[VOTE] - Release Apache Santuario - XML Security for Java 2.0.6

[VOTE] - Release Apache Santuario - XML Security for Java 2.0.6

Colm O hEigeartaigh-2
Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.6

Sean Mullan
+1

--Sean

On 12/04/2015 07:37 AM, Colm O hEigeartaigh wrote:

> This is a vote to release Apache Santuario - XML Security for Java 2.0.6.
>
> Issues fixed:
>
> https://issues.apache.org/jira/browse/SANTUARIO/fixforversion/12333015
>
> Maven artifacts:
>
> https://repository.apache.org/content/repositories/orgapachesantuario-1010/
>
> SVN tag:
>
> https://svn.apache.org/repos/asf/santuario/xml-security-java/tags/xmlsec-2.0.6/
>
> +1 from me.
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.6

Cantor, Scott
In reply to this post by Colm O hEigeartaigh-2
+1

On 12/4/15, 7:37 AM, "Colm O hEigeartaigh" <[hidden email]> wrote:



>This is a vote to release Apache Santuario - XML Security for Java 2.0.6.

Re: [VOTE] - Release Apache Santuario - XML Security for Java 2.0.6

Colm O hEigeartaigh-2
With 3 binding +1 votes, and no other votes, this vote passes. I'll promote the artifacts.

Colm.

On Fri, Dec 4, 2015 at 2:54 PM, Cantor, Scott <[hidden email]> wrote:
> +1
>
> On 12/4/15, 7:37 AM, "Colm O hEigeartaigh" <[hidden email]> wrote:
>
>> This is a vote to release Apache Santuario - XML Security for Java 2.0.6.



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

XMLDSig 1.1

Clement_Pellerin
In reply to this post by Cantor, Scott
What is the status of Santuario for Java 2.0.6 with respect to these recommendations?
- XML Signature Syntax and Processing Version 1.1, W3C Recommendation 11 April 2013
- XML Encryption Syntax and Processing Version 1.1, W3C Recommendation 11 April 2013

The java index page on the Santuario web site only mentions these recommendations:
>> XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002
>> XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002.



RE: XMLDSig 1.1

Clement_Pellerin
I asked the same question about XMLDSig 2.0 years ago.
Santuario responded they will never implement XMLDSig 2.0 since the object model is incompatible.

The Santuario 1.5.3 release notes mention:
>> This release features support for new XML Signature 1.1 KeyInfo extensions.

Is the goal of Santuario to support all of XMLDSig 1.1 and XMLEnc 1.1?
How far are we in that project?


>> On Monday, December 07, 2015 11:44 AM, Clement Pellerin said:
>>
>> What is the status of Santuario for Java 2.0.6 with respect to these recommendations?
>> - XML Signature Syntax and Processing Version 1.1, W3C Recommendation 11 April 2013
>> - XML Encryption Syntax and Processing Version 1.1, W3C Recommendation 11 April 2013
>>
>> The java index page on the Santuario web site only mentions these recommendations:
>> >> XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002
>> >> XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002.



Re: XMLDSig 1.1

Cantor, Scott
On 12/10/15, 9:45 AM, "Pellerin, Clement" <[hidden email]> wrote:



>I asked the same question about XMLDSig 2.0 years ago.
>Santuario responded they will never implement XMLDSig 2.0 since the object model is incompatible.

2.0 was just a proposal that was abandoned out of lack of interest from implementers. Concretely it had some small wins but did nothing to address the primary issues that led people to abandon XML so wouldn't have helped anything.

>The Santuario 1.5.3 release notes mention:
>>> This release features support for new XML Signature 1.1 KeyInfo extensions.

Yes, some of that work was done by my project and donated.

>Is the goal of Santuario to support all of XMLDSig 1.1 and XMLEnc 1.1?
>How far are we in that project?

I'm fairly certain most of XMLEnc 1.1 isn't, seeing as ECDH was the major change there and it isn't supported AFAIK. GCM is, but hasn't seen much testing since Java 8 is the first version to include it.

I doubt there's a lot of XMLSig 1.1 that isn't already done.

-- Scott


Re: XMLDSig 1.1

Sean Mullan
I am pretty sure we support all of the MUST/SHOULD requirements in the
XML Signature 1.1 specification. If not, it should be treated as a bug.

--Sean

On 12/10/2015 10:00 AM, Cantor, Scott wrote:

> On 12/10/15, 9:45 AM, "Pellerin, Clement" <[hidden email]> wrote:
>
>
>
>> I asked the same question about XMLDSig 2.0 years ago.
>> Santuario responded they will never implement XMLDSig 2.0 since the object model is incompatible.
>
> 2.0 was just a proposal that was abandoned out of lack of interest from implementers. Concretely it had some small wins but did nothing to address the primary issues that led people to abandon XML so wouldn't have helped anything.
>
>> The Santuario 1.5.3 release notes mention:
>>>> This release features support for new XML Signature 1.1 KeyInfo extensions.
>
> Yes, some of that work was done by my project and donated.
>
>> Is the goal of Santuario to support all of XMLDSig 1.1 and XMLEnc 1.1?
>> How far are we in that project?
>
> I'm fairly certain most of XMLEnc 1.1 isn't, seeing as ECDH was the major change there and it isn't supported AFAIK. GCM is, but hasn't seen much testing since Java 8 is the first version to include it.
>
> I doubt there's a lot of XMLSig 1.1 that isn't already done.
>
> -- Scott
>

RE: XMLDSig 1.1

Clement_Pellerin
In reply to this post by Cantor, Scott
My project runs on Java 7.
Can it use all of XMLDSig 1.1 in Santuario, or do parts of it require Java 8?

