Subject: RE: [wss] Minutes from F2F #2


Day 2 afternoon summary and raw minutes (separated)

--
Steve


-----Original Message-----
From: Steve Anderson 
Sent: Friday, December 13, 2002 4:50 PM
To: OASIS WSSTC (E-mail)
Subject: [wss] Minutes from F2F #2


The minutes were taken by 4 different individuals, each taking different half-day shifts (starting with me).  Since we have a short timeframe before next Tuesday's call, I will post them essentially as-is.  

Some have summaries, some do not.  For those that have summaries, items in those summaries may have been addressed and resolved differently in subsequent sessions.

Therefore, I advise reading through these minutes (carefully) in the order posted.  Four postings to follow ...
--
Steve


ACTION on Ron Review issue 52 before next meeting. Mark issue 52 PENDING REVIEW.

ACTION on TC review response to Issue 56 for further edit.

Issue 59: Guillermo: Need more time; Phillip sent new version to Chris.  PENDING.

Issue 60: Guillermo -- leave OPEN - need more time.

ACTION on Tony to fix typos in Issue 61, Ron and Frederick re-review before next meeting. Issue 61 continues PENDING.

NEW ISSUE on XML Security Token Wrapper. ACTION on editors, Jerry. Ron - several issues, including labeling?  Chris - signing of SAML Token. We should think about whether we need it.  No scenario in XRML doc that needs it.  Jerry - There were other reasons, will reconstruct.

NEW ISSUE Grammar to express elements - l167 - ACTION on TC to Review.  Status PENDING.  Clarification  that fragments are illustrative (Tim Moses).  Only normative is referenced XSD.

NEW ISSUE Security considerations added by Tony: what should be signed (Ron - it wasn't covered in current doc).  See line 1500. Ron to review this new issue.  Took text from SAML binding, uses assertion - Tony will correct before issue of next draft.

ACTION Chris - put together a draft straw man of a potential interop script, mail to the general TC list.  Date: in 2 weeks = December 28, 2002.  

ACTION Kelvin - will ping Eric on use cases.

ACTION on chairs - add vote to affirm straw poll selected names to agenda for Tuesday call. secondary docs:  "web services security: tokenType Token Profile"
primary doc: "web services security: SOAP Message Security."

ACTION on IBM, Microsoft, and Verisign: we will try to get what we can on licensing on the WSS TC web site.
 
ACTION on group for all TC members to disclose IPR issues.  

ACTIONS arising from Liaison reports?

ACTION on TC to consider impact of policy/QoP work. 

ACTION ON CHAIRS - Create a subgroup to come up with requirements.

ACTION ON TC - Phone next Tuesday, December 17. Members who attended this F2F should make every effort to attend.

Start time of these minutes: 11:30 AM Thursday December 12, 2002 meeting already in progress.

Issue 47: Examples (Zahid Ahmed was not present) State PENDING

Issue 52: Security token references. State PENDING

Tony: two updates in Appendix B and in Security Token Reference where we outlined what will be in the non-normative summary of SecurityTokenReference in App B.  Chris sent a sep doc that is now app B on how to process STRs. (lines around 694 in diffmarked) Ron wanted a description of the processing model. Ron - Chris pointed to the processing model.  Ron - looked like alternative choices for references, wanted that.  Chris - mark PENDING so Ron can review before Tuesday.
ACTION on Ron Review issue 52 before next meeting.

Kelvin - anyone here who can't  be on the call on Tuesday?  Brief discussion about quorum, still short 2.

Issue 55: Line 395ff.  Leave PENDING as Frederick is out of the room.

Issue 56: Issue was consolidating to an appendix the wsu information, per Wednesday minutes. Robert Philpott - faults aren't in the appendix.  receive type.  Chris -- faults.  PENDING, Tony will get edit in.  A.3 covers type definition.  Someone asked about Delay.  
ACTION on TC review response to Issue 56 for further edit.

