[1]W3C [2]XML Encryption WG [1] http://www.w3.org/ [2] http://www.w3.org/Encryption/2001/Overview.html 2001-August-20 Chair: Joseph Reagle Note Taker: Joseph Reagle [3]text] [3] http://www.w3.org/Encryption/2001/Minutes/010820-tele.html,text Participants * Joseph Reagle, W3C * Blair Dillaway, Microsoft * Katherine Betz, IBM * Donald Eastlake 3rd, Motorola * Ed Simon, XMLSec * Eric Cohen, PricewaterhouseCoopers News * No news is good news. Status of documents * We'd like to go to last call, need to finish up a few of these issues. Reviewing [4]Previous Items [4] http://www.w3.org/Encryption/2001/Minutes/0720-Redwood/minutes.html#ResultingActionItems From FTF minutes. 1. [DEL: Eastlake: follow up the alternative to 5.5 and make changes in the document. :DEL] 2. [DEL: Eastlake: send proposal on nonce.Reagle: investigate default state of schema element modification. :DEL] 3. [DEL: Reagle: do the edits to xmlenc and xmldsig specs to address "surreptitious forwarding" :DEL] 4. Schaad: on DigestMethod/DigestValue send proposal for integrity to list within the week with the necessary changes. Action Eastlake: given Schaad's abense, send an email with this proposal. 5. [DEL: Eastlake: add a note to warn against reusing IV in stream ciphers. :DEL] 6. Dillaway: review section 4.3 on serialization and documentation. (Dillway will post this text as part of section 4 proposal this week.) 7. [DEL: Reagle: convene informal enc+soap task force. :DEL] 8. [DEL: Reagle: update document where name 3DES is used to TripleDES in both places referenced to get around number as first character. (e.g. http://www.w3.org/2001/04/xmlenc#3des-cbc) :DEL] 9. [DEL: Eastlake: remove the mandatory key words from the section on Canonicalization. :DEL] 10. [DEL: Eastlake: change the type / content of OAEP parameters to base 64. :DEL] 11. Eastlake: add real life examples in section 5.5 to illustrate. Requirements ... Draft * [5]XML Encryption Processing Model Some trickyness, for example, how to deal with a nodelist (without any parent element). The likely options include some fairly complex processing, or keeping it simple. Folks lean towards keeping it simple and letting the application figure out how to deal with it before (and if) the decrypted data needs to be parsed. Action Dillaway: tweak section 4.0 to represnt his understanding/proposal of recent discussions. * [6]Nonce: if we can't expect to change the content, do we need it to be part of the processing? Two options: 1. Encode the presense and length of a nonce within the encoded CipherValue. 2. Represent it with XML in the CipherData Structure. Simon, earlier understanding that option 1 was more efficient. Dillaway: but I'd like the default to be no nonce is expected. Reagle: then you need something in the XML telling you regardless, and if we do that, why not just include the length as well? Simon: why not represent it in XML, if people have problems will change. Action Reagle: make it a declaration within CipherData using Eastlake's nonce proposal text where necessary. * [7]Last Words on "Encrypt-then-Sign" issue Call: text is acceptable. [5] http://lists.w3.org/Archives/Public/xml-encryption/2001Aug/0031.html [6] http://lists.w3.org/Archives/Public/xml-encryption/2001Aug/0020.html [7] http://lists.w3.org/Archives/Public/xml-encryption/2001Aug/0034.html Misc. * Next call on September 10, 2001.