W3C

XML Security Working Group Teleconference

16 Nov 2010

Agenda

See also: IRC log

Attendees

Present
Frederick_Hirsch, Cynthia_Martin, Chris_Solc, Scott_Cantor, Meiko_Jensen, Pratik_Datta, Hal_Lockhart, Gerald_Edgar, Magnus_Nystrom
Regrets
Brian_LaMacchia, Ed_Simon, Sean_Mullan, Shivaram_Mysore, Bruce_Rich
Chair
Frederick_Hirsch
Scribe
Gerald-E

Contents


<trackbot> Date: 16 November 2010

Administrative

<scribe> Scribe: Gerald-E

fjh: at the face to face there were a number of topics covered, with a focus on 2.0
... we met with the xslt and xquery groups, general support for our XPath profile after we clarified the difference in requirements
... details are in the minutes and Pratik's email on the C14N2 changes

<fjh> If you attended this year's TPAC meeting, the W3C created a related survey for your feedback: http://www.w3.org/2002/09/wbs/35125/tpac2010-feedback/

<fjh> for c14n2 changes, http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0006.html

fjh: this is important to review

<fjh> 2011 1H publishing moratorium 13-18 May, http://lists.w3.org/Archives/Member/member-xmlsec/2010Nov/0003.html

<fjh> Change to draft minute publishing, http://lists.w3.org/Archives/Member/member-xmlsec/2010Nov/0025.html

fjh: there is a change to publishing minutes to speed the process.

Minutes approval

<fjh> Approve F2F minutes, 1-2 November 2010

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/att-0015/minutes-2010-11-01.html

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/att-0015/minutes-2010-11-02.html

fjh: there are no substantive changes since yesterday

RESOLUTION: November 1-2 F2F minutes approved.

XML Signature 1.1 Last Call

<fjh> proposed RESOLUTION: The XML Security WG agrees to bring XML Signature 1.1 to an additional three week Last Call for the added X509Digest element, deprecation of the X509IssuerSerial element, and change of attribute from URN to URI in ECKeyValue section 4.5.2.3. This Last Call will begin 18 November 2010 and end 9 December 2010.

fjh: proposal to extend last call for 3 weeks, this week Thursday until December 9

RESOLUTION: The XML Security WG agrees to bring XML Signature 1.1 to an additional three week Last Call for the added X509Digest element, deprecation of the X509IssuerSerial element, and change of attribute from URN to URI in ECKeyValue section 4.5.2.3. This Last Call will begin 18 November 2010 and end 9 December 2010.

<fjh> Updated XML Signature 1.1 explain document, http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0013.html

<tlr> yes

<fjh> ACTION-719?

<trackbot> ACTION-719 -- Thomas Roessler to prepare for additional XML Signature 1.1 Last Call starting 9 November and ending 30 November 2010 -- due 2010-11-16 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/719

XML Encryption 1.1

fjh: we need to do another last call

<fjh> updated for EXI , http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0005.html

<fjh> ACTION-721?

<trackbot> ACTION-721 -- Thomas Roessler to review proposal for change to XML Encryption in response to EXI comment, http://lists.w3.org/Archives/Public/public-xmlsec/2010Oct/0045.html -- due 2010-11-16 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/721

<fjh> ACTION-697?

<trackbot> ACTION-697 -- Magnus Nystrom to update PBKDF2 for SHA2 URI -- due 2010-11-08 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/697

<fjh> proposed RESOLUTION: The XML Security WG agrees to bring XML Encryption 1.1 to an additional three week Last Call for the changed PBKDF2 schema (removed default from PRFAlgorithmIdentifierType), added recommendation to use HMAC-SHA256 with PBKDF2 instead of HMAC-SHA1, updated text regarding use of Type and MimeType with EXI, and corrections based on previous Last Call comments (LC-2420 and LC-2386). This Last Call will begin 18 November 2010 and end 9 December 2

<tlr> works for me

RESOLUTION: The XML Security WG agrees to bring XML Encryption 1.1 to an additional three week Last Call for the changed PBKDF2 schema (removed default from PRFAlgorithmIdentifierType), added recommendation to use HMAC-SHA256 with PBKDF2 instead of HMAC-SHA1, updated text regarding use of Type and MimeType with EXI, and corrections based on previous Last Call comments (LC-2420 and LC-2386). This Last Call will begin 18 November 2010 and end 9 December 2010

<fjh> exi last call comment tracking, http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0062.html

fjh: some concern with EXI

<fjh> ACTION: fjh to complete last call comment processing for exi, http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0062.html [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-726 - Complete last call comment processing for exi, http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0062.html [on Frederick Hirsch - due 2010-11-23].

fjh: about encryption - a discussion about the initialization vector and the offset for the initial data

<fjh> ACTION: magnus to share updated PBKDF2 and concatkdf test cases to list [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action02]

<trackbot> Created ACTION-727 - Share updated PBKDF2 and concatkdf test cases to list [on Magnus Nystrom - due 2010-11-23].

