W3C

XML Security Working Group Teleconference

26 Oct 2010

Agenda

See also: IRC log

Attendees

Present
Cynthia_Martin, Frederick, Hirsch, Gerald_Edgar, Shivaram_Mysore, Meiko_Jensen, Pratik_Datta, Bruce_Rich, Scott_Cantor, Magnus_Nystrom, Thomas_Roessler
Regrets
Chris_Solc, Sean_Mullan
Chair
Frederick Hirsch
Scribe
cynthia


<trackbot> Date: 26 October 2010

<fjh> ScribeNick: cynthia

Administrative

Reminder - F2F next week in conjunction with TPAC, 1-2 November. http://lists.w3.org/Archives/Member/member-xmlsec/2010Oct/0001.html

<fjh> Reminder - F2F next week in conjunction with TPAC, 1-2 November.

<fjh> DST discrepancy if dialing in - http://lists.w3.org/Archives/Member/member-xmlsec/2010Oct/0001.html

<fjh> No teleconference 9 November, next teleconference 16 November.

TPAC Schedule: http://www.w3.org/2010/11/TPAC/Schedule.html#MonGroups

Daylight Saving Time ends in Europe one week earlier than in US: http://lists.w3.org/Archives/Member/member-xmlsec/2010Oct/0001.html

<fjh> add to agenda, performance, elliptic curve

fjh: Add 2 agenda items, Performance of C14N
... Will meet F2F Monday and Tuesday of next week Nov 1-2
... Will review F2F agenda next

Minutes Approval

http://www.w3.org/2010/10/19-xmlsec-minutes.html

RESOLUTION: Minutes from 19 October 2010 approved

Performance of C14N

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010Oct/0038.html

fjh: Information sent on list by mjensen

mjensen: Used Ruby approach with streaming implementation for v1.1
... Ruby implementation is streaming, to show that streaming is superior to non-streaming, see the impact of streaming technology
... It's somewhat like a worst-case scenario

fjh: Could be even better with an optimized implementation, any issues with new parameters?

mjensen: No, not especially, example has a huge number of attributes, so the streaming part did have an issue with huge number of attributes, could be improved by code

fjh: What's next, are they going to do more?

mjensen: This is about finished, the student will not be doing the full DSIG v2.0 implementation, would like to continue this work

fjh: Anything else to add?

mjensen: Implementation may be available for interoperability testing, try to make it available

fjh: Would be helpful to get the implementation, having it available would be helpful, what to do next?

<tlr> but no, any particular suggestion

fjh: Will check with tlr

tlr: No input, the more implementations the better, if it can be made available, it would be great
... Putting it on uni site and linking from W3C would be fine

mjensen: can put it on our site and possibly on sourceforge, hope it is not dying with the student leaving the work

pdatta: Any xpath implementation with this?

mjensen: No, we froze this, did not do the selection part for now

fjh: People on the call look at the paper

Elliptic Curve

fjh: IETF ID compatible signatures to ECDSA
... Do we have a PAG or not? It is clear in the group not to drop ECDSA
... What if we reference the IETF ID, should we pursue this, change the documents and the reference and name of algorithm

I would like to pursue a possible change

magnus: This is exactly what Brian and I have been talking about, could be a way forward

fjh: Could reference this and maybe be clear

tlr: Was going to say something similar, have not analyzed the authors' claim
... The IETF ID has disclosures from RIM against it, with patents released recently, looking at the ID is a good idea and looking at the IPR situation is a good idea
... There is a disclosure on the table that people could work with, few obvious questions to the authors and other conversations

<brich> can we have a link to this IETF possibility?

