security-services message


Subject: Minutes for Focus subgroup 17 July 2001 telecon]


Jeff Hodges wrote:
> 
> Meeting date: Tuesday, 17 Jul 2001
> Meeting time ( see also http://www.timezoneconverter.com ):
>            Europe/Dublin  5-7pm
>            US/Eastern     12noon-2pm
>            US/Central     11am-1pm
>            US/Pacific     9am-11am
> 
> Call-in information (good through end of September):
>            Call-in number: (334) 262-0740
>            Participant code #856956

Participants:

Gil P.
Joe P.
Hal L.
Prateek M.
Chris M.
Simon G.
Gavenraj S.
Don F.
Carlisle A.
Irving R.
Darren P.
Marlena E.
JeffH


> ACTION items
> ============
> ACTION: Bob Blakley to develop and circulate a Word template for all
> specification contributors to use.
> 
> - Target date? Should someone else take this on? BobB noted at F2F #3 that if
>   someone else takes this on, please subsume the word template embedded in the
>   draft-sstc-ftf3-* docs (that were sent to the list, see..
> 
>   http://lists.oasis-open.org/archives/security-services/200106/msg00150.html
>   http://lists.oasis-open.org/archives/security-services/200106/msg00151.html
>   http://lists.oasis-open.org/archives/security-services/200106/msg00141.html
>   )
> 
> - BobB said last week that he has a template that he'll circulate as soon as his
> mail starts working.

ACTION: Gil signed up for this. 


> ACTION: Prateek to do traceability review before the next TC telecon.
> - definitely in wait-state, gated by consensus draft from F2F #3.

waiting.


> ACTION: Jeff Hodges to update the Glossary to reflect F2F #2 decisions.
> - Target date 20-Jul
> - in-progress, issuance imminent.

Done.



> ACTION: Eve to create master bibliography and provide bibliography section
> for document guidelines.
> - In wait-state. Eve has sent to JeffH draft bib section guidelines for comment,
> otherwise this is in wait-state as she's on vacation for much of Jul]
> - Jeff will intersperse his comments and send to group and Eve. After
> glossary-01 is done.

waiting.



> ACTION: Marlena to champion DS-1-02, Anonymity Technique, and confer with
> BobB and Phill.
> - In progress. Marlena feels we are missing a form for anonymous subjects; will
> confer with Phill and Bob and get a draft out.

Has conferred with Phill, he agrees that we are missing something in the subject
and it needs to be extended to cover this. Nominal name for this is "opaque
identifier". She'll endeavor to send at least a pointer to prior relevant
discussion to the list [Marlena will be on vacation for 17 days as of ~18-Jul]


> ACTION: Prateek to champion DS-3-03, ValidityDependsUpon.
> - In wait-state. Prateek will

waiting. 


> ACTION: Jeff to champion DS-4-02, XML Terminology, aka Messages and
> Packaging.
> - in queue after Glossary.

need to do. 


> ACTION: Hal to take Jeff's work on classification and composition of identifiers
> and "take it a step further".

Issues list first. Then this. 



> ACTION: Phill & Prateek to work together to distill'n'refine the notion of a
> "SAML artifact" from..
> http://www.oasis-open.org/committees/security/docs/draft-sstc-bindings-model-04.pdf
> http://www.oasis-open.org/committees/security/docs/draft-sstc-core-phill-07.pdf

Prateek's understanding is that this is closed. 

Marlena has comments on the artifact, and is raising them with Prateek. They're
going to get the discussion out on the list. Prateek notes the present thread
about the artifact on the bindings list. 


> ACTION: Tim Moses to call out some details from "Tim's document" (has this been
> sent to security-editors?) in the context of the revival of
> ISSUE:[UC-1-05:FirstContact]

Hal believes the "Tim's document" is protocols-00 that's being referred to. 
(Tim not on call to confirm)

otherwise this is waiting on Tim. 


> ACTION: Dave Orchard, Phillip Hallam-Baker, and Prateek Mishra to produce a
> "consensus draft" incorporating results of F2F #3 discussions as documented in
> F2F #3 minutes
> (http://www.oasis-open.org/committees/security/minutes/SSTC-F2F-3-Minutes-00.txt)
> - outlook deadline from last meeting was given as Friday, July 20

Prateek: Chris McLaren (Netegrity) is helping out (JeffH: apologies to Chris for
not including him in the list above). Schema is getting stable, close to
agreement among the co-authors. A lot of progress is being made. Chris &
Prateek are working on issues discussion & traceability doc, connects "consensus
draft" to the f2f #3 minutes. 

The "consensus draft" will formally be "draft-sstc-core-10".




