012Apr/att-0009/minutes-2012-04-24.html][17]

**RESOLUTION: Minutes from 24 April 2012 are approved.**

### Updates to draft XML Signature 1.1 and XML Encryption 1.1 interop test reports

Agree to proposed updates (remove unnecessary tests)

[http://lists.w3.org/Archives/Public/public-xmlsec/2012May/0002.html][18]

[http://lists.w3.org/Archives/Public/public-xmlsec/2012May/0003.html][19]

**RESOLUTION: WG agrees to update the interop test reports as proposed and to not interop test items that have been tested as previous Recommendations**

**ACTION:** fjh to update interop test reports to remove unneeded tests [recorded in [http://www.w3.org/2012/05/15-xmlsec-minutes.html#action01][20]]

Created ACTION-886 - Update interop test reports to remove unneeded tests [on Frederick Hirsch - due 2012-05-22].
### Remaining XML Signature 1.1 interop tests

[http://www.w3.org/2008/xmlsec/wiki/AdditionalSignature11TestCases][21]

fjh: we have six items listed that need to be interop tested before we can go to Rec with XML Signature 1.1, in addition to PAG resolution
... most are of nature of finding the key and then validating a signature, in addition to OCSPResponse, and HMACOutputLength

scantor: has implementation for #3 and #5, DerEncodedKeyValue and KeyInfoReference, would prefer not to see these dropped
... also X509Digest, #2
... what do we have to do to demonstrate interop?

fjh: not have to prove output, but vouch that able to process, e.g. in original XML Signature interop output was table of Y and N for tests (merlin)

bal: that is right

scantor: need to recognize syntax but not build a CA infrastructure

bal: yes, limit the amount of work

scantor: have limited resources for testing

fjh: So we only need to go as far as parsing the XML and finding the X509Digest, for example, that should suffice for interop. Is there someone else on the call that has implementations of #2, #3, #5 that could also test these?

[silence]

fjh: bal can you please check with Magnus and his team regarding these tests and possible participation or resolution...

brich: possible but no commitment 2, 3, 4, 6

fjh: does #6 need an interop test? HMacOutputLength?

scantor: perhaps not, it is a security test, if not tested we are not going to remove from the spec are we?

bal: this might have been put into 1.0 as a patch

fjh: has this already been tested?

bal: ability to truncate may have been removed in some implementations

hal: these things are trivial to implement

scantor: question of degree of 1.1 implementation

hal: should add truncation as a best practice to the best practices document
... I'm planning to do this

**ACTION:** hal to draft text on HMAC truncation for XML Signature best practices [recorded in [http://www.w3.org/2012/05/15-xmlsec-minutes.html#action02][22]]

Created ACTION-887 - Draft text on HMAC truncation for XML Signature best practices [on Hal Lockhart - due 2012-05-22].

### XML Encryption 1.1

fjh: XML Encryption 1.1 has more interop work to be done

[http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core1-interop/Overview.src.html][23]

please review this and indicate if you have implementation that can be tested

### Other 1.1 interop notes

fjh: Expect GHC will simply remain at CR and not move forward
... Expect Signature Properties can move forward with at-risk items removed, due to Widget Signature interop
... but expect to wait with moving it forward until we can also move other items like XML Signature 1.1, so we move stuff forward together
... will also need publication of algorithm cross reference etc at that time (changes are already in place in the editors drafts)

### XML Security 2.0

fjh: focus on moving 1.1 to Rec, but please indicate if any work required on 2.0 at this point

### Action review

ACTION-238?

ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2012-01-31 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/238][24]

need info from Thomas on what this is, and what the status is

ACTION-717?

ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/717][25]

defer to later

ACTION-883?

ACTION-883 -- Frederick Hirsch to review C14N 20 test cases document -- due 2012-04-10 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/883][26]

still open

ACTION-885?
ACTION-885 -- Pratik Datta to update test cases document and send email clarifying changes -- due 2012-05-01 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/885][27]

ACTION-885 closed

ACTION-885 Update test cases document and send email clarifying changes closed

ACTION-865?

ACTION-865 -- Frederick Hirsch to contact parties re participation in interop for 2.0 -- due 2011-12-20 -- PENDINGREVIEW

[http://www.w3.org/2008/xmlsec/track/actions/865][28]

ACTION-865 closed

ACTION-865 Contact parties re participation in interop for 2.0 closed

ACTION-884?

ACTION-884 -- Frederick Hirsch to review CR features at risk for Signature Properties -- due 2012-05-01 -- PENDINGREVIEW

[http://www.w3.org/2008/xmlsec/track/actions/884][29]

ACTION-884 closed

ACTION-884 Review CR features at risk for Signature Properties closed

### Other business

ed_simon: looked at EXI, and gave feedback
... suggested that members of xml security wg do not have time to work on this, but might be interested in review
... will continue to look at it with EXI group

fjh: XML Security WG is chartered to 30 June 2012.
... lack of PAG completion makes it more likely we will have to extend charter, as does need to complete interop
... Regarding upcoming calls, we have them scheduled for every week, but will cancel if there is no business.
... if we have limited business then the call will be short.
... please indicate any progress especially with regards to interop, on the list. We will use the list traffic to determine if we need a call.
... please review the interop testing and implementations to see how we can move this work forward.
... thanks

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to update interop test reports to remove unneeded tests [recorded in [http://www.w3.org/2012/05/15-xmlsec-minutes.html#action01][20]]

**[NEW]** **ACTION:** hal to draft text on HMAC truncation for XML Signature best practices [recorded in [http://www.w3.org/2012/05/15-xmlsec-minutes.html#action02][22]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][30] version 1.135 ([CVS log][31]) $Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2012May/0005.html
[4]: http://www.w3.org/2012/05/15-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #item10
[16]: #ActionSummary
[17]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Apr/att-0009/minutes-2012-04-24.html
[18]: http://lists.w3.org/Archives/Public/public-xmlsec/2012May/0002.html
[19]: http://lists.w3.org/Archives/Public/public-xmlsec/2012May/0003.html
[20]: http://www.w3.org/2012/05/15-xmlsec-minutes.html#action01
[21]: http://www.w3.org/2008/xmlsec/wiki/AdditionalSignature11TestCases
[22]: http://www.w3.org/2012/05/15-xmlsec-minutes.html#action02
[23]: http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core1-interop/Overview.src.html
[24]: http://www.w3.org/2008/xmlsec/track/actions/238
[25]: http://www.w3.org/2008/xmlsec/track/actions/717
[26]: http://www.w3.org/2008/xmlsec/track/actions/883
[27]: http://www.w3.org/2008/xmlsec/track/actions/885
[28]: http://www.w3.org/2008/xmlsec/track/actions/865
[29]: http://www.w3.org/2008/xmlsec/track/actions/884
[30]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[31]: http://dev.w3.org/cvsweb/2002/scribe/