OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes from August 24 meeting



1. Call to order, roll call
Paula Austel - minutes
Steve Anderson - roll call
Attendance of Voting Members
 
  Gene Thurston AmberPoint
  Frank Siebenlist Argonne National Lab
  Hal Lockhart BEA
  Corinna Witt BEA
  Merlin Hughes Betrusted
  Thomas DeMartini ContentGuard
  Guillermo Lao ContentGuard
  Sam Wei Documentum
  Tim Moses Entrust
  Dana Kaufman Forum Systems
  Toshihiro Nishimura Fujitsu
  Kefeng Chen GeoTrust
  Irving Reid HP
  Kojiro Nakayama Hitachi
  Paula Austel IBM
  Maryann Hondo IBM
  Kelvin Lawrence IBM
  Anthony Nadalin IBM
  Nataraj Nagaratnam IBM
  Bob Morgan Internet2
  Kate Cherry Lockheed Martin
  Vijay Gajjala Microsoft
  Alan Geller Microsoft
  Chris Kaler Microsoft
  Richard Levinson Netegrity
  Prateek Mishra Netegrity
  Frederick Hirsch Nokia
  Abbie Barbir Nortel
  Lloyd Burch Novell
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Vamsi Motukuru Oracle
  Ben Hammond RSA Security
  Andrew Nash RSA Security
  Rob Philpott RSA Security
  Martijn de Boer SAP
  Coumara Radja Sarvega
  Pete Wenzel SeeBeyond
  Jeff Hodges Sun Microsystems
  Ronald Monzillo Sun Microsystems
  Jan Alexander Systinet
  Symon Chang TIBCO
  John Weiland US Navy
  Phillip Hallam-Baker VeriSign
  Maneesh Sahu Westbridge Technology
 
 
Attendance of Prospective Members
 
  Chong-Jen Hsu CommerceOne
 
 
Membership Status Changes
 
  Nazrul Islam CommerceOne - Requested membership 8/16/2004
  Chong-Jen Hsu CommerceOne - Requested membership 8/23/2004
  Steven Lewis Booz Allen Hamilton - Lost voting status after 8/24/2004 call
 

2. Reading/approving minutes of last meeting (August 10th)
Approved
 
3. Quick update on chair actions (mostly web page updates)
Kelvin -
Rebuilt web page from scratch to update links.
The web page points to public errata #1 instead of errata #2. This needs to be fixed. Could not find version 2 in Kavi. Will update web page as soon as the new version (#3) is ready.
People need to specify when a document should be public (by default will make document private).  
4. Public review status
REL and SAML specs in public review.
There was a question about whether there was one comment on SAML profile. Ron had not seen the comment so it should be brought to his attention if there is a comment.
Security Services (SAML) TC has announced review of SAML token profile but the group has been busy with the SAML 2.0.
5. Errata status
No normative changes for fixing errata. Tony can fix non-normative issues if people agree. Do we need a new vote?
Chris: editors to get errata updated as quickly as possible and have an electronic vote.
Other activity is merging errata into new working draft.
Ron - few more edits needed to X509 profile for conversion to V3. This is part of Issue 293.
6. Status of other profiles
Frederick - sent out version 8 for SwA profile, fixes issues 312 and 309.
Tony update on Kerberos - not many comments. Need to clarify that AP-REQ is at GSS level.
Ron - Why are we defining wire protocols based on APIs?
Chris - GSS is not an API
Ron - not a bad idea to have GSS support
AP-REQ part of Kerberos spec and GSS API wraps AP-REQ with wrapper.
Ron - can we have both? Can we have a GSS binding? For a Kerberos mechanism it should be more native to Kerberos.
Hal - type identifier to distinguish between tgt and service tickets. Can we extend the type identifier?
Ron - agrees, but processing model for GSS is different
Chris - I don't think the processing model is different
ACTION Tony - Investigate the use of GSS to see if it is consistent with AP-REQ in Kerberos. If so, use BST type to distinguish.
Comment - Do not want GSS API when used here to mean MUST be Kerberos

