W3C

XML Security Working Group Teleconference

08 Mar 2011

Attendees

Present
Brian_LaMacchia, Cynthia_Martin, Frederick_Hirsch, Gerald_Edgar, Hal_Lockhart, Magnus_Nystrom, Meiko_Jensen, Pratik_Datta, Scott_Cantor, Ed_Simon, Bruce_Rich
Regrets
Thomas_Roessler
Chair
Frederick_Hirsch
Scribe
Ed_Simon

<trackbot> Date: 08 March 2011

Administrative

<fjh> ScribeNick: Ed_Simon

<fjh> Daylight savings time discrepancy http://lists.w3.org/Archives/Member/member-xmlsec/2011Mar/0002.html

fjh: March 22 call might be cancelled

<fjh> Teleconference on 15 March 2011 cancelled

Minutes Approval

<fjh> Approve minutes, 1 March 2011

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2011Mar/att-0004/minutes-2011-03-01.html

RESOLUTION: Minutes from 1 March 2011 are approved.

XML Security 1.1

<fjh> Published 3 March 2011, see news http://www.w3.org/News/2011#entry-9027

<fjh> http://www.w3.org/TR/2011/CR-xmldsig-core1-20110303/

<fjh> http://www.w3.org/TR/2011/CR-xmlenc-core1-20110303/

<fjh> http://www.w3.org/TR/2011/CR-xmlsec-generic-hybrid-20110303/

<fjh> http://www.w3.org/TR/2011/CR-xmldsig-properties-20110303/

<fjh> Updates of the following two WDs were also published

<fjh> 1.1 Requirements, http://www.w3.org/TR/2011/WD-xmlsec-reqs-20110303/

<fjh> RELAX NG Schemas, http://www.w3.org/TR/2011/WD-xmlsec-rngschema-20110303/

PAG

<fjh> PAG launched, see http://lists.w3.org/Archives/Member/member-xmlsec/2011Mar/0001.html

<fjh> charter, http://www.w3.org/2011/xmlsec-pag/

<fjh> Advisory Committee Representatives are required to

<fjh> register for this PAG via this form:

<fjh> http://www.w3.org/2002/09/wbs/42458/xmlsecpagreg/

XML Security 2.0

Pratik did some updates.

<fjh> ACTION-769?

<trackbot> ACTION-769 -- Pratik Datta to add note to XML SIgnature to clarify use of id with URI versus XPath -- due 2011-01-18 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/769

<fjh> ACTION-773?

<trackbot> ACTION-773 -- Pratik Datta to update signature 2.0 related to id and XPath -- due 2011-02-01 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/773

Pratik says documents should be available on web site; might need to verify if check-in worked.

Wording around URIs and how XPath is used still needs work.

<fjh> I did not see checkin messages on the commit list for some reason, but Pratik notes that changes are visible in editors draft on the web.

<fjh> ACTION: tlr to check on commit message mechanism for xmlsec [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-781 - Check on commit message mechanism for xmlsec [on Thomas Roessler - due 2011-03-15].

Updates to XML selection and binary selection parts; binary selection will have more restrictions; both have interplay with fragment identifier and XPath.

Restriction with binary selection is to select only a single node.

Only an element node with only text children which should be base64 data.

<fjh> proposed change from Scott, http://lists.w3.org/Archives/Public/public-xmlsec/2011Mar/0007.html

Scott suggests having a core use case for the PositionAssertion feature.

<fjh> meiko reminds of use case - signer does not have XPath, verifier can use XPath to verify for id based references

<fjh> otherwise as scott suggests, selection xpath serves purpose

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2011Mar/0010.html

<Hal> In the PAG Charter the link to the mailing list is incorrect (Archive is misspelled) the correct link is: http://lists.w3.org/Archives/Member/member-xmlsec-pag/

scott suggests saying "signers or verifiers" in the note.

scott: using PositionAssertion does not require implementing full XPath.
... potentially useful for some profiles.

