security-services message


Subject: Re: [security-services] Minutes for Telecon, Tuesday 4 February 2002


Hi folks-- Sorry I've been unable to join the last couple of calls. 
Some updates, comments, and questions; sorry for quoting the whole set 
of minutes, but context seems like a good thing here:

Steve Anderson wrote:
> Minutes for SSTC Telecon, Tuesday 4 February 2002
> Dial in info: +1 334 262 0740 #856956
> Minutes taken by Steve Anderson
> 
> ======================================================================
>                               Summary
> ======================================================================
> 
>   Votes:
>   
>     - Minutes from 21 January 2003 call accepted
>   
>   Previous Action Items Still Open:
>   
>     - AI-6.  Jeff to determine if conformance language around the
>       notions of profiles vs. extensions is really an issue
>     - AI-15. Editor (Eve) to update documents with Eve's fragment ID
>       recommendations
>     - AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
>       issues
>     - AI-20. Eve to update specs to 1.0
>     - AI-28. RobP to have RSAS convey a new "statement of licensing 
>       intent" to the SSTC that documents the additional two
>       claimed applicable patents in addition to the prior two.
>     - AI-31. Jeff to send email to list on his interpretation of IPR
>       issues surrounding using Liberty material
>     - AI-32. Rob will draft a usecase for an Attribute Authority, to
>       be examined by the TC for profiling
>     - AI-33. Eve to update the charter based on discussion
>     - AI-35. Rob to propose changes to the current spec regarding 
>       versioning
>     - AI-36. Prateek to draft the 1.1 doc set list  
> 
>   New Action Items:
>   
>     - AI-37. Scott to email list with intent and proposal to modify
>       core around signature recommendations
>     - AI-38. Jahan, Scott & Prateek to draft changes to profiles for new
>       destination site first flows
>     - AI-39. Prateek to propose WSDL along with metadata
>     - AI-40. Jeff to find 2.0 work items list
> 
> ======================================================================
>                              Raw Notes
> ======================================================================
> 
> 
>>Agenda:
>>
>>1. Roll call
>>
> 
> 
> - Attendance attached to bottom of these minutes
> - Quorum achieved
> 
> 
>>2. Accept minutes from previous meeting, 21 Jan
>>   < http://lists.oasis-open.org/archives/security-services/
>>     200301/msg00013.html >
>>
> 
> - [VOTE] unanimous consent, accepted
> 
> 
>>3. Review (and approve?) V1.1 work items
>>
>>   < http://lists.oasis-open.org/archives/security-services/
>>     200208/msg00010.html >
>>
>>   Acceptance Criteria:
>>       - Bugs that are backwards-compatible (targeted to 1.1) 
>>       - Functionality that's backwards-compatible/orthogonal and
>>         high-priority 
>>       - The list as a whole can be completed in 3-6 months 
>>       - Any decision that needs to be made in the short term 
>>
>>   The below items are in no particular order [A.* numbering taken
>>   from original list]:
>>
>>       [A.1] Metadata for formalizing operational agreements
>>             between sites.
>>             1. See AI-27 below.
>>             01 draft and response to reviewers comments published in
>>             < http://lists.oasis-open.org/archives/security-services/
>>               200301/msg00020.html >
>>             < http://lists.oasis-open.org/archives/security-services/
>>               200301/msg00021.html >
>>             < http://lists.oasis-open.org/archives/security-services/
>>               200302/msg00002.html >
> 
> 
> - Action for Prateek
> - several detailed contents received
> - last evening, published version 01, along with schema
> - still making progress
> 
> 
>>       [A.2] WS-Security profile ([3], possibly to go to WSS TC)
>>             1. Closed.
>>       [A-3] Figure out versioning of modularly published profile
>>             and binding specs
>>             1. See AI-19, which was previously closed.
> 
> 
> - Rob will make proposal
> 
> 
>>       [A-4] Sharpen conformance language around the notions of
>>             profiles vs. extensions
>>             1. See AI-6 below
> 
> 
> - Action for Jeff
> - Jeff still working on it
> 
> 
>>       [A-5] Express that an assertion should not be cached
>>             1. Hal Lockhart's proposal:
>>                < http://lists.oasis-open.org/archives/
>>                  security-services/200211/msg00011.html >
> 
> 
> - proposal has been made
> 
> 
>>       [A-6] Fix fragment identifier gaffe [4]
>>             1. Approved proposal on this.
>>             2. Needs to be incorp'd in specs. 
>>             3. See AI-15.
> 
> 
> - has been closed for a while
> - text has been proposed

This is correct.

