- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 12 Aug 2008 16:13:37 +0200
- To: public-xmlsec@w3.org
Minutes from our meeting on 2008-07-16 were approved and are
available online here:
http://www.w3.org/2008/07/16-xmlsec-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
XML Security Working Group Face-To-Face Meeting
16 Jul 2008
[2]Agenda
See also: [3]IRC log
Attendees
Present
Subramanian Chidambaram (SC), Frederick Hirsch (fjh), Gerald
Edgar (Gerald), Chris Solc (csolc), Konrad Lanz (klanz2), Thomas
Roessler (tlr), Brian LaMacchia (bal), Hal Lockhart (hal), Bruce
Rich (brich), Sean Mullan (sean), Magnus Nystrom (magnus), Anil
Saldhana (anil), Rob Miller (rmiller), Juan Carlos Cruellas,
Pratik Datta, Ed Simon
Regrets
Chair
Frederick Hirsch
Scribe
Konrad Lanz, Hal Lockhart
Contents
* [4]Topics
1. [5]Welcome, Attendance/Introductions, Agenda review
(10:00-10:30 am, 30 min)
2. [6]Scribing and Minutes (10:30 - 10:45 15 min)
3. [7]Scribe duties and scribe selection process
4. [8]WG Scheduling (10:45-11:15, 30 min)
5. [9]Teleconference Scheduling
6. [10]Upcoming meetings
7. [11]Coordination
8. [12]Introduction to W3C, W3C process and Tools [Thomas
Roessler]
9. [13]Tools decisions and volunteers (14:00 - 15:00, 1 hr)
10. [14]Using Tracker for Issues
11. [15]Charter Review
12. [16]WG Project Planning
13. [17]Overview of Principles and Requirements
14. [18]Review of workshop
15. [19]Presentation by Magnus
16. [20]Editors and volunteers
17. [21]Best Practices Document
18. [22]Errata
__________________________________________________________________
<trackbot> Date: 16 July 2008
1) Welcome, Attendance/Introductions, Agenda review (10:00-10:30 am, 30 min)
Hello Everyone,
<fjh> Scribe: Konrad Lanz
fjh: Introducing himself - work for Nokia, chairing this group, was
chair of previous XML Security Specifications Maintenance WG.
Participated in original XML Signature and Encryption working groups
and XKMS. Active in OASIS, including the Board and SAML TC.
brich: intro ...
SC: intro ... working for Nokia, on SAML OpenID ...
bal: intro ... XMLSEC, WSS, ...
hal: intro ... WSS, WS-SX, SSTC - Co-Chair, Oasis Technical Advisor ...
tlr: intro ... team contact, means I'm your man in W3C ...
klanz2: ... XML Toolkit @ IAIK/SIC
jcc: upc ... standardization
csolc: five years in the area with adobe
gerald: client of XMLDSIG ...
sean: intro ... SUN, XML sec implementations, JSR105 ...
@all: please augment where needed ...
RESOLUTION: Dinner @21:00, all are coming
rdmiller: intro ... MITRE Supports US Dept. of Defense, daily contact
with XML and XMLSEC, user perspective and best practices perspective
... update crypto, NSA suite B
magnus: intro ... working for RSA, standardization PKCS
<rmiller> silence
setting up again
<tlr> yes, we got dropped
<tlr> sorry
lost the bridge
fjh: minutes @ every meeting
... on the irc chat
... notes during the meeting, you are encouraged to augment and correct
them
... minutes are public
...
... minutes are in general public
... but we might make them private until approved
... part of the job of scribing is cleaning the minutes at the end
fjh: it's cumbersome to move minutes around from private to public
klanz: member-list
tlr: yes, the member list, ...
RESOLUTION: Scribe will post the minutes once edited to member-list and
as soon as approved to the public-list
Subject: [minutes-draft], [minutes-approved] to be used ...
klanz2: we can then use the list search features to list all the minutes
...
<fjh> scribe instructions
[23]http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
[24]http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
[25]http://tinyurl.com/find-minutes-approved
[26]http://tinyurl.com/find-minutes-draft
fjh: volunteer for scribing, ....
We will share scribing round robin in the WG, apart from the Chair and
Team contact.
2) Scribing and Minutes (10:30 - 10:45 15 min)
2a) Scribe duties and scribe selection process
http://www.w3.org/2007/xmlsec/Group/scribe-instructions.html
2b) Scribe volunteers for F2F:
Wed morning (16 July am) - Konrad
Wed afternoon (16 July pm) - Hal
Thursday morning (17 July am) - Bruce
Thursday afternoon (17 July pm) - Sean
hal: leaving tomorrow ...
brich: thursday morning
sean: thursday afternoon
3) WG Scheduling (10:45-11:15, 30 min)
fjh: one hour too little, need two hours
3a) Teleconference Scheduling
<fjh> [27]http://www.w3.org/2002/09/wbs/42458/xmlsec2008telco/
RESOLUTION: Tuesdays 10am ET, two hours
3b) Upcoming meetings
fjh: one more F2F, tech plenary colocated
... 20-21. Oct. 2008
... What joint meeting do we need?