<fjh> proposed RESOLUTION: accept change proposed by Scott in http://lists.w3.org/Archives/Public/public-xmlsec/2011Mar/0007.html with change to "signers or verifiers"

RESOLUTION: accept change proposed by Scott in http://lists.w3.org/Archives/Public/public-xmlsec/2011Mar/0007.html with change to "signers or verifiers"

<scribe> ACTION: scantor to update draft with change to 10.7.2 [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action02]

<trackbot> Created ACTION-782 - Update draft with change to 10.7.2 [on Scott Cantor - due 2011-03-15].

Gerald's Feedback on 2.0

<fjh> http://lists.w3.org/Archives/Public/public-xmlsec/2011Mar/0006.html

Gerald wondering if test cases should include binary

fjh: We do not have to test EXI but we do need to test binary transforms in 2.0, maybe 1.1.

<fjh> Gerald will also review 1.1 specifications for gaps in the interop testing and propose test case coverage needed

fjh: Need to review 1.1 specs for gaps in testing.

<fjh> ACTION-779?

<trackbot> ACTION-779 -- Gerald Edgar to review test cases for 1.1 and summarize which are missing -- due 2011-03-08 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/779

Gerald took wiki for interop test cases and compared with current draft of 2.0 to find what is not yet covered.

scribe: found some items wrt canonicalization and signature processing.
... Do not have combined c14n with inclusion and exclusion, etc.

fjh: Could Gerald do the same for 1.1? We need a checklist of mandatory/optional features and indicator of whether we have test cases for each feature.
... Need to find out exactly where we are for 1.1.

<fjh> Gerald indicated he can do this

2.0 Status

<fjh> ACTION-774?

<trackbot> ACTION-774 -- Pratik Datta to apply ID/IncludedXPath change to additional selection type -- due 2011-02-15 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/774

<fjh> ACTION-775?

<trackbot> ACTION-775 -- Pratik Datta to research XPath 1 vs 2 differences -- due 2011-02-15 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/775

<fjh> ACTION-732?

<trackbot> ACTION-732 -- Frederick Hirsch to add example to signature 2.0 once Meiko shares text on list, see ACTION-711 -- due 2011-01-20 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/732

<fjh> ACTION-774 closed

<trackbot> ACTION-774 Apply ID/IncludedXPath change to additional selection type closed

fjh: We need to decide about updating drafts or we just keep trying for last call.

Need to work on examples and XPath items.

Pratik: We have consensus to have XPath profile to be consistent with 2.0, but not add anything for 2.0.

Not forcing anyone to use 1.0.

fjh: Are we having two separate XPath documents?

<mjensen> +1 for one document!

<Cynthia> +1 as long as we can clarify the requirements

+1 for one document

<fjh> +1 for one document for ease of maintenance and consistency of the two

PROPOSED RESOLUTION: One document to cover both XPath 1.0 and 2.0

RESOLUTION: One XPath Profile to cover both XPath 1.0 and 2.0

<mjensen> +1 for publish now and last call next month

<fjh> proposed RESOLUTION: publish updated WD of 2.0 requirements, C14N2, XML Signature 2.0 and XML Signature Streaming Profile of XPath 1.0 on 24 March 2011

RESOLUTION: publish updated WD of 2.0 requirements, C14N2, XML Signature 2.0 and XML Signature Streaming Profile of XPath 1.0 on 24 March 2011

fjh will ensure docs meet publishing reqs.

<fjh> ACTION: fjh to prepare publication drafts for validity, links and initial pubrules [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action03]

<trackbot> Created ACTION-783 - Prepare publication drafts for validity, links and initial pubrules [on Frederick Hirsch - due 2011-03-15].

<fjh> ACTION: tlr to prepare 2.0 drafts for publication on 24 March 2011 [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action04]

<trackbot> Created ACTION-784 - Prepare 2.0 drafts for publication on 24 March 2011 [on Thomas Roessler - due 2011-03-15].

Pratik hopes to complete his 2.0 work in 3 weeks.

fjh will share change to language re base64 re use as transform and algorithm; not to affect publication schedule

<fjh> will put change in after publication

<Cynthia> http://www.w3.org/2008/xmlsec/track/issues/open

Issues Review

<fjh> http://www.w3.org/2008/xmlsec/track/issues/open

<fjh> performance documentation issues, ISSUE-86, ISSUE-122

<fjh> ISSUE-156?

