Subject: Minutes of 29 May 2001 Security Services TC/Focus telecon


Minutes of the OASIS Security Services Technical Committee telecon
and the Focus Subcommittee telecon
29 May 2001

Please note the ACTION items below.
If you see anything that needs correction, please REPLY to this message.


Administrative
==============
- Membership report: new/removed members (Heather)

   See the end of these minutes.

- Roll call (Heather)
   Attendance list appears at the end of these minutes.  Quorum reached
   (32/28).

- Approval of minutes for the last telecon:

   http://lists.oasis-open.org/archives/security-services/200105/msg00136.html

   Approved.

- Approval of/additions to this agenda

   None.

- Burton Group speaker slot

   Eve will choose person based on timestamp of response (Jahan
   Moreh, Joe Pato, Alex Berson, and Marc Chanliau responded).
   The conference is 22-25 July in San Diego.

- News from Jeremy: WebSec is also looking for speakers:

   http://www.misti.com/conference_show.asp?id=WS01


ACTION items
============
ACTION: Bob Blakley to develop and circulate a Word template for all
specification contributors to use.
- Not done yet; new target date 1 June

ACTION: Bob Blakley to propose simplified assertion data structures based
on Phill's new document.
- Not done yet; new target date 1 June

ACTION: Conformance group to review the traceability of use cases against
Phill's design and release a rough draft for review before the next TC
telecon.
- Will get progress report in subgroup reports; won't list this as
   an action item in future

ACTION: Prateek to do traceability review before the next TC
telecon.
- Moving slower than Prateek hoped; trying to get bindings report
   out and will look at traceability when done

ACTION: Jeff Hodges to update the Glossary to reflect F2F #2 decisions.
- Still in progress; new target date 12 June 01

ACTION: Eve to create Evite page with F2F #3 information.
- Will do once receive today's voting members list

ACTION: Prateek to produce draft of bindings doc to go to whole group by
Tuesday 22-May.
- Will wait for binding subgroup report; Prateek will commit to
   sending 29 May; won't list this as an action item in future

ACTION: Prateek will create or point to a use case for ValidityDependsOn.
- Prateek has initiated thread on a related topic that may help;
   there is an issue on this in the issues document; won't list this
   as an action item in future because it will get taken up as a
   regular issue

ACTION: Eve to create master bibliography and provide bibliography section
for document guidelines.
- Eve will do this by June 5 focus call

ACTION: Jeff to send out email about possible URI constraints and identity
definitions we should consider imposing in the case of SAML's unique
identifiers.
- Jeff is trying to get this out 29 or 30 May

(see the rest of these minutes for new actions)

F2F #3
======
- Meeting page: has been updated; URL is in emails Eve has sent out
- Evite status:
- Goals for this F2F:
    . Review and approve as much of the design as possible
    . Assess plans for implementation and conformance
    . Figure out the end-game schedule

   We must be realistic but not slip our due date very much. Eve suspects
   we will have to slip date by one quarter but does not want to slip two
   quarters.  Eve will finalize pre-meeting materials by COB 18 June.

ACTION: Subgroup leaders to get new materials to BobB (and security-editors
list) by COB June 14 in preparation for publishing the F2F versions of the
spec.

   Meeting starts June 25 in Newark office of Sun, near Fremont, CA.

   NOTE: no telecon on June 26; replaced with F2F meeting that day.


Subcommittee reports
====================
- Issues list (Hal)

   Major change is a "color code": previously closed issues will be greyed
   out; blue is "just been closed"; open, actively discussed, or newly
   created issues will be yellow; other open issues will be in white. In the
   footer there is a color sample so that grey-scale printouts can be
   matched. Previous list had just the use case/requirements issues; added
   a section on design issues. Put out a second revision but haven't
   changed blue to grey.  New version has been made pretty.  Agreed to
   close group 0 issues in this latest version.  Please look at issues
   list/versions to track what we are doing.

- Focus (Eve)

   Last time came up with one recommendation for discussion today.
   Discussed the meta-issue of how to make progress. Agreed on 75% approval
   standard before recommending to TC at large; will generally use straw
   polls in telecons rather than email ballots.

   In the latest Focus minutes there are a number of links to other
   interesting topics, including use of URI as unique identifier.

- Bindings (Prateek)

   There is a draft that should go out today to be discussed on the bindings
   con call this Thursday. There have been a number of contributions,
   including terminology (from Jeff) discussing types of bindings. Types of
   bindings: addition of SAML assertions to various protocols/object
   frameworks (how do you insert a SAML assertion into a SOAP document?).
   The other type is concerned with layering request/response protocols on
   top of (e.g.) HTTP. Currently using the term "SAML protocol binding" for
   this latter type of binding (e.g. SAML request/response layered on top
   of HTTP); inserting SAML into other protocol flows is a "profile" (e.g.
   a web browser profile or a SOAP profile for SAML).