> On December 10, 2015 10:00 AM, Scott Cantor wrote:
>
> >I asked the same question about XMLDSig 2.0 years ago.
> >Santuario responded they will never implement XMLDSig 2.0 since the object model is incompatible.
>
> 2.0 was just a proposal that was abandoned out of lack of interest from implementers. Concretely it had some small wins but did nothing to address the primary issues that led people to abandon XML so wouldn't have helped anything.
>
> >The Santuario 1.5.3 release notes mention:
> >>> This release features support for new XML Signature 1.1 KeyInfo extensions.
>
> Yes, some of that work was done by my project and donated.
>
> >Is the goal of Santuario to support all of XMLDSig 1.1 and XMLEnc 1.1?
> >How far are we in that project?
>
> I'm fairly certain most of XMLEnc 1.1 isn't, seeing as ECDH was the major change there and it isn't supported AFAIK. GCM is, but hasn't seen much testing since Java 8 is the first version to include it.
>
> I doubt there's a lot of XMLSig 1.1 that isn't already done.


Re: XMLDSig 1.1

Sean Mullan
On 12/10/2015 10:13 AM, Pellerin, Clement wrote:
> My project runs on Java 7.
> Can it use all of XMLDSig 1.1 in Santuario, or do parts of it require Java 8?

I think for the required parts, it should generally work fine on JDK 7 and
up. One issue I can think of is that there are some internal JDK API
dependencies for parsing EC-based keys/signatures which may not be
available on all JDK implementations. I am hoping to clean this up and
eliminate these internal dependencies soon. Please file bugs if you find
things that don't work as expected, as some of this may be able to be
fixed in the Apache library and not require fixes in the underlying JDK.

--Sean

>
>> On December 10, 2015 10:00 AM, Scott Cantor wrote:
>>
>>> I asked the same question about XMLDSig 2.0 years ago.
>>> Santuario responded they will never implement XMLDSig 2.0 since the object model is incompatible.
>>
>> 2.0 was just a proposal that was abandoned out of lack of interest from implementers. Concretely it had some small wins but did nothing to address the primary issues that led people to abandon XML so wouldn't have helped anything.
>>
>>> The Santuario 1.5.3 release notes mention:
>>>>> This release features support for new XML Signature 1.1 KeyInfo extensions.
>>
>> Yes, some of that work was done by my project and donated.
>>
>>> Is the goal of Santuario to support all of XMLDSig 1.1 and XMLEnc 1.1?
>>> How far are we in that project?
>>
>> I'm fairly certain most of XMLEnc 1.1 isn't, seeing as ECDH was the major change there and it isn't supported AFAIK. GCM is, but hasn't seen much testing since Java 8 is the first version to include it.
>>
>> I doubt there's a lot of XMLSig 1.1 that isn't already done.
>

Re: XMLDSig 1.1

Colm O hEigeartaigh-2
In reply to this post by Sean Mullan
None of the "Key Agreement" tests are supported though.

Colm.

On Thu, Dec 10, 2015 at 3:08 PM, Sean Mullan <[hidden email]> wrote:
> I am pretty sure we support all of the MUST/SHOULD requirements in the XML Signature 1.1 specification. If not, it should be treated as a bug.
>
> --Sean
>
> On 12/10/2015 10:00 AM, Cantor, Scott wrote:
>> On 12/10/15, 9:45 AM, "Pellerin, Clement" <[hidden email]> wrote:
>>
>>> I asked the same question about XMLDSig 2.0 years ago.
>>> Santuario responded they will never implement XMLDSig 2.0 since the object model is incompatible.
>>
>> 2.0 was just a proposal that was abandoned out of lack of interest from implementers. Concretely it had some small wins but did nothing to address the primary issues that led people to abandon XML so wouldn't have helped anything.
>>
>>> The Santuario 1.5.3 release notes mention:
>>>> This release features support for new XML Signature 1.1 KeyInfo extensions.
>>
>> Yes, some of that work was done by my project and donated.
>>
>>> Is the goal of Santuario to support all of XMLDSig 1.1 and XMLEnc 1.1?
>>> How far are we in that project?
>>
>> I'm fairly certain most of XMLEnc 1.1 isn't, seeing as ECDH was the major change there and it isn't supported AFAIK. GCM is, but hasn't seen much testing since Java 8 is the first version to include it.
>>
>> I doubt there's a lot of XMLSig 1.1 that isn't already done.
>>
>> -- Scott




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com