<trackbot> ISSUE-156 -- Threat for signature from use of namespace prefixes with corresponding unsigned namespace declarations leading to wrapping like attacks -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/156

<fjh> ISSUE-156: resolved with 2.0 work

<trackbot> ISSUE-156 Threat for signature from use of namespace prefixes with corresponding unsigned namespace declarations leading to wrapping like attacks notes added

<fjh> ISSUE-156 closed

<trackbot> ISSUE-156 Threat for signature from use of namespace prefixes with corresponding unsigned namespace declarations leading to wrapping like attacks closed

<fjh> ISSUE-132 needs review before last call publication

<fjh> ISSUE-159?

<trackbot> ISSUE-159 -- Address/document potential security issues due to mismatch of security and application processing, including wrapping attacks -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/159

<fjh> ISSUE-159: addressed as much as possible with best practices

<trackbot> ISSUE-159 Address/document potential security issues due to mismatch of security and application processing, including wrapping attacks notes added

<fjh> ACTION: mjensen to confirm that best practices have been documented for ISSUE-159 [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action05]

<trackbot> Created ACTION-785 - Confirm that best practices have been documented for ISSUE-159 [on Meiko Jensen - due 2011-03-15].

<fjh> ISSUE-159: in best practices 2.2.5

<trackbot> ISSUE-159 Address/document potential security issues due to mismatch of security and application processing, including wrapping attacks notes added

<fjh> ISSUE-159 closed

<trackbot> ISSUE-159 Address/document potential security issues due to mismatch of security and application processing, including wrapping attacks closed

<fjh> ACTION-785 closed

<trackbot> ACTION-785 Confirm that best practices have been documented for ISSUE-159 closed

<fjh> ISSUE-198?

<trackbot> ISSUE-198 -- How to determine if arbitrary text content contains prefixes? Might need to do a lot of searching because text content can be large -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/198

<pdatta> Note: The algorithm for prefix scanning doesn't cover all kinds of prefix embedding. For example, if a text node's value is a space-separated list of qnames, this algorithm will not detect the prefixes of these qnames. It will only detect two kinds of embedding: a) when the entire text node or attribute is a qname, and b) when a text node is an XPath expression containing prefixes.

<fjh> ISSUE-198: text in C14N2 note http://www.w3.org/2008/xmlsec/Drafts/c14n-20/#sec-Canonicalization-Parameters, Note in 2nd to last paragraph

<trackbot> ISSUE-198 How to determine if arbitrary text content contains prefixes? Might need to do a lot of searching because text content can be large notes added

<fjh> ISSUE-198 closed

<trackbot> ISSUE-198 How to determine if arbitrary text content contains prefixes? Might need to do a lot of searching because text content can be large closed

<fjh> ISSUE-202?

<trackbot> ISSUE-202 -- How to define parameter sets in document, vs conformance criteria -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/202

<fjh> ISSUE-202: removed concept of parameter sets for small set of always-required parameters

<trackbot> ISSUE-202 How to define parameter sets in document, vs conformance criteria notes added

<fjh> ISSUE-202 closed

<trackbot> ISSUE-202 How to define parameter sets in document, vs conformance criteria closed

<fjh> ISSUE-204?

<trackbot> ISSUE-204 -- Integrated recognition of QName content -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/204

<fjh> ISSUE-204: 2.0 addresses QName content as needed

<trackbot> ISSUE-204 Integrated recognition of QName content notes added

<fjh> ISSUE-204 closed

<trackbot> ISSUE-204 Integrated recognition of QName content closed

<fjh> ISSUE-208?

<trackbot> ISSUE-208 -- List 2.0 algorithms in algorithms cross-reference -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/208

<fjh> ISSUE-210?

<trackbot> ISSUE-210 -- Restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/210

<fjh> ISSUE-210: restructuring pass was completed

<trackbot> ISSUE-210 Restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by notes added

<fjh> ISSUE-210 closed

<trackbot> ISSUE-210 Restructuring of Signature 2.0 "uncomplicate" section 4.4.3 by closed

<fjh> ISSUE-217?