Issue 59: Guillermo: Need more time; Phillip sent new version to Chris.  PENDING.

Issue 60: Guillermo -- leave OPEN - need more time.

Issue 61: Frederick has worked on clarification, Ron - need to talk with Frederick. Lines 808ff. Jerry - element that we don't have; should be SecurityTokenReference? 
ACTION on Tony to fix typos, Ron and Frederick re-review. Continues PENDING.

Jerry Schwarz - XML security token wrapper - we agreed to do it, Tony had agreed to do it/take proposal. Tony would work with Jerry. Follow-on discussion of Issue 61, leading to a...

NEW ISSUE on this, ACTION on editors, Jerry. Ron - several issues, including labeling?  Chris - signing of SAML Token. We should think about whether we need it.  No scenario in XRML doc that needs it.  Jerry - There were other reasons, will reconstruct.

NEW ISSUE Grammar to express elements - l167 - ACTION on TC to Review.  Status PENDING.  Clarification  that fragments are illustrative (Tim Moses).  Only normative is referenced XSD.

NEW ISSUE Security considerations added by Tony: what should be signed (Ron - it wasn't covered in current doc).  See line 1500. Ron to review.  Took text from SAML binding, uses assertion - Tony will correct before issue of next draft.



NEXT ITEM ON AGENDA:  "Interop Draft"

Kelvin - Issue has been open for a while. People want to do an interop event.  There was mail to the list 2 months ago on interop draft.  Kelvin would like to do this in first 3 months of next year. We will need more than one such event. Will propose a strict set of scenarios to interoperate on.  

Discussion on the term "interoperability draft."

Chris - We need to create a script, and select a version of the spec that will be the [first] one to freeze for coding.  When we talk about an interoperability draft that's what we mean.

Kelvin - next F2F should be focused on interop and test of spec.  (viz. addendum where a lot of things got fixed) - sanity check point, get a jump start as we come out of this process to become a formal spec.

Martijn: generally a good idea, when we specify scenarios define a set of test vectors, which elements to protect, so people can test them.   Robert P. - We should write a detailed interop scenario or scenarios.

Lloyd Burch - This would need to be an open meeting, NOT a press event. Kelvin - Minutes would be taken. Purpose is to generate feedback on the spec. I will not call pcweek, etc.  This is not an embarrassment deal - it's to determine where there are issues and holes in the spec.  It will give us a chance to focus on the spec really well.  Lloyd - We would not be taking notes on pass/fail? Kelvin - the TC will have to establish rules.  We will record actions for the editors to fix things that made interoperable implementations easier [meant "harder"] to implement.

Tony - will we get feedback from the use case group in the afternoon session? Kelvin - is there anyone on the group?  Eric was the driver, not here.

Several people - nothing has happened on that list.  Don Flinn - Don't stand on formality, post to the list!

Kelvin - We'll have to come up with scripts for the event as a TC.

Jerry - There's the suggestion of some special status to this draft we're about to issue at the end of this meeting. But the important doc is this scenario document, defining the bits that have to be done.  Why the special status? Bill - from interop work, the scenario is what's important, in effect profiling the base spec.

Kelvin - We need to do it this way because OASIS doesn't have a "candidate recommendation" designation. We want something frozen.

Robert P - The key doc is the scenario doc, it can say use version core-xx.  Jerry - Yes, can say in the scenario what draft is used.

Kelvin - We want to say that this is the version to work against.  Maryann - This draft should be a checkpoint, something concrete.  Robert - say which.  Doc editing - interoperability draft is designated. Jerry - what can I leave out?  Chris - The scenario doc doesn't reiterate the spec. 

Kelvin - There's no special secret meaning.  Robert P - Some didn't know, based on the agenda.  Kelvin - that's what mail said.

Ron - I agree that the script alluded to with use cases needs to be produced before we can lock down a draft. The drafts we have haven't been validated against (say) using X.509 certificates.  

