wss message
Subject: [wss] Oct 8th minutes corrected again (2nd time)
- From: Kelvin Lawrence <klawrenc@us.ibm.com>
- To: wss@lists.oasis-open.org
- Date: Thu, 17 Oct 2002 16:09:41 -0600
One further update to the minutes, Vipin Samar let me know he was also on the call.

It seems the majority of corrections for each of our calls have been the attendance list. In future, to help us get the roll call accurate the first time, as folks join the call, even if late, please announce yourselves at a convenient moment. Please speak up before the call ends or else we have no way to verify that people really are or are not on the call. To date we have given people the benefit of the doubt but I am considering making a proposal to adopt a stricter policy here. I appreciate the cooperation of all members in this. We will also try and implement a more rigorous roll call (air traffic control style) where we (the chairs and/or secretary) positively acknowledge that we heard you when you do respond to the roll call or announce yourselves. This will avoid people who do speak up still getting missed which has happened a few times as well I will agree. I appreciate everyone's best efforts to help us get an accurate roll call and as this directly affects membership status it is important we get this right.

Updated minutes follow:
-----------
Web Services Security TC Meeting Minutes
October 8th, 2002
Minutes taken by Bob Morgan.
Agenda (as posted prior to the meeting)
1. Introductions & welcome
2. Roll call
3. Reading of the minutes of our previous meeting (9/24)
4. Brief report from the naming sub-committee
5. Brief report from the Use Cases sub-committee
6. Update on the SJC charter
7. Progress report from the editors
8. Review of documents
9. Review and status of actions and issues
10. Any other business
11. Adjournment
The meeting began at 7:05am Pacific Time
Roll call was taken.
Those present

Voting Members
First Last              Company
Don Adams               TIBCO
Zahid Ahmed             Commerce One
Steve Anderson          OpenNetwork
Conor Cahill            AOL
Paul Cotton             Microsoft
Martijn de Boer         SAP
Thomas DeMartini        ContentGuard
Yassir Elley            Sun Microsystems
Jeremy Epstein          webMethods
Don Flinn               Quadrasis
Peter Furniss           Choreology
Eric Gravengaard        Reactivity
Sam Greenblatt          Computer Associates
Phillip Hallam-Baker    Verisign
Geff Hanoian            Overxeer
Jeff Hodges             Sun Microsystems
Merlin Hughes           Baltimore Technologies
Chris Kaler             Microsoft
Charles Knouse          Oblix
Yutaka Kudo             Hitachi
Kelvin Lawrence         IBM
Hal Lockhart            Entegrity Solutions
Monica Martin           Drake Certivo, Inc.
Ronald Monzillo         Sun Microsystems
Bob Morgan              (individual)
Tim Moses               Entrust
Joel Munter             Intel
Anthony Nadalin         IBM
Nataraj Nagaratnam      IBM
Toshihiro Nishimura     Fujitsu
Rob Philpott            RSA Security
William Pope            Choreology
Rajesh Raman            BEA Systems
Irving Reid             Baltimore Technologies
Peter Rostin            RSA Security
Vipin Samar             Oracle
Krishna Sankar          Cisco
Jerry Schwarz           Oracle
Shawn Sharp             Cyclone Commerce
John Shewchuk           Microsoft
Frank Siebenlist        Argonne National Lab
Andre Srinivasan        E2open
Gene Thurston           AmberPoint
Steve Trythall          Sonic Software
Sirish Vepa             Sybase
Ganesh Vaideeswaran     Documentum
Rob Weltman             Netscape/AOL
Pete Wenzel             SeeBeyond

Prospective Members
Maryann Hondo           IBM
Prateek Mishra          Netegrity
Jason Rouault           HP
William Cox             BEA
Anne Manes              (individual)
Ron Moritz              Computer Associates
Toufic Boubez           Level-7
Guillermo Lao           ContentGuard
John Weiland            Navy

Observers
Tim Hall                Talking Blocks
Chair’s note: As a result of this meeting, several of the prospective
members, having now attended 3 meetings, became voting members. We will
update the records and publish new information to the list and the web
page.

Objections to last minutes as sent out?
KL: those who attended who aren't on the list will be added with
this correction, minutes unanimously accepted

Report from naming subcommittee
Rob Philpott: results of discussion submitted to list several
recommendations made for doc names
"web services security:" prefix for all doc names
followed by more specific per-doc name
several options for current "core" doc
others to be labelled as "profiles" for Kerberos etc
Hal Lockhart: some comments, but no alternatives proposed
so seems we should proceed to vote?
Jerry Schwarz:
concern that people think we're doing all of "WS security"
so, removing the ":" in the name would help ...
Chris K: OK
chairs will encourage review and comment, with vote on next concall

Report from use cases subcommittee?
Zahid A: no meetings held
KL: Phil Griffin had sent invitation to chairs to join OASIS SJC
Hal: SJC is clarifying charter, always intended that WSS should join
some confusion about which other committees should join
KL: so should be no more contention, chairs will follow up
Hal: chairs should join next SJC concall