   Other piece is a submission of an HTTP protocol binding; this is being
   integrated into the document.

   Third piece is a web-browser profile (calling out of different
   interaction steps when using a web browser when moving document from one
   to another).

- Conformance (Krishna)

   Need two documents: conformance clause and conformance plan. Have sent
   out outline and are getting responses/feedback.

- Security and Privacy Considerations (Jeff)

   Jeff has been collecting materials. Has not been terribly active.

- Sessions (Hal)

   Appear to have closure on requirements. Open issue of multiple time-out
   values has been resolved. Moved into discussing message flows (login,
   logout by user, forced logout by admin, timeout). Timeout can be viewed
   as two phases (timeout and execution); the phases are all the same, so
   we know the flows will be too. Going off to explore in detail.

- Pass-through (Stephen)

   No report as Stephen not on call.


Liaison reports
===============
Election and Voter Services TC: Krishna Sankar said they may be a
"customer" for SAML.

XKMS: Joe Pato is chairing W3C XKMS workshop on July 19 to decide if W3C
should make XKMS a working group.


Technical issues to discuss/approve
===================================
- Focus subcommittee recommendations:

   http://lists.oasis-open.org/archives/security-services/200105/msg00139.html

    . "RECOMMENDATION: We recommend that the design not incorporate
      any provision for wildcarding for resources, as doing this is
      essentially to accomplish a policy statement, and policy is
      out of scope for SAML (draft-sstc-saml-reqs-00 page 6)."

   Point of information: This means specifically all references to
   accessible resources.

   Debate on the motion:

   Phill: Did not like this as he thinks that people will invent a way to
   do this. If we insist on "our" way, people will try to circumvent (and
   break SAML?).

   Evan: We don't want a SAML standard that includes policy.

   Eve: Interjected with references to what was discussed in Focus
   subcommittee.  Rationale came down to "there is a job that SAML is
   trying to do and this isn't it."

   Hal: Wants to do a complete job; we are being asked to do an incomplete
   job that will be incompatible with XACML.

   Bob: A name based regular expression match is not the only, nor the
   best, way to do this. People may want to do this, but this may not be
   the right way to do this.

   Jeff: Supports Bob.

   Prateek: Have this problem between PDP and PEP. One way to do this is to
   develop a specific syntax that is a reasonable fit to the problem
   domain. There may be a nice syntax for hierarchical file systems but if
   we 'bake' it into the spec, we are all forced to implement it.

   Tim: Phill's example is handled if you treat directory as ???

   Nigel: Does issuing authority mean same thing as relying party? Does
   file system directory always mean that or does it mean an index/html?

   Jeff: Even though path portion of a URI may look like a file system
   path, you cannot presume that is what it is.

   Irving: URLs imply a hierarchical structure; we can relate permissions
   to that structure whether there is a physical file system behind it or
   not. Key point is that client and server must agree on who is on first.
   Is it useful to have the PEP giving a PDP a question that has a wildcard
   in it? The answer in the focus subgroup was yes; they are going to go
   and look at this independent of XACML. Do you want to support
   wildcarding in a policy database? This should be internal to a product
   and shouldn't be required of SAML.

   Nigel: speak against recommendation as worded; would like to refer to
   definition of policy as in one of our April drafts. This seems to equate
   policy to ACLs.

   What Nigel meant was assertions such as "Nigel can access this set of
   resources."

   Hal: Reason that directory issue brought up was argued that simple
   wildcard scheme would be dead easy (access control in directory) but
   this presupposes particular implementation that may be false.

   What happened at focus group was a scenario where an enhanced/partial PEP
   makes requests and the PDP says "not only can Joe access X, but Joe can
   access Y and Z." This is a partial policy/policy caching issue.

   Nigel: What is the "corollary" of this recommendation? Does this impact
   on other parts/examples/scenarios?

   Phill: Wildcards are currently not in the draft; if you added them, you
   would not have a well-formed URI.

   Eve: Summary: this is a design idea that came up. Focus group
   recommended NOT to add it to the spec.

   Hal: Noted later that there is a mention of wildcards on p. 6 of 07.

   VOTE: recorded as "wildcard vote" in Heather's voting list.

- Any comments on requirements document?

   What does this say of the open issues that are in the requirements/use
   case area?

   Eve: All issues that were not explicitly listed last time were closed.
   There may be issues in issues list, but not in requirements doc.

   Much discussion on types of documents and what it means to have a
   committee spec vs draft spec vs RFC.  We agreed that the requirements
   document is ready to be treated as a "Draft Committee Specification."

Open mike (new issues)
======================
(See below for summary of open design issues)

New issue (from Prateek): Audit of assertions; see email of 28 May.

New issue (from Marlena) Do we do nesting of attributes (based on
someone's def of roles as nested attributes).