Paul C - "No one" is a bold statement.  Robert - not all use cases.  Ron - need to validate before locking down scenarios. Gene Thurston - agrees. Kelvin - We can't wait for the use case group. Ron - There's a problem with the way that the use case group was kicked off, without participation of the chairs.  The TC agreed back at the first meeting that there wouldn't be a use case document, so they've had nothing specific to do.  Chris - We expected non-normative use cases, not for formal spec, use cases that we could possibly donate to WS-I. Ron - There was no sense that we needed use cases.  Robert - [The chairs?] asserted at 1st F2F that there was no need for use cases. Ron - if the TC agrees that there's an important need for use cases, shouldn't saw the use case group off at the knees.

Chris - general use cases [were discussed?], but also a specific proposal for the interoperability.

Kelvin - want to kick off.

Chris - I will take ACTION to put together a draft straw man of a potential interop script, mail to the general TC list.  Date: in 2 weeks.  ACTION Kelvin - will ping Eric on use cases.

Ron -  Now define and give them some weight. We want to show them interop over important use cases.  Paul C - Remember that "them" is us. We should disband the interop subgroup and do it as committee of the whole.

Chris - [We need a ] precise course through the core spec, where if you don't do it you're dead. Ron - that's a use case. Paul C - may need other use cases.  Chris - This will revitalize the people who want to do use cases.

Kelvin - At a future meeting we should set date for [the first] interoperability event.  I'd like to take a Straw poll on who is interested in coming to such a meeting? And for what purpose? [roughly 2/3 of group present raised their hands.] Comments from group on why people would come - to watch, to attempt to interoperate.

Chris - what kind of network infrastructure do we need to plan on?  Should combine with a F2F:  Spend the morning getting the code to work, the afternoon discussing.

Robert  - The SAML dry runs were similar.  There were two, one on each coast. Focus was on the script and figuring out how to make it work.  It was just a meeting, and it worked well (the marketing people not informed).

Chris - interrupting - don't want to do that.

Robert - (continuing) More of a working meeting.

Chris - So let's have a TC meeting with a "code focus," perhaps in February.

Discussion - Late March better. Won't have scenario/script until mid January.
Paul C - We should have two days of interop and then have the f2f meeting.

Tony - is there a motion on the floor to have this?  [Some comment on "websphere interoperability"] 

Chris - Some companies have huge issues about unreleased code on the internet. 


QUORUM AND PROCEDURAL DISCUSSIONS

Kelvin - We might have quorum, long discussion on what "attendance" means. Asked who would object to counting attendees that were not in the room as attending for quorum purposes. Objection from Bill regarding quorum calculation. Discussion on attendance for retaining membership, attendance for quorum. Counting of members who had attended at any time during the two day meeting was proposed, which would have reached quorum.  Chairs declined to rule that 


LUNCH

Afternoon: 1pm restart.

Planned revised agenda:
Naming committee - 5 minutes
Liaison activity - 5 minutes
QoP Discussion list - 25 minutes
Adjourn

Naming Committee

Rob Philpott - naming summary. Based on responses, not checking whether only voting members voted: main choices on core were "Core" or "SOAP Message Security" or "...Protection".  17/25 votes
Profile docs - move to "Profile documents" not "Binding Documents."

Chris - on Tuesday call, take a vote and put to rest.  ACTION on chairs - add vote to affirm straw poll selected names to agenda for Tuesday call.

Discussion on whether this was a vote. Email call for vote claimed, but some said we haven't ever done that.

Rob - summary of the leading choice: 
secondary docs:  "web services security: tokenType Token Profile"
primary doc: "web services security: SOAP Message Security."



Liaison:

Input from discussions in other groups.  No requirement for big discussion.

Tim Moses - XCML familiarity? around half of those present raised a hand.  Auth and access control in mind - policy. Submitting as OASIS standard in the near future.  Should be considered a jumping off point.  Quite a satisfying activity - broad range of participants.  Hal is co-chair of that group.

