See also: IRC log
<trackbot> Date: 16 July 2008
Hello Everyone,
<fjh> Scribe: Konrad Lanz
fjh: Introducing himself - work for Nokia, chairing this group, was chair of previous XML Security Specifications Maintenance WG. Participated in original XML Signature and Encryption working groups and XKMS. Active in OASIS, including the Board and SAML TC.
brich: intro ...
SC: intro ... working for Nokia, on SAML OpenID ...
bal: intro ... XMLSEC, WSS, ...
hal: intro ... WSS, WS-SX, SSTC - Co-Chair, Oasis Technical Advisor ...
tlr: intro ... team contact, means I'm your man in W3C ...
klanz2: ... XML Toolkit @ IAIK/SIC
jcc: upc ... standardization
csolc: five years in the area with adobe
gerald: client of XMLDSIG ...
sean: intro ... SUN, XML sec implementions, JSR105 ...
@all: please augment where needed ...
RESOLUTION: Dinner @21:00, all are coming
rdmiller: intro ... MITRE
Supports US Dept. of Defense, daily contact with XML and XMLSEC, user perspective and best practices perspective
... update crypto, NSA suite B
magnus: intro ... working for RSA, standardization PKCS
<rmiller> silence
setting up again
<tlr> yes, we got dropped
<tlr> sorry
lost the bridge
fjh: minutes @ every meeting
... on the irc chat
... notes during the meeting, you are encouraged to augment and correct them
... minutes are in general public
... but we might make them private until approved
... part of the job of scribing is cleaning the minutes at the end
fjh: its cumbersome to move minutes around from private to public
klanz: member-list
tlr: yes, the member list, ...
RESOLUTION: Scribe will post the minutes once edited to member-list and as soon as approved to the public-list
Subject: [minutes-draft], [minutes-approved] to be used ...
klanz2: we can then use the list search features to list all the minutes ...
<fjh> scribe instructions http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
http://tinyurl.com/find-minutes-approved
http://tinyurl.com/find-minutes-draft
fjh: volunteer for scribing ...
We will share scribing round robin in the WG, apart from the Chair and Team contact.
Wed morning (16 July am) - Konrad
Wed afternoon (16 July pm) - Hal
Thursday morning (17 July am) - Bruce
Thursday afternoon (17 July pm) - Sean
hal: leaving tomorrow ...
brich: thursday morning
sean: thursday afternoon
fjh: one hour too little, need two hours
<fjh> http://www.w3.org/2002/09/wbs/42458/xmlsec2008telco/
RESOLUTION: Tuesdays 10am ET, two hours
fjh: one more F2F, tech plenary, colocated
... 20-21 Oct. 2008
... What joint meeting do we need?
... EXI, XML Core,
klanz: namespace inheritance
-> xml core
... enveloping signatures
<klanz22> hal: encapsulation
<scribe> ACTION: fjh to arrange joint meetings on the coordination call [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action01]
<trackbot> Created ACTION-4 - Arrange joint meetings on the coordination call [on Frederick Hirsch - due 2008-07-23].
fjh: telco starting on time ... we start on time ... try to be on time
... charter, do we need the infoset, what to do with C14n, do we need transforms ...
hal: need to be aware of interdependencies and conflicting goals
fjh: we need to take advantage of members as resource for editing, actions etc ....
... maintaining issues lists
... workshop results last year, went into requirements ...
that one ?: http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0006.html
http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0007.html
hal: ECC SuiteB, (IPR ... ), no one from NIST or NSA here?
... Encryption and Signature in hardware?
rdmiller: have contact into both areas, re SuiteB and hardware
<trackbot> ACTION-27 -- Robert Miller to contact crypto hardware and suiteB experts in NSA regarding XML Security WG and possible involvement -- due 2008-08-08 --OPEN
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/27
bal: even if we do not get direct involvement, we hope we can obtain feedback ...
... on request.
http://www.w3.org/2008/xmlsec/w3c101#(1)
hal: heart beat requirement?
tlr: draft every three month for each deliverable
bal: Don Eastlake? IETF?
hal: Encryption not an RFC ...
tlr: minutes, we value availability over perfection
... vCal available for tracker items ... there is a feed
<fjh> can enter action-# to get link to it
<fjh> action-001
<tlr> action-001?
