Subject: Minutes of 29 May 2001 Security Services TC/Focus telecon
Minutes of the OASIS Security Services Technical Committee telecon
and the Focus Subcommittee telecon
29 May 2001
Please note the ACTION items below.
If you see anything that needs correction, please REPLY to this message.
Administrative
==============
- Membership report: new/removed members (Heather)
See the end of these minutes.
- Roll call (Heather)
Attendance list appears at the end of these minutes. Quorum reached
(32/28).
- Approval of minutes for the last telecon:
http://lists.oasis-open.org/archives/security-services/200105/msg00136.html
Approved.
- Approval of/additions to this agenda
None.
- Burton Group speaker slot
Eve will choose person based on timestamp of response (Jahan
Moreh, Joe Pato, Alex Berson, and Marc Chanliau responded).
The conference is 22-25 July in San Diego.
- News from Jeremy: WebSec is also looking for speakers:
http://www.misti.com/conference_show.asp?id=WS01
ACTION items
============
ACTION: Bob Blakley to develop and circulate a Word template for all
specification contributors to use.
- Not done yet; new target date 1 June
ACTION: Bob Blakley to propose simplified assertion data structures based
on Phill's new document.
- Not done yet; new target date 1 June
ACTION: Conformance group to review the traceability of use cases against
Phill's design and release a rough draft for review before the next TC
telecon.
- Will get progress report in subgroup reports; won't list this as
an action item in future
ACTION: Prateek to do traceability review before the next TC
telecon.
- Moving slower than Prateek hoped; trying to get bindings report
out and will look at traceability when done
ACTION: Jeff Hodges to update the Glossary to reflect F2F #2 decisions.
- Still in progress; new target date 12 June 01
ACTION: Eve to create Evite page with F2F #3 information.
- Will do once receive today's voting members list
ACTION: Prateek to produce draft of bindings doc to go to whole group by
Tuesday 22-May.
- Will wait for binding subgroup report; Prateek will commit to
sending 29 May; won't list this as an action item in future
ACTION: Prateek will create or point to a use case for ValidityDependsOn.
- Prateek has initiated thread on a related topic that may help;
there is an issue on this in the issues document; won't list this
as an action item in future because it will get taken up as a
regular issue
ACTION: Eve to create master bibliography and provide bibliography section
for document guidelines.
- Eve will do this by June 5 focus call
ACTION: Jeff to send out email about possible URI constraints and identity
definitions we should consider imposing in the case of SAML's unique
identifiers.
- Jeff is trying to get this out 29 or 30 May
(see the rest of these minutes for new actions)
F2F #3
======
- Meeting page: has been updated; URL is in emails Eve has sent out
- Evite status:
- Goals for this F2F:
. Review and approve as much of the design as possible
. Assess plans for implementation and conformance
. Figure out the end-game schedule
We must be realistic but not slip our due date very much. Eve suspects
we will have to slip date by one quarter but does not want to slip two
quarters. Eve will finalize pre-meeting materials by COB 18 June.
ACTION: Subgroup leaders to get new materials to BobB (and the
security-editors list) by COB June 14 in preparation for publishing the
F2F versions of the spec.
Meeting starts June 25 in Newark office of Sun, near Fremont, CA.
NOTE: no telecon on June 26; replaced with F2F meeting that day.
Subcommittee reports
====================
- Issues list (Hal)
Major change is a "color code": previously closed issues will be greyed
out; blue is "just been closed"; open/actively discussed/newly created
issues will be yellow; other open issues will be in white. In the footer
there is a color sample so that grey-scale printing can still be matched
against the code. The previous list had just the use case/requirements
issues; a section on design issues has been added. Put out a second
revision but haven't changed blue to grey. New version has been made
pretty. Agreed to close group 0 issues in this latest version. Please
look at the issues list/versions to track what we are doing.
- Focus (Eve)
Last time came up with one recommendation for discussion today.
Discussed the meta-issue of how to make progress. Agreed on 75% approval
standard before recommending to TC at large; will generally use straw
polls in telecons rather than email ballots.
In the latest Focus minutes there are a number of links to other
interesting topics, including use of URI as unique identifier.
- Bindings (Prateek)
There is a draft that should go out today to be discussed on bindings
con call this Thursday. Been a number of contributions, including
terminology (from Jeff) discussing types of bindings. Types of bindings:
addition of SAML assertions to various protocols/object frameworks (how
do you insert a SAML assertion into a SOAP document?). The other type is
concerned with layering the request/response protocol on top of (e.g.)
HTTP. Currently using the term "SAML protocol binding" for this latter
type of binding (e.g. SAML request/response layered on top of HTTP);
inserting SAML into other protocol flows is a "profile" (e.g. a web
browser profile or a SOAP profile for SAML).
