Subject: Minutes for WSS conf call, 2003-11-04
Sorry for the delay.
- RL "Bob"
---
Minutes for OASIS WSS-TC conference call, Tuesday 04 November 2003
Scribe: RL "Bob" Morgan
Summary:
* Minutes from previous call (2003-10-21) accepted unanimously
* no other votes
* major issues discussed:
    - domain attribute in UsernameToken
    - SOAP 1.1 vs 1.2
    - SOAP mustUnderstand
    - SOAP message normalization
Agenda:
1. roll call: attendance at end of this note, quorum achieved
2. review/approve minutes from previous call (2003-10-21)
[VOTE] approved, unanimous consent
3. Public Review status/ status of document updates / next steps
core and username token documents (Tony Nadalin):
target date of 11/15 for docs ready for review
both core and username token
Kelvin: still owes TC proposal on namespaces
X.509 token doc (Kelvin): new document posted, status not clear
Phill Hallam-Baker not on call
SAML token doc (Ron Monzillo)
some discussion on list ...
SAML interop spec posted (Rich Levinson)
Hal: ask for consideration of "value type" comment from Dave Orchard
as new issue
4. Issues list review
[31] Kelvin still to provide proposal
[127] Hal to provide non-normative text on non-visible namespaces
Hal: text provided on list a couple of months ago
he will dig up message reference, incorporate comments from Merlin
[133] changes accepted, editors to make changes
[134] closed based on Merlin's rec
[135] will be addressed by proposal re issue 31
[136] remains pending
[137] PasswordDigest in username profile, nonce first or last
Hal: appeared to be resolved via list discussion
no technical change required, perhaps take text as rationale
Hal will propose text
[138] - [162] remain pending waiting on editors to incorporate
some may have been incorporated into X.509, don't know yet
[169] replay token to different receiver
Jerry made posting re including domain in hash
Hal: if domain is part of username (eg foo@bar) then it's already
included
Jerry: but user wouldn't add it
Hal: but client has to know it, and would add it
Hal: if it's included, should be element, not attribute
Hal: proposed text taken from WS-I document
TC instructed to review messages and consider issue
[171] - [172] remain pending waiting on editors to incorporate
[173] SOAP 1.1 vs 1.2 terminology
Hal: plan has been to (a) support all SOAP versions; (b) have normative
text and examples be 1.1; (c) Hal will create appendix about changes
required for 1.2; but is this will of TC?
biggest problem is Dsig apparently being undefined for SOAP 1.2
Dave Orchard suggested possible approaches in msg
Bob: is it that Dsig can't be used with SOAP 1.2?
Rich: it is possible to create 1.2 messages that can't be signed
because they have no non-Infoset serialization
Rich: section 5 of core would have to be rewritten
make clear that 1.2 can be used with XML 1.0 serialization
(long discussion of mustUnderstand issue)
how to resolve?
ask OASIS TAB for guidance that would apply across many TCs?
yes, but need to make progress more quickly
participants will summarize positions to the list
Hal: please make issue 190 Open rather than Pending
Kelvin: OK
Kelvin: 173 will remain Open, will cover both editorial and tech issues
[196] QNames and URIs
TC: read W3C document on this topic, consider its implications
[200] normalization and intermediaries and signature breakage
Hal: should recommend new transform (SOAP message normalization)
may not need it in case of security token reference
Rich: yes, need this normalization in various cases
Hal: but this is an untested normalization, introduced at last minute ...
Ron: is this related to 1.2, since it's an Infoset norm?
Hal: should make supporting both 1.1 and 1.2 easier
[206] multiple encryptions and ordering
Hal: approach is agreed on, just have to make text clear
probably general cleanup needed in doc about processing rules/order
[217] awaiting proposal from Jerry, Kelvin will check
[233] security considerations improvements
Paula: working with Tony on draft
[234] SAML ...
Ron will update
Irving: back to [190] ...
made posting at end of October proposing handling of mustUnderstand
encourage TC to read and consider
another question: in absence of mU, can implementation handle only
part of an extension, or must it implement the whole thing
Bob: a new Issue?
Irving: part of defining mU ...
5. Other business
Rich L re SAML interop doc
need to agree on high-level objectives of scenarios
may lead to layering of scenarios, simple, signed, SSL, etc
(more discussion of signing and SSL)
testing of SSL may not be important for interop ...
Ron: use of authn assertions/statements may not be that useful
Hal: note that current issues list is not clear enough about dispositions
of issues
Kelvin: yes, will go thru and do that
6. Adjournment
----------------------------------------------------------------------
Attendance of Voting Members:
Gene Thurston         AmberPoint
Frank Siebenlist      Argonne National Lab
Merlin Hughes         Baltimore Technologies
Peter Dapkus          BEA
Hal Lockhart          BEA
Thomas DeMartini      ContentGuard
Guillermo Lao         ContentGuard
TJ Pannu              ContentGuard
Sam Wei               Documentum
John Hughes           Entegrity
Tim Moses             Entrust
Toshihiro Nishimura   Fujitsu
Irving Reid           HP
Jason Rouault         HP
Yutaka Kudo           Hitachi
Derek Fu              IBM
Kelvin Lawrence       IBM
Anthony Nadalin       IBM
Nataraj Nagaratnam    IBM
Ron Williams          IBM
Don Flinn             Individual
Bob Morgan            Individual
Paul Cotton           Microsoft
Vijay Gajjala         Microsoft
Ellen McDermott       Microsoft
Prateek Mishra        Netegrity
Frederick Hirsch      Nokia
Abbie Barbir          Nortel
Lloyd Burch           Novell
Ed Reed               Novell
Charles Knouse        Oblix
Vipin Samar           Oracle
Jerry Schwarz         Oracle
Eric Gravengaard      Reactivity
Rob Philpott          RSA Security
Martijn de Boer       SAP
Pete Wenzel           SeeBeyond
Yassir Elley          Sun Microsystems
Jeff Hodges           Sun Microsystems
Ronald Monzillo       Sun Microsystems
Jan Alexander         Systinet
Don Adams             TIBCO
John Weiland          US Navy
Attendance of Prospective Members or Observers
Coumara Radja         Sarvega
Kefeng Chen           GeoTrust
Blake Dournaee        Sarvega
Richard Levinson      Netegrity
Davanum Srinivas      CA
Paula Austel          IBM
David Orchard         BEA Systems
Chris Ferris          IBM
Membership status changes
Coumara Radja Sarvega - Granted voting status after 11/4/2003 call
Kefeng Chen GeoTrust - Granted voting status after 11/4/2003 call
Jonathan Tourzan Sony - Lost voting status after 11/4/2003 call
Andrew Nash RSA Security - Lost voting status after 11/4/2003 call