Subject: [security-services] Minutes for Telecon, Tuesday 7 January 2003
Minutes for SSTC Telecon, Tuesday 7 January 2003
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

Votes:

 - Minutes from 10 December 2002 call accepted
 - 5 Nov 2002 date will be used for the finalized SAML v1 specs

Previous Action Items Still Open:

 - AI-6. Jeff to determine if conformance language around the notions of profiles vs. extensions is really an issue
 - AI-12. Prateek to draft analysis of use of XML Encryption in SAML
 - AI-15. Editor (Eve) to update documents with Eve's fragment ID recommendations
 - AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig issues
 - AI-19. RobP will go back and look in issues list and see what he can come up with wrt item [A.3] in the SAML v1.1 to-do list.
 - AI-20. Eve to update specs to 1.0
 - AI-25. Eve to respond to Hal's IssuerName proposal with an attribute-based & an element-based solution
 - AI-26. Carlisle to update Mike Just's credentials collection proposal
 - AI-27. Prateek to rev draft-sstc-meta-data-00 and add in schema.
 - AI-28. RobP to have RSAS convey a new "statement of licensing intent" to the SSTC that documents the additional two claimed applicable patents in addition to the prior two.
 - AI-29. Jahan to start and own Errata list for current specs
 - AI-30. Scott to produce use case document for destination site first flow using Web Browser Profiles (Target late January)
 - AI-31. Jeff to send email to list on his interpretation of IPR issues surrounding using Liberty material

New Action Items:

 - Rob will draft a usecase for an Attribute Authority, to be examined by the TC for profiling
 - Eve to update the charter based on discussion
 - Rob will pull single list of v1.1 To Do items

======================================================================
                             Raw Notes
======================================================================

> Agenda:
>
> 1. Roll call
>

 - Attendance attached to bottom of these minutes
 - Quorum achieved

> 2. Accept minutes from previous meeting, 10 Dec
>    <http://lists.oasis-open.org/archives/security-services/200212/msg00016.html>
>

 - [VOTE] unanimous consent, accepted

> 3. Rob - brief update on OASIS migration to Kavi system
>

 - OASIS is moving to new TC management system, named Kavi
 - will be done over next 60-90 days
 - system to help TCs run things, e.g. voting, members-only pages, content management
 - training will be done in the next couple months
 - believe it will require people to re-enroll
 - targeted for March

> 4. Rob - Do we want to build profiles describing generalized use
>    of an Attribute Authority? Authz Decision Authority?
>

 - Rob has had a request from a customer for profile for Attribute Authority
 - Is anyone else interested in such generalized profiles
 - Simon: needs more explanation
 - Rob: customers have asked "what things must we ask for to use an attribute authority?"
 - RLBob: sounds interesting
 - Shib is actively using attribute authorities
 - not sure how general we can be
 - would be happy to make Shib work available for generalization
 - Rob: will be talking to customer again soon, and will send document from that conversation around
 - Hal: agrees with concern over possibility of generalization
 - believes people will use attribute authorities in very different ways
 - thinks a list of questions might be useful, rather than a profile
 - Rob: might begin with a usecase
 - Hal: agrees
 - [ACTION] Rob will draft a usecase for an Attribute Authority, to be examined by the TC for profiling

> 5. Agenda Items Carried over from previous conference call
>
>    AI-6. Jeff to determine if conformance language around the
>          notions of profiles vs. extensions is really an issue
>

 - still pending

>    AI-12. Prateek to draft analysis of use of XML Encryption in SAML
>

 - still pending

>    AI-15. Editor (Eve) to update documents with Eve's fragment ID
>           recommendations
>
>           [Pending: related to AI-21; Eve: had not intended to do
>           any more than the fragment id change, not sure if other
>           approved changes were missed; hopes to have this done by
>           first Jan meeting]
>

 - Eve: seems like a low priority, and she wanted to get some other items addressed first
 - still pending

