- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Fri, 04 Feb 2000 12:32:28 -0500
- To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
From: "Joseph M. Reagle Jr." <reagle@w3.org> Resent-Date: Thu, 3 Feb 2000 15:27:07 -0500 (EST) Resent-Message-Id: <200002032027.PAA27520@www19.w3.org> Message-Id: <3.0.5.32.20000203152701.00a8d9c0@localhost> Date: Thu, 03 Feb 2000 15:27:01 -0500 To: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org> >As always, comments, correction, and discussion are welcome. > >http://www.w3.org/Signature/Minutes/000203-tele > > 00-February-03 > Chairs: Donald Eastlake and Joseph Reagle > Note Taker: Joseph Reagle > >Participants > > * Donald Eastlake 3rd, IBM IBM -> Motorola > * Joseph Reagle, W3C > * Ed Simon , Entrust Technologies Inc. > * David Solo, Citigroup > * Barb Fox, Microsoft > * Mark Bartel, JetForm Corporation > * Winchel "Todd" Vincent III, GSU > * John M. Boyer, UWI.com > * David Smiley, Sagasoftware > * Mike Meyers, VeriSign > * Bill Curtain, DISA > > Status of documents < 5 minutes > > * Requirements is now in RFC-editors queue. Not really but should be very soon now that tweaked version has been posted as an Internet-Draft. <http://http://www.rfc-editor.org/queue.html>. > Signature Syntax & Processing draft questions: > > Editorial: > > 1. Remove Core from title? > ACTION Reagle: Remove core and try to label sections as required > versus optional better. > Simon: someone who read the document found it to be very > intimidating, not sure what they needed to implement. > Reagle: we need a lot of editorial/exposition work to make the > document read better, so if you have any suggestions or get > comments on that note, please let us know. > 2. Signature versus Authenticator? > There is concern that if we support secret key MACs, it shouldn't > be called a Signature but an Authenticator. > Eastlake: put a sentence or two up front making the distinction > between Signature and Authenticator and say we use Signature > generally as public key will be the common case. I'm sure I didn't say exactly that as I'm not at all sure whether public key will be used more often. If XMLDSIG is used in lower level protocols, it might turn out that secret key was used more often. I think we should just say that "for readability and consistency with earlier documents, we use the single term signature in this document to refer to both public key signatures and secret key authenticators" or something like that. > Reagle: Connolly mentioned removing the HMAC specification. Fox: > wants to retain HMAC, as does Bartel. ConCall wishes to retain > "Signature" but use the term carefully; no one wants to remove > HMAC either. > > FTF: > > 1. - FAQ/Scenarios. > People should send comments. Not a normative document, but before > we populate it with examples, we should make sure we are in > agreement. > 2. - C14N Report > 1. character model: multiple ways of representing the character > model. > Presently, normalize according to character model. Simon and > Eastlake aren't keen on this. > Simon: They really need feedback from implementors who have > experience, but it isn't required for security purposes -- > though is likely to be more complex. > 2. How to treat XPath results that aren't well formed XML (e.g., > a series of attributes, or text string or a series of > elements without a root.) > Eastlake: I read of a well balanced fragment somewhere. The magic phrase is "a well-formed external general parsed entity", a phrase which occurs in the XSLT Recommendation <http://www.w3.org/TR/1999/REC-xslt-19991116>. > Simon: that was in the Fragment spec, they specified that for > any piece you will always send enough information so it can > be understood. > Simon: will write that we've identified this issue though it > is not one the XML C14N need worry about. > ACTION Simon: will send text on both these issues today. List > has one week to discuss before it is prepared to be sent to > the XML working group as this group's consensus position. > 3. Interopability > Simon: an autoresponder would be neat, but presently the > implementations out there are just keeping up with the spec. > Eastlake: IPSec had a big 40 vendor test. I was commenting that the formality of interolperability testing dependins on the number of participants, among other factors, and that we didn't need the formality of the huge IPSEC bake offs. > Simon: a little early, but important two months from now. > > LIST: > > 1. - URI/IDREF > Slight discussion similar to email disussion. Eastlake: At FTF we > agreed to go with present exposition and see what last call > comments were. > Reagle: it doesn't seem this issue isn't going anywhere on the > basis of arguing about principle. Would be useful if someone feels > strong enough to write a "plug-and-play" proposal such that we can > look at it and say, "yes" that makes sense. > > DOCUMENT > [5]http://www.w3.org/Signature/Edits.html > > ... > > >_________________________________________________________ >Joseph Reagle Jr. >Policy Analyst mailto:reagle@w3.org >XML-Signature Co-Chair http://www.w3.org/People/Reagle/ Donald
Received on Friday, 4 February 2000 12:32:18 UTC