Subject: Minutes of 3 April 2001 Security Services TC telecon


Minutes of the OASIS Security Services Technical Committee telecon
3 April 2001

Thanks to Krishna Sankar and Jeff Hodges for doing note-taking duty!

Please note the ACTION items below.  If you see anything that needs
correction, please reply to this message.


Administrative
==============
- Membership report: new/removed members (Krishna)

   No new members.  Members removed after not having attended the 20
   March telecon:

   Taylor Boon             Bionetrix
   Dave Jablon             Netegrity
   Sumner Blount           Netegrity
   Paul Ashley             Tivoli
   Tony Palmer             Vordel

- Roll call (Krishna)

   Attendance list appears at the end of these minutes.  Quorum
   reached.

- Approval of minutes for the last telecon:
   http://lists.oasis-open.org/archives/security-services/200103/msg00076.html

   Approved.

- Approval of/additions to this agenda

   Stephen Farrell mentioned that he wanted to add a brief discussion
   of SASL to the agenda. Eve added it to the end.  The rest of the
   agenda was approved.

- Discussion of latest XACML status/proposal (Simon Blackwell):
   http://lists.oasis-open.org/archives/security-services/200103/msg00084.html

   Simon discussed the planned formation of the new XACML TC and
   its statement of purpose, whose details were discussed.  The TC
   will settle on a representation of what's contained within a PDP,
   and they will have to be in sync with whatever a SAML attribute
   authority representation turns out to be.

   JeffH mentioned that RFC 3060 (Policy Core Information Model)
   is likely applicable to the XACML work as stated.  Simon said he'd
   heard of it and they'd take a look at it.
   http://www.ietf.org/rfc/rfc3060


F2F #2
======
Meeting page:
http://www.oasis-open.org/committees/security/f2f2-18April2001.shtml
- Reminder: send in your Evite RSVPs for the F2F and the dinner!

   ACTION: Everyone to send their Evite responses.

- Final agenda and reading list will be published by 11 April

   This will not include subgroup presentations; these will be made
   available later.

- Goals for this F2F:
     . Settle on the final scope issues
     . Settle on terminology and models
     . Enable the subgroups to dig deeply into design work


Models
======
- Continued discussion of the "three-cornered model."

- Continued discussion of producer/consumer and relationship model.

- Discussion of Tim Moses's Core subgroup ballot:
   http://lists.oasis-open.org/archives/security-core/200103/msg00063.html
   and Prateek's response:
   http://lists.oasis-open.org/archives/security-core/200104/msg00000.html
   ...essentially suggesting that -core consider "specializations" or
   "refinements" to the use case work.

- Continued discussion of producer/consumer and relationship model:
   http://lists.oasis-open.org/archives/security-editors/200104/msg00001.html
   DaveO and Hal felt that the use case issues being discussed later
   on the agenda would effectively discuss several of the open issues
   with this model doc.


Glossary
========
http://www.oasis-open.org/committees/security/docs/draft-sstc-glossary-00.html
- Discussion about the need to reduce listings of synonyms still
   further.

   JeffH asserts that it may be too soon to boil down the glossary
   because in some cases it may be perfectly reasonable for there
   to be overlapping terminology. E.g. that used in the Use Case &
   Reqs context may well overlap with that used in Core Assertions
   & Protocol and Bindings -- but the latter groups may have good
   reason to want to use their own particular slice of the overall
   terminology. An example is the terms "principal" and "subject".
   UC&R is using just the former, while the other group may use both
   with carefully defined semantics.

   Tim Moses: try to use glossary terms where possible, invent where
   necessary.

   ACTION: Everyone to review the glossary by 9 April.
   ACTION: JeffH to try to get new revision out by 11 April.


Use Case subgroup issues
========================
- Discuss authorization decisions:
   http://lists.oasis-open.org/archives/security-services/200103/msg00101.html

  Hal: the sticky part has to do with the response. How do we represent
  what the question is?  PEP-PDP case: If you can ask the question then
  you can represent it, and can you use that for the answer?

  Phill: PDP needs to say something more than just yes or no.
  There's a thread in the -core list on this.
  There's an example in XKMS along this line.
  Hopes to get another example out soon.

  summary (Hal): There's a simple, common case(s) that we can optimize.

  Eve: authz decision assertion -- what all does it contain, that's the
  question.

  DaveO: We're getting into an area that's controversial and complex.
  Maybe we should leave for a later version of SAML. Likes the idea of
  keeping things simple at this point and doing just "yes"/"no" at
  this time. Content negotiation in HTTP and difficulties thereof is
  an example of the complex stuff.

  Phill: seconds that, content negotiation was not implemented correctly
  across implementations.

  Eve: Sounds like the concern is legitimate.