At the 11th hour there was a disruptive declaration by ContentGuard that they had IP that applied; In Tim's opinion this was mischievous, with unknown motives.  

WS-I LIAISON

Jerry Schwarz - WS-I has created working group on security with the expectation that future profiles will have some security use cases.  The first meeting (teleconference) is next Tuesday. Kelvin - I've talked with Eve Mahler (??), the Chair - several people on this TC are on that meeting, so next Tuesday WSS will start on time and finish in 90 minutes (half hour early).  We've agreed (?) that the WS-I meeting will not stay in that timeslot.

SAML LIAISON

Prateek - SAML liaison.  SAML has completed 1.0 standard.  Co-winner of PCWorld Award.  Now entering into the 1.1 process, which we expect to terminate first half 2003.  Rob is also co-chair with Prateek (?). Focus is on collecting input from implementation, of which there is a fair bit, and errata updates.  SAML metadata and browser profiles, extensions for [something].  SAML 1.1 won't complete in time for WSS 1.0.

Prateek is SAML schema-izing your information? yes, in 1.1.

GRID LIAISON (OGSA, Global Grid Forum)

Frank Siebenlist - OGSA (open grid services architecture, which has web services and other fluff around it) and Global Grid Forum (meets 3 times per year).  Introduced WSS in the OGSA security architecture. They have a prelude release that implemented WSS (?!) 6 months ago.

One of these GRID groups has also created and licensed a development toolkit, using a BSD style license. Many of the vendors here have ported to their own platforms.  There have been early questions on the licensing model; no answers to date, but promises and suggestions that we shouldn't worry about it.  Hope that it will resolve appropriately.

I have a few questions that I was asked by the [two GRID groups] with my proposed answers...

(1) what kind of licensing will apply to the OGSA security toolkit? - I don't know.

(2) When will you know? I don't know.

(3) How can we standardize without knowing the licensing? - I can't vote for the standard.

(4) Are there more members that have issues on this lack? - maybe a few.

(5) Could there be a substantial number that won't ratify with a bad IPR statement? - may well be.

(6) Isn't this a bad situation to be in? - I couldn't agree more.

(7) Are there any reasons this is not addressed? - submitters don't have their act together...

(8) Are there some Machiavellian things going on? - I vouch for the integrity of the submitting companies, they wouldn't be capable of doing anything like that.

(9) Isn't it hard to expect us to participate and contribute without knowing answers to these questions? - same answer, vouch for the integrity...

(10) Are we heading for a confrontation? - possibly, and that is bad.

(11) Did you manage to bring this to the attention of everyone? - I'm trying.  Lots of colleagues and coworkers are following the mailing list. My request to put this on the agenda was refused - not even acknowledged.

(12) Isn't that rude? - It was a mix-up, I vouch for the impartiality of the chairs.  The TC should be very careful to ack others' requests for agenda status, not very polite.

Tony: Verisign put out an open source version of WSS; why can't you do the same to do that?

Frank - go back to your own company and ask about our request.

Tony - has been done.  But IBM, MS, and Verisign worked together on the original spec. 

Prateek - is there a URL where you can find out how to license this?

(no direct answer)

Frank - You guys are working for the submitters of this spec, and you don't have this together.

Chris - Kelvin offered to get the lawyers together (comments from the house - "and then do what?")

Kelvin - You're concerned about the TC, or the IPR statement that isn't part of the TC?

Frank - I don't know the licensing conditions. I never had any info except for IPR statement.

Chris - are you asking how to get the Terms & Conditions? Go to our URL for the original spec, it will point you to the T&Cs for the April spec.

Robert  - The Intellectual Property is relevant to each member of this TC. Kelvin - no one has submitted any further declarations.  The way I read your mail, I thought you had specific questions about the terms and conditions.  Your company's lawyers should talk to ours.

