W3C

XML Security Working Group Teleconference

15 May 2012

Attendees

Present
Frederick_Hirsch, Chris_Solc, Ed_Simon, Scott_Cantor, Hal_Lockhart, Pratik_Datta, Brian_LaMacchia, Gerald_Edgar, Bruce_Rich
Regrets
Chair
Frederick_Hirsch
Scribe
fjh

<trackbot> Date: 15 May 2012

<scribe> ScribeNick: fjh

Administrative

fjh: still waiting for a PAG meeting to happen so that the PAG issue can be resolved, hoping this will happen soon
... it seems the PAG is nearing a conclusion but there was still some discussion, hopefully to be resolved soon
... also thanks to Pratik for fixing links in test case document

Minutes Approval

Approve minutes, 24 April 2012

http://lists.w3.org/Archives/Public/public-xmlsec/2012Apr/att-0009/minutes-2012-04-24.html

RESOLUTION: Minutes from 24 April 2012 are approved.

Updates to draft XML Signature 1.1 and XML Encryption 1.1 interop test reports

Agree to proposed updates (remove unnecessary tests)

http://lists.w3.org/Archives/Public/public-xmlsec/2012May/0002.html

http://lists.w3.org/Archives/Public/public-xmlsec/2012May/0003.html

RESOLUTION: WG agrees to update the interop test reports as proposed and to not interop test items that have been tested as previous Recommendations

<scribe> ACTION: fjh to update interop test reports to remove unneeded tests [recorded in http://www.w3.org/2012/05/15-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-886 - Update interop test reports to remove unneeded tests [on Frederick Hirsch - due 2012-05-22].

Remaining XML Signature 1.1 interop tests

http://www.w3.org/2008/xmlsec/wiki/AdditionalSignature11TestCases

fjh: we have six items listed that need to be interop tested before we can go to Rec with XML Signature 1.1, in addition to PAG resolution
... most are of nature of finding the key and then validating a signature, in addition to OCSPResponse, and HMACOutputLength

scantor: has implementation for #3 and #5, DerEncodedKeyValue and KeyInfoReference, would prefer not to see these dropped
... also X509Digest, #2
... what do we have to do to demonstrate interop?

fjh: not have to prove output, but vouch that able to process, e.g. in original XML Signature interop output was table of Y and N for tests (merlin)

bal: that is right

scantor: need to recognize syntax but not build a CA infrastructure

bal: yes, limit the amount of work

scantor: have limited resources for testing

fjh: So we only need to go as far as parsing the XML and finding the X509Digest, for example, that should suffice for interop. Is there someone else on the call that has implementations of #2, #3, #5 that could also test these?

[silence]

fjh: bal can you please check with Magnus and his team regarding these tests and possible participation or resolution...

brich: possible but no commitment 2, 3, 4, 6

fjh: does #6 need an interop test? HMACOutputLength?

scantor: perhaps not, it is a security test, if not tested we are not going to remove from the spec are we?

bal: this might have been put into 1.0 as a patch

fjh: has this already been tested?

bal: ability to truncate may have been removed in some implementations

hal: these things are trivial to implement

scantor: question of degree of 1.1 implementation

hal: should add truncation as a best practice to the best practices document
... I'm planning to do this

<scribe> ACTION: hal to draft text on HMAC truncation for XML Signature best practices [recorded in http://www.w3.org/2012/05/15-xmlsec-minutes.html#action02]

<trackbot> Created ACTION-887 - Draft text on HMAC truncation for XML Signature best practices [on Hal Lockhart - due 2012-05-22].

XML Encryption 1.1

fjh: XML Encryption 1.1 has more interop work to be done

http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core1-interop/Overview.src.html

please review this and indicate if you have implementation that can be tested

Other 1.1 interop notes

fjh: Expect GHC will simply remain at CR and not move forward
... Expect Signature Properties can move forward with at-risk items removed, due to Widget Signature interop
... but expect to wait with moving it forward until we can also move other items like XML Signature 1.1, so we move stuff forward together
... will also need publication of algorithm cross reference etc at that time (changes are already in place in the editors drafts)

XML Security 2.0

fjh: focus on moving 1.1 to Rec, but please indicate if any work required on 2.0 at this point

Action review

ACTION-238?

<trackbot> ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2012-01-31 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/238

need info from Thomas on what this is, and what the status is

ACTION-717?

<trackbot> ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/717

defer to later

ACTION-883?

<trackbot> ACTION-883 -- Frederick Hirsch to review C14N 20 test cases document -- due 2012-04-10 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/883

still open

ACTION-885?

<trackbot> ACTION-885 -- Pratik Datta to update test cases document and send email clarifying changes -- due 2012-05-01 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/885

ACTION-885 closed

<trackbot> ACTION-885 Update test cases document and send email clarifying changes closed

ACTION-865?

<trackbot> ACTION-865 -- Frederick Hirsch to contact parties re participation in interop for 2.0 -- due 2011-12-20 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/865

ACTION-865 closed

<trackbot> ACTION-865 Contact parties re participation in interop for 2.0 closed

ACTION-884?

<trackbot> ACTION-884 -- Frederick Hirsch to review CR features at risk for Signature Properties -- due 2012-05-01 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/884

ACTION-884 closed

<trackbot> ACTION-884 Review CR features at risk for Signature Properties closed

Other business

ed_simon: looked at EXI, and gave feedback
... suggested that members of xml security wg do not have time to work on this, but might be interested in review
... will continue to look at it with EXI group

fjh: XML Security WG is chartered to 30 June 2012.
... lack of PAG completion makes it more likely we will have to extend charter, as does need to complete interop
... Regarding upcoming calls, we have them scheduled for every week, but will cancel if there is no business.
... if we have limited business then the call will be short.
... please indicate any progress especially with regards to interop, on the list. We will use the list traffic to determine if we need a call.
... please review the interop testing and implementations to see how we can move this work forward.
... thanks

Adjourn

Summary of Action Items

[NEW] ACTION: fjh to update interop test reports to remove unneeded tests [recorded in http://www.w3.org/2012/05/15-xmlsec-minutes.html#action01]
[NEW] ACTION: hal to draft text on HMAC truncation for XML Signature best practices [recorded in http://www.w3.org/2012/05/15-xmlsec-minutes.html#action02]
 
[End of minutes]
