# XML Security Working Group Teleconference

## 18 Sep 2012

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Frederick_Hirsch, Chris_Solc, Bruce_Rich, Pratik_Datta, Gerald_Edgar, Hal_Lockhart, Scott_Cantor
* Regrets:
* Chair: Frederick_Hirsch
* Scribe: fjh

## Contents

* [Topics][5]
  1. [Administrative items, announcements][6]
  2. [Minutes Approval][7]
  3. [Remove OCSPResponse from XML Signature 1.1][8]
  4. [Editorial updates][9]
  5. [1.1 Interop status][10]
  6. [Sharing 1.1 test cases][11]
  7. [Action Review][12]
  8. [Issue Review][13]
  9. [2.0 Status][14]
  10. [Summary][15]
  11. [Maintenance][16]
  12. [Other business][17]
  13. [Adjourn][18]
* [Summary of Action Items][19]

* * *

Date: 18 September 2012

ScribeNick: fjh

### Administrative items, announcements

fjh: PAG update - PAG teleconference and resolution has been delayed, with detailed discussion of wording, see PAG mail archive.

### Minutes Approval

Approve minutes from 11 September 2012 [http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/att-0021/minutes-2012-09-11.html][20]

**RESOLUTION: Minutes from 11 September 2012 are approved.**

### Remove OCSPResponse from XML Signature 1.1

fjh: Call for Consensus (CfC) to remove the OCSPResponse element from XML Signature 1.1 completed, [http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0024.html][21]

**RESOLUTION: Remove OCSPResponse element from XML Signature 1.1 and 2.0 as outlined in the CfC and also remove from the interop test report.**

**ACTION:** fjh to remove OCSPResponse element from XML Signature 1.1 and 2.0 as outlined in the CfC and also remove from the interop test report [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action01][22]]

Created ACTION-911 - Remove OCSPResponse element from XML Signature 1.1 and 2.0 as outlined in the CfC and also remove from the interop test report [on Frederick Hirsch - due 2012-09-25].

fjh: this will enable us to move XML Signature 1.1 forward to Last Call once PAG completes as all interop testing for XML Signature 1.1 is now complete. Please review the spec for correctness.

### Editorial updates

fjh: I updated functional explain docs to remove links to detailed explains as previously agreed: [http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0026.html][23]

Proposed RESOLUTION: The WG agrees to defer updating the SP800-56A reference in XML Encryption 1.1 until the new draft is finalized.

**RESOLUTION: The WG agrees to defer updating the SP800-56A reference in XML Encryption 1.1 until the new draft is finalized.**

### 1.1 Interop status

fjh: XML Encryption 1.1 interop is underway but will require more time

pdatta: will ask magnus to send more debug output so we can figure out the difficulty

fjh: scott, do you have more testing to do?

scantor: I could run test on ecdsa, if needed

### Sharing 1.1 test cases

fjh: we will need to publish the test cases when we move forward toward Rec, exiting CR
... Decision needed on approach; [http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0025.html][24]

pdatta: prefer to have one document with both test cases and results if we plan to publish the results

fjh: yes we plan to publish interop test results

scantor: favor using the wiki, easier to work with
... with a wiki it is easier to get others to contribute
... could help with updating the wiki if we go that route

fjh: it depends on whether we plan to publish as a document the interop test results

pdatta: we already have a test case document for 2.0

fjh: suggest we create consolidated result and test case docs for 1.1 and update the wiki for pointing to earlier 1.0 testing

scantor: can help with the wiki

fjh: ok, so I will put the signature material from the wiki into the interop document

pdatta: I can update the encryption test case document

fjh: please include the encryption material from the wiki
... then I can look at merging that with the interop test results document

**RESOLUTION: WG agrees to move test case material into documents combined with interop test results**

### Action Review

ACTION-883?

ACTION-883 -- Frederick Hirsch to review C14N 20 test cases document -- due 2012-04-10 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/883][25]

ACTION-910?