Robert - There's a letter of intent to the TC to contact RSA to receive licensing terms.

long discussion, re: timing of disclosures.  Hal - disclosure "at the earliest possible time." but no enforcement is in OASIS IPR statement.

Frank - more

Chris - ACTION on IBM, Microsoft, and Verisign: we will try to get what we can on licensing on the WSS TC web site.   
Chris - From my perspective, I've only known about this issue for 3 weeks, and this request is beyond what's required.  If you did the due diligence to go to the MS web site you would have seen.

ACTION on group requested by Robert for all TC members to disclose IPR issues.  

Ron [could have been Robert]- this may come up in many contexts.  Someone wants to profile WSS; are there unencumbered profiles of WSS without having licensed the core licenses?  IP others submit, e.g. the SAML SOAP binding might implicitly be subjected to this license!  What are the linkages of these profiles to the licenses? Hal - could be two versions of a profile, one of which infringes on another.  Chris - I can't answer that [Ron's question]; legal issues are beyond the scope of the TC. 


General comments suggesting that that is the case.


WSRP LIAISON

Bill - WSRP has issues with respect to roles; communication has started happening, I believe.

W3C LIAISON

Hal - Liaison from W3C Web Services Architecture. There was a note on 11/11 on WSAWG asking this group to provide WSDL references in the initial issue.  (from Dave Orchard)  Chris - have an action on this, but it's not clear whether this is appropriate - we're discussing it, but don't understand what is expected of us because it is not representable in its current form.  Not clear whether this was from Dave O or from the TAG or from the WSAG?  Hal - from the WSAG.

QoP READOUT - DON'T HAVE SLIDES

Tim Moses - QoP readout.  SLIDES AVAILABLE?

At the WSS F2F #1 - a need was identified.
Objections raised were schedule impact, absence of interested parties.
Solution taken - create a discussion group, liaison statement.

On schedule impact:
Chris - The schedule impact comment is a false claim; this is a hypothesis that majority of TC hasn't followed or discussed, hence no impact. Interested parties should have gone through OASIS procedures; experts should know that the activity is taking place. Only one additional person took part.

Tony - what is the scope of a discussion group? Tim - determined by its charter.
Tony - open environment, no rules associated with it?  Tim - follows OASIS group procedures.

Tim - There were people present that found this an important, and possibly urgent, activity. The group is reporting back to the TC on its work. Summarized (from slides):

WSS describes how to apply a chosen security policy to a SOAP message.

This leaves open:
How can the parties exchange their security policies? [SEE SLIDES]

Security Policy and QoP document have a normative flavor, but are not intended to conform to full OASIS requirements.

Issues: Confidentiality, integrity, origin authentication.
Which Parts to protect.
Authorization.
Privacy.

Full report is 25 pages; see (http://lists.oasis-open.org/archives/wss/200211/msg00179.html and link therein to http://www.entrust.com/resources/pdf/wssqopv09.pdf .)

How does the consumer find out about providers' policies, and the provider find out about consumers' capabilities? SOAP for the consumer, WSDL for the provider. (???)

Tony - any reason the consumer is not also WSDL? Tim - responder may not define the schema for its response via WSDL, it may not have any WSDL.  Tony - can policies be combined? Tim - if any intermediaries have policies, the document addresses combining them.

John S - could you use the SOAP-based mechanism for that?
John S - do you envision this applying to broader policy, e.g. transactions or policy ports?
Tim - addressed general-purpose policy language (e.g. for authorization privacy); possible to extend as you described. We focused on security policies.  

John S - customer requirements - if doing reliable message exchange you would do one  kind of security, if not, do something else. if in completely separate domains, couldn't say anything about the cross product.

Ron - Need to express security policy associated with a context.  So you could define a union context.  John - I don't know what you mean by context. If I had a policy (trans, reliable messages) so have a security, transaction, and reliable message contexts? Are these separate from security contexts? Ron - generalize and re-factor at one level. May want to re-factor transaction policies in the same way.

