<trackbot> Date: 26 October 2010
<fjh> ScribeNick: cynthia
Reminder - F2F next week in conjunction with TPAC, 1-2 November. http://lists.w3.org/Archives/Member/member-xmlsec/2010Oct/0001.html
<fjh> Reminder - F2F next week in conjunction with TPAC, 1-2 November.
<fjh> DST discrepancy if dialing in - http://lists.w3.org/Archives/Member/member-xmlsec/2010Oct/0001.html
<fjh> No teleconference 9 November, next teleconference 16 November.
TPAC Schedule: http://www.w3.org/2010/11/TPAC/Schedule.html#MonGroups
Daylight Saving Time ends in Europe one week earlier than in US: http://lists.w3.org/Archives/Member/member-xmlsec/2010Oct/0001.html
<fjh> add to agenda, performance, elliptic curve
fjh: Add 2 agenda items, Performance of C14N
... Will meet F2F Monday and Tuesday of next week Nov 1-2
... Will review F2F agenda next
http://www.w3.org/2010/10/19-xmlsec-minutes.html
RESOLUTION: Minutes from 19 October 2010 approved
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010Oct/0038.html
fjh: Information sent on list by mjensen
mjensen: Used Ruby approach with streaming implementation for v1.1
... Ruby implementation is streaming, to show that streaming is superior to non-streaming, see the impact of streaming technology
... It's somewhat like a worst-case scenario
fjh: Could be even better with an optimized implementation, any issues with new parameters
mjensen: No, not especially, example has a huge number of attributes, so the streaming part did have an issue with huge number of attributes, could be improved by code
fjh: What's next, are they going to do more?
mjensen: This is about finished, the student will not be doing the full DSIG v2.0 implementation, would like to continue this work
fjh: Anything else to add?
mjensen: Implementation may be available for interoperability testing, try to make it available
fjh: Would be helpful to get the implementation, having it available would be helpful, what to do next?
<tlr> but no, any particular suggestion
fjh: Will check with tlr
tlr: No input, the more implementations the better, if it can be made available, it would be great
... Putting it on uni site and linking from W3C would be fine
mjensen: can put it on our site and possibly on sourceforge, hope it is not dying with the student leaving the work
pdatta: Any xpath implementation with this?
mjensen: No, we froze this, did not do the selection part for now
fjh: People on the call look at the paper
fjh: IETF ID compatible signatures to ECDSA
... Do we have a PAG or not? It is clear in the group not to drop ECDSA
... What if we reference the IETF ID, should we pursue this, change the documents and the reference and name of algorithm
I would like to pursue a possible change
magnus: This is exactly what Brian and I have been talking about, could be a way forward
fjh: Could reference this and maybe be clear
tlr: Was going to say something similar, have not analyzed the authors claim
... The IETF ID has disclosures from RIM against it, with patents released recently, looking at the ID is a good idea and looking at the IPR situation is a good idea
... There is a disclosure on the table that people could work with, few obvious questions to the authors and other conversations
<brich> can we have a link to this IETF possibility?
<tlr> http://tools.ietf.org/html/draft-mcgrew-fundamental-ecc-03
fjh: The IETF ID status, would it progress to a useful state, dependence of this ID to progress
scantor: Someone at the IETF could look into it
fjh: This is a way forward, could be helpful, some revision of our draft, could have an effect on what is included
scantor: Could leave the spec the same, just change the implementations, the W3C would reference the IETF ID, would be provocative
... The IETF author is telling people they may be wrong, politics
fjh: Is there any way to bring this IETF ID to your company internally for an opinion
<scantor> note that I wasn't saying provocative = bad
brich: I could, this would be provocative, potential for legal action would move to other actions
... Implementation point of view, flexibility of choosing a draft/spec to implement to as an option, making life more difficult
<scantor> he and Brian believe their implementation would need no changes were we to reference the I-D
fjh: What Magnus is saying I believe is that this is reducing the risk, there is no risk free solution, the patents are a way to implement
brich: Input from legal folks based on the technical input of the group
fjh: want the work to go forward and get unstuck
http://lists.w3.org/Archives/Public/public-xmlsec/2010Oct/0036.html
fjh: Not everyone is going to be at the F2F, want to go through the v2.0 stuff and see if we want to go to last call
Agenda Item 3) XML Security 2.0 Last Call Readiness review, Ready to publish Last Call of 2.0 documents? Review actions, issues and next steps required.
