See also: IRC log
<tlr> Date: 2007-05-29
<tlr> scribe: GilesHogben
<tlr> ScribeNick: GilesHogben
<tlr> Next meeting: 5 June, Frederick to chair, Konrad to scribe
Konrad will scribe next meeting
<tlr> http://www.w3.org/2007/05/22-xmlsec-minutes
No objections to minutes
<tlr> RESOLUTION: minutes accepted
<scribe> Done - share transform that does not depend on input
by Konrad
<tlr> ACTION-6 done; discuss at future meeting
<tlr> ACTION-26 continued
Action 6 done - discuss at future meeting
add a brief excursion into C14N draft?
<tlr> ACTION-28 moot
<tlr> ACTION-29 closed
<trackbot-ng> Sorry... I don't know how to close ACTION yet
<tlr> ACTION-30 closed
<trackbot-ng> Sorry... I don't know how to close ACTION yet
<tlr> http://www.w3.org/2007/xmlsec/ws/cfp.html
Call to be issued June 6; deadline for papers 14 Aug
IETF has meeting in last week of July - so good for propaganda
Review 2nd half of August
Giles OK for PC work - 2nd HALF of Aug
Ed should be OK but can't guarantee
Konrad has time - position papers are from where?
TLR should be within the group - there is some flexibility - you can write the position paper early
2nd half of Aug to review the pp's we already got and to negotiate the agenda
Greg Whitehead Yes
<gberezow> gberezow is ok with 2nd half august
Sean - OK
Rob OK
JuanCarlos - Probably not (Holidays)
can work before
TLR critical mass for 2nd half Aug
<scribe> pending availability of Frederick we should go for this schedule
accepted
<tlr> timeline seems ok, approved pending availability of Frederick
<tlr> ACTION-30 done
Action 30 closed
<tlr> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/0044.html
Konrad has sent a message to both wg's about xml-base
TLR Who can review this issue for a discussion in next call
<klanz2> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/att-0044/Apendix.html
Konrad note appendix at bottom of message
to see Delta - appended some test-cases
above that is the correct version of the appendix
would like someone who is going to implement to see if he/she agrees
TLR is that appendix actually normative in C14N 1.1?
Konrad not sure but would guess it is if implementations are required to use the same canonical output
There is still some potential to elaborate on details.
TLR Review before going into details
<tlr> ACTION: salz to review Konrad's message re xml:base by next call [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action01]
<trackbot-ng> Created ACTION-35 - Review Konrad's message re xml:base by next call [on Rich Salz - due 2007-06-05].
<tlr> ACTION: juan carlos to review Konrad's message re xml:base by next call [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action02]
<trackbot-ng> Sorry, couldn't find user - juan
<EdS> I'm taking a quick look at c14n 1.1 CR and do not see any indication Appendix A is not normative.
<tlr> ACTION: cruellas to review Konrad's message re xml:base by next call [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action03]
<trackbot-ng> Created ACTION-36 - Review Konrad's message re xml:base by next call [on Juan Carlos Cruellas - due 2007-06-05].
<tlr> ACTION: sean to review Konrad's message re xml:base by next call [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action04]
<trackbot-ng> Created ACTION-37 - Review Konrad's message re xml:base by next call [on Sean Mullan - due 2007-06-05].
<tlr> ACTION: ed to review Konrad's message re xml:base by next call [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action05]
<trackbot-ng> Created ACTION-38 - Review Konrad's message re xml:base by next call [on Ed Simon - due 2007-06-05].
<tlr> substantive discussion deferred to next call
<tlr> ACTION-33 closed
<trackbot-ng> Sorry... I don't know how to close ACTION yet
<tlr> ACTION-31, ACTION-32 closed
Action 31 on Juan C to propose a reference processing modelling summary
Sean to propose a different language for validator and generator part
<tlr> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/0042.html
mostly done on the ML; see the end of that thread at the URL above
proposed slightly different text for the note
is there any need for further discussion of this text
or do we adopt the editor's draft accordingly
Konrad do we get a new version of the redline doc?
<EdS> A search on the word "normative" in c14n 1.1 CR reveals only 1 instance -- that saying only the English version is normative. So it would appear the whole c14n 1.1 CR document, including the appendix, is normative.
TLR Will send around the editor's draft
have people looked at the text?
would people prefer to see the editor's draft
JCarlos agree with changes
<tlr> juan carlos: fine
<tlr> sean: looks fine
<EdS> I looked at the text changes and they look fine to me.
<tlr> ACTION: thomas to update editor's draft according to http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/0042.html [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action06]
<trackbot-ng> Created ACTION-39 - Update editor's draft according to http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/0042.html [on Thomas Roessler - due 2007-06-05].
<tlr> ACTION-19 closed
<trackbot-ng> Sorry... I don't know how to close ACTION yet
<tlr> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/0041.html
Konrad: had a look at Gregor's message and proposed new text for bullets in section 2.
please copy to chat
<sean> please copy to chat
<tlr> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/0041.html
I just try to be precise where DNames appear or not
<klanz2> 2.
<klanz2> * The |X509IssuerSerial| element, which contains an X.509
<klanz2> issuer distinguished name/serial number pair. The X.509
<klanz2> issuer distinguished name SHOULD be compliant with the DNAME
<klanz2> encoding rules at the end of this section and the serial
<klanz2> number is represented as a decimal integer,
<klanz2> * The |X509SubjectName| element, which contains an X.509
<klanz2> subject distinguished name that SHOULD be compliant with the
<klanz2> DNAME encoding rules at the end of this section,
Konrad concerned about & and opening tag bracket but as discussed with Thomas, this can be handled by saying it is text to be added
Should it be done in CDATA section or by escaping?