John S - context vs policy? I think I'd have policy as distinct from context.

Ron - This is in effect a tree that could exist in multiple contexts.

John - should be able to define a policy that can apply to different contexts. E.g. transacted ops on Amazon are secure, non-transacted are not.  Higher-level framework in which to describe that and those policy descriptions.  I see context as separate from policy.

Ron - context is the thing that allows you to express all policies (of the client?) Describe the aspects of a security policy that you want to deploy. Could be your active event, express all of its properties.  One large area is its security policy.  Could be more than one security policy in a context.

Martijn - describe security attributes by getting some data, get list of books, and buy one of them. Not interested in security for all of this.

John S - important point. Many things out there need policies (choice of algorithms, etc)  Prateek - specs, even in life there are many policies.  John S - take this and express a general policy language.  Prateek - I'd be excited as a professional, but what does it have to do with OASIS?

Tim - how do we explain which security mechanisms need to be applied between the parties?  More broadly, this is an issue of policy and its expression.  But what do we do with this particular proposal?

John S - I'd like to see the industry come up with a general policy framework, and have the security policy be a specific set of nouns and verbs within. I'd hate a one off that would be replaced by that broader mechanism.

Jerry - People implementing web services and intending to use this standard want a mechanism to exchange the required information for things that are out of band.  If we don't do it here, they'll have to do case-by-case in a non-standard way.  The question is whether someone provides an interoperable standard way of doing it.

Tim - wrap this phase of the discussion, turn to what we do about this topic.

Ron - Let's say that [my understanding of John's point] is that there should be a way of expressing a unification framework for policies.  My question is "would you expect that to be built from common building blocks that are being reused? are you forcing this from the bottom up? would you end up with the same elements?"

John - I want the group to think about the broader context, and that this isn't the end of the line. Determine that the mechanisms we define here have applicability beyond security.

Martijn - Say in mid 2003 WSS is standardized. Then we're told we can produce toolkits for adding things, but no WS client can really make use of WSS because it's a manual process defining what to sign, and error messages.  End up with WSS...

John S - We must solve this problem.  Martijn - delays a general framework until 2004 probably. We need way to express security policies pretty fast.

Tim - The Liaison Statement on mailing list [see earlier links] contains link to work we've done.  Referencing sec policy from SOAP and WSDL.

Tim will propose a Motion - That the WSS TC resolves to form a subcommittee and instructs its members to advance the work of the QoP discussion group to OASIS Standard by Summer 2003.

John S - We've said from first meeting of the TC that there's a need for a general policy framework - there are people at MS and other companies that have expertise, and we could bring them together. 

Frank - I stress that for the OGSA framework, we are using the WSS elements already for 6 months. We have a version of WS Trust, WS Policy, whatever these boxes [in Tim's slides] are.  Not giving any dates is very frustrating when we want to move on.

Tony - This brings up issues of OGSA also creating a general policy framework, inventing the same thing.

John S - Wouldn't it be great if we had a group put together to do something about policy in the broader sense.

Robert P - More general sooner? get some consensus around this description to get some interop going.  When you go to a service, accept it or not.

Monica - some people who would be actively interested.  Already discussions on this in WSRP and WSIA.

John S - Think of policy broadly.  A while back, when we originally talked of WSS, we said that we should have a roadmap of specs and a general policy language.  I've heard from a lot of partners and customers.  I'd hate to see people investing in a point solution when I know there are people out there thinking about the broader solution.  We should devote our energies to solving the broader solution, then the specific.

Jerry - If we had a motion, then you'd be opposed?

John S - I'd make a friendly amendment to determine interest in a broader solution before doing a point solution.

Frank - could we do this so minimal profiles can be defined to do this in the near future?

John S - that would be great.

Ron - This is a semantic model transformed into XML? Tim has captured a concrete representation of a semantic model. When someone comes up with a grand unification model, could reuse.

