Subject: Minutes from May 3, 2005
Agenda:
1. Call to order, roll call
2. Reading/approving minutes of last meeting (19th April [1])
3. Gartner interop demo results/feedback/lessons learned
4. Issue list review & document status
5. Kerberos Interop status
6. Other business
7. Adjournment
[1] http://lists.oasis-open.org/archives/wss/200504/msg00016.html
1. Call to order, roll call
Attendance of Voting Members
Maneesh Sahu Actional Corporation
Gene Thurston AmberPoint
Hal Lockhart BEA
Thomas DeMartini ContentGuard
Sam Wei Documentum
Dana Kaufman Forum Systems
Kefeng Chen GeoTrust
Kojiro Nakayama Hitachi
Derek Fu IBM
Kelvin Lawrence IBM
Mike McIntosh IBM
Ron Williams IBM
Don Flinn Individual
Kate Cherry Lockheed Martin
Paul Cotton Microsoft
Vijay Gajjala Microsoft
Chris Kaler Microsoft
Richard Levinson Netegrity
Jeff Hodges NeuStar
Frederick Hirsch Nokia
Abbie Barbir Nortel
Vamsi Motukuru Oracle
Prateek Mishra Principal Identity
Ben Hammond RSA Security
Rob Philpott RSA Security
Pete Wenzel SeeBeyond
Ronald Monzillo Sun Microsystems
Jan Alexander Systinet
Symon Chang TIBCO
John Weiland US Navy
Hans Granqvist VeriSign
Membership Status Changes
Ramana Turlapati Oracle Withdrew 5/3/2005
Steve Orrin Watchfire Lost prospective status after 5/3/2005 meeting
2. Reading/approving minutes of last meeting (19th April [1])
No issues, minutes accepted.
3. Gartner interop demo results/feedback/lessons learned
A large number of participants were at the interop. Thanks to all from Kelvin and Chris, and especially to Hal for leading the interop.
Please email interop issues to Hal so he can make a list for lessons learned.
Patrick Gannon, from OASIS, gave a kick-off speech. Kelvin and Chris gave an intro; Hal gave a quick pitch on what WS-Security is.
A user from Wachovia, who is using WS-Security, conveyed a positive impression of his experience. His only issue was that
different products deploy different versions of the standards. Spec stability would resolve this issue; it should be behind us in the next year or two.
Most left the demo with a good impression of all the companies working together; we achieved the goals that we at OASIS had for the event.
If lessons learned are forwarded to Hal, he will compile them, update the TC, and forward them to the WS-I BSP for consideration.
4. Issue list review & document status
Chris and Vijay worked the issues; version 65 of the issues list was posted yesterday.
Three pending review items:
371 X.509v1 Certificate support in 1.0 Errata
373 WSS spec legibility
374 TokenType URI for EncryptedKey
No comments; with no objections, proposed to mark them Closed.
371, 373, and 374 Closed.
357 Need a Token Type URI in SAML token profile
- Ron Monzillo - will go into the next version of the profile rewrite (version 2) for the meeting after next. Assistance not required at this time;
the profile needs to be changed - the profile defines support for SAML 1.1 and 2.0 and must describe the backward-compatibility issues of supporting one token or the other.
Ron made a comment concerning the next interop: SAML Token Profile 1.1, with the exception of the TokenType attribute, is all accurate in its support for SAML 2.0 and
1.1.
391 Tracking incorporation of SAML 2.0 is linked to 357. The document needs to be partitioned to support both versions of tokens.
376 Manveen: Input format to transform - Closed
380-387 relating to Kerberos
Tony not present; hoping to get that out this week for review, to be addressed on the next call.
338 Hal: Proposed new work - WSS Templates - no change
366 SwA profile: review MIME headers that are included in the signature, make extensible; no action - Closed
370 SwA profile: add processing rules/guidance for SOAP and MIME intermediaries
One of two that Brian responded to (364). Reopen 364 - similar to 370 (remains open).
377 xenc:ReferenceList SwA comment
XML Encryption - message 18 on the list, 24th of April - changing the text to allow the ReferenceList to be less restrictive than the Core.
Move to Pending and incorporate.
378 Deprecating or otherwise superseding documents - Open
379 Kerberos TP: use Kerberos V GSS-API mechanism - conceptual agreement reached - Pending
388 Editorial comment on Username token - no objections to having the editors incorporate - Pending
389 ID Clash case http://lists.oasis-open.org/archives/wss/200504/msg00023.html -
Hal: Two identical ids in a message is currently a "should" rather than a "must". Operating in a multiple environment passing around processes could unnecessarily
break things. The argument against this by Mike McIntosh: the mechanism of communication between the security layer and the application layer
might be such that the security layer would validate or verify the signature over one set of text and the application would be under the impression that the
signature was validated over a different set of text; more of a design error than a specification problem. If wsu:Id or xml:id, otherwise reject; it could be
enforced.
Ron: Other than a direct reference, an ID can be arbitrary in the spec. In 1.0, assertion ids are being used as key identifiers, so when someone references
a local assertion it is by the assertion id reference rather than a direct reference. Chris did not see a security attack.
Hal: Should two ids, from a yet-to-be-specified set, having the same value be an error? Paul had a question on the uniqueness constraint (namespace).
Chris pointed out that if they have a different namespace and they have the same value and they are referenced from a SignedInfo, then you have a potential
attack. Other than that, schema-aware applications may want to shut this down, but our spec does not mandate schema.
Chris proposed a security consideration: any of the known id attributes, when referenced from a SignedInfo, having duplicate values is an error;
then add another sentence that says a Token Profile may describe additional constraints, and something in the SAML Token Profile for 1.0.
Ron proposed: if you have an id used from SignedInfo, you can't have two attributes within a document with the same value.
Chris suggested this was unenforceable because you don't know which are ids and which are non-ids; processors should not have to parse the whole document looking for
duplicate attributes. Paul agreed with this.
Different attacks were discussed, published and speculative. Application-layer suggestion: evaluate the first reference as the message was serialized.
Proposed: Add wording to the id reference section of the Core that says
1. "For those id types recognized by this specification, their id values must be unique. If not, then it should generate a fatal error."
2. "Any value referenced by a SignedInfo must be unique."
3. "In a canonical form of the message the unique id must be first in the canonical output."
No agreement was reached - Action to continue debate on list and decide at next meeting.
390 Section Numbering issue- pending
391 Tracking incorporation of SAML 2.0- pending
389 ID Clash case - note taken to list for discussion. Expectation is for resolution and a vote on the next call.
5. Kerberos Interop status
Vijay: Of three parts, two are almost complete; two more cases to go. These have been captured in the issues list, along with some from the Sun review.
At least two companies will have interop finished by Wednesday.
IBM, Microsoft and DataPower are doing Kerberos interop, all hopefully finished by the end of next week; each company has their own KDC, with scenarios
using local and remote KDCs.
Gudge will be publishing the 1.1 interop scenarios this week or early next week.
6. Other business
Finishing 1.1:
Minimalist profile - posted a long time ago, with no comments in the past two years. Will it be part of 1.1?
Who is the editor, and is it consistent with the 1.1 core?
Another posted document was a proposed value of the usage attribute; it could be rolled into the 1.1 document or a separate short document (Hal would be editor).
Editorial changes to the Minimalist profile are not even up to the 1.0 specs, let alone 1.1. Document will be reviewed for action.
Issues for the list:
1. Keep track of Minimalist Profile.
2. Review proposed value of usage attribute.
3. Clear general call for other bits and pieces that should be part of 1.1.
Frederick - reopen 364 for SwA guidance to the editor; review on the mail list.
7. Adjournment
Respectfully Submitted,
John R. Weiland
Information Technology Specialist
GS 2210 (APPSW) Code 38 Naval Medicine OnLine
Naval Medical Information Mngmt Cntr
Bldg 27
8901 Wisconsin Ave
Bethesda, Md. 20889-5605
301-319-1159
JRWeiland@us.med.navy.mil
http://navymedicine.med.navy.mil
"GIVE ME A PLACE TO STAND AND I WILL MOVE THE EARTH"
A remark of Archimedes quoted by Pappus of Alexandria
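The ID clash case (issue 389 under item 4 above) turns on one concrete check: when a ds:Reference with URI="#x" in SignedInfo can resolve to more than one element, the security layer may verify one element while the application acts on another. What follows is an added example written for this page; it is not part of the minutes or of any WSS TC document. It applies both candidate rules from the discussion to a SOAP message: the narrower one (a value referenced from SignedInfo must resolve to exactly one element) and the broader one (every recognized id value must be unique, referenced or not). The namespace URIs are the WSS 1.0 ones; the set of recognized id attributes (wsu:Id and xml:id on any element, an unqualified Id only on XML Signature and XML Encryption elements), the sample messages and the error strings are this example's own assumptions, and digest and signature values are omitted because only reference resolution is examined.

```python
"""Detect clashing id values in a WS-Security message before a local ds:Reference URI
is dereferenced.  Added example; not from the minutes or any WSS TC document."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "xml": "http://www.w3.org/XML/1998/namespace",
}

def qn(prefix, local):
    return "{%s}%s" % (NS[prefix], local)  # ElementTree's {uri}local form

def split_tag(tag):
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)  # (uri, local)

def element_ids(elem):
    """Recognized id values on one element.  Assumption of this example: wsu:Id and
    xml:id count on any element, an unqualified Id only on ds:/xenc: elements."""
    for attr in (qn("wsu", "Id"), qn("xml", "id")):
        if attr in elem.attrib:
            yield elem.attrib[attr]
    if "Id" in elem.attrib and split_tag(elem.tag)[0] in (NS["ds"], NS["xenc"]):
        yield elem.attrib["Id"]

def collect_ids(root):
    """Map each recognized id value to the elements carrying it, in document order."""
    table = defaultdict(list)
    for elem in root.iter():
        for value in element_ids(elem):
            table[value].append(elem)
    return table

def signed_reference_ids(root):
    """Fragment ids referenced from every ds:SignedInfo, in document order, deduplicated."""
    refs = []
    for signed_info in root.iter(qn("ds", "SignedInfo")):
        for ref in signed_info.findall(qn("ds", "Reference")):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                refs.append(uri[1:])
    return list(dict.fromkeys(refs))

def check_id_clash(xml_text, strict=True):
    """Fatal errors for a message ([] = may be processed).  Always: a value referenced from
    SignedInfo must resolve to exactly one element.  strict adds: every recognized id is unique."""
    root = ET.fromstring(xml_text)
    ids = collect_ids(root)
    referenced = signed_reference_ids(root)
    errors = []
    for value in referenced:
        hits = ids.get(value, [])
        if not hits:
            errors.append("signed reference #%s resolves to no element" % value)
        elif len(hits) > 1:
            errors.append("signed reference #%s is ambiguous (%d elements)" % (value, len(hits)))
    if strict:
        for value, hits in ids.items():
            if len(hits) > 1 and value not in referenced:
                where = ", ".join(split_tag(e.tag)[1] for e in hits)
                errors.append("duplicate id %r on %s" % (value, where))
    return errors

# Constructed sample messages.  DigestValue/SignatureValue are omitted because only
# reference resolution is examined.  "%%" survives the first substitution (the URIs).
ENVELOPE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s"
    xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <soap:Header>%%(extra_header)s
    <wsse:Security>
      <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2005-05-03T12:00:00Z</wsu:Created></wsu:Timestamp>
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#Timestamp-1"/><ds:Reference URI="#Body"/>
      </ds:SignedInfo></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body">%%(body)s</soap:Body>
</soap:Envelope>""" % NS

GOOD_MESSAGE = ENVELOPE % {"extra_header": "", "body": '<getBalance account="1"/>'}

# Wrapping-style clash: the signed Body content is parked in the Header, still carrying
# wsu:Id="Body", while the real Body (also wsu:Id="Body") holds the attacker's request.
WRAPPED_MESSAGE = ENVELOPE % {
    "extra_header": '<w:Wrapper xmlns:w="urn:example:wrapper"><soap:Body wsu:Id="Body">'
                    '<getBalance account="1"/></soap:Body></w:Wrapper>',
    "body": '<transfer amount="1000000"/>',
}

# Duplicate id that no signature references: the narrow rule accepts it, strict rejects it.
UNREFERENCED_DUP_MESSAGE = ENVELOPE % {
    "extra_header": '<n:Note xmlns:n="urn:example:notes" wsu:Id="Note-1"/>'
                    '<n:Note xmlns:n="urn:example:notes" wsu:Id="Note-1"/>',
    "body": '<getBalance account="1"/>',
}
```

Calling check_id_clash(WRAPPED_MESSAGE) rejects the wrapped message under both rules, since the ambiguous "#Body" is what the signature points at; check_id_clash(UNREFERENCED_DUP_MESSAGE, strict=False) accepts the message whose duplicate id no signature references, while the default strict=True rejects it. That is the trade-off between the two positions recorded above: the narrow rule only needs the ids a processor actually dereferences, whereas the broad rule requires a full scan of the document for every recognized id attribute (this example scans in both modes so it can name the offending elements).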