<scantor> I can't dial-in, unfortunately
fjh: Not a lot of requests to dial in
I may be able to dial in
fjh: Not sure how much we can do on EC at the F2F
tlr: Come back with the question at the end of the week
fjh: Would be helpful to have a brief conversation on this
... Will make adjustments as we go
... Actions on v2.0 specifications still to go
Agenda Item 5) Roadmap review
Agenda Item 6) Elliptic Curve/PAG next steps
Agenda Item 7) Readiness of 1.1 for Candidate Rec http://www.w3.org/2008/xmlsec/wiki/Roadmap
fjh: Most of the day in Europe is a bad day here in the US, what would be a good time to dial in
mjensen: Daylight saving time, what are the times
fjh: We could do the detail in the morning and summary in the afternoon
... Need to go through the timezone changes, meeting is scheduled until 6 PM, 10 hours from the west coast
mjensen: Would be 1 PM in France and 8 AM in East coast, 6 AM on west coast
That schedule would work for me
fjh: We need to talk about test plans for v1.0 and v2.0, may have to drop some things if we don't know what to do with them
... leaving off elliptic curve, may not have time, may end at noon on Tuesday Nov 2, concentrate on interop and test cases
tlr: Go through the list of CRs, list is finite, may need to go to second last call depending on the changes made
... Look through the major edits to determine if we need to do a second last call, need to do interop testing for new features
fjh: Suggest making that decision of a last call of v1.1 at the F2F, any problem with that
... Still need to do the interop, concerned with some of the things in signature properties, not sure what is covered in testing
<tlr> yup. I owe examples for Encryption.
fjh: goal for actions and issues is to get through them, may affect F2F
<fjh> roadmap http://www.w3.org/2008/xmlsec/wiki/Roadmap
<fjh> CR Fall 2010
<fjh> XML Signature 1.1
<fjh> XML Signature Properties
<fjh> XML Encryption 1.1
<fjh> XML Security Generic Hybrid Ciphers
fjh: Not sure how we can leverage other WG work for this
<fjh> Last Call, Fall 2010
<fjh> Canonical XML 2.0
<fjh> XML Signature 2.0
<fjh> Streamable XPath Profile
<fjh> CR, 4Q 2010/1Q 2011
<tlr> correct
fjh: v2.0 is ok, issues with v1.1 because of elliptic curve issues
... Make a decision of what is going forward and remove what is not going forward
<fjh> we need to decide in advance of CR what will come out of the specs because it won't go forward, then estimate what might be at risk that we think should be in
<tlr> ack
fjh: Need help from Thomas to go to CR
<fjh> http://www.w3.org/2008/xmlsec/wiki/PublicationStatus
fjh: Can we talk about interop now?
Yes, please
<fjh> http://www.w3.org/2008/xmlsec/wiki/Implementations
fjh: Need to figure out how we are going to do this
<fjh> http://www.w3.org/2008/xmlsec/wiki/Interop
fjh: Where are we on interop, pdatta?
pdatta: We had interop with MS and Oracle for signature, we didn't do encryption at all
fjh: This does not show up on the interop page
scantor: Yes, we have not tested with that key, verified the test vectors, no new coverage
fjh: We have to do something with encryption, Magnus generated test cases for keys
magnus: test cases for hybrid cyphers, will look into that
fjh: need to know what additional tests have been run
magnus: Send an email with what you are looking for
<fjh> ACTION: fjh to send magnus email re running additional test cases, including ghc [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-681 - Send magnus email re running additional test cases, including ghc [on Frederick Hirsch - due 2010-11-02].
fjh: Need to see what MS is doing for encryption and hybrid cypher testing, starting point, who else is in a position to do this
pdatta: yes we are in a position for interop (encryption)
fjh: This gives us 2 implementations for encryption, not sure that we have to do back testing
tlr: Good question, may be good to run the old tests
I agree, we should run the old tests but a sub-set
fjh: Limited resources for this
tlr: Good to run the old tests, argument either way
<tlr> understood
fjh: Complexity in the text, many options, don't want to dig a hole and go backwards, not complete coverage of everything, we may not have the resources to run everything
<fjh> ACTION: fjh to review Signature Properties testing [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-682 - Review Signature Properties testing [on Frederick Hirsch - due 2010-11-02].