... EXI, XML Core,
klanz: namespace inheritance -> xml core
... enveloping signatures
<klanz22> hal: encapsulation
Coordination
<scribe> ACTION: fjh to arrange joint meetings on the coordination call
[recorded in
[28]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-4 - Arrange joint meetings on the
coordination call [on Frederick Hirsch - due 2008-07-23].
fjh: telco starting on time, ... we start on time ... try to be on time
... charter, do we need the infoset, what to do with C14n, do we need
transforms ...
hal: need to be aware of interdependencies and conflicting goals
fjh: we need to take advantage of members as resource for editing,
actions etc ....
... maintaining issues lists
... workshop results last year, went into requirements ...
that one ?:
[29]http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0006.html
[30]http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0007.html
hal: ECC SuiteB, (IPR ... ), no one from NIST or NSA here ?
... Encryption and Signature in hardware?
rdmiller: have contact into both areas, re SuiteB and hardware
<trackbot> ACTION-27 -- Robert Miller to contact crypto hardware and
suiteB experts in NSA regarding XML Security WG and possible
involvement -- due 2008-08-08 --OPEN
<trackbot> [31]http://www.w3.org/2008/xmlsec/track/actions/27
bal: even if we do not get direct involvement, we hope we can obtain
feedback ...
... on request.
5) Introduction to W3C, W3C process and Tools [Thomas Roessler] (11:30 -
12:00, 30 min)
[32]http://www.w3.org/2008/xmlsec/w3c101#(1)
hal: heart beat requirement?
tlr: draft every three month for each deliverable
bal: Don Eastlake? IETF?
hal: Encryption not an RFC ...
tlr: minutes, we value availability over perfection
... vCal available for tracker items ... there is a feed
<fjh> can enter action-# to get link to it
<fjh> action-001
<tlr> action-001?
<trackbot> ACTION-1 -- Thomas Roessler to test trackbot-ng -- due
2007-04-12 -- CLOSED
<trackbot> [33]http://www.w3.org/2008/xmlsec/track/actions/1
NOTE: Update the association with the new Workgroup, and associate
Products
<tlr> COI policy
[34]http://www.w3.org/2005/10/Process-20051014/policies.html#coi
<sean> ack
general discussion on IPR
tlr: WG notes are not covered by the IPR policy
brich: did we have any under the maintenance group?
tlr: test cases, best practices ...
hal: distinction between public review and WG issues raised?
fjh: process wise different
... external comments will be discussed ... internal ones have to be
specific ....
... we need to be more formal to get more review ...
tlr: use working relations and formal contact where suited ...
hal: there is a difference between getting plain feedback vs. formal
feedback from other groups that might not even be in existence any more
...
<scribe> ACTION: fjh to check how the formal OASIS liaison is working.
[recorded in
[35]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action06]
<trackbot> Created ACTION-5 - Check how the formal OASIS liasion is
working. [on Frederick Hirsch - due 2008-07-23].
hal: the conflict of interest policy is section 3.1.1 W3C process ...
<tlr> [36]http://www.w3.org/2001/11/StdLiaison#OASIS needs update,
incidentally. That's an action on me. I suspect.
<anil> zamkim, code?
9) Tools decisions and volunteers (14:00 - 15:00, 1 hr)
fjh: home page simple, if you want to enhance please do so, it's in cvs
... we should get a wiki, wiki didn't work too well in the past
... volunteers for main page?
... tracker, lists issues and actions ...
<jcc> FH: something that we did not use: tool for creating new issues
<anil> [37]http://www.w3.org/2006/WSC/track/issues/200
<anil> example ^^^
<jcc> Link: www.w3.org/2008/xmlsec/track/issues/new
<jcc> FH: certain basic rules for new issues, including meaningful
information categories
<jcc> details in www.w3.org/2002/ws/policy/
<jcc> actually in [38]http://www.w3.org/2002/ws/policy/#issues
fjh: issues lists is a good tool to move issues through states
Using Tracker for Issues
<tlr> ISSUE: tracker doesn't get its e-mails through
<trackbot> Created ISSUE-2 - Tracker doesn't get its e-mails through ;
please complete additional details at
[39]http://www.w3.org/2008/xmlsec/track/issues/2/edit .
fjh: we need a volunteer to take responsibility of making sure external
issues get on the list
Gerald: Volunteered to take care of issue Tracking
fjh: Thanks
<Zakim> anil, you wanted to mention that the spec can be updated at
places with issue numbers and dealt with as and when completed
<rmiller> Rob Miller is going offline and will not return until
tomorrow morning.