<fjh> Updated XML Encryption explain document, http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0013.html

c14n 2.0

<fjh> Summary of changes decided at F2F: http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0006.html

<fjh> ACTION-712?

<trackbot> ACTION-712 -- Pratik Datta to xPathAware child element of QNameAware to C14n2 -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/712

<fjh> ACTION-715?

<trackbot> ACTION-715 -- Pratik Datta to add content on scanning algorithm (augment to remove duplicates), and information on where to emit the namespace declaration -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/715

<fjh> Call for Consensus on removal of digest prefix rewriting in C14N2

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0004.html

<fjh> proposed RESOLUTION: remove digest based prefix rewriting from C14N2

fjh: to remove the digent prefix rewriting but we do not want to make a decision without the working group being aware.

RESOLUTION: remove digest based prefix rewriting from C14N2

fjh: he does not have anything more to say, the information is in the minutes of the face to face.

XPath Profile

<fjh> ACTION-686?

<trackbot> ACTION-686 -- Pratik Datta to add sections on top-level expressions and predicate to XPath profile -- due 2010-11-08 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/686

<fjh> ACTION-691?

<trackbot> ACTION-691 -- Pratik Datta to add security considerations section to xpath profile -- due 2010-11-08 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/691

fjh: there are two sets of actions

<fjh> ACTION-687?

<trackbot> ACTION-687 -- Meiko Jensen to produce top level grammar for XPath profile -- due 2010-11-08 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/687

<fjh> ACTION-688?

<trackbot> ACTION-688 -- Meiko Jensen to add id function at XPath top level -- due 2010-11-08 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/688

<fjh> ACTION-690?

<trackbot> ACTION-690 -- Meiko Jensen to make explicit in grammar difference of included and excluded xpath, - ExcludedXpath can select attributes and element, whereas IncludedXPath can only select elements -- due 2010-11-08 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/690

<fjh> ACTION-689?

<trackbot> ACTION-689 -- Pratik Datta to limit to xpath profile during xml signature 2.0 generation in 2.0 mode -- due 2010-11-08 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/689

<fjh> ACTION-723?

<trackbot> ACTION-723 -- Pratik Datta to incorporate changes to XPath profile based on joint xslt/xquery F2F meeting, http://lists.w3.org/Archives/Member/member-xmlsec/2010Nov/att-0000/minutes-2010-11-01.html#item07 -- due 2010-11-19 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/723

Pratik: we need to define our streaming profile.
... the path is not known in advance. we need to evaluate XPath in context.
... briefly summarized differences between XPath and XSLT
... how to define the profile using a dataflow graph

<pdatta> http://www.w3.org/TR/xslt-21/#expr-tree-choices

Pratik: what is streamable is based on thie dataflow graph
... our streaming is based on syntax

<pdatta> http://www.w3.org/TR/xslt-21/#streamability-conditions

theirs is done by dataflow graph

<fjh> see 18.4.5, streamability conditions

<fjh> ACTION: pdatta to send summary of differences of xslt and xml security streamability and XPath profiling to list [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action03]

<trackbot> Created ACTION-728 - Send summary of differences of xslt and xml security streamability and XPath profiling to list [on Pratik Datta - due 2010-11-23].

Pratik: they said that we sould use dataflow based and not syntax based

<fjh> pdatta noted stream processing model and data flow graph versus syntax approach, as well as some minor feedback

Pratik: we have to make some things more precise. there are several ways to express the same thing.
... we have to fix some things in our definition.
... we will not go with the dataflow model, since it is more difficult to understand.

fjh: we need to make ours understandable and usable

<Cynthia> I believe it would make it more difficult to perform interop testing and develop those test cases also

C14n 2.0 revisited

<pdatta> http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0006.html

Pratik: Exclusive c14n is the way to go

<fjh> pdatta notes new 2.0 features obviate the need to inclusive c14n

<fjh> I spoke with Norm and no concern about using exclusive

Pratik: with the new changes, there is no need to use inclusive.
... we are removing the XML ansestors requirement.
... for EXI we have to use the new c14n
... the default value for trimtext nodes is no

<scantor> I think QName awareness needs to be MTI if you take out inclusive processing

fjh: we discussed XML base at the face to face.
... we will produce the last call draft, and receive input, but if the groups are not paying attention we may not get the needed input.

<fjh> ISSUE: for canonical xml 2.0 is eliminating inclusive c14n an issue for xml:base etc (which use cases are impacted), and should QName aware be mandatory

<trackbot> Created ISSUE-218 - For canonical xml 2.0 is eliminating inclusive c14n an issue for xml:base etc (which use cases are impacted), and should QName aware be mandatory ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/218/edit .

scantor: He is raising the issue of making QName aware as optional.

<fjh> ISSUE=218: WG aware of major use case for web services and for signing tokens, not aware of use cases involving xml:base and xml signature

scantor: we need notes in the document to call attention to what we are taking out.