<fjh> suggest limit testing to new features, due to quantity and complexity of older material
pdatta: don't want to run those v.1.1 cases again, no reason for doing those things, concentrate on the new items in v1.1
fjh: Elliptic curve testing, key and key exchange, need to test this
<fjh> task at F2F is to summarize interop testing needed and status
fjh: Don't want to get into testing xpath now, discuss at F2F
Can we get the new use cases and keys on the Interop web site?
brich: More resources next year, trying to do some things and run into issues, need to talk to Magnus on derived key case
Magnus: need to look at it, the plain text case did not look right
fjh: Share it on the list so we all know what's going on
... F2F Agenda, morning agenda is ok for now, interop for v1.1 and 2.0 after lunch, day 2 in the morning is CR prep for v1.1 to make sure we have everything right, possible elliptic curve discussion
... Do you think 1 1/2 days is enough for the F2F, does it add anything?
tlr: Will not necessarily be there on the 2nd day in the afternoon
fjh: virtual interop and do as much on the list as possible
... Reiterate F2F agenda, start at 0830, guest introductions
... We want to deliver some performance numbers in the work, thought Pratik and Meiko would do that
pdatta: We would have a more concrete form of numbers, would be available to everyone in the group
fjh: Will not need 4 hours for this, could add this to the Tuesday morning agenda
... Thomas, send CR requirements
... anything else we need to talk about now that is not on the agenda?
fjh: Pratik, lots of actions that need to be reviewed
pdatta, action 659
<fjh> ACTION-659?
<trackbot> ACTION-659 -- Pratik Datta to review newTransformModel URI and does URI need correct? http://www.w3.org/2010/xmldsig2#newTransformModel in Signature 2.0 -- due 2010-09-14 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/659
pdatta: Not sure we discussed this at the last meeting
fjh: No we didn't
<fjh> ACTION: fjh to review newTransformModel URI, ACTION-659 [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-683 - Review newTransformModel URI, ACTION-659 [on Frederick Hirsch - due 2010-11-02].
fjh: Will look at this off line, not now
... Not sure what happened with magic signatures
<fjh> ACTION-638?
<trackbot> ACTION-638 -- Scott Cantor to make proposal for ISSUE-210, see also http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0043.html (uncomplicate section) -- due 2010-08-31 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/638
My action is done, but we were going to work with the magic signatures POC to clarify their claim
<fjh> ISSUE-210?
<trackbot> ISSUE-210 -- Restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/210
fjh: When can you look at this, before F2F
scantor: Will not have time before F2F
fjh: May want to try to get to last call at F2F, just a few things to close
scantor: The spec is hard to follow, section is still too long
<fjh> scantor: need to make spec easier to follow, delineate compatibility material from new material
fjh: may need to restructure?
scantor: Yes
fjh: Can this be done after next week if we don't go to last call, what is the time frame for this, want to go to last call (possibly later in Nov)
<fjh> ACTION-660?
<trackbot> ACTION-660 -- Scott Cantor to propose changes to C14N2 to support enveloped signature -- due 2010-09-14 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/660
fjh: Thought we had a resolution for this
<fjh> ACTION-661?
<trackbot> ACTION-661 -- Pratik Datta to summarize issue related to use of ID without DTD for discussion and resolution -- due 2010-09-14 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/661
pdatta: Yes, not forcing people to support multiple ID
fjh: Put this in the text then
pdatta: Yes
<fjh> scantor: make xml:id a should
<fjh> +1
scantor: By making it a should, may make the vendors implement
pdatta: Will make the change in the document
<fjh> ACTION-674?
<trackbot> ACTION-674 -- Scott Cantor to update 1.1 with change for X509SerialNumber -- due 2010-10-05 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/674
<fjh> ISSUE-170?
<trackbot> ISSUE-170 -- Should we recomend signing namespaces as part of Best Practice 12 (dependency on ACTION-538) -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/170
<fjh> i need to review this one, thought it was done
fjh: Thought we had added something to best practices
<fjh> ISSUE-159?
<trackbot> ISSUE-159 -- Address/document potential security issues due to mismatch of security and application processing, including wrapping attacks -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/159
fjh: what happened to all the wrapping attack work?
<fjh> ACTION-538?
<trackbot> ACTION-538 -- Meiko Jensen to provide proposal related to namespace wrapping attacks once XPath profile available -- due 2010-03-09 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/538
Meiko: have not checked all the latest mail, we keep putting it on the list, if we keep the spec as is, we will be vulnerable
... Not much feedback on the list, could discuss this at the F2F, will be there
fjh: Add this to the agenda, after lunch
<fjh> ISSUE-43?
<trackbot> ISSUE-43 -- Improvements to XML Signature schema -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/43
fjh: Improvements to XML schema?
<fjh> "remaining action is for mixed content"
scantor: Mixed content may be issue, need to be compatible
<fjh> ACTION: scantor to propose text related to mixed content for ISSUE-43 [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-684 - Propose text related to mixed content for ISSUE-43 [on Scott Cantor - due 2010-11-02].