  Phill: Wants to avoid an elaborate choreography, but a bit more than
  yes/no might be workable.  E.g., the "respond" element from XKMS that
  he's waved around in the Core subgroup.  A rules-based engine ought
  to be able to return more than yes/no. Can only really standardize what
  the intersection is of all the models.


  Hal: Pose question to group "is it NOT worth our time to try to propose
  specific stuff in this area?"

  Eve: Thinking along DaveO's lines that we shouldn't go down this path.

  Darren, Irving support Eve: XACML is perhaps doing this stuff.

  Eve: burden of proof is on those who can produce scenarios where simple
  yes/no answers aren't sufficient.

  ? - an example is scaling issues in database apps -- ask for yes/no on
   each item in a large result set?

  Phill: All we can do is write schema and give guidance -- can't be sure
  that folks won't use SAML technology inappropriately.

  Carlisle: Phill's proposal is okay because a requester can ask for
  yes/no plus additional stuff.

  Darren/Eve: use extension fields to add this stuff later.

  Eve: have discussed this for 1/2 hour -- have we come to any
  conclusions?

  Darren: Not really. Maybe "leaving for extension fields" is the way
  to go.

  Phill: Maybe we drop the specific policy stuff right now, and instead
  spend time on specifying how we do extensibility.

  Eve: Agreement.

  Eve: Maybe we boil down what Nigel proposed as documented in
  "question 4" in Darren's overview email message.  The Use Case
  subgroup can consider this as feedback of the overall TC to them.
  'nuff said for now.


- Discuss pass-through authentication:
   http://lists.oasis-open.org/archives/security-services/200103/msg00099.html

   Hal: It's basically a cost/value question -- several of us represent
   companies that already "do this" -- the question is whether it's
   worth it to try to come up with a standardized way to do it.

   Irving brought up SASL on SteveF's behalf. Their present thinking is
   that we might use SASL in some ways in creating authn assertions.

   Some discussion about this, with some asserting that this is likely
   the case and others asserting that the functionality SASL offers
   doesn't directly relate to authn assertions in the way we're thinking
   about them.

   ACTION: SteveF, Hal, JeffH, and Irving to discuss how SASL might
   apply in our pass-through authn and make a presentation on how we
   might make use of it at the next F2F.  (Eve to allocate 15 minutes
   for it.)

- Discuss sessions:
   http://lists.oasis-open.org/archives/security-services/200104/msg00003.html

   Agreement that "we need 'em," but not much agreement about "what
   they are."

   Hal noted that one likely has a session by virtue of having an authn
   assertion that's valid (e.g. timestamp-wise), while others asserted
   we will need some sort of "session authority" system entity that
   maintains some sort of notion of session state.

   Eve: Hal's type of session is just an emergent property, sort of
   dynamic and maybe not very interesting.  It seems like we've got
   two notions of "session" here.


Liaison reports
===============
- Any thoughts on HailStorm? (Allen Brown?)
   Not discussed.


Next meeting
============
- 18-19 April 2001 F2F (security-leaders meets on 10 April)


Attendance
==========
MEMBERS
Stephen Farrell         Baltimore
Patrick McLaughlin      Baltimore
Irving Reid             Baltimore
Alex Ceponkus           Bowstreet
Krishna Sankar          Cisco
Brian Eisenburg         DataChannel
Hal Lockhart            Entegrity
Carlisle Adams          Entrust
Alex Berson             Entrust
Bob Griffin             Entrust
Tim Moses               Entrust
Ed Simon                Entrust
Nigel Edwards           HP
Joe Pato                HP
Jason Rouault           HP
Maryann Hondo           IBM
David Orchard           Jamcracker
Gilbert Pilz            Jamcracker
Alan Brown              MS
Marc Chanliau           Netegrity
Prateek Mishra          Netegrity
Adam Prishtina          Netscape
Jeff Hodges             Oblix
Charles Knouse          Oblix
Steve Anderson          OpenNetwork
Duane Hamilton          OpenNetwork
Michael Lyons           OpenNetwork
Mark Griesi             OpenNetworks
Eric Olden              Securant
Darren Platt            Securant
Eve Maler               Sun
Ron Monzillo            Sun
Aravindan Ranganathan   Sun
Mark Vandenwauver       Tivoli
Ron Williams            Tivoli
Bob Morgan              UWashington
Warwick Ford            Verisign
Philip Hallam-Baker     Verisign
Thane Plambeck          Verisign
Jeremy Epstein          webMethods

PROSPECTIVE MEMBERS
Gavenraj Sodhi          Access360
Jim Campbell            Sentillion
Jahan Moreh             Sigaba
Paul Ashley             Tivoli

OBSERVERS
Simon Blackwell         Psoom
Bill Pope               Bowstreet
--
Eve Maler                                             +1 781 442 3190
Sun Microsystems XML Technology Development  eve.maler @ east.sun.com