>>       [A-7] Standardize issuer name formats
>>             1. See AI-25 below.
>>             2. Original request came from XACML: 
>>                < http://lists.oasis-open.org/archives/
>>                  security-services/200211/msg00012.html >
> 
> 
> - Action for Eve
> - Hal: Eve did comment on it
>     - intention was to defer it to 2.0, because changes would not be 
>       backward-compatible
>     - XACML group discussed it, and they are content to wait for SAML 2.0

(This is regarding AI-25 also.) Does this mean that the group has agreed 
in principle to the element-based solution (the backwards-incompatible 
one)?  This would be enough for me or someone else to go off and sketch 
the exact schema and text changes needed.  I hesitate to take such an AI 
right now, since I can't scrape together a lot of time (obviously :-), 
but maybe Scott Cantor or others are interested in taking a crack at it.

My analysis was here:

http://lists.oasis-open.org/archives/security-services/200301/msg00002.html

(I realize that a 2.0 item doesn't have to be settled right now, but it 
would be nice to have a concrete proposal waiting for us.)

>>       [A-8] Fix xmldsig issues
>>             1. For 1.1, Scott's dsig doc to become a non-normative
>>                component of the spec set.
>>                < http://lists.oasis-open.org/archives/
>>                  security-services/200212/msg00007.html >
>>             2. Also see AI-18.
>>
> 
> 
> - Scott: is there any plan to change the language in the core doc to make
>   it backward-compatible?
>     - most of his changes were to binding doc
>     - Jeff: thought we were going to do this
>     - Scott: didn't pose any text for core doc, and there was a 
>       suggestion to change core doc to recommend exclusive c14n, rather
>       than inclusive
>     - Jeff: thinks tightening up language in core doc is appropriate
>     - Jeff: signature document recommends to do it different than the
>       binding docs now recommend
>     - Prateek: of the three concrete manifestations of SAML (2 profiles,
>       1 binding), only the POST profile requires use of signatures, and
>       the problem has been addressed in that doc
>     - (discussion on appropriateness of modifying core in this area)
>     - [ACTION] Scott to email list with intent and proposal to modify
>       core around signature recommendations
>     
> 
>>       Additional Proposed V1.1 Work Items:
>>
>>       [A-9] Fix items from the Errata List (see AI-29)
>>
>>             Jahan has published new version capturing errors to date
>>             < http://lists.oasis-open.org/archives/security-services/
>>               200302/msg00000.html> 
> 
> 
> - Jahan: emailed list yesterday
> - proposes knocking out at least 'easy' ones on next call
> - proposes an agenda item for this for next call
> 
> 
>>       Additional web browser flows as suggested by interop and Shib 
>>       experiences
>>
>>             Scott has published use-cases describing the proposed new
>>             flows extending the SAML 1.0 web browser profiles
>>
>>             < http://lists.oasis-open.org/archives/security-services/
>>               200302/msg00003.html>
> 
> 
> - Scott published last night
> - (discussion of doc)
> - Prateek: next step is for group to digest these flows
> - Scott: then it's a question of scoping
> - Prateek: goal is to conclude this discussion by next call
> - Hal: what is intended outcome? modifications to profiles for 1.1?
>     - Scott: thinks so
>     - Hal: you can accelerate process by proposing changes to profiles
>       for this purpose
>     - Jeff: we've had a canonical list of 1.1 items, and we need to be
>       clear about adding something to this list
>     - have to consider impacts to timeline
>     - previous discussion was to deliver 1.1 at end of Q1 / beginning Q2
>       of this year
>     - Scott: then I would probably vote to defer
>     - Hal: since 2.0 probably will be another 6 months away, the question
>       is how urgent the desire is for this
>     - Scott: could go ahead
>     - Prateek: based on interop demo, where this flow had to be invented,
>       thinks there is value in this, even for 1.1
>     - Jahan: agrees
