Subject: Minutes March 20 meeting
----------------------------------------
DRAFT MINUTES
OASIS WS-BRSP TC Meeting
20 March 2014, 11:00am to noon PDT
----------------------------------------

Scribe: Jacques Durand

0. Call to Order and roll call

Jacques Durand calls the meeting to order and welcomes everyone.

* Roll call:
Alessio Soldano
Ram Jeyaraman
Gershon Janssen
Doug Davis
Jacques Durand
Tom Rutt
Pim Van Der Eijk
Tom Link (observer)
Mike DeNicola (observer)

Excused: Micah Hainline

This meeting is quorate.

Agenda adopted:

1. Administrative: minutes Jan 16, Feb 27.
2. Outcome of comment disposition ballot.
3. Decision about Candidate BP12, BP20, RSP10 for submitting as CSD + PR.
4. BSP1.1:
- The case of SHA-1 issue in BSP11. How to proceed further with BSP11: authorizing use of other SHA versions besides SHA-1 (see previous email),
- Jim Ma feedback on possible bug in BSP11 test suite.

Minutes:

1. Administrative: minutes Jan 16, Feb 27.

Tom moves: approve Jan 16 + Feb 27 minutes. UNAN approved

2. Outcome of comment disposition ballot.

- Ballot passed, unanimously.
- Ram mentioned he intended to vote but got distracted last minute.
- Did we get back to comments author? Not needed.
- Jacques: Point out that this recommendation was removed, as part of comment disposition:
"When no such prior agreement exists and there is a need to advertise, the use of WS-Policy is RECOMMENDED over the use of the Conformance Claim Attachment Mechanisms."
No one has a problem with this in this meeting.
- Tom Rutt: the following packages include comment dispositions for BP12, BP20, RSP10:
https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/52539/bp12CSD02Package.zip
https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/52541/bp20CSD02Package.zip
https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/52542/rsp10CSD02Package.zip
- Pim: spotted minimal issue (also sent to list). In the uploaded ZIP set, the front page of BasicProfile-v2.0.docx says .BasicProfile-v2.0.doc (Authoritative) but is a docx.

3. Decision about Candidate BP12, BP20, RSP10 for submitting as CSD + PR.

- We confirm and verify that no conformance-bearing normative statement has been altered in its meaning. Only clarified.

- MOTION (1): The TC approves Basic Profile Version 1.2, dated 17 March 2014 wd06 and all associated artifacts packaged together in:
https://www.oasis-open.org/committees/download.php/52539/bp12CSD02Package.zip
as Committee Specification Draft 02 and designate the PDF version of the specification as authoritative, and for a Public Review of 15 days.
- Tom R. moves so. Alessio 2nd. No objection. UNAN approved.

- MOTION (2): The TC approves Basic Profile Version 2.0, wd06, dated 17 March 2014 and all associated artifacts packaged together in:
https://www.oasis-open.org/committees/download.php/52541/bp20CSD02Package.zip
as Committee Specification Draft 02 and designate the PDF version of the specification as authoritative, and for a Public Review of 15 days.
- Tom moves, Ram 2nd. No objection. UNAN approved.

- MOTION (3): The TC approves Reliable Secure Profile Version 1.0, wd06, dated 17 March 2014 and all associated artifacts packaged together in:
https://www.oasis-open.org/committees/download.php/52542/rsp10CSD02Package.zip
as Committee Specification Draft 02 and designate the PDF version of the specification as authoritative, and for a Public Review of 15 days.
- Tom moves so, Alessio 2nd. No objection. UNAN approved.

4. BSP1.1:

- The case of SHA-1 issue in BSP11. How to proceed further with BSP11: authorizing use of other SHA versions besides SHA-1 (see previous email),

- Pim: presents the issue and its context. Users really need SHA-256. Pim proposes two options, one we already proposed on mail list.
- Tom: The TC should use the new WD06 as the basis for the SHA issue resolution. Once resolved we can prepare WD07 and then go for CSD02.
- Jacques: Fix #1: make SHA-n a new extensibility point, and remove any mention of SHA-1 preferred.
("Any DIGEST_METHOD Algorithm attribute SHOULD have the value "http://www.w3.org/2000/09/xmldsig#sha1"".)
(R5421 Any SIGNATURE_METHOD Algorithm attribute SHOULD have a value of "http://www.w3.org/2000/09/xmldsig#hmac-sha1" or "http://www.w3.org/2000/09/xmldsig#rsa-sha1".)
(R5210 Any STR_KEY_IDENTIFIER that references an X509_TOKEN which does not contain a SubjectKeyIdentifier extension MUST have a ValueType attribute with the value of "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" and MUST contain the value of the SHA1 of the raw octets of the X509_TOKEN that is referenced.)
- also narrow the mandatory statements about SHA-1:
(R5210b When the use of SHA-1 is agreed, any STR_KEY_IDENTIFIER that references an X509_TOKEN which does not contain a SubjectKeyIdentifier extension MUST have a ValueType attribute with the value of "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" and MUST contain the value of the SHA1 of the raw octets of the X509_TOKEN that is referenced.)
- Jacques: New extensibility point:
E0nnn Digest algorithms
Use of algorithms other than SHA-1 is an extensibility point.
- Tom: we have 2 options: (a) BSP11 quick fix as above, (b) BSP12 deeper fix removing SHA-1.
- Ram: BSP12 would be better: users really need support for SHA-256.
- Pim agrees a stronger fix is best, AND also in test suite.
- Jacques: need to investigate how easily test suite could be updated (e.g. just a string replacement for SHA-256 support?)

- Jim Ma feedback on possible bug in BSP11 test suite:

- Jacques: Jim has a good point: the BSP test tools are failing the SAML Token on R5206 while R5206 is for checking the X509_TOKEN only. We'll follow up with a statement but need to reassure him ASAP on this.
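
Added example, not part of the original minutes and not code from the BSP test tools: a Python check that reports, for each DigestMethod and SignatureMethod in a signature, whether its Algorithm is one of the SHA-1 values quoted under item 4 or would fall under the proposed "other algorithms" extensibility point, plus the SHA-1 key identifier value described in R5210. The sample signature, the status labels, the function names and the base64 encoding of the thumbprint are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

DS = "http://www.w3.org/2000/09/xmldsig#"

# SHA-1 Algorithm values quoted in the minutes (digest statement and R5421).
SHA1_URIS = {
    "DigestMethod": {DS + "sha1"},
    "SignatureMethod": {DS + "hmac-sha1", DS + "rsa-sha1"},
}

# Constructed sample: one signature mixing SHA-256 and SHA-1 algorithms.
SAMPLE = f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#body">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </ds:Reference>
    <ds:Reference URI="#timestamp">
      <ds:DigestMethod Algorithm="{DS}sha1"/>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""


def classify_algorithms(xml_text):
    """Return (element, Algorithm URI, status) for every digest/signature method.

    status is "sha1" for the values quoted in the minutes, otherwise
    "extensibility-point" (hypothetical label for the proposed E0nnn).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for kind, sha1_values in SHA1_URIS.items():
        for el in root.iter(f"{{{DS}}}{kind}"):
            uri = el.get("Algorithm", "")
            status = "sha1" if uri in sha1_values else "extensibility-point"
            findings.append((kind, uri, status))
    return findings


def thumbprint_sha1(cert_octets):
    """R5210 value: SHA-1 over the raw octets of the X.509 token.

    Base64 text encoding of the digest is an assumption of this example.
    """
    return base64.b64encode(hashlib.sha1(cert_octets).digest()).decode("ascii")


if __name__ == "__main__":
    for kind, uri, status in classify_algorithms(SAMPLE):
        print(f"{kind:16} {status:20} {uri}")
```
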