[wss] Minutes for January 28, 2003 Conference Call

["Mishra, Prateek" <pmishra@netegrity.com>]

1. Roll Call
Quorum achieved (Steve will provide the roll-call details).


2. 

Kelvin:  

(a) OASIS is moving to the Kavi system for managing the activities of
working groups. It will
include facilities for voting etc. 

(b) Sponsors for WSS TC conference call are urgently needed. Participants
are strongly urged
to sponsor a call; approximately 45-55 people call in.


(c) Revised minutes have been posted and are available at:

http://lists.oasis-open.org/archives/wss/200301/msg00064.html

John Shewchuk: clarifications around the discussion of policy in the
minutes.

Minutes are accepted modulo John's clarifications which he will post to the
list.


(d) Rob Philpott: naming conventions for WSS documents

Discussion has been ongoing for some time. 

Suggested names for the core documents:

Web Services Security : SOAP Message Security
Web Services Security : Core Specification


Suggested names for the "binding" documents

Web Services Security : <Token-Type> Token Profile
Web Services Security : <Token-Type> Token Binding

The Token Profile choice was preferred by many individuals.

Kelvin: would like to take a vote and close this issue.

John Shewchuk: concern that "Web Services Security : SOAP Message Security"
sounds limiting
as additional specifications (some of which have already been published)
leverage this specification
to solve additional problems. These problems go beyond solving just the
issue of "SOAP Message Security".

Rob Phillpott: Does that not suggest that this specification should stay
focussed on "SOAP Message Security"?

Ed Reed: Concern that name should clarify distinction between this and other
security-related efforts such as, 
for example, various other "Web Service" Security specifications published
in December.

Kelvin : There will be also a formal OASIS name that formally and
unambiguously identifies this effort. 

Kelvin: call for vote on the choices.

Steve takes the vote:

34 (option 1) 13 (option 2)

37 (option 1) 11 (OPTION 2)

THerefore, the names 


Web Services Security : SOAP Message Security

Web Services Security : <Token-Type> Token Profile

are chosen.


ACTION: Editors to make changes to document names.


(e) John Shewchuk: in contact with Ron Monzillo and Tim Moses on the issue
of Policy specifications etc.
Will respond in greater detail later.

(f) 

Editors speak to the current state of the documents.

Ron Monzillo: 

SAML Token Profile
http://lists.oasis-open.org/archives/wss/200212/msg00100.html

Some comments on Sender Vouches have been received. Additional issue is a
missing transform
description. Ron will publish new version addressing issues in the next
week.

Tony Nadalin:

SOAP Message Security Document

http://lists.oasis-open.org/archives/wss/200301/msg00062.html

Main achievement is the separation of password issues from the main
document. (Issue 53).

The user-name and password token is now described separately in document 

http://lists.oasis-open.org/archives/wss/200301/msg00067.html


Ron Monzillo: concern about the exact split between the two documents.

Phil Hallan-Baker

Revised XRML Profile document is ready and now that naming conventions are
ready,
should be able to publish soon.

Have not received any comments on Kerberos and X.509 Profile document.
Comments are
solicited.

Phil plans to publish fresh versions of all three profiles later in the
week. 


(g) 

Chris Kaler: Are the drafts mature enough for inter-operability testing?

Zahid Ahmed: are there specific dates for the inter-op demo?

Chris, Kelvin: Sometime in March was considered a reasonable target.

WSS TC Co-Chairs begin to work through the current issues list.

http://lists.oasis-open.org/archives/wss/200301/msg00019.html

ISSUE 06: Closed.
ACTION: Kelvin to update Road Map URL in WSS TC pages to the permanent URL.

ISSUE 09: Closed.

ISSUE 10, 11: Deferred.

ISSUE 19: Pending.

ISSUE 25: Deferred to POST-interOp.

ISSUE 28: Closed.

ISSUE 46: Deferred until scenarios discussion completes.

ISSUE 47: Closed.

ISSUE 48, 49: Closed.

ISSUE 50: Closed.

Ron: Has Chris Kaler's use model for tokens be added to the SOAP message
security document?
Tony, Chris: it has been added as an appendix.

ISSUE 52: Closed.

ISSUE 53: Closed.

ISSUE 56: Closed.

ACTION: Kelvin to speak with Karl Best concerning OASIS namespace linked to
OASIS web site.

Jeff Hodges: concern that IPR statement does not reference the wsu component
of the document.
Chris: IPR statement does not reference any namespace only relevant
document. 

ISSUE 59: Pending (Phil will post new version of XRML Profile).

ISSUE 60: Pending.

Tom DeMartini: concern about use of term of "proof of possession" in various
drafts. What does it
mean?

Ron Monzillo: support this concern. Mostly used in the profiles, but does
occur in one place in the core. 
If that could be removed carefully, then it could be systematically removed
from all the profiles.

Phil H-B: prefer authentication to proof of possession. 

Ron Monzillo: message senders provide proof, message recipients authenticate
senders.

Phil H-B: concern that proof of possession is being used in a non-standard
way.

Ron will propose text to move this forward.

Thomas Demartini: points to message

http://lists.oasis-open.org/archives/wss/200301/msg00006.html

General discussion driven by Ron and Thomas. 

ACTION: Tony, Ron and Thomas to propose text and update main and subsidiary
drafts.


ISSUE 61: Pending

ACTION: Tony to work with Frederick to resolve.


ISSUE 62: Deferred to POST-interop draft.

Chris, what is this issue really?
Ron: This has to do with independent versioning of the profiles.

ISSUE 63: Resolved. 

ACTION: Tony, Ron and Chris will define a transform that will help settle
this issue.

Don Flinn: This is an important issue. It should be settled before the
interOp.

Ron Monzillo: Jerry has published a note on this issue.

http://lists.oasis-open.org/archives/wss/200212/msg00104.html


ISSUE 64, 65: Deferred to Post InterOp.


(h)

Chris Kaler: Are there any other issues (other than ISSUE 63, and user-name
and password)
that are blocking before we consider the drafts mature enough for an
inter-operability.

Ron Monzillo: issue of working with tokens that are signed in the SOAP
header but
the token itself is found elsewhere.

Gene Thurston, Ron Monzillo: Perhaps there is a need for a generic security
token
reference form?

LOOK AT ACTION 63 ABOVE.


Prateek: concern that current draft of the password model
requires availability of plain text password in the security system. I view
this as
a blocking issue for the interOperability draft. This issue is described in:

http://lists.oasis-open.org/archives/wss/200212/msg00063.html

Ron: SUN lawyers would like to look at the IPR and legal details. 
Kelvin: Please contact me for IBM position on IPR and legal issues.
Chris: Microsoft has published their information to the list.


Kelvin: proposal is to work towards an inter-operability scenarios on the
list.


Discussion on use-case scenarios. (Eric) The original use-case and primer
sub-group has
not made much progress in this space. Motion to adjourn.

Chris Kurt identified himself on the call.