<tlr> http://tools.ietf.org/html/draft-mcgrew-fundamental-ecc-03

fjh: The IETF ID status, would it progress to a useful state, dependence of this ID to progress

scantor: Someone at the IETF could look into it

<tlr> https://datatracker.ietf.org/ipr/search/?option=document_search&document_search=draft-mcgrew-fundamental-ecc

fjh: This is a way forward, could be helpful, some revision of our draft, could have an effect on what is included

scantor: Could leave the spec the same, just change the implementations, the W3C would reference the IETF ID, would be provocative
... The IETF author is telling people they may be wrong, politics

fjh: Is there any way to bring this IETF ID to your company internally for an opinion?

<scantor> note that I wasn't saying provocative = bad

brich: I could, this would be provocative, potential for legal action would move to other actions
... Implementation point of view, flexibility of choosing a draft/spec to implement to as an option, making life more difficult

<scantor> he and Brian believe their implementation would need no changes were we to reference the I-D

fjh: What Magnus is saying I believe is that this is reducing the risk, there is no risk free solution, the patents are a way to implement

brich: Input from legal folks based on the technical input of the group

fjh: want the work to go forward and get unstuck

F2F Agenda review

http://lists.w3.org/Archives/Public/public-xmlsec/2010Oct/0036.html

fjh: Not everyone is going to be at the F2F, want to go through the v2.0 stuff and see if we want to go to last call

Agenda Item 3) XML Security 2.0 Last Call Readiness review, Ready to publish Last Call of 2.0 documents? Review actions, issues and next steps required.

<scantor> I can't dial-in, unfortunately

fjh: Not a lot of requests to dial in

I may be able to dial in

fjh: Not sure how much we can do on EC at the F2F

tlr: Come back with the question at the end of the week

fjh: Would be helpful to have a brief conversation on this
... Will make adjustments as we go
... Actions on v2.0 specifications still to go

Agenda Item 5) Roadmap review

Agenda Item 6) Elliptic Curve/PAG next steps

Agenda Item 7) Readiness of 1.1 for Candidate Rec http://www.w3.org/2008/xmlsec/wiki/Roadmap

fjh: Most of the day in Europe is a bad day here in the US, what would be a good time to dial in

mjensen: Daylight saving time, what are the times

fjh: We could do the detail in the morning and summary in the afternoon
... Need to go through the timezone changes, meeting is scheduled until 6 PM, 10 hours from the west coast

mjensen: Would be 1 PM in France and 8 AM in East coast, 6 AM on west coast

That schedule would work for me

fjh: We need to talk about test plans for v1.0 and v2.0, may have to drop some things if we don't know what to do with them
... leaving off elliptic curve, may not have time, may end at noon on Tuesday Nov 2, concentrate on interop and test cases

tlr: Go through the list of CRs, list is finite, may need to go to second last call depending on the changes made
... Look through the major edits to determine if we need to do a second last call, need to do interop testing for new features

fjh: Suggest making that decision of a last call of v1.1. at the F2F, any problem with that
... Still need to do the interop, concerned with some of the things in signature properties, not sure what is covered in testing

<tlr> yup. I owe examples for Encryption.

fjh: goal for actions and issues is to get through them, may affect F2F

<fjh> roadmap http://www.w3.org/2008/xmlsec/wiki/Roadmap

<fjh> CR Fall 2010

<fjh> XML Signature 1.1

<fjh> XML Signature Properties

<fjh> XML Encryption 1.1

<fjh> XML Security Generic Hybrid Ciphers

fjh: Not sure how we can leverage other WG work for this

<fjh> Last Call, Fall 2010

<fjh> Canonical XML 2.0

<fjh> XML Signature 2.0

<fjh> Streamable XPath Profile

<fjh> CR, 4Q 2010/1Q 2011

<tlr> correct

fjh: v2.0 is ok, issues with v1.1 because of elliptic curve issues
... Make a decision of what is going forward and remove what is not going forward

<fjh> we need to decide in advance of CR what will come out of the specs because it won't go forward, then estimate what might be at risk that we think should be in

<tlr> ack

fjh: Need help from Thomas to go to CR

<fjh> http://www.w3.org/2008/xmlsec/wiki/PublicationStatus

fjh: Can we talk about interop now?