Tony - Don't want to formalize the 10-20 ways that service could be formalized. John is advocating a more general framework.  Then some group could do this.

Ron - There is a semantic model for policy that could be formalized and prepared for entry into WSDL. What you're suggesting allows for both things to go on at the same time. Grand semantic model, and at the same time have the specific profiles that we need.

Martijn - Define what are the tokens we need to describe (types, parameters), and way to exchange these policies. Probably not inside this group - dedicate to some other group.  Also, look at language for describing the semantics.  Add semantics to the tokens.

John S - Exactly what I'm looking for.  People inside and outside this room could bring expertise.

Chris - could bring in relevant MS people from various policies.  To have the right intellectual horsepower on it, we might create an unbalanced and unpleasant experience.

Frank - we need it for this WSS stuff, need negotiation.

Chris - we've achieved a refinement of work.  Published XML Signature; doing a good job on WSS. There are more steps that are needed.

Frank - if you throw this off the wall, everyone will invent their own.

Chris - but there will be a standards group that will address this. This is a point on a continuum.

Tim - Summary: some are naturally bottom-up, some top-down, and that will be illustrated when this is voted.

Don Flinn - Grand unification can take multiple years. We want baby solutions along the way. This is more than a process question.

Ron - Who's going to work on this problem? We're here to work on WSS so it's something we all could use.  Tim got people that are interested in policy together.

Tony - I agree we're trying to solve security problem. But even if I want to negotiate, what language and what level of expression to negotiate in?

Ron - Your reps could come to this forum and steer it.

John S - Your point is we have a bunch of "security people" but others have transaction, reliable messaging experts, and other kinds of experts, metadata experts.  They would like to participate in this, but don't have experience with what we have in security.  Let's talk about a detailed timeline?

Martijn - I want a sub-TC to express security policy with a link back to this TC.

Jerry - If this other group that you're hypothesizing actually existed, we'd probably want to form a liaison (or subcommittee) to work with this other group you're hypothesizing.  Form this subgroup as liaison to the grand unification committee when that committee actually exists.

John S - Scope the subcommittee to define the whole thing, or the pieces of policy that are relevant to security in the broader environment.

Martijn - define our expectations with respect to policy exchange infrastructure, and (if we have these features available) what they are and how they would work.

Kelvin - There will be a charter issue whatever way we want to go.  Bear in mind how we want to go. Depending on how much additional work is proposed, this will get into a charter discussion.

ACTION on TC to consider impact of policy/QoP work. 

Tim - There was not a great deal of support for WSDL liaison - editors didn't respond.
Discussion group ends this coming Sunday.

Frank - Should we extend this discussion group and its time period? Kelvin - We need a concrete action at the end of this discussion list's life.

Peter Furniss - Assume it fits in with whatever John's group does. Short term, need something about what level of WSS things are required by this TC.  Need at least a requirements document. This is not a permanent building with full architecture - an interim policy description, not committed to OASIS spec.

John S - Sounds very rational.

Tony - Was there a requirements doc?
Tim - One doc. No use cases.

Jerry - Concrete task for this possible subcommittee - Chris will come up with a scenario/script  with a lot of the info/docs we expect to exchange [for interoperability work].  That could be a useful input.  Chris - people go off and come back with a requirements document. 

ACTION ON CHAIRS? - Create a subgroup to come up with requirements.


Monica - There's an issue about the identity and propagation of roles brought up in the Security Joint Committee; there's a recommendation coming to take definitions from existing sources, compile them, and provide as input doc to the TAB.  (Board had feedback - don't do deliverables, don't do recommendations.) This will be input to the TAB as to how they recommend the formation of a TC to talk about the terms, relevance across the affected communities. No decision or advisement in the SJC.

Meeting closed at approximately 2:45pm.

ACTION ON TC - Phone next Tuesday, December 17. Members who attended this F2F should make every effort to attend.