>    AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
>           issues
>

 - still pending

>    AI-19. RobP will go back and look in issues list and see what he
>           can come up with wrt item [A.3] in the SAML v1.1 to-do
>           list.
>
>           [Pending: Rob: thought the question was just around SAML
>           versioning, but there may be more to this - will resolve
>           scope of this AI with Prateek - remains pending until
>           Prateek's return]
>

 - still pending

>    AI-20. Eve to update specs to 1.0
>

 - Eve: question: should she update them before OASIS comes to agreement on naming standard?
 - the discussion on the OASIS chairs list is a low priority
 - Jeff: thinks we can wait
 - need to get the chairs discussion to conclude
 - Jeff: we mainly need a number assigned (like IETF)
 - Eve: will try to make progress before next call
 - still pending

>    AI-25. Eve to respond to Hal's IssuerName proposal with an
>           attribute-based & an element-based solution
>

 - Eve: posted a response today
   <http://lists.oasis-open.org/archives/security-services/200301/msg00002.html>
 - Hal: would rather push this off to 2.0, in order to take the less-kludgey solution
 - discussion of recent posting will ensue on list
 - still pending

>    AI-26. Carlisle to update Mike Just's credentials collection
>           proposal
>

 - Carlisle: new WS-Trust seems to do just what the credentials collector was expected to do
 - so we could re-focus on profiling that
 - Jeff: WS-Trust is a private spec
 - Carlisle: it is publicly available, and presumably they'll be submitted to OASIS
 - Carlisle: didn't we follow the same path with WS-Security?
 - Rob: can speak to, as a listed author on that spec
 - Rob: it is the full intent to submit these to a standards body "in the near term"
 - Carlisle: so maybe we don't do anything immediately, but start examining their spec
 - Rob: you can do this informally, but not as an official activity of the TC
 - Jeff: yes, we can begin some groundwork
 - Hal: challenging this, recalling that we did lots of work on WS-Sec 6 months before it came to OASIS
 - Jeff: we started work on a SOAP profile before WS-Security was even known about, then did some convergence work when it was known
 - Eve: it may not have been wrong, but it may have been dangerous, in areas such as IPR
 - Carlisle: good point
 - Rob: seems reasonable to discuss it on the list
 - Eve: a reasonable place to submit WS-Trust would be this TC
 - Rob: another rev of this spec is very possible
 - Carlisle: encourages anyone interested in the credential collector topic to read WS-Trust and participate in discussion on list
 - still pending

>    AI-27. Prateek to rev draft-sstc-meta-data-00 and add in schema.
>

 - still pending

>    AI-28. RobP to have RSAS convey a new "statement of licensing
>           intent" to the SSTC that documents the additional two
>           claimed applicable patents in addition to the prior two.
>
>           [Pending - could not get to it prior to the holidays;
>           will complete by 21-Jan meeting]
>

 - still pending

>    AI-29. Jahan to start and own Errata list for current specs
>
>           [In Progress - Draft was started using info from the
>           following e-mails:
>           <http://lists.oasis-open.org/archives/security-services/200212/msg00000.html>
>           <http://lists.oasis-open.org/archives/security-services/200212/msg00002.html>
>           <http://lists.oasis-open.org/archives/security-services/200212/msg00003.html>]
>

 - Rob: encourages people to send any additional errata to Jahan
 - still pending

>    AI-30. Scott to produce use case document for destination site
>           first flow using Web Browser Profiles (Target late
>           January)
>
>           <http://lists.oasis-open.org/archives/security-services/200212/msg00001.html>
>

 - still pending

>    AI-31. Rob to talk with Joe Pato regarding OASIS process of
>           using Liberty material
>

 - still pending
 - [see Any Other Business for more discussion]

> 6. Additional agenda discussion items from mailing list
>
>    A. "datestamp for finalized SAML v1 specs"
>       <http://lists.oasis-open.org/archives/security-services/200212/msg00017.html>
>

 - Jeff: move that we use the 5 November 2002 date for the finalized SAML v1 specs
 - [VOTE] unanimous consent, approved
 - Jeff: this helps people to unambiguously reference our documents

