
Subject: Minutes March 20 meeting


----------------------------------------

DRAFT MINUTES

OASIS WS-BRSP TC Meeting

20 March 2014, 11:00am to noon PDT

----------------------------------------

 

Scribe: Jacques Durand

0. Call to Order and roll call

Jacques Durand calls the meeting to order and welcomes everyone.

 

* Roll call:

 

Alessio Soldano

Ram Jeyaraman

Gershon Janssen

Doug Davis

Jacques Durand

Tom Rutt

Pim Van Der Eijk

 

Tom Link (observer)

Mike DeNicola (observer)

 

Excused:

Micah Hainline

 

 

This meeting is quorate.

 

 

Agenda adopted:

 

1. Administrative: minutes Jan 16, Feb 27.

2. Outcome of comment disposition ballot.

3. Decision about Candidate BP12, BP20, RSP10 for submitting as CSD + PR.

4. BSP1.1:

- The case of SHA-1 issue in BSP11. How to proceed further with BSP11: authorizing use of other SHA versions besides SHA-1

(see previous email),

-  Jim Ma feedback on possible bug in BSP11 test suite.

 

 

Minutes:

 

 

1. Administrative: minutes Jan 16, Feb 27.

Tom Moves: approve Jan 16 + Feb 27 minutes. UNAN approved

 

2. Outcome of comment disposition ballot.

- Ballot passed, unanimously.

- Ram mentioned he intended to vote but got distracted last minute.

- did we get back to comments author? Not needed.

- Jacques: Point out that this recommendation was removed, as part of comment disposition:

" When no such prior agreement exists and there is a need to advertise, the use of WS-Policy is RECOMMENDED

over the use of the Conformance Claim Attachment Mechanisms." No one has a problem with this in this meeting.

- Tom Rutt : the following packages include comment dispositions for BP12, BP20, RSP10:

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/52539/bp12CSD02Package.zip

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/52541/bp20CSD02Package.zip

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/52542/rsp10CSD02Package.zip

- Pim: spotted minimal issue (also sent to list) In the uploaded ZIP set,  the front page of BasicProfile-v2.0.docx

says .BasicProfile-v2.0.doc (Authoritative) but is a docx.

 

3. Decision about Candidate BP12, BP20, RSP10 for submitting as CSD + PR.

- We confirm and verify that no conformance-bearing normative statement has been altered in its meaning. Only clarified.

 

- MOTION (1): The TC approves Basic Profile Version 1.2, dated 17 March 2014

wd06 and all associated artifacts packaged together in:

https://www.oasis-open.org/committees/download.php/52539/bp12CSD02Package.zip

as Committee Specification Draft 02 and designate the PDF version of the specification as authoritative,

and for a Public Review of 15 days.

- Tom R. moves so. Alessio 2nd. No objection. UNAN approved.

 

- MOTION (2): The TC approves  Basic Profile Version 2.0, wd06,  dated 17 March 2014 and all

associated artifacts packaged together in:

https://www.oasis-open.org/committees/download.php/52541/bp20CSD02Package.zip

as Committee Specification Draft 02 and designate the PDF version of the specification as authoritative,

and for a Public Review of 15 days.

- Tom moves, Ram 2nd. No objection. UNAN approved.

 

- MOTION (3): The TC approves  Reliable Secure Profile Version 1.0,  wd06,  dated 17 March 2014 and all

associated artifacts packaged together in:

https://www.oasis-open.org/committees/download.php/52542/rsp10CSD02Package.zip

as Committee Specification Draft 02 and designate the PDF version of the specification as authoritative,

and for a Public Review of 15 days.

- Tom moves so, Alessio 2nd. No objection. UNAN approved.

 

4. BSP1.1:

 

- The case of SHA-1 issue in BSP11. How to proceed further with BSP11: authorizing use of other SHA versions besides SHA-1

(see previous email),

- Pim: presents the issue and its context. Users really need SHA-256. Pim proposes two options,

one we already proposed on mail list.

- Tom: The TC should use the new WD06 as the basis for the SHA issue resolution, 

Once resolved we can prepare WD07 and then go for CSD02

 

Jacques:  Fix #1: make SHA-n a new extensibility point, and remove any mention of SHA-1 preferred.

("Any DIGEST_METHOD Algorithm attribute SHOULD have the value "http://www.w3.org/2000/09/xmldsig#sha1").

(R5421 Any SIGNATURE_METHOD Algorithm attribute SHOULD have a value of "http://www.w3.org/2000/09/xmldsig#hmac-sha1"

or "http://www.w3.org/2000/09/xmldsig#rsa-sha1".)

(R5210 Any STR_KEY_IDENTIFIER that references an X509_TOKEN which does not contain a SubjectKeyIdentifier extension

MUST have a ValueType attribute with the value of

"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"

and MUST contain the value of the SHA1 of the raw octets of the X509_TOKEN that is referenced.)

- also narrow the mandatory statements about SHA-1:

(R5210b When the use of SHA-1 is agreed, any STR_KEY_IDENTIFIER that references an X509_TOKEN which does not contain

a SubjectKeyIdentifier extension MUST have a ValueType attribute with the value of

"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" and

MUST contain the value of the SHA1 of the raw octets of the X509_TOKEN that is referenced.)

- Jacques: New extensibility point: E0nnn  Digest algorithms  Use of algorithms other than SHA-1 is an extensibility point.

- Tom: we have 2 options: (a) BSP11 quick fix as above, (b) BSP12 deeper fix removing SHA-1.

- Ram: BSP12 would be better: users really need support for SHA-256.

- Pim agrees a stronger fix is best, AND also in test suite.

- Jacques: need to investigate how easily test suite could be updated (e.g. just a string replacement for SHA-256 support?)

 

-  Jim Ma feedback on possible bug in BSP11 test suite:

- Jacques: Jim has a good point: the BSP test tools are failing the SAML Token on R5206 while

R5206 is for checking the X509_TOKEN only. We'll follow-up with a statement but need to reassure him ASAP on this.
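
An added illustration of item 4, not part of the minutes and not code from the BSP test tools: a check over `ds:DigestMethod` and `ds:SignatureMethod` Algorithm attributes, run once under the SHOULD wording quoted above and once under Fix #1. The function name and verdict labels are hypothetical; the SHA-256 identifiers in the constructed sample are the W3C XML Encryption and RFC 4051 URIs.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Values quoted in the minutes for the two SHOULD statements.
PREFERRED = {
    "DigestMethod": {DS + "sha1"},
    "SignatureMethod": {DS + "hmac-sha1", DS + "rsa-sha1"},
}

# Constructed sample (not from the test suite): one SHA-256 signature method,
# one SHA-256 digest and one SHA-1 digest.
SAMPLE = f"""<ds:SignedInfo xmlns:ds="{DS}">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#body">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>constructed-placeholder</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="#timestamp">
    <ds:DigestMethod Algorithm="{DS}sha1"/>
    <ds:DigestValue>constructed-placeholder</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""


def audit(xml_text, other_sha_is_extensibility_point):
    """Classify every DigestMethod / SignatureMethod Algorithm attribute.

    Returns (element name, algorithm URI, verdict) tuples in document order.
    Verdict labels are hypothetical, not the BSP test tools' report format.
    """
    results = []
    for el in ET.fromstring(xml_text).iter():
        if not el.tag.startswith("{"):
            continue                      # element without a namespace
        ns, _, name = el.tag[1:].partition("}")
        if ns != DS or name not in PREFERRED:
            continue
        alg = el.get("Algorithm")
        if alg is None:
            verdict = "missing"           # no Algorithm attribute to assess
        elif alg in PREFERRED[name]:
            verdict = "preferred"         # one of the SHA-1 values quoted above
        elif other_sha_is_extensibility_point:
            verdict = "extensibility"     # Fix #1: reported, not flagged
        else:
            verdict = "warning"           # current SHOULD wording not met
        results.append((name, alg, verdict))
    return results
```
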

 

 

 