Other piece is a submission of an HTTP protocol binding; this is being
integrated into the document.
Third piece is a web-browser profile (calling out the different
interaction steps when a web browser is used to move a document from one
site to another).
- Conformance (Krishna)
Need two documents: conformance clause and conformance plan. Have sent
out outline and are getting responses/feedback.
- Security and Privacy Considerations (Jeff)
Jeff has been collecting materials. Has not been terribly active.
- Sessions (Hal)
Appear to have closure on requirements. The open issue of multiple
time-out values has been resolved. Moved into discussing message flows
(login, logout by user, forced logout by admin, timeout). Timeout can be
viewed as two phases (timeout and execution); the phases are all the
same, so we know the flows will be too. Going off to explore in detail.
- Pass-through (Stephen)
No report as Stephen not on call.
Liaison reports
===============
Election and Voter Services TC: Krishna Sankar said they may be a
"customer" for SAML.
XKMS: Joe Pato is chairing W3C XKMS workshop on July 19 to decide if W3C
should make XKMS a working group.
Technical issues to discuss/approve
===================================
- Focus subcommittee recommendations:
http://lists.oasis-open.org/archives/security-services/200105/msg00139.html
. "RECOMMENDATION: We recommend that the design not incorporate
any provision for wildcarding for resources, as doing this is
essentially to accomplish a policy statement, and policy is
out of scope for SAML (draft-sstc-saml-reqs-00 page 6)."
Point of information: This means specifically all references to
accessible resources.
Debate on the motion:
Phill: Did not like this as he thinks that people will invent a way to
do this. If we insist on "our" way, people will try to circumvent (and
break SAML?).
Evan: We don't want a SAML standard that includes policy.
Eve: Interjected with references to what was discussed in Focus
subcommittee. Rationale came down to "there is a job that SAML is
trying to do and this isn't it."
Hal: Wants to do a complete job; we are being asked to do an incomplete
job that will be incompatible with XACML
Bob: A name based regular expression match is not the only, nor the
best, way to do this. People may want to do this, but this may not be
the right way to do this.
Jeff: Supports Bob.
Prateek: Have this problem between PDP and PEP. One way to do this is to
develop a specific syntax that is a reasonable fit to the problem
domain. There may be a nice syntax for hierarchical file systems but if
we 'bake' it into the spec, we are all forced to implement it.
Tim: Phill's example is handled if you treat directory as ???
Nigel: Does issuing authority mean same thing as relying party? Does
file system directory always mean that or does it mean an index/html?
Jeff: Even though path portion of a URI may look like a file system
path, you cannot presume that is what it is.
Irving: URLs imply a hierarchical structure; we can relate permissions
to that structure whether there is a physical file system behind it or
not. Key point is that client and server must agree on who is on first.
Is it useful to have the PEP giving a PDP a question that has a wildcard
in it? The answer in the focus subgroup was yes; they are going to go
and look at this independent of XACML. Do you want to support
wildcarding in a policy database? This should be internal to a product
and shouldn't be required of SAML.
Nigel: Speaks against the recommendation as worded; would like to refer
to the definition of policy as in one of our April drafts. This seems to
equate policy to ACLs.
What Nigel meant were assertions that could be such as "Nigel can access
this set of resources."
Hal: The reason the directory issue was brought up was that it was argued
a simple wildcard scheme would be dead easy (access control in a
directory), but this presupposes a particular implementation that may be
false.
What happened at the focus group was a scenario of an enhanced/partial
PEP making requests, and the PDP saying "not only can Joe access X, but
Joe can access Y and Z." This is a partial policy/policy caching issue.
Nigel: What is the "corollary" of this recommendation? Does this impact
on other parts/examples/scenarios?
Phill: Wildcards are currently not in the draft; if you added them, you
would not have a well-formed URI.
Eve: Summary: this is a design idea that came up. Focus group
recommended NOT to add it to the spec.
Hal: Noted later that there is a mention of wildcards on p. 6 of 07.
VOTE: recorded as "wildcard vote" in Heather's voting list.
- Any comments on requirements document?
What does this say of the open issues that are in the requirements/use
case area?
Eve: All issues that were not explicitly listed last time were closed.
There may be issues in issues list, but not in requirements doc.
Much discussion on types of documents and what it means to have a
committee spec vs draft spec vs RFC. We agreed that the requirements
document is ready to be treated as a "Draft Committee Specification."
Open mike (new issues)
======================
(See below for summary of open design issues)
New issue (from Prateek) Audit of assertions - in email of 28 May.