Yes, please

<fjh> http://www.w3.org/2008/xmlsec/wiki/Implementations

fjh: Need to figure out how we are going to do this

Interop

<fjh> http://www.w3.org/2008/xmlsec/wiki/Interop

fjh: Where are we on interop, pdatta?

pdatta: We had interop with MS and Oracle for signature, we didn't do encryption at all

fjh: This does not show up on the interop page

scantor: Yes, we have not tested with that key, verified the test vectors, no new coverage

fjh: We have to do something with encryption, Magnus generated test cases for keys

magnus: test cases for hybrid cyphers, will look into that

fjh: need to know what additional tests have been run

magnus: Send an email with what you are looking for

<fjh> ACTION: fjh to send magnus email re running additional test cases, including ghc [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-681 - Send magnus email re running additional test cases, including ghc [on Frederick Hirsch - due 2010-11-02].

fjh: Need to see what MS is doing for encryption and hybrid cypher testing, starting point, who else is in a position to do this

pdatta: yes we are in a position for interop (encryption)

fjh: This gives us 2 implementations for encryption, not sure that we have to do back testing

tlr: Good question, may be good to run the old tests

I agree, we should run the old tests but a sub-set

fjh: Limited resources for this

tlr: Good to run the old tests, argument either way

<tlr> understood

fjh: Complexity in the text, many options, don't want to dig a hole and go backwards, not complete coverage of everything, we may not have the resources to run everything

<fjh> ACTION: fjh to review Signature Properties testing [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action02]

<trackbot> Created ACTION-682 - Review Signature Properties testing [on Frederick Hirsch - due 2010-11-02].

<fjh> suggest limit testing to new features, due to quantity and complexity of older material

pdatta: don't want to run those v.1.1 cases again, no reason for doing those things, concentrate on the new items in v1.1

fjh: Elliptic curve testing, key and key exchange, need to test this

<fjh> task at F2F is to summarize interop testing needed and status

fjh: Don't want to get into testing xpath now, discuss at F2F

Can we get the new use cases and keys on the Interop web site?

brich: More resources next year, trying to do some things and run into issues, need to talk to Magnus on derived key case

Magnus: need to look at it, the plain text case did not look right

fjh: Share it on the list so we all know what's going on
... F2F Agenda, morning agenda is ok for now, interop for v1.1. and 2.0 after lunch, day 2 in the morning is CR prep for v1.1 to make sure we have everything right, possible elliptic curve discussion
... Do you think 1 1/2 days is enough for the F2F, does it add anything?

tlr: Will not necessarily be there on the 2nd day in the afternoon

fjh: virtual interop and do as much on the list as possible
... Reiterate F2F agenda, start at 0830, guest introductions
... We want to deliver some performance numbers in the work, thought Pratik and Meiko would do that

pdatta: We would have a more concrete form of numbers, would be available to everyone in the group

fjh: Will not need 4 hours for this, could add this to the Tuesday morning agenda
... Thomas, send CR requirements
... anything else we need to talk about now that is not on the agenda?

Action Item review

fjh: Pratik, lots of actions that need to be reviewed

pdatta, action 659

<fjh> ACTION-659?

<trackbot> ACTION-659 -- Pratik Datta to review newTransformModel URI and does URI need correct? http://www.w3.org/2010/xmldsig2#newTransformModel in Signature 2.0 -- due 2010-09-14 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/659

pdatta: Not sure we discussed this at the last meeting

fjh: No we didn't

<fjh> ACTION: fjh to review newTransformModel URI, ACTION-659 [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action03]

<trackbot> Created ACTION-683 - Review newTransformModel URI, ACTION-659 [on Frederick Hirsch - due 2010-11-02].

fjh: Will look at this off line, not now
... Not sure what happened with magic signatures

<fjh> ACTION-638?