> - [ACTION] Jahan, Scott & Prateek to draft changes to profiles for new
>   destination site first flows
>     
> 
>>       Review SAML error model; message from Carlisle
>>
>>             < http://lists.oasis-open.org/archives/security-services/
>>               200302/msg00001.html >
> 
> 
> - Prateek: thinks there was fairly extensive discussion in 1.0
> - Scott: discussion at top level subsumed any possible discussion at
>   lower level
> - Carlisle: when was that?
> - Scott: it was fairly late
> - Seems that the questions in this email could be dealt with in substatus
> - Jeff: looking through archives, and discussion was Q1-Q2 2002
> - Prateek: seems that discussion did encompass how to indicate this sort
>   of information
> - Scott: interop issue is what is being raised
> - you find it difficult to react appropriately to the different kinds of
>   errors
> - Carlisle: that is exactly it
> - Hal: believes there was one issue in the issues list
> - Carlisle: is there any interest in addressing this more carefully in
>   1.1 / 2.0?
> - Rob: thinks this needs careful consideration, so as not to give away
>   too much info in an error condition, and weaken the security aspects
> - Hal: thinks we should spend time between now & next call considering
>   whether this is needed in 1.1 or 2.0
> - Jeff: would be helpful to hear from implementors
> - Scott: need to be careful not to get into errors above the SAML layer
> - however, the new flows discussed above may involve carrying status 
>   info in a SAML message
> - Carlisle: was not involved in interop demo last year, but anyone who
>   was please send thoughts on this
> - Hal: echoes Rob's concern, pointing to previous SSL hack involving
>   different responses in different situations
> - Jeff: instinct is that proper consideration requires deferring to 2.0
> - doesn't mean we should shoot down any discussion
> - Prateek: will leave as consideration for 1.1, and will get final vote
>   for inclusion later
>     
> 
>>       Prateek to draft the 1.1 doc set list (related to AI-36)
>>
> 
> 
> - Scott: would like to make small addition to this list, for WSDL
>   extension to metadata
> - [ACTION] Prateek to propose WSDL along with metadata
> - Hal: if anyone has a WSDL expert in their organization, have them
>   review this
> - this is why we didn't make this normative in 1.0
> 
> 
>>       Are there additional work items? We plan to VOTE and CLOSE the 
>>       SAML v1.1 list on February 17, 2003.
> 
> 
> - 
> 
> 
>>4. Action Item review
>>
>>   AI-6. Jeff to determine if conformance language around the
>>         notions of profiles vs. extensions is really an issue
>>
> 
> 
> - still open
> 
> 
>>   AI-12. Prateek to draft analysis of use of XML Encryption in SAML
>>
> 
> 
> - no champion, deferred to SAML 2.0
> - Hal: thought we were always talking about this in the 2.0 timeframe
> 
> 
>>   AI-15. Editor (Eve) to update documents with Eve's fragment ID
>>          recommendations
>>
> 
> 
> - Prateek: is this not [A-6]?
> - Rob: thinks we just need Eve on call to close this
> - Jeff: thinks this is the step of incorporating the proposal into the
>   docs
> - still open

That's correct, it's still open.  I'm sorry about this.  On the last 
call that I took part in, Rob mentioned he could help with some 
editorial tasks, and I thought I sent him mail asking if he's interested 
in taking this on.  But I just heard today from Hal that Rob has had 
some email problems, and I can't find my copy anyway, so maybe it wasn't 
seen/sent.  So, Rob...are you interested? :-)

>>   AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
>>          issues
>>
> 
> 
> - still open
> 
> 
>>   AI-20. Eve to update specs to 1.0
>>
> 
> 
> - still open

Here's the status on this.  I asked, in the last call I took part in, if 
I should update the specs before vs. after the OASIS staff gets the 
unique numbering system for specs in place.  (It would be like the IETF 
RFC numbering.)  I was told to wait until they do that.  But that 
depends, somewhat, on my finishing the filenaming proposal that the TC 
chairs have been working on, and convincing Karl that it's baked enough 
for him to go ahead and do the assignments of all the numbers.

