OASIS Mailing List Archives

security-services message



Subject: [security-services] Minutes for Telecon, Tuesday 7 January 2003


Minutes for SSTC Telecon, Tuesday 7 January 2003
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

  Votes:
  
    - Minutes from 10 December 2002 call accepted
    - 5 Nov 2002 date will be used for the finalized SAML v1 specs
  
  Previous Action Items Still Open:
  
    - AI-6. Jeff to determine if conformance language around the
      notions of profiles vs. extensions is really an issue
    - AI-12. Prateek to draft analysis of use of XML Encryption in SAML
    - AI-15. Editor (Eve) to update documents with Eve's fragment ID
      recommendations
    - AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
      issues
    - AI-19. RobP will go back and look in issues list and see what he
      can come up with wrt item [A.3] in the SAML v1.1 to-do
      list.
    - AI-20. Eve to update specs to 1.0
    - AI-25. Eve to respond to Hal's IssuerName proposal with an
      attribute-based & an element-based solution
    - AI-26. Carlisle to update Mike Just's credentials collection
      proposal
    - AI-27. Prateek to rev draft-sstc-meta-data-00 and add in schema.
    - AI-28. RobP to have RSAS convey a new "statement of licensing 
      intent" to the SSTC that documents the additional two
      claimed applicable patents in addition to the prior two.
    - AI-29. Jahan to start and own Errata list for current specs
    - AI-30. Scott to produce use case document for destination site
      first flow using Web Browser Profiles (Target late January)
    - AI-31. Jeff to send email to list on his interpretation of IPR
      issues surrounding using Liberty material

  New Action Items:
  
    - Rob will draft a usecase for an Attribute Authority, to be
      examined by the TC for profiling
    - Eve to update the charter based on discussion
    - Rob will pull single list of v1.1 To Do items

======================================================================
                             Raw Notes
======================================================================

> 
> Agenda:
> 
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

> 
> 2. Accept minutes from previous meeting, 10 Dec
>    < http://lists.oasis-open.org/archives/security-services/
>      200212/msg00016.html >
>

- [VOTE] unanimous consent, accepted

>
> 3. Rob - brief update on OASIS migration to Kavi system
>

- OASIS is moving to new TC management system, named Kavi
- will be done over next 60-90 days
- system to help TCs run things, e.g. voting, members-only pages,
  content management
- training will be done in the next couple months
- believe it will require people to re-enroll
- targeted for March

>
> 4. Rob - Do we want to build profiles describing generalized use
>    of an Attribute Authority? Authz Decision Authority?
>

- Rob has had a request from a customer for profile for Attribute
  Authority
- Is anyone else interested in such generalized profiles
- Simon: needs more explanation
- Rob: customers have asked "what things must we ask for to use an
  attribute authority?"
- RLBob: sounds interesting
    - Shib is actively using attribute authorities
    - not sure how general we can be
    - would be happy to make Shib work available for generalization
- Rob: will be talking to customer again soon, and will send document
  from that conversation around
- Hal: agrees with concern over possibility of generalization
    - believes people will use attribute authorities in very different
      ways
    - thinks a list of questions might be useful, rather than a 
      profile
- Rob: might begin with a usecase
- Hal: agrees
- [ACTION] Rob will draft a usecase for an Attribute Authority, to 
  be examined by the TC for profiling

> 
> 5. Agenda Items Carried over from previous conference call
>
>    AI-6. Jeff to determine if conformance language around the
>          notions of profiles vs. extensions is really an issue
>

- still pending

>
>    AI-12. Prateek to draft analysis of use of XML Encryption in SAML
>

- still pending

>
>    AI-15. Editor (Eve) to update documents with Eve's fragment ID
>           recommendations
>
>           [Pending: related to AI-21; Eve: had not intended to do
>           any more than the fragment id change, not sure if other
>           approved changes were missed; hopes to have this done by
>           first Jan meeting]
>

- Eve: seems like a low priority, and she wanted to get some other 
  items addressed first
- still pending

>
>    AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
>           issues
>

