See also: IRC log
<trackbot> Date: 08 November 2011
ISSUE: CBC attack on XML Encryption, http://www.nds.rub.de/research/publications/breaking-xml-encryption/
<trackbot> Created ISSUE-230 - CBC attack on XML Encryption, http://www.nds.rub.de/research/publications/breaking-xml-encryption/ ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/230/edit .
<scribe> ScribeNick: fjh
added the 1.1 and 2.0 test case editors drafts to the XML Security WG publications wiki, see http://www.w3.org/2008/xmlsec/wiki/PublicationStatus#Publications
No call 22 November.
proposed RESOLUTION: Cancel teleconference on 15 November 2011.
RESOLUTION: Cancel teleconference on 15 November 2011
next call will be 29 November
Approve minutes, 18 October 2011
http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0002/minutes-2011-10-18.html
RESOLUTION: Minutes from 18 October 2011 are approved.
paper describing the CBC attack on XML Encryption is available at http://www.nds.rub.de/research/publications/breaking-xml-encryption/
blog post, http://www.w3.org/QA/2011/10/some_notes_on_the_recent_xml_e.html
Potential means to mitigate attack, http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0000.html
Make GCM mandatory in 1.1? proposal: http://lists.w3.org/Archives/Member/member-xmlsec/2011Oct/0000.html
ACTION-850?
<trackbot> ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/850
fjh: any reason not to make GCM mandatory?
hal: lack of implementation
brich: open source bouncy castle might include it
... got feedback that it would be improper to use in streaming mode, need to verify tag before returning any cleartext data
... could impact large xml document - need to buffer clear text until end
hal: what if you only want encryption property
... what is the actual security use case
scantor: difference between returning data while computing integrity versus waiting to return it until end
hal: dangerous if application starts using data before integrity is clear
... if we make GCM mandatory also need something else to allow streaming
bal: gcm for all plaintext not sections
... can expect gcm first, then streaming will be an issue
fjh: so we can use gcm for small items, then have issue for streaming of large message
... need to make AES-GCM mandatory then have another alg for streaming
scantor: AES-GCM is not in the mainline openssl now, might be in future release
... might need to discuss with vendors adding AES-GCM reports to existing implementations before making mandatory
<scribe> ACTION: fjh to talk with thomas about encouraging implementation support for AES-GCM in existing algorithms [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-854 - Talk with thomas about encouraging implementation support for AES-GCM in existing algorithms [on Frederick Hirsch - due 2011-11-15].
<brich> +1 for GCM as MTI in Enc1.1
fjh: what should we do here with regard to making GCM mandatory
... what is situation for WS*
bal: spoke at conference when presentation of attack was made, giving update on WG effort, and noting changes
... could have made GCM mandatory months ago
fjh: we decided not to do so due to implementation concerns
scantor: not all implementations are worried about compliance
... have other mitigations in mind, not critical issue for SAML
fjh: is there any objection to making AES-GCM mandatory in 1.1
bal: not an interop problem; if CBC no longer mandatory that would be an issue
fjh: need warning about CBC in spec, even if mandatory
scantor: bigger concern is streaming, especially for 2.0
<Hal> + 1 for GCM MTI
RESOLUTION: change XML Encryption 1.1 to make AES-GCM mandatory to implement, add note regarding risk with CBC
bal also +1 GCM MTI
<scribe> ACTION: fjh to update XML Encryption 1.1 draft for AES-GCM mandatory to implement [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-855 - Update XML Encryption 1.1 draft for AES-GCM mandatory to implement [on Frederick Hirsch - due 2011-11-15].
fjh: need to be considering algorithm agility going forward
hal: e.g. we might find another channel besides errors and timing
fjh: hal, you can incorporate material from pdatta message on countermeasures as well
... can anyone help with streaming encryption algorithm?
<pdatta> preventing reuse of content encryption key
<Ed_Simon> * Ed_Simon: signing off
<scantor> many stds use per-message keys, and already include the need for replay/nonce checks, so enforcing that per-key is a small addition
hal: when streaming something like a movie, don't care about integrity, more about encryption, so this seems to be a new requirement
brich: sign then encrypt
... cbc attack still works here
<scribe> ACTION: bal to discuss with magnus possible encryption algorithms suitable for streaming [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-856 - Discuss with magnus possible encryption algorithms suitable for streaming [on Brian LaMacchia - due 2011-11-15].
pdatta: implementation needs to know it is streaming, could use GCM but choose to process without waiting until end
http://en.wikipedia.org/wiki/Galois/Counter_Mode
<scribe> ACTION: pdatta to ask regarding risk of use of GCM without checking tag during processing [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-857 - Ask regarding risk of use of GCM without checking tag during processing [on Pratik Datta - due 2011-11-15].
http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0018.html
Please review and provide feedback on these test cases
<pdatta> would like other vendors to actually run their implementations on these test cases
fjh: question about moving algorithms out of 2.0 for agility purposes, but might make it more confusing
pdatta: but this is signature not encryption
hal: typically don't add mandatory algorithm, but change algorithm in spec from optional to mandatory
fjh: so don't think we need to pull document apart for this, could be more work and more confusing than needed
pdatta: 2.0 is waiting for implementations
ACTION-238?
<trackbot> ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2011-09-30 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/238
ACTION-717?
<trackbot> ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/717
ACTION-840?
<trackbot> ACTION-840 -- Pratik Datta to update XML Signature 1.1 and 2.0 with change in http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html -- due 2011-10-11 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/840
ACTION-840: done
<trackbot> ACTION-840 Update XML Signature 1.1 and 2.0 with change in http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html notes added
close ACTION-840
<trackbot> ACTION-840 Update XML Signature 1.1 and 2.0 with change in http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html closed
ACTION-841?
<trackbot> ACTION-841 -- Pratik Datta to add link to canonical XML 2.0 samples into the spec -- due 2011-10-11 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/841
ACTION-847?
<trackbot> ACTION-847 -- Pratik Datta to propose update to 2.0 algorithm requirements to encourage authenticating mode -- due 2011-10-18 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/847
ACTION-848?
<trackbot> ACTION-848 -- Bruce Rich to contact OASIS ebXML community regarding large data issue and GCM -- due 2011-10-25 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/848
ACTION-850?
<trackbot> ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/850
ACTION-851?
<trackbot> ACTION-851 -- Pratik Datta to propose text regarding KeyLength and PBKDF2, assuming we do not change the schema -- due 2011-10-25 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/851
ACTION-853?
<trackbot> ACTION-853 -- Frederick Hirsch to add new security issue later this week -- due 2011-10-25 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/853
close ACTION-853
<trackbot> ACTION-853 Add new security issue later this week closed
ISSUE-230?
<trackbot> ISSUE-230 -- CBC attack on XML Encryption, http://www.nds.rub.de/research/publications/breaking-xml-encryption/ -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/230
ISSUE-229?
<trackbot> ISSUE-229 -- Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/229
fjh: believe we have dealt with this one, will double check
other issues remain relevant
none