Report from document editors
Tony Nadalin: just four comments
editors pulling out comments for inclusion in their docs
Ron Monzillo: agreed with Prateek's comments, not yet included
Jeff Hodges: will we have document repository?
KL: yes, website coord has been busy, but will do that

Review of documents
CK: a few comments on list
should this be interpreted as consent or inattention?
various: give a deadline
KL: useful deadline is to go to committee draft
CK: OK, please raise issues by one week from today
with intent to have vote on committee spec in two weeks
Hal: various process steps:
public review, attestation of "use" by three companies
need to define "use" since OASIS guidelines are minimal
RM: need to consider impact of existing issues
Bill Cox:
problem is that people don't read docs until they look "ready"
so how about longer deadlines
CK: part of schedule is scheduling F2F, November looking unlikely
various: is F2F during comment period a bad idea?

Review of issues
John Shewchuk: sent out revised issues list

issue #1: alternative methods of sig/enc, Zahid is owner
ZA: will produce proposal for alternative this week
Q: is this proposal for XML sig/enc or alternative?
ZA: no, not alternative, just how to use XML DS/E
Prateek: interesting use case was proposed by Monica
discussion:
should consider extensibility even if no specific alternatives
are fully specified at this time
since our docs will likely not be perfect for all time
current doc says "MUST XML enc/sig, but MAY others", is
that OK?
objection: should make alternative methods in XML the problem
of XML sig/enc committees, not ours
but question is about use of existing non-XML methods, eg S/MIME
JS: proposal: continue to say XML enc/sig MUST be implemented
specify how to add others as profiles if desired
RM: think of these mechanisms as "proofs"
considering high-level abstraction indicating what is being proved
eg, how is knowledge of time-stamp incorporated?
maybe need is to indicate "type" of signature
eg, digested username/password token is a kind of proof,
someone: all signature can ever do is demonstrate knowledge of key
discussion:
does this permit anything to be a profile?
what about combination of profiles?
as long as parties agree, you can combine them ...
PHB: only likely extension would be use of the
many sign&encrypt protocols
PKCS7 would likely better be done with separate header
JerryS: does more extensibility imply need for negotiation?
CK: we already have several types, imply out-of-band agreements
JerryS: WS-I wants to
BM: how can we know whether extensibility will work without a
concrete example?
CK: Phil Griffin's proposal is first step in that direction
Paul Cotton: having extensibility doesn't change compliance
with core stuff, as long as core isn't redefined by it
MOTION:
conformant implementations must support XML sig/enc
and MAY support additional mechanisms
and editors are so directed
motion is seconded
Hal: does this imply that we might change spec to eliminate barriers
to such extensibility? eg in consideration of PG's proposal?
discussion: yes
comment:
please check with Phil Griffin whether this addresses his issue
KL: yes, so notes
motion unanimously carried

issue #3: indicate token semantics
Hal: close to closure, but recent discussion is departure
will send summary/proposal to list within two days
also some important security considerations go along with this

issue #4: why is token not child of keyinfo?
PHB: have to do Kerberos as token
relates to issue #5 too
CK: so let's combine issues 4 and 5
and note that resolution of #3 must be consistent with that

issue #6: submission of roadmap
KL: modifications to footers made
BM: just a matter of putting it in committee repository?
KL: this requires substantial legal clearance
surely don't want to put every referenced doc in our repository?
JShewchuk: so, doc owners will obtain fixed URL
remains open

issue #9:
instruct use-case authors to consider whether or not they need this doc
remains open

issue #10: interop fest
postponed until closer to finished docs

issue #13: element ordering
has proposal been made? JerryS: not yet
may just be clarity issue
editors are instructed to clarify wording under consideration
remains open

issue #14: recipient should authenticate
this is specific to SAML profile? yes
RM: general statement is that recipient should validate claim
may need to be said in core doc
RM will propose modification to doc
remains open

issue #15: use of term "role" in spec
Prateek: need to reference that Role is defined in SOAP 1.2
and when using SOAP 1.1 this means "actor"
editors directed to make text along this line
remains open

issue #16: replay
Prateek: really about nature of example, will raise new issue
closed

issue #17: question about lines 1139-1141 of core
clarification needed by editors about meaning of these lines
remains open

issue #18: 1224-1226 reference "send time" that is undefined
CK: intent is to calculate delay time, no attribute implied
no change to text needed
closed

issue #19: special case of username/password
RM: useful to unify notion of proof
to achieve semantic model of proof and validation
related to proposal to indicate semantics in label
also covers issues 23 and 24
RM directed to participate with PHB, TN in resolution of
labelling and POP
remains open

issue #20: security token propagation
editors need to clarify intention regarding propagation
remains open

F2F discussion
KL: early November is a problem due to chair availability. OASIS
conference is week of 12/8 in Baltimore, W3C AC meeting is week of 11/18,
religious holidays first week of December. Looking at 2-day meeting