New issue (from Marlena) Do we do nesting of attributes (based on
someone's def of roles as nested attributes).
Tim: With minimal extensions (roles of principals, attributes for roles),
it is clear how the design accommodates this.
Marlena: Are roles called out separately? Can roles be principals?
New issue (from Phil/Tim): Should attributes and roles be identified as
separate objects?
New issue (from Phil/Tim): Should attributes have some 'attribute-value'
type structure to them?
These two issues are linked, in that if attributes have structure, roles
should be atomic.
New issue (from Phil/Tim): Do you want a mechanism to state that someone
does not have a role?
New issue (from Darren): Design seemed to be biased towards roles; wanted
to see emphasis on rules. This is handled by above three issues.
New issue (from Tim): What is the appropriate style for the request
protocol?
This is in the issues list - how does it come to closure? This will have
to be discussed in Focus meeting.
Adjourn at 12:38pm Central Time.
Adjourn
=======
(Next meeting: 5 June 2001 Focus telecon)
Focus subcommittee agenda
=========================
- We will focus on making issues concrete/decidable. Champions
need to send candidate decidable wording by next Monday. Each should
contain a brief description/analysis of the problem and concrete
proposals for each option that solves the problem.
- Latest issues list:
http://lists.oasis-open.org/archives/security-services/200105/doc00011.doc
- DS-1-01: Referring to Subject (p. 86)
ACTION: Eve to ask BobB if he'll be its champion.
- DS-1-01 (sic): Anonymity Technique
ACTION: Marlena to champion this and confer with BobB and Phill.
- DS-2-01: Wildcard Resources
Closed today.
- DS-3-01: DoNotCache
ACTION: Hal to champion this.
- DS-3-02: ClockSkew
ACTION: Hal to see if the issue list text is sufficient or needs more
explication.
- DS-3-03: ValidityDependsUpon
ACTION: Prateek to champion this.
- DS-4-01: Top or Bottom Typing
ACTION: Dave to champion this.
- DS-4-02: XML Terminology (better to call it "Messages and Packaging"?)
ACTION: Jeff to champion this.
- DS-4-03: Assertion Request Template
ACTION: Tim and Dave to brainstorm further on how to proceed.
- DS-4-04: URIs for Assertion IDs
Jeff already has an action on this, so we'll be satisfied with that for
now.
Attendance list
===============
Voting members:
Carlisle Adams Entrust
Steve Anderson OpenNetwork
Bob Blakley Tivoli
Marc Chanliau Netegrity
Nigel Edwards HP
Jeremy Epstein webMethods
Marlena Erdos Tivoli
Mark Griesi OpenNetworks
Robert Griffin Entrust
Philip Hallam-Baker Verisign
Heather Hinton Tivoli
Jeff Hodges Oblix
Maryann Hondo IBM
Hal Lockhart Entegrity
Michael Lyons OpenNetwork
Eve Maler Sun
Prateek Mishra Netegrity
Ron Monzillo Sun
Jahan Moreh Sigaba
Tim Moses Entrust
Sridhar Muppidi Tivoli
David Orchard Jamcracker
Tony Palmer Vordel
Pramod Pathak Vordel
Joe Pato HP
Gilbert Pilz Jamcracker
Darren Platt Securant
Evan Prodromou Outlook
Aravindan Ranganathan Sun
Irving Reid Baltimore
Jason Rouault HP
Krishna Sankar Cisco
Ed Simon Entrust
Mark Vandenwauver Tivoli
Ken Yagen Crosslogix
New member report:
Chris Ferris Sun <chris.ferris@east.sun.com>
David Hofert Sun <david.hofert@sun.com>
Regunathan Rajaiah Netscape <ragu@netscape.com>
Zahid Ahmed CommerceOne <zahid.ahmed@commerceone.com>
Shawn Campbell Windermere Group scampbell@witsusa.com
Mark O'Neill Vordel mark.oneill@vordel.com
Pramod Pathak Vordel pramod.pathak@vordel.com
Bill Pope Bowstreet bpope@bowstreet.com
Removed member report:
Patrick McLaughlin Baltimore <pmclaughlin@baltimore.com>
Alex Ceponkus Bowstreet <aceponkus@bowstreet.com>
Duane Hamilton OpenNetwork <dhamilton@opennetwork.com>
Eric Olden Securant <eric@securant.com>
Ron Williams Tivoli ron.williams@tivoli.com
Warwick Ford Verisign <WFord@verisign.com>
Thane Plambeck Verisign <tplambeck@verisign.com>
--
Eve Maler +1 781 442 3190
Sun Microsystems XML Technology Development eve.maler @ east.sun.com