Subject: Minutes of 20 March 2001 Security Services TC telecon
Minutes of the OASIS Security Services Technical Committee telecon
20 March 2001
Please note the ACTION items below. If you see anything that needs
correction, please reply to this message.
Administrative
==============
- Membership report: new/removed members (Heather)
No new members. Two members voluntarily moved to observer: Tim
Winston and Greg Wilson.
- Roll call (Heather)
Attendance list appears at the end of these minutes. Quorum
reached.
- Approval of minutes for F2F #1:
http://lists.oasis-open.org/archives/security-services/200103/msg00015.html
Accepted.
- Approval of minutes for the last telecon:
http://lists.oasis-open.org/archives/security-services/200103/msg00024.html
Accepted.
- Approval of/additions to this agenda
Accepted, with a note that minutes can be found on the group
page:
http://www.oasis-open.org/committees/security/
F2F #2
======
- Location/date information
Hosted by Netegrity. Information available from the meeting page,
which is linked from the group page.
- Hotel room requirements
Netegrity has a group rate at DoubleTree, which is walking distance.
Reserve earlier and get cookies in bed.
- Goals for this F2F:
. Settle on the final scope issues ("Strawman #5")
. Come to final agreement about terminology and models
. Enable the subgroups to dig deeply into design work
- Attendance requirements:
Attendance on first day counts towards good standing. Attendance on
second day ONLY does not count towards good standing as you will
miss too much information. The 2 days count as one meeting. Note:
this is not intended to be an incentive to leave after day 1, but to
not punish those FEW people who cannot make both days due to prior
commitments. Bob B pointed out that we could move to a "committee as
a whole" mode for design work for day 2, meaning that quorum is not
as much of an issue.
Discussion of models
====================
Models are for the whole TC to decide, though subgroups are doing good
work. We may settle on several models, each of which provides a
different "view" of the problem space and/or design solution.
Much discussion, of which only a very small portion is noted:
Hal's diagram answers who has the info and who needs it. It doesn't
show a flow. David's diagram captures all static relationships and
their cardinality.
Bob B. objected to use of the term "credential" in place of what he
claims is "authorization information". Some people objected to Bob's
raising this issue after all the mailing list discussion. Some people
nevertheless agreed with Bob's point.
ACTION: Use Case subgroup to discuss again and present their
recommendations to the TC. If there is still debate, we may need to
move to a TC vote on the appropriate term.
Discussion on whether a Policy Enforcement Point (PEP) is allowed to
receive more than a Y/N input. Many people came close to categorically
stating that if the PEP receives anything more than Y/N, then the PEP
must include authorization decision information and is therefore a
PDP. Discussion then moved to the possibility of sending the PEP an
"entitlement" type piece of information (such as "Heather is entitled
to eat chips while on the phone") as a more detailed form of a Y/N
input (where Heather eating chips is a Y, and "Heather is NOT entitled
to eat chips while on the phone" would be a N).
ACTION: Use Case subgroup to add examples to the definitions of all
the terms found in David's model.
ACTION: Use Case subgroup to try to cast each box in Hal's diagram as
a (logical) function.
The Protocol subgroup's model showed administrative domains, not
security domains. Though two domains are shown, we think we should
assume that any SAML construct should be standalone enough to survive
crossing domains at each stage.
In Phill's three-cornered model, we discussed ticket size and usage.
ACTION: Bindings group to research and determine the size constraints
on a ticket, considering the different versions of browsers, other
devices like cell phones, etc.
Liaison reports
===============
- Should we identify official liaisons for the Shibboleth work?
Bob Morgan and Marlena Erdos will be our representatives.
Attendance List
===============
Bill Perry Aventail
Stephen Farrell Baltimore
Irving Reid Baltimore
Alex Ceponkus Bowstreet
Krishna Sankar Cisco
Ken Yagen Crosslogix
Brian Eisenburg DataChannel
Hal Lockhart Entegrity
Carlisle Adams Entrust
Alex Berson Entrust
Robert Griffin Entrust
Tim Moses Entrust
Ed Simon Entrust
Nigel Edwards HP
Jason Rouault HP
Maryann Hondo IBM
Kelly Emo Jamcracker
David Orchard Jamcracker
Marc Chanliau Netegrity
Prateek Mishra Netegrity
Adam Prishtina Netscape
Jeff Hodges Oblix
Charles Knouse Oblix
Duane Hamilton OpenNetwork
Michael Lyons OpenNetwork
Evan Prodromou Outlook
Eric Olden Securant
Darren Platt Securant
Eve Maler Sun
Ron Monzillo Sun
Aravindan Ranganathan Sun
Bob Blakley Tivoli
Marlena Erdos Tivoli
Heather Hinton Tivoli
Sridhar Muppidi Tivoli
Mark Vandenwauver Tivoli
Bob Morgan UWashington
Philip Hallam-Baker Verisign
Alan Byrne Vordel
Jeremy Epstein webMethods
Voting Members removed after missing today's meeting:
Taylor Boon Bionetrix
Dave Jablon Netegrity
Paul Ashley Tivoli
Sumner Blount Netegrity
Tony Palmer Vordel
--
Eve Maler +1 781 442 3190
Sun Microsystems XML Technology Development eve.maler @ east.sun.com