7. Issue list review
Version 47 of issue list
Pending Issues:
Issue 282,290: no update
Issue 298: come back to this
Issue 309: 2 issues, SwA is fixed, general comment about core. non-normative.
Action for editors to review 309 for version 3 of errata
Open issues:
Issue 310:
2 new comments on the list. What's the difference between 310 and 298. 298 - token ordering in the core. 310 - Vijay sent a note to the list.
Vijay - Use issuer/serial has issues on what certificate to use. Hash on the certificate in case SKI is not present. Presented an alternate solution.
Hal - what is the issue with issuer/serial?
Based on X500 name matching.
Chris - a lot of people have interop problems on X500 matching because they use shortname and there is not a lot of consistency in this space
Hal - can insist on exact binary match.
Chris - if you want to use issuer/serial then go ahead, if you want to use Key Identifier can we specify an algorithm?
Chris - RFCs give just a digest of public key
Hal - using thumbprint
Chris- thumbprint unambiguous
Hal - no document that defines thumbprint but it is common in industry
Ron - we have products that store certs.
Chris - leave this as open and come back to this in next call
Ron - if there isn't an SKI - don't use SKIs?
Chris - what to do if there isn't an SKI, can we come up with a SHA-1 that is unambiguous.
Ron - Issue: May need to have control over indexing of cert store.
Chris - does every store do index by issuer/serial?
Hal - more likely for this kind of thumbprint
Phil - putting certificates in a directory not a good idea anyway.
Need to revisit this issue

Issue 312:
mark as pending for people to review draft 8 of SwA profile
http://www.oasis-open.org/apps/org/workgroup/wss/download.php/8893/wss-swa-profile-1.0-draft-08-diff.pdf
Part of 312 is an action against core:
Reference lists can be in more than one place. Ambiguous in core which you need to use in some circumstances.
Make clarification: If encrypted data is referenced from encrypted key within the security header you don't need separate ref list as a child of security header.
http://www.oasis-open.org/archives/wss/200408/msg00043.html  
ACTION: Capture as a separate issue
Need encrypted data in security header for attachments.
Issue 313:
Pending new errata
Issue 314:
Pending new errata
Issue 315:
Dana - provide PKI example
Dana - in the core doc there are no PKI examples. Should we add one?
Chris - people did not want a forward reference from core to other token profiles.
Dana - can we clarify that the lack of a PKI example does not mean that it is not recommended?
Chris - spec specifies that any token type can be used.
Hal - add text to specify why examples are limited in the core. Direct readers to look at examples in relevant profile documents.
Action on Hal - Draft proposed errata text for above.
Issue 316:
SwA - fixed in draft 8, mark as closed. Minor namespace issue.
Dana - does this also apply to core?
Frederick - I don't think so.
Issues 317-318:
New proposals related to deferred items. Sent to the list late yesterday.
Alan - encrypted header proposal - standardize treating headers that are encrypted with new EncryptedHeader element.
http://www.oasis-open.org/archives/wss/200408/msg00057.html
Ron - are you suggesting this for the core doc?
Alan - yes
Alan - the next document is a separate profile - EncryptedKey as a token profile
http://www.oasis-open.org/archives/wss/200408/msg00058.html
Refer to an EncrypedKey in another(future) message.  Can be done with no changes to core.
last proposal - signature confirmation - demonstrate that the response is for the request that was sent.
http://www.oasis-open.org/archives/wss/200408/msg00059.html
Leave these open - people should review and discuss on the list.
Postponed items:
Issue 67:
Hal - posted document, named profile but not really a profile. Defines 5 symbols for usage value.
http://www.oasis-open.org/archives/wss/200408/msg00064.html
Mark this as open and TC should review.

8. Interop planning status (Kerberos, SwA)
SwA interop - Frederick (Blake could not attend today)
7 out of 8 companies can participate
Most companies can make end of Oct to mid Nov
2 proposed dates: week of Oct 25 or week of Nov 15
Need to have people vote on which date they prefer.
Document for scenarios should be ready for next meeting.

Alan - no updates on Kerberos interop
 
9. Other business
Kelvin - Public review ends on the 29th. Have not seen any comments. If there is one on SAML then no-one knows about it.
Rob - will repost a request to the SAML TC
Hal - WS-I BSP did not find much with the SAML spec (there is a question about a MUST statement)
New issue: SAML spec listed as an interim draft not a committee draft
New Issue: Currently named WSS-SAML-15 - needs official committee draft naming
Need to make changes and reapprove as committee draft.
Kelvin - model it on naming from the past - don't have exact numbers yet
New Issue: REL profile needs updating too (for naming).
Can't change drafts until after public review period.
Hal - no substantial comments from BSP group.

Kelvin - Need new sponsors for calls

10. Adjournment
Adjourned at 11:09am EDT


----------------------------------------------------------
Paula K. Austel
Web Services Security
IBM T.J. Watson Research Center
(914)784-5025
Tieline 863-5025

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]