
Meeting record: XML Sec Weekly 2008-04-15

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 6 May 2008 15:08:59 +0200
To: public-xmlsec-maintwg@w3.org
Message-ID: <20080506130859.GA4331@iCoaster.does-not-exist.org>

Minutes from our meeting on 2008-04-15 were approved and are
available online here:


A text version is included below the .signature.

Thomas Roessler, W3C  <tlr@w3.org>


      XML Security Specifications Maintenance Working Group Teleconference

15 Apr 2008


   See also: [3]IRC log


          Thomas Roessler, Frederick Hirsch, John Wray, Rob Miller, Sean
          Mullan, Ed Simon, Bruce Rich, Phill Hallam-Baker, Juan Carlos
          Cruellas, Hal Lockhart, Pratik Datta, Shivaram Mysore, Konrad

          Frederick Hirsch

          Thomas Roessler, Frederick Hirsch


     * [4]Topics
         1. [5]Administrative
         2. [6]Meeting Planning
         3. [7]minutes from last meeting
         4. [8]test case document
         5. [9]Relax NG schema
         6. [10]best practices
         7. [11]action item review
         8. [12]aob
     * [13]Summary of Action Items

   <trackbot-ng> Date: 15 April 2008


Meeting Planning

   <scribe> ScribeNick: tlr

   <fjh> next call is 6 May

   Frederick: next meeting 6 May, Shivaram to scribe
   ... sent material to WS-I

   <fjh> WAF widget signing: [14]http://www.w3.org/TR/widgets-digsig/

   frederick: widget signing is FPWD now ...
   ... you may want to review latest draft ...

   <fjh> minutes - [15]http://www.w3.org/2008/04/01-xmlsec-minutes.html

minutes from last meeting

   RESOLUTION: approved

   <fjh> Dsig AC Reps

   <fjh> [17]http://www.w3.org/2002/09/wbs/33280/xmlsec2008/

   frederick: please make sure your AC reps submit reviews for PER and
   ... chartering deadline is 2 may
   ... contacting AC reps now might be helpful
   ... face-to-face schedule for kick-off getting tight
   ... propose week of 14 July ...
   ... how would that work? ...

   <brich> that would be a problem for me

   juan carlos: would be a problem - holiday starting on the 15th

   hal: first time I heard the date

   <EdS> I would have to check for conflicts too.

   hal: no conflicts off the top of my head
   ... location?

   frederick: had two offers from Europe (Barcelona or Graz) ...

   jcc: number?

   frederick: 15-20 as wild guess

   juan carlos: will check, may have some degrees of freedom

   hal: Can host in Boston or Bay for < 30

   frederick: please share possibilities on member-visible list, what
   dates work, etc.
   ... konrad?

   konrad: umh

   tlr: talked to Peter last week, he said the offer is on

   pbaker: please make Tue-Thu, not Mon or Fri

   frederick: reasonable

test case document

   frederick: some editorial clean-up from Thomas, some content-wise from


   sean: main change in section 3.3.4

   <fjh> section 3.3.4 and fixed reference

   sean: explained optional behavior for generation, mandatory for
   verification ...
   ... improved wording, added rationale, etc ...
   ... tried to improve readability of section

   frederick: don't know if people have reviewed

   <fjh> tlr: fixed markup, references, added text about conformance

   <fjh> ... added sectioning for individual test cases for ease of use

   (discussion about make vs ant build processes)

   frederick: process for moving forward?

   tlr: moratorium ends 28 April

   frederick: expect to proceed with publication if don't hear by then

Relax NG schema

   <fjh> [19]http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/

   <fjh> tlr: request on original xmlsig list related to Open Office XML

   <fjh> ... desire to have normative reference to Relax NG schema

   <fjh> ... original version from Joseph Reagle on W3C site

   <fjh> ... rather than having it copied, a Note might be preferable,
   especially since they wanted Compact Syntax which had not yet been

   <fjh> ... Proposal, have minimal WG Note with both Relax NG full and
   compact syntax. Not normative document.

   <fjh> ... Need WG review of Relax NG schema for correctness


   <klanz2> we do not support Relax NG

   <shivaram> How many support Relax NG?

   RobMiller: put out call on internal list for review
   ... will report back if/when there's more information ...

   hal: not committing anything either

   <klanz2> well, we can parse what xalan can parse, but we'll always
   check signature itself against xmlschema

   frederick: what's your message in the chat saying?

   klanz: we can try to validate a bunch of signatures against RNG schema

   frederick: konrad, if there's anything immediately noticeable, please

best practices


   frederick: tried to rework what Hal and Pratik had posted into that

   pratik: on xpath, had a list of xpath expressions
   ... example there was complex xpath that was signing no node ...

   frederick: more on nodes?

   hal: need bunch of references
   ... plan to do 5 more or so on the topics ...
   ... depth, different issues ...
   ... there's also some controversial issues ...
   ... will attempt to identify where people might disagree ...
   ... question what's most expedient

   <fjh> ws-i bsp "threats and countermeasures"

   klanz2: think we should do some more referencing
   ... where others have done work ...
   ... there are some that are narrow xmldsig, some are about stuff on top
   of xmldsig ...
   ... time stamps are more broadly ...

   <fjh> wider sense - e.g. application usage of xml signature

   klanz2: xpath and canonicalization are narrower ...
   ... think there's a natural partition ...

   <fjh> narrow sense - detail of xml signature standard itself

   hal: agree there's a logical division, not sure how easy to do
   ... and how useful to the reader ...
   ... I'd think you'd always want to put in a time stamp ...