<trackbot> ACTION-638 -- Scott Cantor to make proposal for ISSUE-210, see also http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0043.html (uncomplicate section) -- due 2010-08-31 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/638

My action is done, but we were going to work with the magic signatures POC to clarify their claim

<fjh> ISSUE-210?

<trackbot> ISSUE-210 -- Restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/210

fjh: When can you look at this, before F2F

scantor: Will not have time before F2F

fjh: May want to try to get to last call at F2F, just a few things to close

scantor: The spec is hard to follow, section is still too long

<fjh> scantor: need to make spec easier to follow, delineate compatibility material from new material

fjh: may need to restructure?

scantor: Yes

fjh: Can this be done after next week if we don't go to last call, what is the time frame for this, want to go to last call (possibly later in Nov)

<fjh> ACTION-660?

<trackbot> ACTION-660 -- Scott Cantor to propose changes to C14N2 to support enveloped signature -- due 2010-09-14 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/660

fjh: Thought we had a resolution for this

<fjh> ACTION-661?

<trackbot> ACTION-661 -- Pratik Datta to summarize issue related to use of ID without DTD for discussion and resolution -- due 2010-09-14 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/661

pdatta: Yes, not forcing people to support multiple ID

fjh: Put this in the text then

pdatta: Yes

<fjh> scantor: make xml:id a should

<fjh> +1

scantor: By making it a should, may make the vendors implement

pdatta: Will make the change in the document

<fjh> ACTION-674?

<trackbot> ACTION-674 -- Scott Cantor to update 1.1 with change for X509SerialNumber -- due 2010-10-05 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/674

Issues

<fjh> ISSUE-170?

<trackbot> ISSUE-170 -- Should we recomend signing namespaces as part of Best Practice 12 (dependency on ACTION-538) -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/170

<fjh> i need to review this one, thought it was done

fjh: Thought we had added something to best practices

<fjh> ISSUE-159?

<trackbot> ISSUE-159 -- Address/document potential security issues due to mismatch of security and application processing, including wrapping attacks -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/159

fjh: what happened to all the wrapping attack work?

<fjh> ACTION-538?

<trackbot> ACTION-538 -- Meiko Jensen to provide proposal related to namespace wrapping attacks once XPath profile available -- due 2010-03-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/538

Meiko: have not checked all the latest mail, we keep putting it on the list, if we keep the spec as is, we will be vulnerable
... Not much feedback on the list, could discuss this at the F2F, will be there

fjh: Add this to the agenda, after lunch

<fjh> ISSUE-43?

<trackbot> ISSUE-43 -- Improvements to XML Signature schema -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/43

fjh: Improvements to XML schema?

<fjh> "remaining action is for mixed content"

scantor: Mixed content may be issue, need to be compatible

<fjh> ACTION: scantor to propose text related to mixed content for ISSUE-43 [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action04]

<trackbot> Created ACTION-684 - Propose text related to mixed content for ISSUE-43 [on Scott Cantor - due 2010-11-02].

<fjh> ISSUE-201?

<trackbot> ISSUE-201 -- C14N 2.0 handling of DTD-related and Schema-related behaviors -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/201

<fjh> ISSUE-203?

<trackbot> ISSUE-203 -- How to tag id-ness of attributes when schema isn't parsed -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/203

<fjh> ACTION-580?

<trackbot> ACTION-580 -- Pratik Datta to review c14n 2.0 for parsing-related options; propose removal (or add octet-stream processing to 2.0) -- due 2010-06-01 -- CLOSED

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/580

<fjh> ISSUE-201: questions regarding entity expansion

<trackbot> ISSUE-201 C14N 2.0 handling of DTD-related and Schema-related behaviors notes added

scantor: Not sure where we ended up on the capatibility issues, during parsing
... May add best practice text, can't do a whole lot in the normative text

<fjh> ISSUE-201: added best practice, http://www.w3.org/2008/xmlsec/Drafts/best-practices/Overview.html#external-unparsed-entities , Best Practice 21: Do not transmit unparsed external entity references.