- still pending

>
>    AI-19. RobP will go back and look in issues list and see what he
>           can come up with wrt item [A.3] in the SAML v1.1 to-do
>           list.
>
>           [Pending: Rob: thought the question was just around SAML
>           versioning, but there may be more to this - will resolve
>           scope of this AI with Prateek - remains pending until
>           Prateek's return]
>

- still pending

>
>    AI-20. Eve to update specs to 1.0
>

- Eve: question: should she update them before OASIS comes to 
  agreement on naming standard?
    - the discussion on the OASIS chairs list is a low priority
- Jeff: thinks we can wait
- need to get the chairs discussion to conclude
- Jeff: we mainly need a number assigned (like IETF)
- Eve: will try to make progress before next call
- still pending

>
>    AI-25. Eve to respond to Hal's IssuerName proposal with an
>           attribute-based & an element-based solution
>

- Eve: posted a response today
  < http://lists.oasis-open.org/archives/security-services/
    200301/msg00002.html >
- Hal: would rather push this off to 2.0, in order to take the less-
  kludgey solution
- discussion of recent posting will ensue on list
- still pending

>
>    AI-26. Carlisle to update Mike Just's credentials collection
>           proposal
>

- Carlisle: new WS-Trust seems to do just what the credentials
  collector was expected to do
- so we could re-focus on profiling that
- Jeff: WS-Trust is a private spec
- Carlisle: it is publicly available, and presumably they'll be
  submitted to OASIS
- Carlisle: didn't we follow the same path with WS-Security?
- Rob: can speak to, as a listed author on that spec
- Rob: it is the full intent to submit these to a standards body
  "in the near term"
- Carlisle: so maybe we don't do anything immediately, but start
  examining their spec
- Rob: you can do this informally, but not as an official activity of
  the TC
- Jeff: yes, we can begin some groundwork
- Hal: challenging this, recalling that we did lots of work on WS-Sec
  6 months before it came to OASIS
- Jeff: we started work on a SOAP profile before WS-Security was even
  known about, then did some convergence work when it was known
- Eve: it may not have been wrong, but it may have been dangerous, in
  areas such as IPR
- Carlisle: good point
- Rob: seems reasonable to discuss it on the list
- Eve: a reasonable place to submit WS-Trust would be this TC
- Rob: another rev of this spec is very possible
- Carlisle: encourages anyone interested in the credential collector
  topic to read WS-Trust and participate in discussion on list
- still pending

> 
>    AI-27. Prateek to rev draft-sstc-meta-data-00 and add in schema. 
>

- still pending

>
>    AI-28. RobP to have RSAS convey a new "statement of licensing 
>           intent" to the SSTC that documents the additional two
>           claimed applicable patents in addition to the prior two. 
>
>           [Pending - could not get to it prior to the holidays;
>           will complete by 21-Jan meeting]
>

- still pending

>
>    AI-29. Jahan to start and own Errata list for current specs
>
>           [In Progress - Draft was started using info from the
>           following e-mails:
>           < http://lists.oasis-open.org/archives/security-services/
>             200212/msg00000.html >
>           < http://lists.oasis-open.org/archives/security-services/
>             200212/msg00002.html >
>           < http://lists.oasis-open.org/archives/security-services/
>             200212/msg00003.html >]
>

- Rob: encourages people to send any additional errata to Jahan
- still pending

>    AI-30. Scott to produce use case document for destination site
>           first flow using Web Browser Profiles (Target late 
>           January)
>
>           < http://lists.oasis-open.org/archives/security-services/
>             200212/msg00001.html >
>

- still pending

>
>    AI-31. Rob to talk with Joe Pato regarding OASIS process of
>           using Liberty material
>

- still pending
- [see Any Other Business for more discussion]

>
> 6. Additional agenda discussion items from mailing list
>
>    A. "datestamp for finalized SAML v1 specs"
>       < http://lists.oasis-open.org/archives/security-services/
>         200212/msg00017.html >
>

- Jeff: move that we use the 5 November 2002 date for the finalized
  SAML v1 specs
- [VOTE] unanimous consent, approved
- Jeff: this helps people to unambiguously reference our documents

