# XML Security Working Group Teleconference

## 27 Nov 2012

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Frederick_Hirsch, Chris_Solc, Scott_Cantor, Gerald_Edgar, Bruce_Rich, Pratik_Datta, Hal_Lockhart
* Regrets:
* Chair: Frederick_Hirsch
* Scribe: fjh

## Contents

* [Topics][5]
  1. [Administrative: Agenda review, Announcements][6]
  2. [Minutes Approval][7]
  3. [Key Separation and XML Encryption 1.1][8]
  4. [XML Signature 1.1 Last Call updates][9]
  5. [XML Security 2.0][10]
  6. [Action Review][11]
  7. [Issue Review][12]
  8. [Adjourn][13]
* [Summary of Action Items][14]

* * *

Date: 27 November 2012

ScribeNick: fjh

### Administrative: Agenda review, Announcements

"XML Encryption 1.1 Interop Test Report" and "XML Signature 1.1 Interop Test Report" published as W3C Notes on 13 November, see [http://www.w3.org/News/2012#entry-9630][15]

### Minutes Approval

Approve minutes from 13 November 2012 [http://lists.w3.org/Archives/Public/public-xmlsec/2012Nov/att-0012/minutes-2012-11-13.html][16]

**RESOLUTION: Minutes from 13 November 2012 are approved.**

### Key Separation and XML Encryption 1.1

Proposed changes to XML Encryption 1.1 security considerations

proposed RESOLUTION: working group agrees to add new security consideration noted by Frederick Hirsch based on Juraj input

**RESOLUTION: working group agrees to add new security consideration noted by Frederick Hirsch based on Juraj input**

**ACTION:** tlr to confirm ok to add security consideration to XML Encryption 1.1 before PR [recorded in [http://www.w3.org/2012/11/27-xmlsec-minutes.html#action01][17]]

Created ACTION-924 - Confirm ok to add security consideration to XML Encryption 1.1 before PR [on Thomas Roessler - due 2012-12-04].

scantor: question of what is supported by OpenSSL to enable implementations, such as GCM

### XML Signature 1.1 Last Call updates

here() function clarification added to Editors draft (for Last Call comment LC-2721), per [http://lists.w3.org/Archives/Public/public-xmlsec/2012Nov/0009.html][18]

See [http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.html#sec-XPath][19]

fjh: please review the change but I think this is done

### XML Security 2.0

fjh: a couple of thoughts - we could disallow risky algorithms, Sign metadata (e.g. algorithm information), etc

... also not sure I like having a replication of 1.1 in a backward compatibility section

... however if we are not progressing not sure we should devote resources to it

... pdatta, have you heard anything more about implementations?

### Action Review

ACTION-883?

ACTION-883 -- Frederick Hirsch to review C14N 20 test cases document -- due 2012-04-10 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/883][20]

ACTION-922?

ACTION-922 -- Frederick Hirsch to propose additional security consideration for XML Encryption 1.1 key separation and update draft -- due 2012-11-20 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/922][21]

fjh: done by Juraj, revised by me

close ACTION-922

ACTION-922 Propose additional security consideration for XML Encryption 1.1 key separation and update draft closed

ACTION-921?

ACTION-921 -- Frederick Hirsch to update XML Signature 1.1 to address LC-2721 -- due 2012-11-20 -- PENDINGREVIEW

[http://www.w3.org/2008/xmlsec/track/actions/921][22]

close ACTION-921

ACTION-921 Update XML Signature 1.1 to address LC-2721 closed

ACTION-923?

ACTION-923 -- Frederick Hirsch to update Roadmap page to reflect current status -- due 2012-11-20 -- PENDINGREVIEW

[http://www.w3.org/2008/xmlsec/track/actions/923][23]

close ACTION-923

ACTION-923 Update Roadmap page to reflect current status closed

### Issue Review

ISSUE-122?

ISSUE-122 -- Explain performance improvements and rationale, relationship to earlier work, document, benchmarks -- open

[http://www.w3.org/2008/xmlsec/track/issues/122][24]

ISSUE-234?

ISSUE-234 -- Reference SP800-56A later in publication process if the latest version is no longer a draft -- open

[http://www.w3.org/2008/xmlsec/track/issues/234][25]

ISSUE-236?

ISSUE-236 -- Update all references in all Notes and Recs when publishing final REC? -- open

[http://www.w3.org/2008/xmlsec/track/issues/236][26]

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** tlr to confirm ok to add security consideration to XML Encryption 1.1 before PR [recorded in [http://www.w3.org/2012/11/27-xmlsec-minutes.html#action01][17]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][27] version 1.135 ([CVS log][28]) $Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Nov/0014.html
[4]: http://www.w3.org/2012/11/27-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #ActionSummary
[15]: http://www.w3.org/News/2012#entry-9630
[16]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Nov/att-0012/minutes-2012-11-13.html
[17]: http://www.w3.org/2012/11/27-xmlsec-minutes.html#action01
[18]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Nov/0009.html
[19]: http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.html#sec-XPath
[20]: http://www.w3.org/2008/xmlsec/track/actions/883
[21]: http://www.w3.org/2008/xmlsec/track/actions/922
[22]: http://www.w3.org/2008/xmlsec/track/actions/921
[23]: http://www.w3.org/2008/xmlsec/track/actions/923
[24]: http://www.w3.org/2008/xmlsec/track/issues/122
[25]: http://www.w3.org/2008/xmlsec/track/issues/234
[26]: http://www.w3.org/2008/xmlsec/track/issues/236
[27]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[28]: http://dev.w3.org/cvsweb/2002/scribe/