[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] Minutes for SSTC Telecon, Tuesday Dec 11
Minutes for SSTC Telecon, Tuesday Dec 11
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson
>
> 1 -- Roll Call
>
- Attendance attached to bottom of these minutes
- Quorum achieved.
>
> 2 -- Review of agenda
>
- Joe: Two items to add
- Dealing with the issues list
- Changes to docs from present action items list
>
> 3 -- Approve Minutes from last call: < http://lists.oasis-open.org/
> archives/security-services/200111/msg00064.html >
>
- [APPROVED]
>
> 4 -- Confirm Last-Call process < http://lists.oasis-open.org/
> archives/security-services/200112/msg00009.html > as amended by
> Eve: I think sec-conform and glossary must be part of the
> deliverables.
>
- BobG: discussion of conformance issues
- Joe: seeking consensus on motion
- Jeff: quote of Eve should reference just "conform" rather than
"sec-conform"
- [APPROVED]
- Jeff: clarified that sec considerations and conformance and
glossary are effectively added to core and bindings as deliverables
>
> 5 -- Confirm Editor Availability: All editors and the issue list
> editor will have to confirm their high availability in December
> and January to make this work.
>
- Eve: superceded by events, as Eve has herself stepped in
- Many thanks to Eve for doing so
- Doc status
- Core: in good hands
- Bindings: in good hands
- Sec considerations: may be on different (longer) timeline
- Glossary: Marc now owns & will generate something this week.
Some holes, but in pretty good shape for now
- Conformance: There are 2 difference approaches proposed in this,
which require discussion today
- Domain Model: phantom doc, which Eve believes should be
integrated in Concepts section of core
- Hal: how about combining with glossary
- Eve: could work, some pros, some cons
- JeffH: would prefer it to go into core, predicting most
people will pick up core first
- Candidate date for last call announcement: Jan 8
- Candidate date for final vote: 2 weeks later, Jan 22
- Hal: is this intended to proceed as all 5 docs together, or will
the docs proceed independently?
- E.g., conformance approach hasn’t been seriously discussed yet
- Sec-considerations is still in first draft state as well
- Idea given consideration
- Eve uncomfortable proceeding without all 5 docs synchronized
- Chris: notes that changes to something like sec-considerations
may produce changes to other docs like core
- We should shift our attention to conformance and sec-
considerations to bring them up to speed, so they can all be
presented in last call announcement
- So, guarantees pushing out last call to February
- Will this affect publicized March date?
- no
- Will there be 3 implementations by March?
- We want a more defined criteria than what OASIS requires
- Would we need a sixth F2F?
- Would be a good interop opportunity
- For each organization that can state implementation or plan for
implementation of standard, please email committee chairs this week
- Prefer to keep this off of main list for now
- Please state degree of completeness in email
- Also indicate comfort level with making your implementation
claims/plans public
- Summary: we’ve identified that sec-considerations & conformance docs
are on critical path for last call process
- Eve: realistic to shoot for 9 Jan release of fresh drafts of all 5
docs, plus FAQ
- Joe: makes 8 Jan Conf Call very important
>
> 6 -- Review status of milestones
>
>
> [M1 - Prateek] - publish bindings-07 during week of Dec 3.
>
> Status: Document available 6-Dec < http://lists.oasis-open.org/
> archives/security-services/200112/msg00028.html >
> Comments due 12-Dec.
>
- Doc available. Comments coming in.
>
> [M2 - Tim, Simon, Irving] - detailed reviews: Tim - section 4.1;
> Simon - section 3.1; Irving - section 4.2
>
> Status: Comments due 12-Dec.
>
> Simon: http://lists.oasis-open.org/archives/security-services/
> 200112/msg00038.html
>
- Tim has published some comments today
- Irving at IETF today, but will try to get deliverables in tomorrow
>
> [M3 - Prateek] - publish bindings-08 during week of Dec 17.
>
- Prateek: still believes it is doable, with some small possible
slippage
- Joe: any feeling among the group that there will be any larger class
of issues that the ones that have been coming in?