<trackbot> ACTION-1 -- Thomas Roessler to test trackbot-ng -- due 2007-04-12 -- CLOSED
<trackbot> http://www.w3.org/2008/xmlsec/track/actions/1
NOTE: Update the association with the new Workgroup, and associate Products
<tlr> COI policy http://www.w3.org/2005/10/Process-20051014/policies.html#coi
<sean> ack
general discussion on IPR
tlr: WG notes are not covered by the IPR policy
brich: did we have any under the maintenance group?
tlr: test cases, best practices ...
hal: distinction between public review and WG issues raised?
fjh: process wise different
... external comments will be discussed ... internal ones have to be specific ....
... we need to be more formal to get more review ...
tlr: use working relations and formal contact where suited ...
hal: there is a difference between getting plain feedback vs. formal feedback from other groups that might not even be in existence any more ...
<scribe> ACTION: fjh to check how the formal OASIS liaison is working. [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action06]
<trackbot> Created ACTION-5 - Check how the formal OASIS liasion is working. [on Frederick Hirsch - due 2008-07-23].
hal: the conflict of interest policy is section 3.1.1 W3C process ...
<tlr> http://www.w3.org/2001/11/StdLiaison#OASIS needs update, incidentally. That's an action on me. I suspect.
<anil> zamkim, code?
fjh: home page simple, if you want to enhance please do so, its in cvs
... we should get a wiki, wiki didn't work too well in the past
... volunteers for main page?
... tracker, lists issues and actions ...
<jcc> FH: something that we did not use: tool for creating new issues
<anil> http://www.w3.org/2006/WSC/track/issues/200
<anil> example ^^^
<jcc> Link: www.w3.org/2008/xmlsec/track/issues/new
<jcc> FH: certain basic rules for new issues, including meaningful information categories
<jcc> details in www.w3.org/2002/ws/policy/
<jcc> actually in http://www.w3.org/2002/ws/policy/#issues
fjh: issues list is a good tool to move issues through states
<tlr> ISSUE: tracker doesn't get its e-mails through
<trackbot> Created ISSUE-2 - Tracker doesn't get its e-mails through ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/2/edit .
fjh: we need a volunteer to take responsibility of making sure external issues get on the list
Gerald: Volunteered to take care of issue Tracking
fjh: Thanks
<Zakim> anil, you wanted to mention that the spec can be updated at places with issue numbers and dealt with as and when completed
<rmiller> Rob Miller is going offline and will not return until tomorrow morning.
<fjh> Pratik has been working on best practices, interested in streaming
fjh: versioning policy constrains us
work on xml enc is limited to dsig compatibility and algs
updates to c14n will be jointly issued by us and xml core in order to retain IPR commitments
members of the wg are encouraged to nominate other groups who we should coordinate with
thomas to act as informal liaison with IETF
hal, jcc & fjh will liaise with OASIS TCs
bruce to informally liaise with WS-Fed
need to add ebxml tcs to list of OASIS TCs
sean to investigate ebxml liaison
<scribe> ACTION: sean to investigate ebxml liaison [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action07]
<trackbot> Created ACTION-6 - Investigate ebxml liasion [on Sean Mullan - due 2008-07-23].
<scribe> ACTION: bruce to informally liaise with WS-Fed [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action08]
<trackbot> Created ACTION-7 - Informally liase with WS-Fed [on Bruce Rich - due 2008-07-23].
<anil> I am getting involved in some healthcare security standard groups (no one in particular)
hal & fjh to liaise with WS-I BSP
will use workshop mailing list to communicate with interested parties
bruce & sean to liaise with Java community
klanz: need to tradeoff between maint and major changes
... need requirements discussion first
hal: could do low impact items first, but risk of not driving adoption of later step
sean: can have actions on wg members to provide proposals on different areas
fjh: need to focus on reqs
sean: tag with risk level
fjh: do best practices and maint in parallel
bal: when we gather reqs will see a break between simple and hard
... then we can decide tactics
... worry about task force idea
... relatively small group
fjh: make easy decisions up front
bal: will be pressure to produce short term spec
... will be easier to get impls
tlr: have ability to split or join specs
fjh: want to defer this for now
fjh: principles and requirements
... valuable exercise to go through ...
... walking through slide with original requirements ...
... design for security and mitigate attacks ...
... some workshop feed-back shows that there was a *lot* of balancing going on ...
... maybe solve through profiling ...
... revisit extensibility requirements ...
... interoperability and compatibility are important, and new since we're talking about Vnext ...