<klanz2> sorry lost the call
<tlr> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/0041.html
<tlr> http://www.w3.org/2007/xmlsec/Drafts/xmlenc-decrypt.html
Frederick has done some basic edits
<tlr> http://www.w3.org/2007/xmlsec/Drafts/xmlenc-decrypt.html#sec-xml-processing
first set of edits in processing rules section
there is a definition of decrypt XML and second subpoint of second step deals with inheritance
<klanz2> go ahead
<klanz2> sure
please paste into IRC (proposed change)
<tlr> If a node-set is replacing an element from N whose parent element is not in N, then its apex elements MUST inherit xml:lang and xml:space attributes associated with the XML namespace from the parent element, such as [XML-C14N11]. The xml:base, xml:lang and xml:space attribute from the XML namespace MUST be processed as specified in Canonical XML 1.
Decrypt algorithm in sec 3.1 - main proposed change to replace explicit mention of certain specific attributes according to C14N 1.1
<tlr> "As a result, D for N is a node-set consisting ..."
In 3.3, below examples is an editorial change to fix erratum 1.
In 3.4.2, inheriting attributes - ref to C14N - any comments?
TLR propose that at next meeting we propose this draft become last call
<klanz2> http://lists.w3.org/Archives/Public/xml-encryption/2005Mar/0000.html
<klanz2> http://lists.w3.org/Archives/Public/xml-encryption/2005Mar/0001.html
Konrad: is this the guy who actually found the problem (see URL) - could we get back to him with some feedback
on how we fixed it
TLR: yes good idea
<tlr> ACTION: klanz2 to contact CAO Yongsheng confirming treatment of E1 in Decryption Transform [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action07]
<trackbot-ng> Created ACTION-40 - Contact CAO Yongsheng confirming treatment of E1 in Decryption Transform [on Konrad Lanz - due 2007-06-05].
TLR no comments and no objections to Frederick's changes on Decrypt transform
propose we issue this version with updated namespace URI's
<tlr> as LC WD at next meeting
if anyone wants to raise review comments, do so next week
<tlr> http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2007May/0041.html
1st bullet step 2 - is basically done
inside the X509 issuer there is a serial
there are 2 values inside - one the DName, the other the SNumber
the previous text was not very concise about this
but only the DName is affected - just clarified what was affected
next message was the test case - a challenging DName
Sean: 1st bullet of second - second sentence is a run-on - would just say
<tlr> "The X.509 issuer distinguished name SHOULD be compliant with the DNAME encoding rules at the end of this section. The serial number is represented as a decimal integer."
Konrad: The test case - tried to get all escapable chars in and RFC 2253 compliant
paste into XML problem with &
maybe we need to make explicit the need to escape &
give guidance on whether to escape or put into CDATA
as long as people don't touch it until verification it won't affect a lot
in many cases the keyinfo is not signed but in some cases it is
not sure if it's really a problem
Konrad you can identify the key either by supplying it as a cert
just needs to be identified , and can also be signed to ensure non-substitution
when you're identifying it you have to do it in CDATA - otherwise you break the XML
Sean: I'll take an action to look at what our implementation does
<tlr> ACTION: sean to check his implementation wrt DNAME erratum [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action08]
<trackbot-ng> Created ACTION-41 - Check his implementation wrt DNAME erratum [on Sean Mullan - due 2007-06-05].
TLR worth having a look at testcase
JC: Looks like there was a common view that the text of the Dname should be put in a CDATA section
but reading the text, it clearly speaks about escaping & and "-"
i.e. the text is saying to escape it in the XML - not in CDATA
values may be used for comparing values of DName by other apps - like Xades [?]
In order to check if the cert used for generating the sig is the one referenced
you have to check the one used with the DName string
so it may break an app
<tlr> Also, strings in DNames (X509IssuerSerial, X509SubjectName, and KeyName if appropriate) should be encoded as follows:
TLR: this is not an encoding which deals with making it XML safe - it's to do with the backslash character
so can't see in rec text that there is entity encoding explicitly
Konrad: also has same perception as JC
a lot of people seem to interpret it that way
in a lot of cases where encoding of entities is needed, it's done rather than being put into CDATA section
the spec is silent about what should happen
TLR: isn't that silence the right thing
Sean: Silence is not the right thing
<EdS> Suggest we continue the discussion on /2007May/0041.html next week so we can think about this more over the week.
<tlr> +1 to ed
Konrad - silence would be good if it would canonicalize
but don't see how strings in XML are to be canonicalised if signed
rather have it robust than lose canonicalisation
TLR: There is a canonicalisation step before things are signed and hashed
Action is on JC and Konrad to come up with an example where the current silence can break an app
<tlr> ACTION: cruellas to produce example for breakage due to current E01 language [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action09]
<trackbot-ng> Created ACTION-42 - Produce example for breakage due to current E01 language [on Juan Carlos Cruellas - due 2007-06-05].
JC: agrees
<tlr> ACTION: klanz to produce example for breakage due to current E01 language [recorded in http://www.w3.org/2007/05/29-xmlsec-minutes.html#action10]
<trackbot-ng> Sorry, couldn't find user - klanz
Konrad: agrees
<klanz2> http://www.w3.org/TR/xml-c14n11/ (section 1.1 says CDATA sections are replaced with their character content)
<tlr> rrsagent, please draft minutes
<klanz2> can I listen in