Charter Review
<fjh> Pratik has been working on best practices, interested in
streaming
fjh: versioning policy constrains us
work on xml enc is limited to dsig compatibility and algs
updates to c14n will be jointly issued by us and xml core in order to
retain IPR commitments
members of the wg are encouraged to nominate other groups who we should
coordinate with
thomas to act as informal liaison with IETF
hal, jcc & fjh will liaise with OASIS TCs
bruce to informally liaise with WS-Fed
need to add ebxml tcs to list of OASIS TCs
sean to investigate ebxml liaison
<scribe> ACTION: sean to investigate ebxml liaison [recorded in
[40]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action07]
<trackbot> Created ACTION-6 - Investigate ebxml liasion [on Sean Mullan
- due 2008-07-23].
<scribe> ACTION: bruce to informally liaise with WS-Fed [recorded in
[41]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action08]
<trackbot> Created ACTION-7 - Informally liase with WS-Fed [on Bruce
Rich - due 2008-07-23].
<anil> I am getting involved in some healthcare security standard
groups (no one in particular)
hal & fjh to liaise with WS-I BSP
will use workshop mailing list to communicate with interested parties
bruce & sean to liaise with Java community
klanz: need to tradeoff between maint and major changes
... need requirements discussion first
hal: could do low impact items first, but risk of not driving adoption
of later step
sean: can have actions on wg members to provide proposals on different
areas
WG Project Planning
fjh: need to focus on reqs
sean: tag with risk level
fjh: do best practices and maint in parallel
bal: when we gather reqs will see a break between simple and hard
... then we can decide tactics
... worry about task force idea
... relatively small group
fjh: make easy decisions up front
bal: will be pressure to produce short term spec
... will be easier to get impls
tlr: have ability to split or join specs
fjh: want to defer this for now
overview of principles and reqs
fjh: principles and requirements
... valuable exercise to go through ...
... walking through slide with original requirements ...
... design for security and mitigate attacks ...
... some workshop feed-back shows that there was a *lot* of balancing
going on ...
... maybe solve through profiling ...
... revisit extensibility requirements ...
... interoperability and compatibility are important, and new since
we're talking about Vnext ...
... should recognize layered architecture of implementations ...
... I probably missed some principles ...
<tlr> [42]http://www.w3.org/2008/xmlsec/f2f-2008-07-16/rqmts/2008-07-12-xmlsec-rqmts.ppt
RESOLUTION: have a list of principles as basis for work
bal: needed both principles and usecases
klanz: may find things which are incompatible with principles
... principles SHOULD be followed
bal: principles may be in conflict
review of workshop
hal: propose 4 categories: security, performance, new features,
operational errors
fjh: how should we process workshop papers?
bal: create reading groups
<bal> and schedule a few workshop papers/presentations for discussion
each week during the conf call
... review batch for each call to generate issues and suggestions
klanz: possibility of requesting profile of xslt?
<tlr> XSL is being chaired by Sharon Adler, IBM
<tlr> [43]http://www.w3.org/2006/06/XML/xsl.html
klanz: noted that might need xslt transform to be able to sign
including the whitespace generated by transform
bal: xsl came in as a part of web arch
... need to take a look at actual use
... maybe need to drop things which cause security problems
... may not need to carry forward all requirements from original dsig
klanz: most of our customers use XSLT
<EdS> XSLT can also be used as a means to collect and meld data from a
variety of sources before hashing.
<fjh> review original requirements of dsig
bal: RDF was a requirement at W3C at that time
<pdatta> can you share the URL for this original requirements document
<fjh> [44]http://www.w3.org/TR/xmldsig-requirements
bal: 3.2-4 was a reaction to CMS limitations
... 3.2 supports compound documents
<tlr> look at pkcs1 in 6.4.2
<tlr> it includes an identifier for the hash algorithm
<tlr> (rsa-sha1 algorithm)
general uncertainty about purpose of 3.3 point 3; likely
interpretation: data in XML Signature takes precedence over data in
crypto blob
Presentation by Magnus
[45]Presentation
hal: notes support for derived keys in various ws* specs, should
consider those requirements and attempt to unify
hal: use cases?
magnus: not really there, indeed
brich: derived keys that WS-SecureConversation makes use of
... can proposal be extended to cover use cases there?
... are that will have to be done sooner or later
magnus: do not see why not; maybe take this conversation offline
hal: specs using derived keys are wss username token, ws-trust,
ws-securitypolicy
... and ws-secureconversation
brich: bulk in secure conversation
not latest: [46]http://www.oasis-open.org/specs/index.php#wssecconv1.3
Editors and volunteers
fjh: editor per spec vs. editor team
... should use XMLSPEC
... need to set up properly to use ant
... compatible with any XSLT stream
... already have editors for best practices
<tlr> ACTION: thomas to read this action's number [recorded in
[47]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action09]
<trackbot> Created ACTION-8 - Read this action's number [on Thomas
Roessler - due 2008-07-23].
<scribe> ACTION: gerald to test Issues entry and list generation
[recorded in
[48]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action10]
<trackbot> Sorry, couldn't find user - gerald
<scribe> ACTION: tlr to fix Tracker [recorded in
[49]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action11]
<trackbot> Created ACTION-9 - Fix Tracker [on Thomas Roessler - due
2008-07-23].
RESOLUTION: No call on July 22nd or 5 August.
... No call on Aug 5
Best Practices Document Overview
<tlr> for context:
[50]http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
<klanz2> [51]http://www.w3.org/TR/xmldsig-core/#sec-Secure
<klanz2> reviewing 8.1.1 - 8.1.3 : A quote from 8.1.3: Some
applications might operate over the original or intermediary data but
should be extremely careful about potential weaknesses introduced
between the original and transformed data.
RESOLUTION: Accept Best Practices as a Work Item, based on previous
work
bal: need to consider best practices for new specs
<bal> and whether some of these turn into a processing model for
applications verifying sigs
RESOLUTION: Pratik to continue editing best practices document
konrad: does best practice require implementation experience?
hal: should be sure it works
<scribe> ACTION: fjh to update wg page to include issues link [recorded
in [52]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action12]
<trackbot> Created ACTION-10 - Update wg page to include issues link
[on Frederick Hirsch - due 2008-07-23].
bruce: put non-normative info in back of spec, could have best
practices there as well
Errata
tlr: process, once approved add to errata document, but non-normative
until new edition published
... decide on update of REC when appropriate, enough docs
... not update REC or red-line at this time
<fjh> WG should review the errata and we will decide whether to approve
on next call
<fjh> document section link
[53]http://www.w3.org/TR/xml-c14n11/#Example-DocSubsetsXMLAttrs
<fjh> issue link
[54]http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Jun/0021.html
<klanz2> [55]http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec-102
<klanz2> [56]http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec2-102
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0000.html
3. http://www.w3.org/2008/07/16-xmlsec-irc
4. http://www.w3.org/2008/07/16-xmlsec-minutes.html#agenda
5. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item001
6. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item002
7. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item003
8. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item01
9. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item02
10. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item03
11. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item04
12. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item05
13. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item06
14. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item07
15. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item08
16. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item09
17. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item10
18. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item11
19. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item12
20. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item13
21. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item14
22. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item15
23. http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
24. http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
25. http://tinyurl.com/find-minutes-approved
26. http://tinyurl.com/find-minutes-draft
27. http://www.w3.org/2002/09/wbs/42458/xmlsec2008telco/
28. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action01
29. http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0006.html
30. http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0007.html
31. http://www.w3.org/2008/xmlsec/track/actions/27
32. http://www.w3.org/2008/xmlsec/w3c101#%281%29
33. http://www.w3.org/2008/xmlsec/track/actions/1
34. http://www.w3.org/2005/10/Process-20051014/policies.html#coi
35. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action06
36. http://www.w3.org/2001/11/StdLiaison#OASIS
37. http://www.w3.org/2006/WSC/track/issues/200
38. http://www.w3.org/2002/ws/policy/#issues
39. http://www.w3.org/2008/xmlsec/track/issues/2/edit
40. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action07
41. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action08
42. http://www.w3.org/2008/xmlsec/f2f-2008-07-16/rqmts/2008-07-12-xmlsec-rqmts.ppt
43. http://www.w3.org/2006/06/XML/xsl.html
44. http://www.w3.org/TR/xmldsig-requirements
45. http://www.w3.org/2008/xmlsec/f2f-2008-07-16/XML-Encryption-Derived-Keys/
46. http://www.oasis-open.org/specs/index.php#wssecconv1.3
47. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action09
48. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action10
49. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action11
50. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
51. http://www.w3.org/TR/xmldsig-core/#sec-Secure
52. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action12
53. http://www.w3.org/TR/xml-c14n11/#Example-DocSubsetsXMLAttrs
54. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Jun/0021.html
55. http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec-102
56. http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec2-102
Received on Tuesday, 12 August 2008 14:14:16 UTC