... should recognize layered architecture of implementations ...
... I probably missed some principles ...
<tlr> http://www.w3.org/2008/xmlsec/f2f-2008-07-16/rqmts/2008-07-12-xmlsec-rqmts.ppt
RESOLUTION: have a list of principles as basis for work
bal: need both principles and usecases
klanz: may find things which are incompatible with principles
... principles SHOULD be followed
bal: principles may be in conflict
hal: propose 4 categories: security, performance, new features, operational errors
fjh: how should we process workshop papers?
bal: create reading groups
<bal> and schedule a few workshop papers/presentations for discussion each week during the conf call
... review batch for each call to generate issues and suggestions
klanz: possibility of requesting profile of xslt?
<tlr> XSL is being chaired by Sharon Adler, IBM
<tlr> http://www.w3.org/2006/06/XML/xsl.html
klanz: noted that might need xslt transform to be able to sign including the whitespace generated by transform
bal: xsl came in as a part of web arch
... need to take a look at actual use
... maybe need to drop things which cause security problems
... may not need to carry forward all requirements from original dsig
klanz: most of our customers use XSLT
<EdS> XSLT can also be used as a means to collect and meld data from a variety of sources before hashing.
<fjh> review original requirements of dsig
bal: RDF was a requirement at W3C at that time
<pdatta> can you share the URL for this original requirements document
<fjh> http://www.w3.org/TR/xmldsig-requirements
bal: 3.2-4 was a reaction to CMS limitations
... 3.2 supports compound documents
<tlr> look at pkcs1 in 6.4.2
<tlr> it includes an identifier for the hash algorithm
<tlr> (rsa-sha1 algorithm)
general uncertainty about purpose of 3.3 point 3; likely interpretation: data in XML Signature takes precedence over data in crypto blob
hal: notes support for derived keys in various ws* specs, should consider those requirements and attempt to unify
hal: use cases?
magnus: not really there, indeed
brich: derived keys that WS-SecureConversation makes use of
... can proposal be extended to cover use cases there?
... are that will have to be done sooner or later
magnus: do not see why not; maybe take this conversation offline
hal: specs using derived keys are wss username token, ws-trust, ws-securitypolicy
... and ws-secureconversation
brich: bulk in secure conversation
not latest: http://www.oasis-open.org/specs/index.php#wssecconv1.3
fjh: editor per spec vs. editor team
... should use XMLSPEC
... need to set up properly to use ant
... compatible with any XSLT stream
... already have editors for best practices
<tlr> ACTION: thomas to read this action's number [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action09]
<trackbot> Created ACTION-8 - Read this action's number [on Thomas Roessler - due 2008-07-23].
<scribe> ACTION: gerald to test Issues entry and list generation [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action10]
<trackbot> Sorry, couldn't find user - gerald
<scribe> ACTION: tlr to fix Tracker [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action11]
<trackbot> Created ACTION-9 - Fix Tracker [on Thomas Roessler - due 2008-07-23].
RESOLUTION: No call on July 22nd or 5 August.
<tlr> for context: http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
<klanz2> http://www.w3.org/TR/xmldsig-core/#sec-Secure
<klanz2> reviewing 8.1.1 - 8.1.3 : A quote from 8.1.3: Some applications might operate over the original or intermediary data but should be extremely careful about potential weaknesses introduced between the original and transformed data.
RESOLUTION: Accept Best Practices as a Work Item, based on previous work
bal: need to consider best practices for new specs
<bal> and whether some of these turn into a processing model for applications verifying sigs
RESOLUTION: Pratik to continue editing best practices document
konrad: does best practice require implementation experience?
hal: should be sure it works
<scribe> ACTION: fjh to update wg page to include issues link [recorded in http://www.w3.org/2008/07/16-xmlsec-minutes.html#action12]
<trackbot> Created ACTION-10 - Update wg page to include issues link [on Frederick Hirsch - due 2008-07-23].
bruce: put non-normative info in back of spec, could have best practices there as well
tlr: process, once approved add to errata document, but non-normative until new edition published
... decide on update of REC when appropriate, enough docs
... not update REC or red-line at this time
<fjh> WG should review the errata and we will decide whether to approve on next call
<fjh> document section link http://www.w3.org/TR/xml-c14n11/#Example-DocSubsetsXMLAttrs
<fjh> issue link http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Jun/0021.html
<klanz2> http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec-102
<klanz2> http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec2-102