
security-services message



Subject: Minutes of SSTC/Focus 10 July 2001 telecon


Thanks to Heather Hinton for taking the notes!


Minutes of the OASIS Security Services Technical Committee telecon
and the Focus Subcommittee telecon
10 July 2001

Please note the ACTION items below.  If you see anything that needs
correction, please reply to this message.



> Administrative
> ==============
> - Membership report: new/removed members (Heather)

Included below. 

> 
> - Roll call (Heather)
>   - quorum?

Attendance list included below, quorum met.

> 
> - Approval of/additions to this agenda

Added discussion of SAML-related talks at 2002 RSA Conference to Open Mike
section.

> Solicitation of new recording secretary

Gavenraj Sodhi volunteered; many thanks; will take effect for meeting (August
14) after next (24-Jul).


> 
> F2F #3 Minutes approval
> =======================
> 
> The minutes of the SSTC F2F #3 meeting, which was essentially an informal
> Focus group meeting due to lack of official F2F #3 quorum are here..
> 
>   Minutes of OASIS Security Services Technical Committee F2F #3
> 
> http://www.oasis-open.org/committees/security/minutes/SSTC-F2F-3-Minutes-00.txt
> 
> Are there additions/corrections to these minutes?
> 
> Is there a motion to approve the minutes from F2F #3 and accept the
> decisions and issues therein as being decisions and issues formally of
> the SSTC?
> 
> [If folks subsequently come up with corrections/additions to the approved
> minutes, the minutes can be amended at a future SSTC meeting (telecon or
> F2F), so we shouldn't necessarily let that concern balk us.]


Motion to table this until next TC meeting; seconded (Hal, Phill HB)

Discussion:

Group recommended for stable spec on 1 Dec 2001, shoot for submission to
OASIS as a whole by 1 March 2002.

Motion passed;

We can figure out what to do with the F2F #3 minutes and discuss them over the
next couple of weeks.



> ACTION items
> ============
> ACTION: Bob Blakley to develop and circulate a Word template for all
> specification contributors to use.
> 
> - Target date? Should someone else take this on? BobB noted at F2F #3 that if
>   someone else takes this on, please subsume the word template embedded in the
>   draft-sstc-ftf3-* docs (that were sent to the list, see..
> 
>   http://lists.oasis-open.org/archives/security-services/200106/msg00150.html
>   http://lists.oasis-open.org/archives/security-services/200106/msg00151.html
>   http://lists.oasis-open.org/archives/security-services/200106/msg00141.html
>   )


Bob has a template that he will circulate as soon as his mail starts working.


> ACTION: Prateek to do traceability review before the next TC telecon.
> - definitely in wait-state, gated by consensus draft from F2F #3.


Discussed last week, still in wait state; no further discussion.


> ACTION: Jeff Hodges to update the Glossary to reflect F2F #2 decisions.
> - Target date 20-Jul

Jeff will attempt to complete by end of week (tho 20-Jul is more realistic).



> ACTION: Eve to create master bibliography and provide bibliography section
> for document guidelines.
> - In wait-state. Eve has sent to JeffH draft bib section guidelines for comment,
> otherwise this is in wait-state as she's on vacation for much of Jul]

Jeff will intersperse his comments and send to group and Eve.


> ACTION: Marlena to champion DS-1-02, Anonymity Technique, and confer with
> BobB and Phill.
> - In progress.

Marlena feels we are missing a form for anonymous subjects; will confer
with Phill and Bob and get a draft out.

> ACTION: Prateek to champion DS-3-03, ValidityDependsUpon.
> - In wait-state. Will be another couple of weeks to get out doc discussing the
> overall set of issues here.

As soon as a draft incorporating the F2F #3 white board proposal (known as "the
consensus draft") is published, Prateek will work on this.

> ACTION: Jeff to champion DS-4-02, XML Terminology, aka Messages and
> Packaging.
> - in queue after Glossary.

no discussion.


> ACTION: Phill to write up notion of "Authorization Claims", which are putatively
> represented via attributes.
> - in wait-state

Phill feels authz claims got "killed" at F2F. It will be possible to
resurrect them in future versions, which Phill is happy with.




> Subcommittee reports
> ====================
> - Issues list (Hal)

Nothing to report, should get new issues list this week; Any new issues
should be reported to Hal

> - Focus (Jeff for now)

Minutes of F2F comprise the state of the focus group; big item is for
consensus draft based on F2F. There are some detailed items based on XML
encryption and Dsig that need to be discussed in detail. Until consensus
draft surfaces, not much more to say.