I've finished the filenaming proposal, finally, and just need to format 
it and send it out.  I will be able to do that in the next day.  But 
then Karl still needs to assign the numbers, and that's an external 
variable.

If you want me to update the specs prior to all that, let me know...

>>   AI-25. Eve to respond to Hal's IssuerName proposal with an
>>          attribute-based & an element-based solution
>>
> 
> 
> - deferred to 2.0

I completed this AI; see the mail archive link provided above.

>>   AI-26. Carlisle to update Mike Just's credentials collection
>>          proposal
>>
> 
> 
> - Carlisle is owner but deferred to SAML 2.0
> 
> 
>>   AI-27. Prateek to rev draft-sstc-meta-data-00 and add in schema. 
>>
> 
> 
> - done
> 
> 
>>   AI-28. RobP to have RSAS convey a new "statement of licensing 
>>          intent" to the SSTC that documents the additional two
>>          claimed applicable patents in addition to the prior two. 
>>
> 
> 
> - Rob: still waiting for legal
> - hopes to have done by next call
> - still open
> 
> 
>>   AI-30. Scott to produce use case document for destination site
>>          first flow using Web Browser Profiles (Target late 
>>          January)
>>
> 
> 
> - done
> 
> 
>>   AI-31. Jeff to send email to list on his interpretation of IPR
>>          issues surrounding using Liberty material
>>
> 
> 
> - still open
> 
> 
>>   AI-32. Rob will draft a usecase for an Attribute Authority, to
>>          be examined by the TC for profiling 
>>
> 
> 
> - still open
> 
> 
>>   AI-33. Eve to update the charter based on discussion 
>>
> 
> 
> - still open

Here's the status.  I was supposed to (a) make some editorial changes, 
and also (b) check with some Sun legal people and some LegalXML TC 
people about options for and meanings of various IPR formulations.  I 
wrote to the LegalXML people, but still need to check around with Sun 
lawyers and think about what I've been told.  I can make the editorial 
changes, prior to coming up with an IPR recommendation; I will do that 
(and hopefully both) by early next week.

>>   AI-35. Rob to propose changes to the current spec regarding 
>>          versioning
>>
> 
> 
> - still open
> 
> 
>>   AI-36. Prateek to draft the 1.1 doc set list  
>>
> 
> 
> - (discussed above, at end of list of 1.1 work items)
> - still open
> - Rob: is there a 2.0 list, to keep track of that as well?
> - Jeff: there is, re-sent it to list around Christmas
> - [ACTION] Jeff to find 2.0 work items list
> 
> 
>>5. Any other business
>>
> 
> 
> - none
> 
> 
>>6. Adjourn
>>
> 
> 
> - Adjourned
> 
> 
> ----------------------------------------------------------------------
> 
> Attendance of Voting Members:
> 
>   Allen Rogers Authentica
>   Irving Reid Baltimore
>   Hal Lockhart BEA
>   Ronald Jacobson Computer Associates
>   Carlisle Adams Entrust
>   Prateek Mishra Netegrity
>   Charles Knouse Oblix
>   Steve Anderson OpenNetwork
>   Rob Philpott RSA Security
>   Jahan Moreh Sigaba
>   Bhavna Bhatnagar Sun
>   Jeff Hodges Sun
>   Emily Xu Sun
>   Phillip Hallam-Baker Verisign
>   Scott Cantor (individual)
>   Simon Godik (individual)
>   Bob Morgan (individual)
> 
> 
> Attendance of Observers or Prospective Members:
> 
>   Robert Griffin Entrust
>   John Hughes Entegrity Solutions
>   
> 
> Membership Status Changes:
> 
>   Bill Haase Tivoli - granted voting status after call
> 
> --
> Steve
> 
> 
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
> 

That's all!

	Eve

-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Technologies and Standards               eve.maler @ sun.com


