W3C XML Encryption WG

2002-February-04
Chair: Joseph Reagle
Note Taker: Joseph Reagle

Participants

News

Status of documents

Reviewing Previous Items

  1. Eastlake: tweak text.  Remove text saying a nonce prevents CBC IV attack?
  2. Eastlake: DH: RFC2631 versus PKCS3
  3. Eastlake:Nonces and IVs: "It is unclear to me what "algorithm dependent length" is referring to in the second sentence. "
  4. Reagle: write up issue of URIs and Mediatypes on list and talk to TimBL.
  5. Reagle: more discussion (continue with Takeshi Imamu) about what a "XML encoded" key means (as distinct from a ds:KeyValue) and propose some text for the spec explaining when to use EncryptedData versus EncryptedKey.
  6. Eastlake: add real life examples in section 5.5 to illustrate.

    Pending. (Still need that later example?)

  7. Action Hughes: (XML Encryption Processing Model) Will investigate and send an email on Xerces implementation using XNI, or DOM when processing Element or Element Content.

    Will not be able to investigate.

Requirements

...

Draft

Pending

  1. Encrypting the IV: Do we encrypt the IV?

    Not enough consensus to include in spec, should be specified externally. (First as a seperate document, then maybe in the Additional XML Security URIs?)

    Reagle: Is section 5.2 too constraining? I think there is some confusion about its interpration, but the intention isn't too preclude externally specified algorithms from processing the IV as they see fit. I could make a tweak to make this more clear. ACTION Eastlake: since Don has change control on section 5 he can review this text.

  2. Password Derivation: Is Christian's understanding of what a password derivation is accurate? Do we still wish to not specify this ourselves?

    Same understanding as the encrypted IV, start off with it being externally specified.

Misc.

Performance

  1. Reagle: Given our recent brush with performance issues with XPath, have folks played with the xmldsig-decryption-transorm? Merlin and Blair have played with it, didn't seem to encounter any problems at the time.
  2. Reagle: since we are entering CR we could say something about on performance?

    Eastlake: wouldn't hurt to say we're interested in feedback about performance.

  3. (Since folks are on the call: Reagle asks Merlin about Boyer's message, Merlin will respond with some numbers.)
  4. Ok, when Don gives me the section 5 tweaks we'll be ready to advance out of CR. Targetted publication of this month.