See also: IRC log
<trackbot> Date: 29 November 2011
<scribe> ScribeNick: fjh
Next call is 13 Dec
Approve minutes, 8 November 2011
http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0005/minutes-2011-11-08.html
RESOLUTION: Minutes from 8 November 2011 are approved.
Changed AES128-GCM from Optional to REQUIRED, left AES-192-GCM as Optional, added warning, paper reference, new security consideration
* http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0006.html (Frederick)
* Correction to URL for new rsa-oaep algorithm, see http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0008.html
* Added algorithm to Security Algorithm Cross-Reference, http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0009.html
ECC added to OpenSSL, http://www.imperialviolet.org/2011/11/22/forwardsecret.html (Hal)
scantor: possible issue of companies choosing to ship
hal: RC4 might be an issue in that implementation?
scantor: Red Hat 6 does not support ECC, will be around some time
Pratik sent suggested mitigations to Juraj, http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0012.html
response from Juraj, http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0013.html
hal: rough summary, such countermeasures are broken
... note last sentence regarding WS-Policy, does this mean implementations don't necessarily enforce WS-Policy?
... extra encryption can open new attacks, which can be counterintuitive; another issue is that signature verification, decryption then authorization check order means that decryption can happen even when not authorized, since check happens too late
pdatta: need authentication tag otherwise all encryption modes are broken
hal: creating low level primitives for apps to use may be risky approach in general?
scantor: for SAML any reason not to take approach of signing over encryption?
hal: no, that seems still good
http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0018.html
pdatta: working on interop related to encryption, could use help to create common set of use cases
brich: considering resourcing, no other steps at this point
pdatta: can Bruce and Brian and others please review possible scenarios for interop, to help reduce the number of possible combinations
The 2.0 specs have been stable and have completed Last Call in May, all comments have been resolved (need to confirm)
proposed RESOLUTION: Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month
<scribe> ACTION: fjh to send CfC for resolution to Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month [recorded in http://www.w3.org/2011/11/29-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-858 - Send CfC for resolution to Publish CR drafts of Canonical XML 2.0, XML Signature 2.0 and Streaming Profile of XPath 1.0 this month [on Frederick Hirsch - due 2011-12-06].
general sense on the call is to advance 2.0 to CR
<scribe> ACTION: fjh to send CfC to move XML Encryption 1.1 CipherReference Processing using 2.0 Transforms to LC [recorded in http://www.w3.org/2011/11/29-xmlsec-minutes.html#action02]
<trackbot> Created ACTION-859 - Send CfC to move XML Encryption 1.1 CipherReference Processing using 2.0 Transforms to LC [on Frederick Hirsch - due 2011-12-06].
Both CfC run from now until 9 December
ACTION-238?
<trackbot> ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2011-09-30 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/238
ACTION-717?
<trackbot> ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/717
defer to later
ACTION-841?
<trackbot> ACTION-841 -- Pratik Datta to add link to canonical XML 2.0 samples into the spec -- due 2011-10-11 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/841
<scribe> in progress
<scribe> ACTION: fjh to review ACTION-841 [recorded in http://www.w3.org/2011/11/29-xmlsec-minutes.html#action03]
<trackbot> Created ACTION-860 - Review ACTION-841 [on Frederick Hirsch - due 2011-12-06].
ACTION-847?
<trackbot> ACTION-847 -- Pratik Datta to propose update to 2.0 algorithm requirements to encourage authenticating mode -- due 2011-10-18 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/847
<pdatta> need to create a link from the canonical xml 2.0 document to the canonical xml 2.0 testcases document
close ACTION-841
<trackbot> ACTION-841 Add link to canonical XML 2.0 samples into the spec closed
reopen ACTION-841
<trackbot> ACTION-841 Add link to canonical XML 2.0 samples into the spec re-opened
close ACTION-860
<trackbot> ACTION-860 Review ACTION-841 closed
pdatta: 2.0 does not include encryption
fjh: right, we should close this action
close ACTION-847
<trackbot> ACTION-847 Propose update to 2.0 algorithm requirements to encourage authenticating mode closed
ACTION-848?
<trackbot> ACTION-848 -- Bruce Rich to contact OASIS ebXML community regarding large data issue and GCM -- due 2011-10-25 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/848
brich: have discussed internally, in progress, will talk to TC chair
ACTION-850?
<trackbot> ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/850
ACTION-851?
<trackbot> ACTION-851 -- Pratik Datta to propose text regarding KeyLength and PBKDF2, assuming we do not change the schema -- due 2011-10-25 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/851
pdatta: need to add text, in progress
ACTION-856?
<trackbot> ACTION-856 -- Brian LaMacchia to discuss with magnus possible encryption algorithms suitable for streaming -- due 2011-11-15 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/856
ACTION-857?
<trackbot> ACTION-857 -- Pratik Datta to ask regarding risk of use of GCM without checking tag during processing -- due 2011-11-15 -- OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/857
answered in http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0013.html
ACTION-857 answered in http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0013.html
close ACTION-857
<trackbot> ACTION-857 Ask regarding risk of use of GCM without checking tag during processing closed
close ACTION-854
<trackbot> ACTION-854 Talk with thomas about encouraging implementation support for AES-GCM in existing algorithms closed
close ACTION-855
<trackbot> ACTION-855 Update XML Encryption 1.1 draft for AES-GCM mandatory to implement closed
ISSUE-230?
<trackbot> ISSUE-230 -- CBC attack on XML Encryption, http://www.nds.rub.de/research/publications/breaking-xml-encryption/ -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/230
changed algorithm requirements, so that should close issue
<scribe> ACTION: fjh to send message re closing ISSUE-230 [recorded in http://www.w3.org/2011/11/29-xmlsec-minutes.html#action04]
<trackbot> Created ACTION-861 - Send message re closing ISSUE-230 [on Frederick Hirsch - due 2011-12-06].
ISSUE-229?
<trackbot> ISSUE-229 -- Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/229
ISSUE-229: added algorithm to address this, rsa-oaep
<trackbot> ISSUE-229 Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 notes added
close ISSUE-229
<trackbot> ISSUE-229 Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 closed
ISSUE-227?
<trackbot> ISSUE-227 -- CR of XML Encryption 1.1 requires update to namespace refs, http://lists.w3.org/Archives/Public/public-xmlsec/2011Jun/0017.html -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/227
ISSUE-122?
<trackbot> ISSUE-122 -- Explain performance improvements and rationale, relationship to earlier work, document, benchmarks -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/122
ISSUE-91?
<trackbot> ISSUE-91 -- ECC can't be REQUIRED -- open
<trackbot> http://www.w3.org/2008/xmlsec/track/issues/91
none