> - Bindings (Prateek)

Con call last Thurs; Minutes of which are available in the list archives..

http://lists.oasis-open.org/archives/security-services/200107/msg00020.html

worked through submission from Tim Moses as well as
review of web browser profile. Focused on standard web browser client for
inter-domain single-sign-on. Couple of issues that are already on agenda.
For preview, issue "uc-1-05" - user approaches destination site first and is
redirected to AP: does SAML need to formalize a specific protocol for this
space? Issue "saml artifact", something like a ticket: should this be
located in bindings group, what is its relationship to a ticket proposal
that Phill gave in an earlier document?

> - Conformance (Robert Griffin)

No report; Bob on vacation; there is a con call some time next week.

> - Considerations (Jeff for now)

Nothing new to report; most info in minutes of F2F #3.

> - Sessions (Hal)

Nothing new to report.

> - Pass-through (Stephen)

No report; Stephen on vacation.


> Liaison reports
> ===============
> XKMS, XML Encryption, XML Protocol, BEEP, Shibboleth, DSML, XACML...

Do we want to formally respond to their latest draft? Might be tough to get
a TC report in the short term, but individual reports from members may be
more effective (and will be faster)
Deadline for comments is Friday, July 13 2001
We don't have time to get a TC response
For those individuals who do provide a response, please cross post to SSTC
as well as XML Encryption
Evan P is looking at this; he will try and post his comments to the list to
solicit other comments and put together a report that is signed by
individual members of the SSTC but is not a formal SSTC response

> <new> Doc Editor/Repository report
> ==================================
> 
> Are there some docs that were sent only to Security-services that need to go
> into the Doc repository? Please re-send to security-editors.


If you sent a document to "security-services" without copying
"security-editors", and were hoping to get it into the repository, please check
the repository to make sure that it is in fact there. If it isn't, please resend
to security-editors.



> Schedule for a new, consolidated Core Assertions & Protocols spec
> =================================================================
> 
> What's the outlook for issuance of the first cut of a consolidated Core
> Assertions & Protocols spec (aka the "consensus draft") as a result of F2F #3 as 
> represented in the minutes thereof?]

Outlook deadline is Friday, July 20
If there are comments, based on the F2F minutes, please send them to the
list.


> Open mike (new issues)
> ======================
> 
> Prateek: revival of (ISSUE:[UC-1-05:FirstContact])

Model assumes that user is at site of Asserting Party (AP) and then goes to
the Relying Party (RP). What happens if user goes to destination site/RP
FIRST? Do we need a protocol? An extension of this is "daisy chaining" of
information from one RP to another? Core issue: do we want to call out a
protocol that describes how redirection works.
Gil: Daisy chaining is a use case that falls under sessions
Darren: Kept this open to make sure didn't fall off table; if bindings
group considers this, Darren is happy to let it drop
Phill: This may lead to a requirement for a new message pair
Tim: Will call out some details from Tim's document to facilitate
discussion


> Prateek: "SAML artifact architecture", in..
> 
> http://www.oasis-open.org/committees/security/docs/draft-sstc-bindings-model-04.pdf
> 
> ..as opposed to "ticket" in..
> 
> http://www.oasis-open.org/committees/security/docs/draft-sstc-core-phill-07.pdf

Prateek wanted to make people aware that there is a formal proposal for a
SAML artifact, a small piece of info that can be moved, via browser, from
one security domain to another. This facilitates cross-domain work. Note
that there are differences with this and Phill's previous ticket proposal.

There is also a binding issue: should this mechanism be supported in other
(non-web browser) environments? It seems reasonable to put into bindings
doco now, and then move it to other documents later if this turns out to be
generally applicable.

Phill's document is not formally part of SAML spec (there are no competing
documents/specs); it is a high level proof of concept/examples document to
show that a ticket/artifact is possible and necessary. The ticket
"def/spec" is non-normative.

Phill and Prateek will work together to refine the SAML artifact.


> SAML-related talks at 2002 RSA Conference

Jeremy Epstein pointed out that lots of individual submissions may be a
sub-optimal approach; it may be more efficient (for SAML, at least) to have one
or two "group" submissions. A standards track submission with several
individuals and companies might be more attractive/taken more seriously.