> 7. Additional agenda items
>

 - Charter updates Eve sent out 14 Nov
   <http://lists.oasis-open.org/archives/security-services/200211/msg00022.html>
 - Rob: is it reasonable to vote on the charter today?
 - Eve: we should walk through it
 - Hal: we should either skip the dates or use very general timeframes for the deliverables
 - Eve: having some dates acts as a forcing function
 - agreeing on terms like "Summer 2003" and "End of 2003"
 - Rob: suggests referencing the TC homepage for the F2F schedule
 - Eve: seems odd to mention something as dynamic as membership in the charter
 - there are no OASIS requirements on a TC charter
 - Hal: generally against duplicating information
 - Eve: proposes removing the membership and chairmanship sections
 - agreed
 - Policies and Procedures section
 - 2 does not require approval
 - 3 & 4 are not required by OASIS, but should be discussed and approved
 - Hal: technically, the RSA contributions are under "mutually RF", which isn't "RF"
 - Hal: can't guard against someone claiming IPR later
 - Eve: wording requires TC to operate in good faith
 - Eve: does this section represent the sentiment of the TC?
 - Hal: yes, just concerned with wording of 4
 - Carlisle: "in no event" and "under no circumstances" wording is extremely strong. Can we not imagine any exception cases?
 - Eve: good point, and WS-Trust may turn out to be such a case
 - Rob: so we can soften the language
 - Eve: softening it may render the statements unuseful
 - Hal: it would put responsibility on submitter to justify an exception
 - Hal: suggests that we move the Policies and Procedures material out into a separate document, referenced by the charter
 - agreed
 - [ACTION] Eve to update the charter based on discussion
 - Simon: Kerberos was discussed some time ago. Was there any work done? Is it on the list to work on?
 - Jeff: it is on the 2.0 list
 - Jeff: Hal sent a rather detailed analysis to the list quite a while ago

> 8. Schedule timelines for 1.1 and 2.0?
>

 - Jeff: we've already settled on what is to be done in 1.1
 - refer to minutes from 26 Nov call for the v1.1 To Do List
 - [ACTION] Rob will pull single list of v1.1 To Do items
 - Rob: target for producing v1.1 will be early summer?
 - Eve: we'll need to plan for committee spec and public review, so we can schedule all that in
 - maybe we can shoot for end of May
 - Jeff: we'll need a committee last call before going to public review, so question is when do we think we can do that?
 - Hal: doesn't remember the state of the various 1.1 items
 - Jeff: thinks most everything has concrete proposals
 - Hal: we should be able to get general agreement by end of quarter
 - agreement, with optimism for mid to late February
 - Eve has most work editing spec
 - Rob: offers to assist
 - Rob: how do we plan a date for v2.0?
 - At next meeting, we will identify champions for each item
 - Jeff: suggests setting end of March as cut-off for new issues
 - Jeff: existing list is categorized, but unprioritized
 - emerging target date for end of year

> 9. Any other business
>

 - Returning to AI-31
 - Jeff: has looked into this, and has formulated an opinion
 - if Liberty folks wanted to submit specs, OASIS IPR process would need to have signoff that Terms & Conditions in are agreed to by each author
 - [UPDATE] Jeff takes over this AI, and will send email to list on his interpretation

> 10. Adjourn
>

 - Adjourned

-----------------------------------------------------------------------

Attendance of Voting Members:

  Allen Rogers       Authentica
  Ronald Jacobson    Computer Associates
  Hal Lockhart       Entegrity
  Carlisle Adams     Entrust
  Jason Rouault      HP
  Charles Knouse     Oblix
  Steve Anderson     OpenNetwork
  Don Flinn          Quadrasis
  Rob Philpott       RSA Security
  Jeff Hodges        Sun
  Eve Maler          Sun
  Scott Cantor       (individual)
  Simon Godik        (individual)
  Bob Morgan         (individual)

Attendance of Observers or Prospective Members:

  (none)

Membership Status Changes:

  (none)

--
Steve