<trackbot> ISSUE-217 -- XML Signature 2.0 needs 2.0 mode examples, e.g. , verification, selection etc. -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/217

<fjh> ISSUE-218?

<trackbot> ISSUE-218 -- For canonical xml 2.0 is eliminating inclusive c14n an issue for xml:base etc (which use cases are impacted), and should QName aware be mandatory -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/218

<fjh> ISSUE-219?

<trackbot> ISSUE-219 -- Status of Reference Type attribute in 2.0? -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/219

<fjh> ISSUE-221?

<trackbot> ISSUE-221 -- Clarify xml:space and xml:base, section 6.7.1.1 , http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-subtrees-with-exclusions -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/221

<fjh> ISSUE-221 closed

<trackbot> ISSUE-221 Clarify xml:space and xml:base, section 6.7.1.1 , http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-subtrees-with-exclusions closed

<fjh> ISSUE-221: see http://www.w3.org/2008/xmlsec/Drafts/c14n-20/#sec-Canonicalization-Parameters

<trackbot> ISSUE-221 Clarify xml:space and xml:base, section 6.7.1.1 , http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-subtrees-with-exclusions notes added

<fjh> ISSUE-218: see http://www.w3.org/2008/xmlsec/Drafts/c14n-20/#sec-Canonicalization-Parameters, also ISSUE-221

<trackbot> ISSUE-218 For canonical xml 2.0 is eliminating inclusive c14n an issue for xml:base etc (which use cases are impacted), and should QName aware be mandatory notes added

<fjh> ISSUE-218 closed

<trackbot> ISSUE-218 For canonical xml 2.0 is eliminating inclusive c14n an issue for xml:base etc (which use cases are impacted), and should QName aware be mandatory closed

<fjh> ISSUE-222?

<trackbot> ISSUE-222 -- Review URI definitions in Signature 2.0 , also consider indicating usage in URI, e.g. /transforms -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/222

<fjh> ISSUE-222 closed

<trackbot> ISSUE-222 Review URI definitions in Signature 2.0 , also consider indicating usage in URI, e.g. /transforms closed

<fjh> ISSUE-223?

<trackbot> ISSUE-223 -- Requirement to "respect XML architecture" may lead to issue related to simplification and vs need to implement -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/223

<fjh> ISSUE-225?

<trackbot> ISSUE-225 -- Whether to ignore xml:space and relationship to TrimTextNodes -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/225

<fjh> ISSUE-225 closed

<trackbot> ISSUE-225 Whether to ignore xml:space and relationship to TrimTextNodes closed

<fjh> ISSUE-225: see http://www.w3.org/2008/xmlsec/Drafts/c14n-20/#sec-Canonicalization-Parameters

<trackbot> ISSUE-225 Whether to ignore xml:space and relationship to TrimTextNodes notes added

<fjh> ACTION: tlr to update PAG charter to fix broken link to mailing list archive, Archive is misspelled, correct link is http://lists.w3.org/Archives/Member/member-xmlsec-pag/ [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action06]

<trackbot> Created ACTION-786 - Update PAG charter to fix broken link to mailing list archive, Archive is misspelled, correct link is http://lists.w3.org/Archives/Member/member-xmlsec-pag/ [on Thomas Roessler - due 2011-03-15].

Adjourn

Summary of Action Items

[NEW] ACTION: fjh to prepare publication drafts for validity, links and initial pubrules [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action03]
[NEW] ACTION: mjensen to confirm that best practices have been documented for ISSUE-159 [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action05]
[NEW] ACTION: scantor to update draft with change to 10.7.2 [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action02]
[NEW] ACTION: tlr to check on commit message mechanism for xmlsec [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action01]
[NEW] ACTION: tlr to prepare 2.0 drafts for publication on 24 March 2011 [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action04]
[NEW] ACTION: tlr to update PAG charter to fix broken link to mailing list archive, Archive is misspelled, correct link is http://lists.w3.org/Archives/Member/member-xmlsec-pag/ [recorded in http://www.w3.org/2011/03/08-xmlsec-minutes.html#action06]
 
[End of minutes]
