Subject: Minutes of 3 April 2001 Security Services TC telecon
Minutes of the OASIS Security Services Technical Committee telecon
3 April 2001

Thanks to Krishna Sankar and Jeff Hodges for doing note-taking duty!
Please note the ACTION items below. If you see anything that needs
correction, please reply to this message.

Administrative
==============

- Membership report: new/removed members (Krishna)

  No new members. Members removed after not having attended the 20 March
  telecon:

    Taylor Boon      Bionetrix
    Dave Jablon      Netegrity
    Sumner Blount    Netegrity
    Paul Ashley      Tivoli
    Tony Palmer      Vordel

- Roll call (Krishna)

  Attendance list appears at the end of these minutes. Quorum reached.

- Approval of minutes for the last telecon:
  http://lists.oasis-open.org/archives/security-services/200103/msg00076.html

  Approved.

- Approval of/additions to this agenda

  Stephen Farrell mentioned that he wanted to add a brief discussion of
  SASL to the agenda. Eve added it to the end. The rest of the agenda was
  approved.

- Discussion of latest XACML status/proposal (Simon Blackwell):
  http://lists.oasis-open.org/archives/security-services/200103/msg00084.html

  Simon discussed the planned formation of the new XACML TC and its
  statement of purpose, whose details were discussed. The TC will settle
  on representation of what's contained within a PDP, and they will have
  to be in sync with whatever an SAML attribute authority representation
  turns out to be.

  JeffH mentioned that RFC 3060 -- Policy Core Information Model -- is
  likely applicable to the XACML work as stated. Simon said he'd heard of
  it and they'd go take a look at it.
  http://www.ietf.org/rfc/rfc3060

F2F #2
======

Meeting page:
http://www.oasis-open.org/committees/security/f2f2-18April2001.shtml

- Reminder: send in your Evite RSVPs for the F2F and the dinner!

  ACTION: Everyone to send their Evite responses.

- Final agenda and reading list will be published by 11 April

  This will not include subgroup presentations; these will be made
  available later.

- Goals for this F2F:
  . Settle on the final scope issues
  . Settle on terminology and models
  . Enable the subgroups to dig deeply into design work

Models
======

- Continued discussion of the "three-cornered model."

- Continued discussion of producer/consumer and relationship model.

- Discussion of Tim Moses's Core subgroup ballot:
  http://lists.oasis-open.org/archives/security-core/200103/msg00063.html
  and Prateek's response:
  http://lists.oasis-open.org/archives/security-core/200104/msg00000.html
  ...essentially suggesting that -core consider "specializations" or
  "refinements" to the use case work.

- Continued discussion of producer/consumer and relationship model:
  http://lists.oasis-open.org/archives/security-editors/200104/msg00001.html

  DaveO and Hal felt that the use case issues being discussed later on
  the agenda would effectively discuss several of the open issues with
  this model doc.

Glossary
========

http://www.oasis-open.org/committees/security/docs/draft-sstc-glossary-00.html

- Discussion about the need to reduce listings of synonyms still further.

  JeffH asserts that it may be too soon to boil down the glossary because
  in some cases it may be perfectly reasonable for there to be
  overlapping terminology. E.g. that used in the Use Case & Reqs context
  may well overlap with that used in Core Assertions & Protocol and
  Bindings -- but the latter groups may have good reason to want to use
  their own particular slice of the overall terminology. An example is
  the terms "principal" and "subject". UC&R is using just the former,
  while the other group may use both with carefully defined semantics.

  Tim Moses: try to use glossary terms where possible, invent where
  necessary.

  ACTION: Everyone to review the glossary by 9 April.
  ACTION: JeffH to try to get new revision out by 11 April.

Use Case subgroup issues
========================

- Discuss authorization decisions:
  http://lists.oasis-open.org/archives/security-services/200103/msg00101.html

  Hal: the sticky part has to do with the response. How do we represent
  what the question is? PEP-PDP case: If you can ask the question then
  you can represent it, and can you use that for the answer?

  Phill: PDP needs to say something more than just yes or no. There's a
  thread in the -core list on this. There's an example in XKMS along this
  line. Hopes to get another example out soon.

  Summary (Hal): There's a simple, common case(s) that we can optimize.

  Eve: authz decision assertion -- what all does it contain, that's the
  question.

  DaveO: We're getting into an area that's controversial and complex.
  Maybe we should leave for a later version of SAML. Likes the idea of
  keeping things simple at this point and doing just "yes"/"no" at this
  time. Content negotiation in HTTP and difficulties thereof is an
  example of the complex stuff.

  Phill: seconds that, content negotiation was not implemented correctly
  across implementations.

  Eve: Sounds like the concern is legitimate.

