Subject: Minutes from August 24 meeting
- From: Paula K Austel <pka@us.ibm.com>
- To: wss@lists.oasis-open.org
- Date: Tue, 24 Aug 2004 12:07:01 -0400
1. Call to order, roll call
Paula Austel - minutes
Steve Anderson - roll call
Attendance of Voting Members
Gene Thurston AmberPoint
Frank Siebenlist Argonne National Lab
Hal Lockhart BEA
Corinna Witt BEA
Merlin Hughes Betrusted
Thomas DeMartini ContentGuard
Guillermo Lao ContentGuard
Sam Wei Documentum
Tim Moses Entrust
Dana Kaufman Forum Systems
Toshihiro Nishimura Fujitsu
Kefeng Chen GeoTrust
Irving Reid HP
Kojiro Nakayama Hitachi
Paula Austel IBM
Maryann Hondo IBM
Kelvin Lawrence IBM
Anthony Nadalin IBM
Nataraj Nagaratnam IBM
Bob Morgan Internet2
Kate Cherry Lockheed Martin
Vijay Gajjala Microsoft
Alan Geller Microsoft
Chris Kaler Microsoft
Richard Levinson Netegrity
Prateek Mishra Netegrity
Frederick Hirsch Nokia
Abbie Barbir Nortel
Lloyd Burch Novell
Charles Knouse Oblix
Steve Anderson OpenNetwork
Vamsi Motukuru Oracle
Ben Hammond RSA Security
Andrew Nash RSA Security
Rob Philpott RSA Security
Martijn de Boer SAP
Coumara Radja Sarvega
Pete Wenzel SeeBeyond
Jeff Hodges Sun Microsystems
Ronald Monzillo Sun Microsystems
Jan Alexander Systinet
Symon Chang TIBCO
John Weiland US Navy
Phillip Hallam-Baker VeriSign
Maneesh Sahu Westbridge Technology
Attendance of Prospective Members
Chong-Jen Hsu CommerceOne
Membership Status Changes
Nazrul Islam CommerceOne - Requested membership 8/16/2004
Chong-Jen Hsu CommerceOne - Requested membership 8/23/2004
Steven Lewis Booz Allen Hamilton - Lost voting status after 8/24/2004 call
2. Reading/approving minutes of last meeting (August 10th)
Approved
3. Quick update on chair actions (mostly web page updates)
Kelvin -
Rebuilt web page from scratch to update links.
The web page points to public errata #1 instead of
errata #2. This needs to be fixed. Could not find version 2 in Kavi. Will
update web page as soon as the new version (#3) is ready.
People need to specify when a document should be public
(by default will make document private).
4. Public review status
REL and SAML specs in public review.
There was a question about whether there was one comment
on SAML profile. Ron had not seen the comment so it should be brought to
his attention if there is a comment.
Security Services (SAML) TC has announced review of
SAML token profile but the group has been busy with the SAML 2.0.
5. Errata status
No normative changes for fixing errata. Tony can fix
non-normative issues if people agree. Do we need a new vote?
Chris: editors to get errata updated as quickly as
possible and have an electronic vote.
Other activity is merging errata into new working
draft.
Ron - few more edits needed to X509 profile for conversion
to V3. This is part of Issue 293.
6. Status of other profiles
Frederick - sent out version 8 for SwA profile, fixes
issues 312 and 309.
Tony update on Kerberos - not many comments. Need
to clarify that AP-REQ is at GSS level.
Ron - Why are we defining wire protocols based on
APIs?
Chris - GSS is not an API
Ron - not a bad idea to have GSS support
AP-REQ part of Kerberos spec and GSS API wraps AP-REQ
with wrapper.
Ron - can we have both? Can we have a GSS binding?
For a Kerberos mechanism it should be more native to Kerberos.
Hal - type identifier to distinguish between tgt and
service tickets. Can we extend the type identifier?
Ron - agrees, but processing model for GSS is different
Chris - I don't think the processing model is different
ACTION Tony - Investigate the use of GSS to
see if it is consistent with AP-REQ in Kerberos. If so, use BST type to
distinguish.
Comment - Do not want GSS API when used here to mean
MUST be Kerberos
7. Issue list review
Version 47 of issue list
Pending Issues:
Issues 282, 290: no update
Issue 298: come back to this
Issue 309: 2 issues, SwA is fixed, general comment
about core. non-normative.
Action for editors to review 309 for version
3 of errata
Open issues:
Issue 310:
2 new comments on the list. What's the difference
between 310 and 298? 298 - token ordering in the core. 310 - Vijay sent
a note to the list.
Vijay - Use issuer/serial has issues on what certificate
to use. Hash on the certificate in case SKI is not present. Presented an
alternate solution.
Hal - what is the issue with issuer/serial?
Based on X500 name matching.
Chris - a lot of people have interop problems on X500
matching because they use shortname and there is not a lot of consistency
in this space
Hal - can insist on exact binary match.
Chris - if you want to use issuer/serial then go ahead,
if you want to use Key Identifier can we specify an algorithm?
Chris - RFCs give just a digest of public key
Hal - using thumbprint
Chris - thumbprint unambiguous
Hal - no document that defines thumbprint but it is
common in industry
Ron - we have products that store certs.
Chris - leave this as open and come back to this in
next call
Ron - if there isn't an SKI - don't use SKIs?
Chris - what to do if there isn't an SKI, can we come
up with a SHA-1 that is unambiguous.
Ron - Issue: May need to have control over indexing
of cert store.
Chris - does every store do index by issuer/serial?
Hal - more likely for this kind of thumbprint
Phil - putting certificates in a directory not a good
idea anyway.
Need to revisit this issue
Issue 312:
mark as pending for people to review draft 8 of SwA
profile
http://www.oasis-open.org/apps/org/workgroup/wss/download.php/8893/wss-swa-profile-1.0-draft-08-diff.pdf
Part of 312 is an action against core:
Reference lists can be in more than one place. Ambiguous
in core which you need to use in some circumstances.
Make clarification: If encrypted data is referenced
from encrypted key within the security header you don't need separate ref
list as a child of security header.
http://www.oasis-open.org/archives/wss/200408/msg00043.html
ACTION: Capture as a separate issue
Need encrypted data in security header for attachments.
Issue 313:
Pending new errata
Issue 314:
Pending new errata
Issue 315:
Dana - provide PKI example
Dana - in the core doc there are no PKI examples.
Should we add one?
Chris - people did not want a forward reference from
core to other token profiles.
Dana - can we clarify that the lack of a PKI example
does not mean that it is not recommended?
Chris - spec specifies that any token type can be
used.
Hal - add text to specify why examples are limited
in the core. Direct readers to look at examples in relevant profile documents.
Action on Hal - Draft proposed errata text
for above.
Issue 316:
SwA - fixed in draft 8, mark as closed. Minor namespace
issue.
Dana - does this also apply to core?
Frederick - I don't think so.
Issues 317-318:
New proposals related to deferred items. Sent to the
list late yesterday.
Alan - encrypted header proposal - standardize treating
headers that are encrypted with new EncryptedHeader element.
http://www.oasis-open.org/archives/wss/200408/msg00057.html
Ron - are you suggesting this for the core doc?
Alan - yes
Alan - the next document is a separate profile - EncryptedKey
as a token profile
http://www.oasis-open.org/archives/wss/200408/msg00058.html
Refer to an EncryptedKey in another (future) message.
Can be done with no changes to core.
last proposal - signature confirmation - demonstrate
that the response is for the request that was sent.
http://www.oasis-open.org/archives/wss/200408/msg00059.html
Leave these open - people should review and discuss
on the list.
Postponed items:
Issue 67:
Hal - posted document, named profile but not really
a profile. Defines 5 symbols for usage value.
http://www.oasis-open.org/archives/wss/200408/msg00064.html
Mark this as open and TC should review.
8. Interop planning status (Kerberos, SwA)
SwA interop - Frederick (Blake could not attend today)
7 out of 8 companies can participate
Most companies can make end of Oct to mid Nov
2 proposed dates: week of Oct 25 or week of Nov 15
Need to have people vote on which date they prefer.
Document for scenarios should be ready for next meeting.
Alan - no updates on Kerberos interop
9. Other business
Kelvin - Public review ends on the 29th. Have not
seen any comments. If there is one on SAML then no-one knows about it.
Rob - will repost a request to the SAML TC
Hal - WS-I BSP did not find much with the SAML spec
(there is a question about a MUST statement)
New issue: SAML spec listed as an interim draft not
a committee draft
New Issue: Currently named WSS-SAML-15 - needs official
committee draft naming
Need to make changes and reapprove as committee draft.
Kelvin - model it on naming from the past - don't
have exact numbers yet
New Issue: REL profile needs updating too (for naming).
Can't change drafts until after public review period.
Hal - no substantial comments from BSP group.
Kelvin - Need new sponsors for calls
10. Adjournment
Adjourned at 11:09am EDT
----------------------------------------------------------
Paula K. Austel
Web Services Security
IBM T.J. Watson Research Center
(914)784-5025
Tieline 863-5025
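The issue 310 discussion above compares three ways of pointing at a certificate: issuer/serial (which depends on X.500 name matching), the SubjectKeyIdentifier (a digest of the public key, as the RFCs define it) and a SHA-1 thumbprint of the whole certificate (a binary match with no name-matching rules). The following Python is an added illustration, not part of the minutes or of any WSS TC document. It assumes a hand-rolled DER encoder, a toy certificate structure that is hashed like a certificate but is not a valid X.509 Certificate, a toy RSA modulus, and a small constructed table of attribute-type short names; all of these are labelled in the code.

```python
import hashlib

# ---- minimal DER encoder (constructed for this example; not a full ASN.1 library) ----
def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with the given tag (short- or long-form length)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body

def der_int(value: int) -> bytes:
    """DER INTEGER; the extra byte keeps values whose top bit is set positive."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"

def rsa_spki(modulus: int, exponent: int) -> tuple[bytes, bytes]:
    """Return (SubjectPublicKeyInfo DER, raw subjectPublicKey bits) for an RSA key."""
    key_bits = der_seq(der_int(modulus), der_int(exponent))        # RSAPublicKey
    bit_string = der(0x03, b"\x00" + key_bits)                      # 0 unused bits
    return der_seq(der_seq(RSA_ENCRYPTION_OID, DER_NULL), bit_string), key_bits

# ---- the three reference styles from the issue 310 discussion ----
def subject_key_identifier(key_bits: bytes) -> bytes:
    """SKI per RFC 5280 section 4.2.1.2 method (1): SHA-1 of the subjectPublicKey
    BIT STRING value, excluding tag, length and the unused-bits byte."""
    return hashlib.sha1(key_bits).digest()

def thumbprint(cert_der: bytes) -> bytes:
    """SHA-1 over the complete DER-encoded certificate: a pure byte comparison,
    so no name-matching rules are involved."""
    return hashlib.sha1(cert_der).digest()

# Attribute-type labels differ between products; mapping them to OIDs is the first
# thing an issuer/serial matcher must get right. Constructed subset, not a registry.
ATTR_OID = {"CN": "2.5.4.3", "commonName": "2.5.4.3",
            "O": "2.5.4.10", "organizationName": "2.5.4.10",
            "C": "2.5.4.6", "countryName": "2.5.4.6"}

def parse_dn(dn: str) -> tuple:
    """Split 'CN=x, O=y' into ((oid, value), ...); values are kept as written."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr = attr.strip()
        rdns.append((ATTR_OID.get(attr, attr), value.strip()))
    return tuple(rdns)

def issuer_serial_match(ref_issuer: str, ref_serial: int,
                        cert_issuer: str, cert_serial: int, normalize: bool) -> bool:
    """Match an issuer/serial reference against a certificate. With normalize=False
    this is the plain string comparison that breaks on short vs. long name spellings."""
    if ref_serial != cert_serial:
        return False
    if not normalize:
        return ref_issuer == cert_issuer
    return parse_dn(ref_issuer) == parse_dn(cert_issuer)

def toy_certificate(serial: int, issuer: str, spki: bytes) -> bytes:
    """Constructed stand-in for a certificate's DER bytes: enough structure to hash,
    NOT a valid X.509 Certificate."""
    return der_seq(der_int(serial), der(0x0C, issuer.encode()), spki)

def demo() -> dict:
    # Toy modulus, not a real RSA key; only its encoding matters here.
    spki, key_bits = rsa_spki(modulus=0xC0FFEE_DEAD_BEEF_0001, exponent=65537)
    cert = toy_certificate(4242, "CN=Example CA, O=Example", spki)
    reissued = toy_certificate(4243, "CN=Example CA, O=Example", spki)  # same key, new serial
    long_form = "commonName=Example CA, organizationName=Example"
    return {
        "ski": subject_key_identifier(key_bits).hex(),
        "thumbprint": thumbprint(cert).hex(),
        # Same issuer written two ways: exact compare fails, OID-normalized compare succeeds.
        "exact_match": issuer_serial_match(long_form, 4242, "CN=Example CA, O=Example", 4242, False),
        "normalized_match": issuer_serial_match(long_form, 4242, "CN=Example CA, O=Example", 4242, True),
        # Re-issuing the same key under a new serial changes the thumbprint, not the SKI.
        "reissue_changes_thumbprint": thumbprint(cert) != thumbprint(reissued),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `normalize=False` branch is the failure mode Chris describes: two products that spell the same issuer differently will never agree on an issuer/serial reference, while the thumbprint path compares fixed bytes and is unambiguous for a given encoding. The trade-off Ron raises is also visible: a reissued certificate for the same key keeps its SKI but gets a new thumbprint, so a store indexed by thumbprint has to be updated on every reissue.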