> 
> 7. Additional agenda items
>

- Charter updates Eve sent out 14 Nov
  < http://lists.oasis-open.org/archives/security-services/
    200211/msg00022.html >
    - Rob: is it reasonable to vote on the charter today?
    - Eve: we should walk through it
        - Hal: we should either skip the dates or use very general
          timeframes for the deliverables
        - Eve: having some dates acts as a forcing function
        - agreeing on terms like "Summer 2003" and "End of 2003"
        - Rob: suggests referencing the TC homepage for the F2F 
          schedule
        - Eve: seems odd to mention something as dynamic as membership
          in the charter
        - there are no OASIS requirements on a TC charter
        - Hal: generally against duplicating information
        - Eve: proposes removing the membership and chairmanship
          sections
            - agreed
        - Policies and Procedures section
            - 2 does not require approval
            - 3 & 4 are not required by OASIS, but should be discussed
              and approved
                - Hal: technically, the RSA contributions are under
                  "mutually RF", which isn't "RF"
                - Hal: can't guard against someone claiming IPR later
                - Eve: wording requires TC to operate in good faith
            - Eve: does this section represent the sentiment of the 
              TC?
                - Hal: yes, just concerned with wording of 4
                - Carlisle: "in no event" and "under no circumstances"
                  wording is extremely strong. Can we not imagine any
                  exception cases?
                    - Eve: good point, and WS-Trust may turn out to be
                      such a case
                    - Rob: so we can soften the language
                    - Eve: softening it may render the statements
                      unuseful
                    - Hal: it would put responsibility on submitter to
                      justify an exception
            - Hal: suggests that we move the Policies and Procedures
              material out into a separate document, referenced by
              the charter
                - agreed 
        - [ACTION] Eve to update the charter based on discussion
- Simon: Kerberos was discussed some time ago. Was there any work 
  done? Is it on the list to work on?
    - Jeff: it is on the 2.0 list
    - Jeff: Hal sent a rather detailed analysis to the list quite a
      while ago

> 
> 8. Schedule timelines for 1.1 and 2.0?
>

- Jeff: we've already settled on what is to be done in 1.1
- refer to minutes from 26 Nov call for the v1.1 To Do List
- [ACTION] Rob will pull single list of v1.1 To Do items
- Rob: target for producing v1.1 will be early summer?
    - Eve: we'll need to plan for committee spec and public review, so
      we can schedule all that in
    - maybe we can shoot for end of May
    - Jeff: we'll need a committee last call before going to public
      review, so question is when do we think we can do that?
    - Hal: doesn't remember the state of the various 1.1 items
    - Jeff: thinks most everything has concrete proposals
    - Hal: we should be able to get general agreement by end of 
      quarter
    - agreement, with optimism for mid to late February
    - Eve has most work editing spec
        - Rob: offers to assist
- Rob: how do we plan a date for v2.0?
    - At next meeting, we will identify champions for each item
    - Jeff: suggests setting end of March as cut-off for new issues
    - Jeff: existing list is categorized, but unprioritized
    - emerging target date for end of year

> 
> 9. Any other business
>

- Returning to AI-31
    - Jeff: has looked into this, and has formulated an opinion
    - if Liberty folks wanted to submit specs, OASIS IPR process would
      need to have signoff that Terms & Conditions in are agreed to by
      each author
    - [UPDATE] Jeff takes over this AI, and will send email to list
      on his interpretation

> 
> 10. Adjourn
>

- Adjourned


-----------------------------------------------------------------------

Attendance of Voting Members:

  Allen Rogers Authentica
  Ronald Jacobson Computer Associates
  Hal  Lockhart Entegrity
  Carlisle Adams Entrust
  Jason Rouault HP
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Don Flinn Quadrasis
  Rob Philpott RSA Security
  Jeff Hodges Sun
  Eve Maler Sun
  Scott Cantor (individual)
  Simon Godik (individual)
  Bob Morgan (individual)


Attendance of Observers or Prospective Members:

  (none)
  

Membership Status Changes:

  (none)
  
--
Steve