ACTION-910 -- Pratik Datta to update test cases document with new tests, [http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0020.html][26] -- due 2012-09-18 -- OPEN

[http://www.w3.org/2008/xmlsec/track/actions/910][27]

### Issue Review

ISSUE-234?

ISSUE-234 -- Reference SP800-56A later in publication process if the latest version is no longer a draft -- open

[http://www.w3.org/2008/xmlsec/track/issues/234][28]

ISSUE-91?

ISSUE-91 -- ECC can't be REQUIRED -- open

[http://www.w3.org/2008/xmlsec/track/issues/91][29]

ISSUE-122?

ISSUE-122 -- Explain peformance improvements and rationale, relationship to earlier work, document, benchmarks -- open

[http://www.w3.org/2008/xmlsec/track/issues/122][30]

### 2.0 Status

fjh: I've been updating 2.0 with changes from 1.1 as we go forward but have not done anything more
... who has implemented or is thinking about implementation of 2.0?

scantor: I looked at 2.0, was thinking of writing SAML profile for it, looks like amenable to self-contained implementation
... but cannot do this if it does not move forward

fjh: pratik, I assume you have implementation

pdatta: only for canonicalization, not clear that will do for signature at this point

scantor: could C14N2 be used with 1.1? That could have some value.

fjh: we need to look at this

pdatta: inputs are different

fjh: maybe we should not be treating 2.0 as a monolithic package, but see what is possible with moving C14N2 forward.
... we should be making a conscious decision regarding 2.0

hal: performance is important benefit of 2.0 and critical for its adoption, so we probably need to document the performance changes to get interest

fjh: will people care if JSON is the new trend

hal: there are a lot of existing XML implementations

fjh: pratik do you have any infrastructure to get some performance numbers

pdatta: no, do not have anything, but have been thinking about doing it. Only want to do it if it makes sense.

fjh: 2.0 is good work

scantor: agree can separate security protocols, but vendors may not agree

hal: if we do not document performance, that indicates that we might want to mothball 2.0

fjh: argument is that XML is no longer good, as opposed to JSON

scantor: right, protocol issue is driving conversation, what about documents

fjh: epub3 uses XML security
... I can ask about outreach at xml coordination group meeting

scantor: is the work done technically?

fjh: I think it is done technically, we had two reviews of the XPath and C14N material, it certainly seems stable.

hal: getting a reputation for being slow can be hard to shed
... hardware also gets faster, also addressing performance issues.

scantor: performance problems that mattered have been addressed by now

hal: lightweight is embedded in the JSON understanding, XML has a heavyweight reputation, which we cannot change

scantor: need to see who needs the capabilities and performance, then they need to ask vendors to provide it

### Summary

fjh: pratik to continue interop with magnus; to update XML Encryption 1.1 test cases document (ACTION-910), including material from test case wiki

ACTION-910: include in update XML Encryption 1.1 test cases on wiki, [http://www.w3.org/2008/xmlsec/wiki/Interop#XML_Encryption_1.1_Key_Derivation_using_ConcatKDF_and_PBKDF2][31]

ACTION-910 Update test cases document with new tests, [http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0020.html][26] notes added

**ACTION:** fjh to put XML Signature 1.1 test case material from wiki into XML Signature 1.1. interop test report [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action02][32]]

Created ACTION-912 - Put XML Signature 1.1 test case material from wiki into XML Signature 1.1. interop test report [on Frederick Hirsch - due 2012-09-25].

**ACTION:** fjh to merge XML Encryption 1.1 test case document into XML Encryption 1.1 interop test result document, once Pratik concludes updating XML Encryption 1.1 test case document (ACTION-910) [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action03][33]]

Created ACTION-913 - Merge XML Encryption 1.1 test case document into XML Encryption 1.1 interop test result document, once Pratik concludes updating XML Encryption 1.1 test case document (ACTION-910) [on Frederick Hirsch - due 2012-09-25].

fjh: scott, pratik to look at C14N2 to see if it can progress independently of 2.0 as a whole

**ACTION:** fjh to consult with XML Coordination Group to see if there is a community that would be interested in XML Security 2.0 and how to reach them [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action04][34]]

Created ACTION-914 - Consult with XML Coordination Group to see if there is a community that would be interested in XML Security 2.0 and how to reach them [on Frederick Hirsch - due 2012-09-25].