- Not really
>
> 7 -- Review status of action items - and move to resolution
>
> [A3: Prateek] - Section 3.1.5, need to further define error cases
>
> Status: Still open pending issuance of bindings-07, need to confirm
> core reflects changes
>
- Actually, it is a core issue, which is still open
- Changing ownership of this item to Phill
- Change wording to reflect that bindings did its task
>
> [A4: Prateek] - Section 4.1.1, create a diagram for this section
>
> Status: still open pending -07
>
- done
- [CLOSED]
>
> [A5: BobB] - Section 4.1.3 472-473, text to clarify construction of
> ID (w.r.t. uniqueness)
>
> Status: open
>
- Joe will contact BobB offline directly
>
> [A6: Prateek] - Line 565, capture the threat (leading to requiring a
> <saml:audience>, then decide to leave it, change it, or strike it
>
> Status: open pending -07
>
- Bindings-07 removed this material, and includes appropriate
justification
- [CLOSED]
>
> [A7: Simon] - text for "things you might do in step 6"
>
> Status: proposed text < http://lists.oasis-open.org/archives/
> security-services/200112/msg00040.html >
>
- no feedback to Simon’s proposed text
- not in bindings-07, so will go into --08
- no concerns on call with Simon’s proposal
- [CLOSED]
> [A9: Irving] - line 788-791, provide clarifying language for
> application level error handling. Tied to Scott's status code
> proposal
> < http://lists.oasis-open.org/archives/security-services/200111/
> msg00049.html >
>
> Status: open pending -07
>
- Prateek: believes this is distinct from the status codes issue, and
Irving has given clarifying text on this
- Scott: agrees
- [CLOSED]
>
> [A11: Irving] - line 824-829, Irving to research and propose language
> to weaken requirement on signing over entire message (body and
> headers). The proposal is to require signing over assertion headers
> and body only. Other components are to be signed by agreement between
> sender and receiver (out of scope for us).
>
> Status: < http://lists.oasis-open.org/archives/security-services/
> 200112/msg00020.html >
>
> pending -07
>
- Done
- [CLOSED]
>
> [A12: Irving] - line 847-848, change "subject" to "sender"
>
> Status: pending -07
>
- in -07
- [CLOSED]
>
> [A13: Prateek] - add text on threat model and security counter
> measures
>
> Status: pending -07
>
- in -07
- [CLOSED]
>
> [A15: Chris] - Write up advice on how to use current approach to
> generic slots for attributes
>
> Status: Thread beginning: < http://lists.oasis-open.org/
> archives/security-services/200112/msg00006.html >
>
- Chris: written up, but still not sure where to put this
- Prateek: this is issue for core
- Eve: could be appendix
- Chris: fine with that
- This could be integrated in the section on value and used as an
example, so long as its non-normative status is clear
- Joe: objects to using color coding to convey normative vs. non-
normative status, due to printing issues and color-blind readers
- Will leave open until Eve has chance to do another edit
>
> [A18: Phill] - completion of error code specification for core
>
> Status: still open
>
- Still open
>
> [A20: Prateek] - Need for additional ConfirmationMethod identifiers
> (Prateek and Phil)
>
> Bindings-06 uses two identifiers not found in core: HolderOfKey and
> SenderVouches. It is important to understand that no change in schema
> is being proposed, only new text and constants for Section 5 of core.
> Prateek to send Phil necessary text.
>
> Status - Still open
>
- Prateek published note this morning
- Still must be integrated by Phill
- Still open
>
> [A22: Irving] - core line 752, return code for completeness specifier:
>
> < http://lists.oasis-open.org/archives/security-services/
> 200111/msg00031.html >
>
> Status: still open
>
- Still pending Phill
- Code has been published
- Owner changes to Phill
- Semantic meaning is still unresolved
- Scott leans to less security-related interpretation,
which suggests option ‘b’ (in mail list reference above)
- Hal: sees it as a way for implementations to avoid doing some
work, when a set of attrs are requested, and not all are returned
- Hal will write up if necessary, but is there anyone who still
wants this?
- Doesn’t view it as essential, since requestor can still detect the
condition and react as necessary
- <<discussion>>
- Eve: proposes removing completeness specifier, adding a simple status
code "non-complete results due to reasons other than processing
failures" where partial result will be returned
- Should the causes for not returning all attrs be treated with
different codes?
- Hal: this completeness specifier was explicitly requested last
summer, so we should give fair notice before dropping it
- Eve will write up complete proposal and submit to list
- Scott will finish this for Eve if Eve doesn’t finish before leaving
for vacation
>
> [A24: Phill] - Bring together Tim's etc. text for the Authentication
> mechanism section.