<fjh> ACTION: pdatta to highlight potential issue with non-support for xml:base through removal of inclusive in xml signature and c14n2 drafts [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action04]

<trackbot> Created ACTION-729 - Highlight potential issue with non-support for xml:base through removal of inclusive in xml signature and c14n2 drafts [on Pratik Datta - due 2010-11-23].

tlr: we are being transparent in our activity, this is enough for the process. he is not sure what "really" breaks. we need to define a case where it actually breaks.

fjh: we should go forward on the change.

<fjh> proposed RESOLUTION: make QNameAware mandatory in C14N2

RESOLUTION: Make the QNameAware parameter as mandatory in C14N2.

Signature 2.0

<fjh> ACTION-706?

<trackbot> ACTION-706 -- Scott Cantor to propose definition section text for Included/ExcludedXPath elements for XML Signature 2.0 -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/706

<fjh> ACTION-707?

<trackbot> ACTION-707 -- Pratik Datta to remove EnvelopedSignature from section 6.7.1, http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-Type-xml -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/707

<fjh> ACTION-708?

<trackbot> ACTION-708 -- Pratik Datta to fix typo in XML Signature 2.0 in DigestDataLength description purpose c) -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/708

<fjh> ACTION-709?

<trackbot> ACTION-709 -- Pratik Datta to incorporate Meiko's examples in the document - ISSUE-217 -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/709

<fjh> ACTION-710?

<trackbot> ACTION-710 -- Pratik Datta to add reference to XPath profile in the XML Signature 2.0 doc -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/710

<fjh> ACTION-711?

<trackbot> ACTION-711 -- Meiko Jensen to add QnameAware elements and IDAttributes element to the examples (or check whether they're in and correct) -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/711

<fjh> ACTION-713?

<trackbot> ACTION-713 -- Bruce Rich to review XML Signature 2.0 requirements, http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs2/Overview.html -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/713

<fjh> pdatta notes will limit to XPath profile in 2.0 mode of Signature 2.0

<fjh> Will need clarity in draft on this requirement

XML id

scott: there is some question of where ID shows up

<mjensen> XPaths can be either location-paths or (solely) the id() function

<mjensen> so a combination (using id() function within any other XPath) is not allowed

<fjh> pdatta, enabling compatibility with XPath 1.0 processor, not defining what is an id, up to implementation to know

Wrapping attacks review

<fjh> mjensen notes signature wrapping remains, some reduced with prefix scanning, pragmatic compromise in 2.0

<fjh> ACTION-716?

<trackbot> ACTION-716 -- Meiko Jensen to propose text for xpath and best practices -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/716

mjensen: summary of current inquiries about signature threats. We are advising people about vulnerabilities and mitigations

<fjh> ACTION-716: to protect against wrapping attacks as best as possible

<trackbot> ACTION-716 Propose text for xpath and best practices notes added

performance testing and interop

<fjh> ACTION-717?

<trackbot> ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/717

<fjh> ACTION-718?

<trackbot> ACTION-718 -- Frederick Hirsch to create performance data draft -- due 2010-11-09 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/718

fjh: created a template draft.
... Magnus and Bruce have been working on this.

Exclusive c14n

fjh: concern about use of undefined prefixes in prefix list

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0010.html

<fjh> seems reasonable to ignore prefixes that are not specified

Scott: talking about prefix lists, he thinks the spec is clear about treating prefixes that are listed but not defined

<fjh> ACTION: tlr to check if 1.0 comment list for xml signature is forward to our active errata list [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action05]

<trackbot> Created ACTION-730 - Check if 1.0 comment list for xml signature is forward to our active errata list [on Thomas Roessler - due 2010-11-23].

<mjensen> +1 on ignore

<fjh> proposed RESOLUTION: no change needed to exclusive c14n, unknown prefix need not be processed as would have no impact according to algorithm

RESOLUTION: no change needed to exclusive c14n, unknown prefix need not be processed as would have no impact according to algorithm

<fjh> ACTION: fjh to respond to Sampo re http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0010.html [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action06]

<trackbot> Created ACTION-731 - Respond to Sampo re http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0010.html [on Frederick Hirsch - due 2010-11-23].

fjh: there is no call next week, the next call is 30 November 2010

<fjh> http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html

fjh: please take time to do actions before December

Summary of Action Items

[NEW] ACTION: fjh to complete last call comment processing for exi, http://lists.w3.org/Archives/Public/public-xmlsec/2010May/0062.html [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action01]
[NEW] ACTION: fjh to respond to Sampo re http://lists.w3.org/Archives/Public/public-xmlsec/2010Nov/0010.html [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action06]
[NEW] ACTION: magnus to share updated PBKDF2 and concatkdf test cases to list [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action02]
[NEW] ACTION: pdatta to highlight potential issue with non-support for xml:base through removal of inclusive in xml signature and c14n2 drafts [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action04]
[NEW] ACTION: pdatta to send summary of differences of xslt and xml security streamability and XPath profiling to list [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action03]
[NEW] ACTION: tlr to check if 1.0 comment list for xml signature is forward to our active errata list [recorded in http://www.w3.org/2010/11/16-xmlsec-minutes.html#action05]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2009-03-02 03:52:20 $