# XML Security Working Group Teleconference ## 14 Aug 2012 [Agenda][3] See also: [IRC log][4] ## Attendees Present Frederick_Hirsch, Hal_Lockhart, Scott_Cantor Regrets Bruce_Rich, Gerald_Edgar, Pratik_Datta Chair Frederick_Hirsch Scribe fjh ## Contents * [Topics][5] 1. [Administrivia: Scribe confirmation, Agenda review, Liaisons, Announcements.][6] 2. [Minutes Approval][7] 3. [PAG Update][8] 4. [Editorial update][9] 5. [Interop][10] 6. [HMACOutputLength minimum length test][11] 7. [SHA-224 test vectors][12] 8. [Roadmap][13] 9. [Additional XML Encryption 1.1 security considerations][14] 10. [Upcoming meetings][15] 11. [Adjourn][16] * [Summary of Action Items][17] * * * Date: 14 August 2012 ScribeNick: fjh ### Administrivia: Scribe confirmation, Agenda review, Liaisons, Announcements. XML-Security for C++, V1.7.0 has been released (AES-GCM, RSA_OAEP, bug fixes) : [http://lists.w3.org/Archives/Public/public-xmlsec/2012Jul/0033.html][18] scantor: this is basically done, cannot add the pad key wrap with too much work. ### Minutes Approval Approve minutes, 24 July 2012 [http://lists.w3.org/Archives/Public/public- xmlsec/2012Jul/att-0032/minutes-2012-07-24.html][19] **RESOLUTION: Minutes from 24 July 2012 are approved.** ### PAG Update Anticipate conclusion of PAG work in August, however have not seen any announcement. ### Editorial update fjh: I updated all editors drafts to ReSpec v3, added comment to xenc- schema.xsd for xenc:MGF schema note: [http://lists.w3.org/Archives/Public/public- xmlsec/2012Aug/0006.html][20] styling change, [http://lists.w3.org/Archives/Public/public- xmlsec/2012Aug/0004.html][21] proposed RESOLUTION: Updated styling of editors drafts is acceptable to WG, e.g. XML Signature 1.1 proposed RESOLUTION: WG approves addition of xenc:MGF comment to xenc- schema.xsd **RESOLUTION: Updated styling of editors drafts is acceptable to WG, e.g. XML Signature 1.1** fjh: and the second one: **RESOLUTION: WG approves addition of xenc:MGF comment to xenc-schema.xsd** Added SHA-224 digest method to XML Signature 1.1 and 2.0. [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0009.html][22] **RESOLUTION: WG agrees to addition of SHA-224 to XML Signature 1.1 and XML Signature 2.0** thanks to Pratik for catching the omission of SHA-224 ### Interop fjh: I updated XML Encryption 1.1 Test Report document - review comments? [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0000.html][23] proposed RESOLUTION: WG agrees to update "XML Encryption 1.1 Test Report" to mark SHA-384, AES-128-GCM, and RSA-OAEP Key Transport as completed. **RESOLUTION: WG agrees to update "XML Encryption 1.1 Test Report" to mark SHA-384, AES-128-GCM, and RSA-OAEP Key Transport as completed.** scantor: no concern about this algorithm, but not sure why there was a problem in the case I tried with original algorithm **ACTION:** fjh to share AES-128-GCM on list and add to the test cases document [recorded in [http://www.w3.org/2012/08/14-xmlsec- minutes.html#action01][24]] Created ACTION-896 - Share AES-128-GCM on list and add to the test cases document [on Frederick Hirsch - due 2012-08-21]. ### HMACOutputLength minimum length test ACTION-888? ACTION-888 -- Pratik Datta to distribute test case and result for testing XML Signature 1.1 HMACOutputLength minimum length -- due 2012-06-19 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/888][25] ACTION-888 closed ACTION-888 Distribute test case and result for testing XML Signature 1.1 HMACOutputLength minimum length closed see [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0007.html][26] scantor: will test this, also SHA-224 ### SHA-224 test vectors [http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0007.html][26] scantor: will test this ### Roadmap Items planned to be removed from XML Signature 1.1 at end of August: ECDSA- SHA224, HMAC-SHA224, RSAwithSHA224, X509Data OCSPResponse, X509Digest; KeyInfo DEREncodedKeyValue, KeyInfoReference, HMACOutputLength Items planned to be removed from XML Encryption 1.1 at end of August: AES-128/192/256-pad Symmetric Key Wrap, Key Agreement (ECDH, DH) **ACTION:** tlr to confirm whether two implementations from one author are ok for DEREncodedKeyValue and KeyInfoReference specifically [recorded in [http://www.w3.org/2012/08/14-xmlsec-minutes.html#action02][27]] Created ACTION-897 - Confirm whether two implementations from one author are ok for DEREncodedKeyValue and KeyInfoReference specifically [on Thomas Roessler - due 2012-08-21]. fjh: we need an answer to this question before scott does any work on a second implemention ACTION-897: we need an answer to this question before scott does any work on a second implemention ACTION-897 Confirm whether two implementations from one author are ok for DEREncodedKeyValue and KeyInfoReference specifically notes added Thomas confirmed that WG should plan to return to Last Call to remove features or update at-risk sections, [http://lists.w3.org/Archives/Public/public- xmlsec/2012Aug/0005.html][28] ### Additional XML Encryption 1.1 security considerations scantor: disabling older algorithms can reduce risks ... impact on compatibility if disabled, however fjh: does this mean changing from MUST to SHOULD, to allow implementation to make choice hal: SSL prevents attacker from obtaining cipher text scantor: JOSE approach seems right now; cannot leave older algorithms enabled fjh: seems like disabling algorithms is the right approach scantor: people using it are just not paying attention fjh: we should move from REQUIRED to OPTIONAL scantor: agree **ACTION:** fjh to draft proposal and CfC on list to change algorithm requirement for RSA v1.5 [recorded in [http://www.w3.org/2012/08/14-xmlsec- minutes.html#action03][29]] Created ACTION-898 - Draft proposal and CfC on list to change algorithm requirement for RSA v1.5 [on Frederick Hirsch - due 2012-08-21]. hal: agree ### Upcoming meetings **RESOLUTION: Cancel teleconference 9 October, 30 October, 20 November, 18, 25 December , 1 January** upcoming meeting schedule is here [https://www.w3.org/2008/xmlsec/Group/Overview.html#meetings:][30] ### Adjourn ## Summary of Action Items **[NEW]** **ACTION:** fjh to draft proposal and CfC on list to change algorithm requirement for RSA v1.5 [recorded in [http://www.w3.org/2012/08/14 -xmlsec-minutes.html#action03][29]] **[NEW]** **ACTION:** fjh to share AES-128-GCM on list and add to the test cases document [recorded in [http://www.w3.org/2012/08/14-xmlsec- minutes.html#action01][24]] **[NEW]** **ACTION:** tlr to confirm whether two implementations from one author are ok for DEREncodedKeyValue and KeyInfoReference specifically [recorded in [http://www.w3.org/2012/08/14-xmlsec-minutes.html#action02][27]] [End of minutes] * * * Minutes formatted by David Booth's [scribe.perl][31] version 1.135 ([CVS log][32]) $Date: 2009-03-02 03:52:20 $ [1]: http://www.w3.org/Icons/w3c_home [2]: http://www.w3.org/ [3]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0010.html [4]: http://www.w3.org/2012/08/14-xmlsec-irc [5]: #agenda [6]: #item01 [7]: #item02 [8]: #item03 [9]: #item04 [10]: #item05 [11]: #item06 [12]: #item07 [13]: #item08 [14]: #item09 [15]: #item10 [16]: #item11 [17]: #ActionSummary [18]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Jul/0033.html [19]: http://lists.w3.org/Archives/Public/public- xmlsec/2012Jul/att-0032/minutes-2012-07-24.html [20]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0006.html [21]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0004.html [22]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0009.html [23]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0000.html [24]: http://www.w3.org/2012/08/14-xmlsec-minutes.html#action01 [25]: http://www.w3.org/2008/xmlsec/track/actions/888 [26]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0007.html [27]: http://www.w3.org/2012/08/14-xmlsec-minutes.html#action02 [28]: http://lists.w3.org/Archives/Public/public-xmlsec/2012Aug/0005.html [29]: http://www.w3.org/2012/08/14-xmlsec-minutes.html#action03 [30]: https://www.w3.org/2008/xmlsec/Group/Overview.html#meetings: [31]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [32]: http://dev.w3.org/cvsweb/2002/scribe/