### Maintenance

fjh: we should start thinking how maintenance will be done once this WG has completed the specifications
... one approach is to keep the WG open indefinitely, I'm not sure that is a good option or that we will retain participants.
... another approach is like the WS* maintenance group, though I think I've heard that didn't work well

hal: it took a long time to start, but I'm not sure there was a problem afterwards, what have you heard?

fjh: I have no details, just general discussion at TPAC

**ACTION:** fjh to bring up issue of XML maintenance at XML Coordination group [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action05][35]]

Created ACTION-915 - Bring up issue of XML maintenance at XML Coordination group [on Frederick Hirsch - due 2012-09-25].

### Other business

scantor: what is the time frame until recommendation, will it be done for 1.1 this year? I have another specification that depends on it. I have a SAML spec for using it with GSS-API and SASL that depends on Enc 1.1

fjh: We are trying to complete by year end, but there are built in delays in the process such as minimum time for last call, CR, director review, AC review etc
... if the PAG does not finish soon we will not be able to complete this year, but I still think we have a chance

**ACTION:** fjh to outline timeline for completing 1.1 Rec and share with XML Security WG and PAG [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action06][36]]

Created ACTION-916 - Outline timeline for completing 1.1 Rec and share with XML Security WG and PAG [on Frederick Hirsch - due 2012-09-25].

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** fjh to bring up issue of XML maintenance at XML Coordination group [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action05][35]]

**[NEW]** **ACTION:** fjh to consult with XML Coordination Group to see if there is a community that would be interested in XML Security 2.0 and how to reach them [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action04][34]]

**[NEW]** **ACTION:** fjh to merge XML Encryption 1.1 test case document into XML Encryption 1.1 interop test result document, once Pratik concludes updating XML Encryption 1.1 test case document (ACTION-910) [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action03][33]]

**[NEW]** **ACTION:** fjh to outline timeline for completing 1.1 Rec and share with XML Security WG and PAG [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action06][36]]

**[NEW]** **ACTION:** fjh to put XML Signature 1.1 test case material from wiki into XML Signature 1.1. interop test report [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action02][32]]

**[NEW]** **ACTION:** fjh to remove OCSPResponse element from XML Signature 1.1 and 2.0 as outlined in the CfC and also remove from the interop test report [recorded in [http://www.w3.org/2012/09/18-xmlsec-minutes.html#action01][22]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][37] version 1.135 ([CVS log][38]) $Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0027.html
[4]: http://www.w3.org/2012/09/18-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #item10
[16]: #item11
[17]: #item12
[18]: #item13
[19]: #ActionSummary
[20]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/att-0021/minutes-2012-09-11.html
[21]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0024.html
[22]: http://www.w3.org/2012/09/18-xmlsec-minutes.html#action01
[23]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0026.html
[24]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0025.html
[25]: http://www.w3.org/2008/xmlsec/track/actions/883
[26]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Sep/0020.html
[27]: http://www.w3.org/2008/xmlsec/track/actions/910
[28]: http://www.w3.org/2008/xmlsec/track/issues/234
[29]: http://www.w3.org/2008/xmlsec/track/issues/91
[30]: http://www.w3.org/2008/xmlsec/track/issues/122
[31]: http://www.w3.org/2008/xmlsec/wiki/Interop#XML_Encryption_1.1_Key_Derivation_using_ConcatKDF_and_PBKDF2
[32]: http://www.w3.org/2012/09/18-xmlsec-minutes.html#action02
[33]: http://www.w3.org/2012/09/18-xmlsec-minutes.html#action03
[34]: http://www.w3.org/2012/09/18-xmlsec-minutes.html#action04
[35]: http://www.w3.org/2012/09/18-xmlsec-minutes.html#action05
[36]: http://www.w3.org/2012/09/18-xmlsec-minutes.html#action06
[37]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[38]: http://dev.w3.org/cvsweb/2002/scribe/