- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Mon, 19 Nov 2001 16:14:49 -0500 (EST)
- To: <xml-encryption@w3.org>
http://www.w3.org/Encryption/2001/Minutes/011119-tele.html
W3C XML Encryption WG
2001-November-19
Chair: Joseph Reagle
Note Taker: Joseph Reagle [ascii]
Participants
* Joseph Reagle, W3C
* Blair Dillaway, Microsoft
* Ed Simon, XMLsec
* Christian Geuer-Pollmann, University of Siegen
* Eric Cohen, PwC
News
Status of documents
* Last Call ended November 9th. I've sent a nagmail to SOAP, SAML,
and Schema WGs since I got them to agree to consider the Last
Call, but they never responded with a date of response -- nor
comments obviously.
Reviewing Previous Items
1. Eastlake: add real life examples in section 5.5 to illustrate.
Pending. Open for re-assignment.
2. Action Hughes: ( XML Encryption Processing Model) Will investigate
and send an email on Xerces implementation using XNI, or DOM when
processing Element or Element Content.
Pending.
Requirements
...
Draft
Pending
* Ed Simon
1. Should the CarriedKeyName attribute really be a child
element?
ACTION Reagle: change to a child element, cc: Merlin/Takeshi
to see if they oppose.
2. Section 3.5: The ReferenceList Element In the schema
definition, why not use <choice> rather than <sequence>?
ACTION Reagle: change to choice.
* Christian Geuer-Pollmann
1. (Many editorial comments)
2. Should we add a warning into section "3.1 EncryptedType" that
it is not allowed (or could cause problems) if an
EncryptedData element becomes the DocumentElement of a new
Document with @Type="ElementContent" ?
ACTION Reagle: add warning text on this point if it doesn't
already exist, "decrypted content may not be well-formed
XML."
* Herzberg's comments on Decryption Transform
1. Requests a decrypt:Remove which indicates the identified
element should not be part of the Signature.
Reagle: I believe this functionality is addressed directly by
XML Signature.
Telecon participants agree.
* Takeshi Imamu
1. Should a nonce be associated with an EncryptedKey? A nonce
cannot be used for encrypting a key, right? So I just thought
that, if a user was trying to use a nonce for encrypting a
key, it would be helpful to warn the user of the illegal use
of nonce. Our implementation just ignores such a nonce,
though.
Reagle: I expect I'm not understanding the issue well, while
I appreciate the algorithm itself might provide for a nonce,
how would this redundancy hurt anything?
Dillaway: agrees with Takeshi, EncryptedKey shouldn't have a
nonce because it can complicate the algorithms. For example,
some algorithms expect particular key sizes that this would
confuse.
ACTION Reagle: remove Nonce attribute from Encrypted Key.
(Section 5)
* Ronald Rivest
1. Does this support "new combined "encryption+integrity" modes
of operation
Yes, one can specify the approriate algorithm and
identifier."
2. "You have provisions for referring to some elements
indirectly (e.g. through a URI), but you may need some way to
ensure that what you retrieve is what was intended (e.g.
through a hash of the element to be retrieved). Perhaps this
is implicitly handled already..."
Dillaway: this might be accomplished via a Transform that
contains a digest within a CipherReference.
ACTION Simon: send email to a list exploring this scenario.
3. "There are of modes of encryption that won't fit your model,
but which are very useful. For example, "secret-sharing"
allows encryption of a document into several pieces, or
shares, in such a way that a requisite number of them are
required to decrypt/reconstruct the document. Just be sure
you don't preclude somehow expansion to handle this sort of
thing later on."
Dillaway: way back when, we decided not to address threshold
schemes. When Barb Fox asked the question, there was a
resounding "no." However, I don't have a prolbem with someone
layering it on top of what we specified.
Reagle: do we then have some obligation to show how it can be
done? Is anyone interested in this enough to take that on?
Dillaway: Might have time in three weeks time.
Simon: Perhaps we could ask Rivest to point out if it can't
be done.
4. "I'm very uncomfortable with allowing the encryption
algorithm to be "understood" between the sender and the
recipient; you should force the sender to be explicit.
Non-explicitness is the cause of very many protocol
failures."
Reagle: we made SignatureMethod optional in xmldsig...
Dillaway: Agrees it can be dangerous, but its difficult to
keep people from doing it in their protocol if they always
use a particular algorithm, just seems redundant to them
then.
Reagle: Do people on this call support any scenarios
presently where this information isn't sent?
Dillaway: Not yet, but I can think of a couple of protocol
scenarios where this is unnecessary overhead.
ACTION Reagle: add warning text if there's a place where it
seem approriate, assume they both know and they are wrong.
Reagle: is there a security problem when it relates to
signing, where someone signs the ciphertext, but subsitutes a
different message with different algorith?... Suppose not, as
we already say if people want to secure plain text, that's
what they need to sign.
Simon: someone encrypted a flower, but gets white noise, the
plaintext should've been signed.
* Blake Dournaee
1. Is Canonical XML really a recommended serialization
algorithm; when exactly must one use it?
ACTION Eastlake: tweak the c14n in section 5, include
exclusive canonicalization as an algorithm.
* Yongge Wang
1. "Is it possible to change the order of the input to KM so
that it will look like:"
ACTION Eastlake: Edit section 5.5 .
* Jiandong Guo
1. Nonce and Key Wrap Algorithm: "It seems to me that with the
key wrap algorithm specified in section 5.6.2, there is no
way a nonce can be used, although you may still set up one in
the corresponding CipherData element by the document."
Defer until Eastlake can respond.
* Christian Geuer-Pollmann
1. I want it fixed that 168 bit keys are transported in 192 bit
form, that's all.
Defer to Eastlake.
* Blake Dournaee
1. <AgreementMethod> question. "it doesn't look like XML
Encryption actually specifies the logistics to perform the
key agreement without also specifying actual encrypted data,
which is impossible because the shared key hasn't been
generated "
Defer to Eastlake.
Resolved
* Blake Dournaee:
1. Is the Nonce attribute of type intenger?
Reagle: Yes.
* Christian Geuer-Pollmann:
1. Encrypting IV in ECB
Eatlake/Dillaway: Use a nonce.
Misc.
* Reagle: just to repeat, if you know folks from related communities
that should review our specification, please do a little arm
twisting.
* Simon: The MS Web Services Security Language (WS-Security) Draft
combines xmldsig, xenc, and web protocols/services and is perhaps
a good source of issues for how these things will work together.
Received on Monday, 19 November 2001 16:14:49 UTC