People who have submissions in progress should try and work together to get
a heavy weight talk/presentation (for standards and development track) for
submission. We might also want to try and get an XML-alphabet soup panel on
what the different, but related standards (SAML, XACML, XML Encryption,
etc) are each trying to accomplish, where they overlap, where they don't,
etc

> Adjourn
> =======
> (Next meeting: 24 July 2001 Focus telecon; +1 334 262 0740 participant code
> #856956)

Meeting Adjourned.


> Focus subcommittee agenda
> =========================
> 
> Any specific issues with how our rough consensus at F2F #3 was documented in..
> 
>   Minutes of OASIS Security Services Technical Committee F2F #3
> 
> http://www.oasis-open.org/committees/security/minutes/SSTC-F2F-3-Minutes-00.txt
> 
> ?
> 
> Discussion of specific issues raised in the F2F #3 minutes?

Hal: Important open issue is "what would identifiers look like" We need a
discussion of how we are going to settle this issue.
Jeff: we don't have just one type of identifier - there are several types.
We need to make a decision about how to use identifiers/classes of
identifiers
Jeff had been waiting to see what turned up in the consensus draft
Hal: Trying to call out these types of issues in the consensus draft
without identifying what they are/look like

Useful first step: summarize categories of identifiers (eg identifiers that
need to be unique)
Jeff asserts that there are at least 4 categories of identifiers: issuer,
assertion id, plus XML specific stuff (schema names, element names), Jeff's
summary message is on the list "URI as general purpose identifiers", here..

  URIs as general-purpose identifiers, and identifiers in general 
  http://lists.oasis-open.org/archives/security-services/200106/msg00074.html


Initial messages beginning two threads on the list about AssertionIDs
and Issuer IDs...

  composition of AssertionID (Issue: DS-4-04: URIs for Assertion IDs) 
  http://lists.oasis-open.org/archives/security-services/200106/msg00025.html

  composition of Issuer identifier (also: "dns-date" URN NID) 
  http://lists.oasis-open.org/archives/security-services/200106/msg00082.html


Present summary messages in those threads...

  Re: composition of AssertionID (Issue: DS-4-04: URIs for Assertio nIDs) 
  http://lists.oasis-open.org/archives/security-services/200106/msg00158.html

  Re: composition of Issuer identifier (also: "dns-date" URN NID) 
  http://lists.oasis-open.org/archives/security-services/200106/msg00159.html


Hal volunteered to take Jeff's work (pointed to above) and the "Church of
Identifier syntax" list from the F2F #3 whiteboard discussion and take it a step
further.

The latter is captured in the F2F #3 minutes
(http://www.oasis-open.org/committees/security/minutes/SSTC-F2F-3-Minutes-00.txt),
and was..

  the "church of identifier syntax"
    URI, string, OID, type/value pairs, XML doc, DNS domain name, other?


 
Adjourn at 12:30 Central Time

> Attendance & Membership report...

SSTC Meeting Attendance
Kelvin Beeck            TalkingBlocks
Bob Blakley             Tivoli
Steve Anderson          OpenNetwork
Irving Reid             Baltimore
Ken Yagen               Crosslogix
Hal Lockhart            Entegrity
Carlisle Adams          Entrust
Kelly Emo               Jamcracker
David Orchard           Jamcracker
Gilbert Pilz            Jamcracker
Prateek Mishra          Netegrity
Adam Prishtina          Netscape
Jeff Hodges             Oblix
Charles Knouse          Oblix
Darren Platt            Securant
Jahan Moreh             Sigaba
Eve Maler               Sun
Aravindan Ranganathan   Sun
Bob Morgan              UWashington
Phillip Hallam-Baker    Verisign
Soke Wan Chua           Access360
Mark Griesi             OpenNetwork
Michael Lyons           OpenNetwork
Jeremy Epstein          webMethods
Gavenraj Sodhi          Access360
Fred Moses              Entitlenet
Alex Berson             Entrust
Tim Moses               Entrust
Marc Chanliau           Netegrity
Ron Monzillo            Sun
Paul Ashley             Tivoli
Marlena Erdos           Tivoli
Heather Hinton          Tivoli
Mark O'Neill            Vordel
Tony Palmer             Vordel

New Members
None

Removed Members
Michah Lerner  AT&T
Emmy Chen      NetFish
Frank Paynter  SandHill Technology


> ---
> end