<trackbot> ISSUE-201 C14N 2.0 handling of DTD-related and Schema-related behaviors notes added

<fjh> ISSUE-201 closed

<trackbot> ISSUE-201 C14N 2.0 handling of DTD-related and Schema-related behaviors closed

<fjh> ISSUE-140?

<trackbot> ISSUE-140 -- Clarify how XPath is interpreted relative to entire document and ds:Reference -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/140

<fjh> ISSUE-138?

<trackbot> ISSUE-138 -- What interoperability and security issues arise out of schema validation behavior? -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/138

<fjh> ISSUE-138 closed

<trackbot> ISSUE-138 What interoperability and security issues arise out of schema validation behavior? closed

fjh: Should close this at this point

<fjh> ISSUE-199?

<trackbot> ISSUE-199 -- Move appendix A and example type material to separate examples document from C14N2 -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/199

<fjh> probably not helpful to change this, suggest closing with no action.

<fjh> ISSUE-199 closed

<trackbot> ISSUE-199 Move appendix A and example type material to separate examples document from C14N2 closed

<fjh> ISSUE-198?

<trackbot> ISSUE-198 -- How to determine if arbitrary text content contains prefixes? Might need to do a lot of searching because text content can be large -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/198

pdatta: This is for xpath

<fjh> ISSUE-206?

<trackbot> ISSUE-206 -- For c14n20 profile - clarify that conformance implies support, but also changes to xml or what must be explicitly specified -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/206

<fjh> ISSUE-217?

<trackbot> ISSUE-217 -- XML Signature 2.0 needs 2.0 mode examples, e.g. , verification, selection etc. -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/217

mjensen: sent it to the list, but it didn't make it into the spec

<fjh> ISSUE-217: Meiko created examples, shared on list, but have not been added to spec

<trackbot> ISSUE-217 XML Signature 2.0 needs 2.0 mode examples, e.g. , verification, selection etc. notes added

fjh: need help with the editing before next week

<fjh> mjensen: 10 Sept mail from Meiko, for examples

mjensen: Email was sent on Sept 10, examples

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html

pdatta: Looking through the text to see if the examples are there

<fjh> ISSUE-217: http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html

<trackbot> ISSUE-217 XML Signature 2.0 needs 2.0 mode examples, e.g. , verification, selection etc. notes added

mjensen: Did the examples by hand, not an implementation, may need some re-engineering

pdatta: Would be good if there was a working example of this

<fjh> ACTION: gerald to review 2.0 examples from meiko, http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action05]

<trackbot> Created ACTION-685 - Review 2.0 examples from meiko, http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html [on Gerald Edgar - due 2010-11-02].

<fjh> ISSUE-211?

<trackbot> ISSUE-211 -- Stand alone version of Streaming XPath Profile versus diff, http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/211

<Gerald-E> Gerald-E - case sensitive

fjh: what do we want to use for last call

<fjh> ISSUE-213?

<trackbot> ISSUE-213 -- XML Signature 2.0 needs precise definitions of Included/ExcludedXPath elements -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/213

agreed

fjh: Time to end the call
... If the actions can be closed this week, that would be good, before the F2F

I will be trying to call in at 0800 AM east coast time

<fjh> If you plan to dial in to the F2F please let us know on the chat first.

Summary of Action Items

[NEW] ACTION: fjh to review newTransformModel URI, ACTION-659 [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action03]
[NEW] ACTION: fjh to review Signature Properties testing [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action02]
[NEW] ACTION: fjh to send magnus email re running additional test cases, including ghc [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action01]
[NEW] ACTION: gerald to review 2.0 examples from meiko, http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action05]
[NEW] ACTION: scantor to propose text related to mixed content for ISSUE-43 [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action04]
 
[End of minutes]
