W3C

XML Security Working Group Teleconference

13 Dec 2011

Agenda

See also: IRC log

Attendees

Present
Frederick_Hirsch, Chris_Solc, Bruce_Rich, Gerald_Edgar, Ed_Simon, Pratik_Datta, Hal_Lockhart
Regrets
Thomas_Roessler, Brian_LaMacchia, Shivaram_Mysore, Magnus_Nystrom
Chair
Frederick_Hirsch
Scribe
fjh

Contents


<trackbot> Date: 13 December 2011

<scribe> ScribeNick: fjh

Administrative

<csolc> * no problem

Call next week, 20th; No call on 27 December

Keep 3 Jan on schedule but may cancel by email depending on 2.0 CR status

Minutes Approval

Approve minutes, 29 November 2011

http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0016/minutes-2011-11-29.html

RESOLUTION: Minutes from 29 November 2011 are approved.

Publication Status

http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0006.html

prepared XML Encyption 1.1 and Security Algorithms Cross Reference for publication as WD, thursday 15 December

prepared "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" for Last Call publication

XML Encryption 1.1 Test Cases and Canonical XML 2.0 Test Cases documents for publication

RESOLUTION: CfCs for publication of XML Encryption 1.1 and test cases passed successfully

also

RESOLUTION: CfCs for publication of Last Call XML "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" passed successfully

FIPS and XML Encryption

http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html

http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0002.html

<scribe> ACTION: hal to review FIPS and RSA-OAEP question in http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html [recorded in http://www.w3.org/2011/12/13-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-862 - Review FIPS and RSA-OAEP question in http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html [on Hal Lockhart - due 2011-12-20].

XML Security 2.0

Reference test cases from C14N 2.0:

http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0005.html

<scribe> ACTION: fjh to confirm correctness of C14N2 test case reference after publication [recorded in http://www.w3.org/2011/12/13-xmlsec-minutes.html#action02]

<trackbot> Created ACTION-863 - Confirm correctness of C14N2 test case reference after publication [on Frederick Hirsch - due 2011-12-20].

CfC for going to CR: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0024.html

CfC includes summary of changes

From W3C process, transition to CR: "At this step, W3C believes the technical report is stable and appropriate for implementation. The technical report may still change based on implementation experience."

proposed RESOLUTION: Advance Canonical XML 2.0, XML Signature Streaming Profile of XPath 1.0 and XML Signature 2.0 to CR with no features as at risk, exit with at least 2 implementations

proposed RESOLUTION: Advance Canonical XML 2.0, XML Signature Streaming Profile of XPath 1.0 and XML Signature 2.0 to CR with no features as at risk, exit criteria at least 2 implementations and minimum period of two months

RESOLUTION: Advance Canonical XML 2.0, XML Signature Streaming Profile of XPath 1.0 and XML Signature 2.0 to CR with no features as at risk, exit criteria at least 2 implementations and minimum period of two months

csolc: how to get second implementation, open source or university, do we have any contacts

two potential issues - elliptic curve status and implementation

<scribe> ACTION: fjh to implement CR transition [recorded in http://www.w3.org/2011/12/13-xmlsec-minutes.html#action03]

<trackbot> Created ACTION-864 - Implement CR transition [on Frederick Hirsch - due 2011-12-20].

fjh: hopefully the PAG will have a result this month

<scribe> ACTION: fjh to contact parties re participation in interop for 2.0 [recorded in http://www.w3.org/2011/12/13-xmlsec-minutes.html#action04]

<trackbot> Created ACTION-865 - Contact parties re participation in interop for 2.0 [on Frederick Hirsch - due 2011-12-20].

Interop

Microsoft has additional and updated elliptic curve test cases in wiki, completed oracle interop. Not working on encryption interop..

GCM

Magnus noted "chunked" form of GCM would allow streaming, offlist

brich: specification requires checking of tags and full processing to reach end
... hence streaming not possible
... certification not clear since spec has some vague language about certification

hal: would be helpful to have detail from magnus on the public list

Action review

ACTION-841?

<trackbot> ACTION-841 -- Pratik Datta to add link to canonical XML 2.0 samples into the spec -- due 2011-10-11 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/841

fjh: I did this

close ACTION-841

<trackbot> ACTION-841 Add link to canonical XML 2.0 samples into the spec closed

ACTION-848?

<trackbot> ACTION-848 -- Bruce Rich to contact OASIS ebXML community regarding large data issue and GCM -- due 2011-10-25 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/848

brich: ebXML is in use for small chunks of data, so more general issue than GCM
... will forward message to xml signature public list

fjh: summary, not an issue here

ACTION-850?

<trackbot> ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/850

hal: producing a detailed summary, few paragraphs, lots of subtlety
... for example, can have wrapping attack with even one error message
... issue is multiple processing layers, security, application, etc without any responsibility on any layer to detect message structure

<Ed_Simon> * Ed: signing off.

ACTION-851?

<trackbot> ACTION-851 -- Pratik Datta to propose text regarding KeyLength and PBKDF2, assuming we do not change the schemna -- due 2011-10-25 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/851

proposal made, adopted in draft

close ACTION-851

<trackbot> ACTION-851 Propose text regarding KeyLength and PBKDF2, assuming we do not change the schemna closed

hal: could use hmac based on decryption key but not more helpful than GCM

ACTION-856?

<trackbot> ACTION-856 -- Brian LaMacchia to discuss with magnus possible encryption algorithms suitable for streaming -- due 2011-11-15 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/856

<scribe> done but need to share result with wg

close ACTION-858

<trackbot> ACTION-858 Send CfC for resolution to Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month closed

close ACTION-859

<trackbot> ACTION-859 Send CfC to move XML Encryption 1.1 CipherReference Processing using 2.0 Transforms to LC closed

close ACTION-861

<trackbot> ACTION-861 Send message re closing ISSUE-230 closed

Adjourn

Summary of Action Items

[NEW] ACTION: fjh to confirm correctness of C14N2 test case reference after publication [recorded in http://www.w3.org/2011/12/13-xmlsec-minutes.html#action02]
[NEW] ACTION: fjh to contact parties re participation in interop for 2.0 [recorded in http://www.w3.org/2011/12/13-xmlsec-minutes.html#action04]
[NEW] ACTION: fjh to implement CR transition [recorded in http://www.w3.org/2011/12/13-xmlsec-minutes.html#action03]
[NEW] ACTION: hal to review FIPS and RSA-OAEP question in http://lists.w3.org/Archives/Public/public-xmlsec/2011Dec/0001.html [recorded in http://www.w3.org/2011/12/13-xmlsec-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2009-03-02 03:52:20 $