Tim: with minimal extensions, roles of principals, attributes for roles,
it is clear how design accommodates

Marlena: Are roles called out separately? Can roles be principals?

New issue (from Phil/Tim): Should attributes and roles be identified as
separate objects?

New issue (from Phil/Tim): Should attributes have some 'attribute-value'
type structure to them?

These two issues are linked, in that if attributes have structure, roles
should be atomic.

New issue (from Phil/Tim): Do you want a mechanism to state that someone
does not have a role?

New issue (from Darren): Design seemed to be biased towards roles; wanted
to see emphasis on rules. This is handled by above three issues.

New issue (from Tim): What is the appropriate style for the request
protocol?

This is in the issues list - how does it come to closure? This will have
to be discussed in Focus meeting.

Adjourn at 12:38pm Central Time.

Adjourn
=======
(Next meeting: 5 June 2001 Focus telecon)


Focus subcommittee agenda
=========================
- We will focus on making issues concrete/decidable.  Champions
   need to send candidate decidable wording by next Monday.  Each should
   contain a brief description/analysis of the problem and concrete
   proposals for each option that solves the problem.

- Latest issues list:

   http://lists.oasis-open.org/archives/security-services/200105/doc00011.doc

- DS-1-01: Referring to Subject (p. 86)

ACTION: Eve to ask BobB if he'll be its champion.

- DS-1-01 (sic): Anonymity Technique

ACTION: Marlena to champion this and confer with BobB and Phill.

- DS-2-01: Wildcard Resources

   Closed today.

- DS-3-01: DoNotCache

ACTION: Hal to champion this.

- DS-3-02: ClockSkew

ACTION: Hal to see if the issue list text is sufficient or needs more
explication.

- DS-3-03: ValidityDependsUpon

ACTION: Prateek to champion this.

- DS-4-01: Top or Bottom Typing

ACTION: Dave to champion this.

- DS-4-02: XML Terminology (better to call it "Messages and Packaging"?)

ACTION: Jeff to champion this.

- DS-4-03: Assertion Request Template

ACTION: Tim and Dave to brainstorm further on how to proceed.

- DS-4-04: URIs for Assertion IDs

   Jeff already has an action on this, so we'll be satisfied with that for
   now.


Attendance list
===============
Voting members:

Carlisle   Adams         Entrust
Steve      Anderson      OpenNetwork
Bob        Blakley       Tivoli
Marc       Chanliau      Netegrity
Nigel      Edwards       HP
Jeremy     Epstein       webMethods
Marlena    Erdos         Tivoli
Mark       Griesi        OpenNetworks
Robert     Griffin       Entrust
Philip     Hallam-Baker  Verisign
Heather    Hinton        Tivoli
Jeff       Hodges        Oblix
Maryann    Hondo         IBM
Hal        Lockhart      Entegrity
Michael    Lyons         OpenNetwork
Eve        Maler         Sun
Prateek    Mishra        Netegrity
Ron        Monzillo      Sun
Jahan      Moreh         Sigaba
Tim        Moses         Entrust
Sridhar    Muppidi       Tivoli
David      Orchard       Jamcracker
Tony       Palmer        Vordel
Pramod     Pathak        Vordel
Joe        Pato          HP
Gilbert    Pilz          Jamcracker
Darren     Platt         Securant
Evan       Prodromou     Outlook
Aravindan  Ranganathan   Sun
Irving     Reid          Baltimore
Jason      Rouault       HP
Krishna    Sankar        Cisco
Ed         Simon         Entrust
Mark       Vandenwauver  Tivoli
Ken        Yagen         Crosslogix

New member report:
Chris       Ferris     Sun               <chris.ferris@east.sun.com>
David       Hofert     Sun               <david.hofert@sun.com>
Regunathan  Rajaiah    Netscape          <ragu@netscape.com>
Zahid       Ahmed      CommerceOne       <zahid.ahmed@commerceone.com>
Shawn       Campbell   Windermere Group  <scampbell@witsusa.com>
Mark        O'Neill    Vordel            <mark.oneill@vordel.com>
Pramod      Pathak     Vordel            <pramod.pathak@vordel.com>
Bill        Pope       Bowstreet         <bpope@bowstreet.com>

Removed member report:
Patrick  McLaughlin  Baltimore    <pmclaughlin@baltimore.com>
Alex     Ceponkus    Bowstreet    <aceponkus@bowstreet.com>
Duane    Hamilton    OpenNetwork  <dhamilton@opennetwork.com>
Eric     Olden       Securant     <eric@securant.com>
Ron      Williams    Tivoli       <ron.williams@tivoli.com>
Warwick  Ford        Verisign     <WFord@verisign.com>
Thane    Plambeck    Verisign     <tplambeck@verisign.com>
--
Eve Maler                                             +1 781 442 3190
Sun Microsystems XML Technology Development  eve.maler @ east.sun.com