  Phill: Wants to avoid an elaborate choreography, but a bit more than
  yes/no might be workable. E.g., the "respond" element from XKMS that
  he's waved around in the Core subgroup. A rules-based engine ought to
  be able to return more than yes/no. Can only really standardize what
  the intersection is of all the models.

  Hal: Pose question to group "is it NOT worth our time to try to propose
  specific stuff in this area?"

  Eve: Thinking along DaveO's lines that we shouldn't go down this path.

  Darren, Irving support Eve: XACML is perhaps doing this stuff.

  Eve: burden of proof is on those who can produce scenarios where simple
  yes/no answers aren't sufficient.

  ?: an example is scaling issues in database apps -- ask for yes/no on
  each item in a large result set?

  Phill: All we can do is write schema and give guidance -- can't be sure
  that folks won't use SAML technology inappropriately.

  Carlisle: Phill's proposal is okay because a requester can ask for
  yes/no plus additional stuff.

  Darren/Eve: use extension fields to add this stuff later.

  Eve: have discussed this for 1/2 hour -- have we come to any
  conclusions?

  Darren: Not really. Maybe "leaving for extension fields" is the way to
  go.

  Phill: Maybe we drop the specific policy stuff right now, and instead
  spend time on specifying how we do extensibility.

  Eve: Agreement.

  Eve: Maybe we boil down what Nigel proposed as documented in "question
  4" in Darren's overview email message. The Use Case subgroup can
  consider this as feedback of the overall TC to them. 'nuff said for
  now.

- Discuss pass-through authentication:
  http://lists.oasis-open.org/archives/security-services/200103/msg00099.html

  Hal: It's basically a cost/value question -- several of us represent
  companies that already "do this" -- the question is whether it's worth
  it to try to come up with a standardized way to do it.

  Irving brought up SASL on SteveF's behalf. Their present thinking is
  that we might use SASL in some ways in creating authn assertions. Some
  discussion about this, with some asserting that this is likely the case
  and others asserting the functionality SASL offers doesn't directly
  relate to authn assertions in the way we're thinking about them.

  ACTION: SteveF, Hal, JeffH, and Irving to discuss how SASL might apply
  in our pass-through authn and make a presentation on how we might make
  use of it at the next F2F. (Eve to allocate 15 minutes for it.)

- Discuss sessions:
  http://lists.oasis-open.org/archives/security-services/200104/msg00003.html

  Agreement that "we need 'em," but not much agreement about "what they
  are." Hal noted that one likely has a session by virtue of having an
  authn assertion that's valid (e.g. timestamp-wise), while others
  asserted we will need some sort of "session authority" system entity
  that maintains some sort of notion of session state.

  Eve: Hal's type of session is just an emergent property, sort of
  dynamic and maybe not very interesting. It seems like we've got two
  notions of "session" here.

Liaison reports
===============

- Any thoughts on HailStorm? (Allen Brown?)

  Not discussed.

Next meeting
============

- 18-19 April 2001 F2F (security-leaders meets on 10 April)

Attendance
==========

MEMBERS
  Stephen Farrell          Baltimore
  Patrick McLaughlin       Baltimore
  Irving Reid              Baltimore
  Alex Ceponkus            Bowstreet
  Krishna Sankar           Cisco
  Brian Eisenburg          DataChannel
  Hal Lockhart             Entegrity
  Carlisle Adams           Entrust
  Alex Berson              Entrust
  Bob Griffin              Entrust
  Tim Moses                Entrust
  Ed Simon                 Entrust
  Nigel Edwards            HP
  Joe Pato                 HP
  Jason Rouault            HP
  Maryann Hondo            IBM
  David Orchard            Jamcracker
  Gilbert Pilz             Jamcracker
  Alan Brown               MS
  Marc Chanliau            Netegrity
  Prateek Mishra           Netegrity
  Adam Prishtina           Netscape
  Jeff Hodges              Oblix
  Charles Knouse           Oblix
  Steve Anderson           OpenNetwork
  Duane Hamilton           OpenNetwork
  Michael Lyons            OpenNetwork
  Mark Griesi              OpenNetworks
  Eric Olden               Securant
  Darren Platt             Securant
  Eve Maler                Sun
  Ron Monzillo             Sun
  Aravindan Ranganathan    Sun
  Mark Vandenwauver        Tivoli
  Ron Williams             Tivoli
  Bob Morgan               UWashington
  Warwick Ford             Verisign
  Philip Hallam-Baker      Verisign
  Thane Plambeck           Verisign
  Jeremy Epstein           webMethods

PROSPECTIVE MEMBERS
  Gavenraj Sodhi           Access360
  Jim Campbell             Sentillion
  Jahan Moreh              Sigaba
  Paul Ashley              Tivoli

OBSERVERS
  Simon Blackwell          Psoom
  Bill Pope                Bowstreet

-- 
Eve Maler                                       +1 781 442 3190
Sun Microsystems XML Technology Development     eve.maler @ east.sun.com