   <fjh> question of defining roles, target audience for individual best

   hal: some of the other concerns only a few people will run into ...

   klanz: some applications might simply assume "signature was made during
   validity period"
   ... some points here go into PKI validation ...
   ... time stamping belongs there, too ...

   frederick: there are different audiences

   hal: want to talk about references
   ... what we learned doing in WSS ...
   ... what things turned out to be bad ideas ...
   ... are deprecated ..
   ... lots of stuff around that ...

   <fjh> need to discuss referencing

   <fjh> acc jcc

   jcc: what are the plans for the production of best practices
   ... do we expect people to provide material, and people may comment on
   the material ...
   ... what's the expectation?

   frederick: two aspects to this question
   ... first one, what's WG process
   ... second one, what are the broader implications
   ... this is obviously a draft ...
   ... need agreement in the WG ...
   ... trying to put something down, then correct ...
   ... as opposed to inching toward it piecewise ...
   ... do stuff on list, get it started ...
   ... so, please comment ...
   ... broader question - how play out in general community ...
   ... is it important for us to get external feedback?
   ... e.g., WS-I, OASIS?
   ... what's the right process

   <hal> +1

   <shivaram> I would suggest an informal notice to all of these groups
   and have them comment on public mailing list. We can then invite them
   as needed.

   <klanz2> tlr: Intended to be a Note

   <klanz2> ... we can do a Deliverable like this in the next WG even
   without having it in the charter (process wise)

   <fjh> tlr: can start and hand off to follow on WG

   <klanz2> tlr: we can make working drafts to notes

   <fjh> tlr: can produce version, can publish as public WD to have
   continued by follow on wg, and seek external input

   jcc: personal feeling is that external review would be extremely useful
   ... e.g., etsi has time-stamp related formats on top of dsig


   klanz2: can we use the comments mailing list?
   ... for people to send input?

   tlr: yes

   <fjh> tlr: this list is appropriate

   frederick: will take a bit of time to have an initial version that
   we're comfortable with
   ... can start public review at that point ...
   ... something to do before we have to worry about that ...
   ... sounds like we don't have a problem ...
   ... main thing is to write down things we've learned in this group ...

   hal: 3-5 more mails of the same size, then might want to flush that out
   ... speaking to what JCC said, looking forward to comment ...
   ... would be surprised if I got it all right ...
   ... another point, very true and general comments can end up being
   unintelligible ...

   frederick: yes, value of concrete examples

   <jcc> Sorry, was kicked off

   klanz: think this is a good thing to lead us from this group to the
   next one

   <jcc> dialing again

   frederick: anything else on best practices
   ... also, anybody who has material to contribute, please send to public
   list ...
   ... hoping to make progress on draft between now and next call ...

action item review

   trackbot-ng, close ACTION-147

   <trackbot-ng> ACTION-147 Update the test cases document; polish for
   publication as a Note closed

   <fjh> see

   trackbot-ng, close ACTION-148

   <trackbot-ng> ACTION-148 Send comments to EXI group as circulated to
   the XMLSEC closed


   trackbot-ng, close ACTION-149

   <trackbot-ng> ACTION-149 Clarify DName testing in test case document



   <trackbot-ng> ACTION-150 -- Phillip Hallam-Baker to distribute a draft
   regarding identifiers registry -- due 2008-04-15 -- OPEN

   <trackbot-ng> [26]http://www.w3.org/2007/xmlsec/Group/track/actions/150


   trackbot-ng, close ACTION-121

   <trackbot-ng> ACTION-121 Fix CR/LF issue for test case 103 closed

   trackbot-ng, close ACTION-126

   <trackbot-ng> ACTION-126 Check consistency of and references

   trackbot-ng, close ACTION-127

   <trackbot-ng> ACTION-127 Propose change to charter draft that opens
   encryption, in a limited way closed


   frederick: reminders again: Please ask AC representatives to complete
   questionnaires on XML Signature PER and Security Activity/XMLSec
   chartering. Also work on list for Best Practices before next call, and
   review of Relax NG schemas.

   frederick: RNG schema
   ... prod ac reps
   ... review best practices


   <fjh> Scribe: Thomas Roessler, Frederick Hirsch


   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0016.html
   3. http://www.w3.org/2008/04/15-xmlsec-irc
   4. http://www.w3.org/2008/04/15-xmlsec-minutes.html#agenda
   5. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item01
   6. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item02
   7. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item03
   8. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item04
   9. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item05
  10. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item06
  11. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item07
  12. http://www.w3.org/2008/04/15-xmlsec-minutes.html#item08
  13. http://www.w3.org/2008/04/15-xmlsec-minutes.html#ActionSummary
  14. http://www.w3.org/TR/widgets-digsig/
  15. http://www.w3.org/2008/04/01-xmlsec-minutes.html
  16. http://www.w3.org/2002/09/wbs/33280/xmlsigper2008/
  17. http://www.w3.org/2002/09/wbs/33280/xmlsec2008/
  18. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0015.htm
  19. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/
  20. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/
  21. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
  22. http://lists.w3.org/Archives/Public/public-xmlsec-comments/
  23. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0010.html
  24. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0009.html
  25. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Apr/0015.html
  26. http://www.w3.org/2007/xmlsec/Group/track/actions/150
  27. http://www.w3.org/2007/xmlsec/Group/track/actions/pendingreview
Received on Tuesday, 6 May 2008 13:09:41 UTC