> Open discussion
> ===============


glossary
--------
Gil noted that there's XACML aspects to add (e.g. "authorization policy"). We
can talk about it at the XACML F2F tomorrow. 
Hal (?) noted that PIP (?) and PRP (?) need to be added. 
JeffH requested comments on the glossary be sent to the list, and he'll work on
incorporating them. However, he asked if anyone else might be interested in
taking it over as editor? <no takers at this time>  Will solicit for such on the
list. 



security considerations
-----------------------
Don Flinn asked about security considerations work.

JeffH noted that he is presently the stuckee leader of the security
considerations subgroup. Has stuff that he needs to gather in a pile, and then
once core-10 is issued and we're looking in detail at applying xml-dsig (and
perhaps xml-encrypt) to it, it's relevant to begin looking at it. 

Prateek noted that sec considerations have much to do with bindings work. JeffH
concurred, noting that sec considerations run the gamut of analysis of a
protocol's msgs, application of dsig &| encryption thereof, to guidelines wrt
binding to underlying protocols and operational considerations thereof. 

In any case, JeffH will endeavor to kick this discussion off once core-10 is out,
and before he goes on vacation 11-Aug. Will be soliciting active participation
from others. 




F2F #4 Planning
----------------

after a fair bit of discussion, we decided that we need to solicit the list for
input wrt these axes...


dates: Wed 22- thru Fri 24-Aug   or   Mon 27- thru Wed 29-Aug

duration: 2 or 3 days?  (tho several folks mentioned feeling that 3 days is 
                         going to be easily justified)

location: Austin or MA ? 


Hosting options...

Firm offer from Bob Blakley to host in Austin TX.

Don Flinn to check whether Hitachi can host in Waltham MA. 

Hal: Entegrity doesn't have the space to host in-house, but Hal
will have their travel folks figure out whether there's rentable space in his
neighborhood (MA) for 40..50 people and what the costs are, as another option
(e.g. do a cost-sharing arrangement amongst participants). 


ACTION: JeffH to solicit the list for input on the above F2F #4 options.



other details...

consensus was that 31-Aug Fri is not a good day to include. 

Don noted that usually he finds beg. or end of week works the best for folks
(general agreement). 

Darren: can't make it end of aug, will be on vacation. 

Marlena: likely can't do Austin -- travel restr. Can if meeting is local (i.e.
in MA) 


Joe: can do 2.5 of those days (27-29-Aug). Has to be in PA 30-Aug. 

Carlisle: can do 2 days of 27-29-Aug, has conflict on 29th, but mebbe Tim would
be going.  would like to see 22..24 as an option

Several folks noted that it might be tough for JeffH and BobB to prep for F2F on
22-24-Aug due to vacation the week beforehand (JeffH concurred).  

JeffH noted that if we didn't do the issuance-of-special-docs-for-the-f2f thing,
then prepping for f2f gets a little easier for some. There was some concern
about folks issuing docs right before the f2f. But there's the "submission cut
off date" concept that can mitigate this. In any case, this is a separable
discussion to take to the list (it was mentioned at F2F #3 and is in the minutes
in the "editor's report" subsection). 



> Overall Issues and concerns
> ===========================
> 
> Item: How to prioritize issues resolution?

Hal: 

No issues have been closed since before the F2F #3. 

the consensus draft (core-10) SHOULD implicitly close a bunch of the below
issues. 

ACTION: Hal to comb thru core-10 post issuance and identify those issues that he
feels it addresses. 

> 
> Current issues list is -04:
> http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-issues-04.doc
> 
> Open issues (plus any waiting to be added by Hal; how current is this list?):
> 
> UC-1-05: FirstContact (p. 13)
> UC-2-05: EMarketplace (p. 29)
> UC-7-01: Enveloping (p. 56)
> UC-7-02: Enveloped (p. 56)
> UC-8-02: IntermediaryAdd (p. 58)
> UC-8-03: IntermediaryDelete (p. 61)
> UC-8-04: IntermediaryEdit (p. 63)
> UC-8-05: AtomicAssertion (p. 65)
> UC-9-01: RuntimePrivacy (p. 67)
> UC-9-02: PrivacyStatement (p. 67)
> UC-13-07: Hailstorm Interoperability (p. 85)
> DS-1-01: Referring to Subject (p. 86) BobB?
> DS-1-01: Anonymity Technique (p. 86) Marlena
> DS-3-01: DoNotCache (p. 88) Hal
> DS-3-02: ClockSkew (p. 88) Hal
> DS-3-03: ValidityDependsUpon (p. 88) Prateek
> DS-4-01: Top or Bottom Typing (p. 89) Dave
> DS-4-02: XML Terminology (p. 89) Jeff
> DS-4-03: Assertion Request Template (p. 89) (Tim/Dave initially)
> DS-4-04: URIs for Assertion IDs (p. 89) (Jeff initially)
> 
> [others to add?]
> 
> ---
> end
> 