<fjh> ISSUE-201?
<trackbot> ISSUE-201 -- C14N 2.0 handling of DTD-related and Schema-related behaviors -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/201
<fjh> ISSUE-203?
<trackbot> ISSUE-203 -- How to tag id-ness of attributes when schema isn't parsed -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/203
<fjh> ACTION-580?
<trackbot> ACTION-580 -- Pratik Datta to review c14n 2.0 for parsing-related options; propose removal (or add octet-stream processing to 2.0) -- due 2010-06-01 -- CLOSED
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/580
<fjh> ISSUE-201: questions regarding entity expansion
<trackbot> ISSUE-201 C14N 2.0 handling of DTD-related and Schema-related behaviors notes added
scantor: Not sure where we ended up on the compatibility issues, during parsing
... May add best practice text, can't do a whole lot in the normative text
<fjh> ISSUE-201: added best practice, http://www.w3.org/2008/xmlsec/Drafts/best-practices/Overview.html#external-unparsed-entities , Best Practice 21: Do not transmit unparsed external entity references.
<trackbot> ISSUE-201 C14N 2.0 handling of DTD-related and Schema-related behaviors notes added
<fjh> ISSUE-201 closed
<trackbot> ISSUE-201 C14N 2.0 handling of DTD-related and Schema-related behaviors closed
<fjh> ISSUE-140?
<trackbot> ISSUE-140 -- Clarify how XPath is interpreted relative to entire document and ds:Reference -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/140
<fjh> ISSUE-138?
<trackbot> ISSUE-138 -- What interoperability and security issues arise out of schema validation behavior? -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/138
<fjh> ISSUE-138 closed
<trackbot> ISSUE-138 What interoperability and security issues arise out of schema validation behavior? closed
fjh: Should close this at this point
<fjh> ISSUE-199?
<trackbot> ISSUE-199 -- Move appendix A and example type material to separate examples document from C14N2 -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/199
<fjh> probably not helpful to change this, suggest closing with no action.
<fjh> ISSUE-199 closed
<trackbot> ISSUE-199 Move appendix A and example type material to separate examples document from C14N2 closed
<fjh> ISSUE-198?
<trackbot> ISSUE-198 -- How to determine if arbitrary text content contains prefixes? Might need to do a lot of searching because text content can be large -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/198
pdatta: This is for xpath
<fjh> ISSUE-206?
<trackbot> ISSUE-206 -- For c14n20 profile - clarify that conformance implies support, but also changes to xml or what must be explicitly specified -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/206
<fjh> ISSUE-217?
<trackbot> ISSUE-217 -- XML Signature 2.0 needs 2.0 mode examples, e.g. , verification, selection etc. -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/217
mjensen: sent it to the list, but it didn't make it into the spec
<fjh> ISSUE-217: Meiko created examples, shared on list, but have not been added to spec
<trackbot> ISSUE-217 XML Signature 2.0 needs 2.0 mode examples, e.g. , verification, selection etc. notes added
fjh: need help with the editing before next week
<fjh> mjensen: 10 Sept mail from Meiko, for examples
mjensen: Email was sent on Sept 10, examples
<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html
pdatta: Looking through the text to see if the examples are there
<fjh> ISSUE-217: http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html
<trackbot> ISSUE-217 XML Signature 2.0 needs 2.0 mode examples, e.g. , verification, selection etc. notes added
mjensen: Did the examples by hand, not an implementation, may need some re-engineering
pdatta: Would be good if there was a working example of this
<fjh> ACTION: gerald to review 2.0 examples from meiko, http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html [recorded in http://www.w3.org/2010/10/26-xmlsec-minutes.html#action05]
<trackbot> Created ACTION-685 - Review 2.0 examples from meiko, http://lists.w3.org/Archives/Public/public-xmlsec/2010Sep/0024.html [on Gerald Edgar - due 2010-11-02].
<fjh> ISSUE-211?
<trackbot> ISSUE-211 -- Stand alone version of Streaming XPath Profile versus diff, http://lists.w3.org/Archives/Public/public-xmlsec/2010Aug/0055.html -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/211
<Gerald-E> Gerald-E - case sensitive
fjh: what do we want to use for last call
<fjh> ISSUE-213?
<trackbot> ISSUE-213 -- XML Signature 2.0 needs precise definitions of Included/ExcludedXPath elements -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/213
agreed
fjh: Time to end the call
... If the actions can be closed this week, that would be good, before the F2F
I will be trying to call in at 0800 AM east coast time
<fjh> If you plan to dial in to the F2F please let us know on the chat first.