>
> Status - [In progress] still open
>
- Eve: apologizes, but didn’t know about it, or it would have gone into
core-21
- JeffH: was this approved?
- Tim: doesn’t think it’s had discussion, and he thought getting it
into draft would cause discussion
- Joe: expected Phill to add to core as action item from F2F#5, so we
must have given tacit approval
- JeffH: in F2F#5, day #2 raw notes, found evidence that we decided to
add this to core
- Tim to send pointer to Eve, and Eve will add to core-22
- Open pending Eve’s edits
>
> [A25: Phill & Eve] - Eve's reorganization of preamble
>
> Status - still open - in Eve's control this week
>
- Done
- [Closed]
>
> [A26: Phill] - text on the <RespondWith> option voted for at F2F#5
>
> Status - still open
>
- still open, remains Phill’s
>
> 8 -- Dealing with the issues list
>
- Issues-06 is out of date
- Hal has been unofficially out for a while, but will now get back on
track, and be available through February
>
> 9 -- Changes to docs from present action items list
>
- Working itself out
>
> 10 -- Conformance
>
- Candidate approaches
- BobG: we’ve always planned for "levels" of conformance
- Conformance-07 defines these levels in terms of the domain model
entities
- Has found lots of overlap of assertions used by various domain model
entities
- Has also found that implementations don’t appear that they will
follow that model
- Looking at going back with an assertion-specific approach to
conformance levels, with producer/consumer qualifiers
- Reflected in a version of the doc, conformance-07a
- Proposes sending both docs out for discussion
- Eve had suggested a questionnaire for implementers to use to identify
conformance requirements, which BobG has taken a stab at
- Alternate proposal leaves possibility for implementations to claim
conformance, but not interoperate
- Hal: uncomfortable with claims to conformance still leaving real
possibility of no interop
- Eve: suggests attaching names to conformance levels to make vendor
claims more clear
- BobG: must accommodate different bindings
- Scott: already identified trust model to be out of scope, and some
app-specific implementation details, so interop challenges will
always exist
- Prateek: bindings and profiles feel like feature material, where core
feels like concrete, conformance-testable material
- [ACTION ITEM] BobG will send out both versions of the spec, along
with draft of questionnaire for discussion
- Hopes to include discussion of this in next week’s focus group call
>
> 11 -- Eve’s comments on Core-21
>
- Not enough time to cover
>
> 12 -- Additional Items
>
- Proposal to eliminate SingleAssertion and AbstractAssertion, and
rename MultipleAssertion to Assertion
- [ACCEPTED]
>
> 13 -- Adjourn
>
- Adjourned
-----------------------------------------------------------------------
Attendence of Voting Members:
Allen Rogers Authentica
Larry Hollowood Bank of America
Ken Yagen Crosslogix
Simon Godik Crosslogix
Hal Lockhart Entegrity
Carlisle Adams Entrust
Robert Griffin Entrust
Tim Moses Entrust
Don Flinn Hitachi
Joe Pato HP
Jason Rouault HP
Chris McLaren Netegrity
Marc Chanliau Netegrity
Prateek Mishra Netegrity
Jeff Hodges Oblix
Charles Knouse Oblix
Steve Anderson OpenNetwork
Jeff Bohren OpenNetwork
Darren Platt RSA
Jahan Moreh Sigaba
Eve Maler Sun
Emily Xu Sun
Bob Morgan UWashington
Attendance of Observers or Prospective Members:
Scott Cantor OSU
Membership Status Changes:
Gavenraj Sodhi BusinessLayers -- re-instated after leave of absence
Alex Berson Entrust -- granted voting status after 3 meetings during
prospective status
Maryann Hondo IBM -- lost voting status by missing 3 consecutive
meetings
Sridhar Muppidi Tivoli -- lost voting status by missing 3 consecutive
meetings
--
Steve Anderson
OpenNetwork Technologies
sanderson@opennetwork.com
727-561-9500 x241
begin:vcard n:Anderson;Steve tel;fax:727-561-0303 tel;work:727-561-9500 x241 x-mozilla-html:FALSE url:www.opennetwork.com org:OpenNetwork Technologies version:2.1 email;internet:sanderson@opennetwork.com title:Product Architect adr;quoted-printable:;;13577 Feather Sound Drive=0D=0ASuite 330;Clearwater;Florida;33762;USA x-mozilla-cpt:;-15216 fn:Steve Anderson end:vcard
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC