Subject: Minutes of 29 May 2001 Security Services TC/Focus telecon
Minutes of the OASIS Security Services Technical Committee telecon and the Focus Subcommittee telecon, 29 May 2001

Please note the ACTION items below. If you see anything that needs correction, please REPLY to this message.

Administrative
==============

- Membership report: new/removed members (Heather)
  See the end of these minutes.

- Roll call (Heather)
  Attendance list appears at the end of these minutes. Quorum reached (32/28).

- Approval of minutes for the last telecon:
  http://lists.oasis-open.org/archives/security-services/200105/msg00136.html
  Approved.

- Approval of/additions to this agenda
  None.

- Burton Group speaker slot
  Eve will choose the person based on the timestamp of the response (Jahan Moreh, Joe Pato, Alex Berson, and Marc Chanliau responded). The conference is 22-25 July in San Diego.

- News from Jeremy: WebSec is also looking for speakers:
  http://www.misti.com/conference_show.asp?id=WS01

ACTION items
============

ACTION: Bob Blakley to develop and circulate a Word template for all specification contributors to use.
- Not done yet; new target date 1 June

ACTION: Bob Blakley to propose simplified assertion data structures based on Phill's new document.
- Not done yet; new target date 1 June

ACTION: Conformance group to review the traceability of use cases against Phill's design and release a rough draft for review before the next TC telecon.
- Will get a progress report in the subgroup reports; won't list this as an action item in future

ACTION: Prateek to do traceability review before the next TC telecon.
- Moving slower than Prateek hoped; trying to get the bindings report out and will look at traceability when done

ACTION: Jeff Hodges to update the Glossary to reflect F2F #2 decisions.
- Still in progress; new target date 12 June 01

ACTION: Eve to create Evite page with F2F #3 information.
- Will do once she receives today's voting members list

ACTION: Prateek to produce draft of bindings doc to go to whole group by Tuesday 22-May.
- Will wait for the bindings subgroup report; Prateek will commit to sending 29 May; won't list this as an action item in future

ACTION: Prateek will create or point to a use case for ValidityDependsOn.
- Prateek has initiated a thread on a related topic that may help; there is an issue on this in the issues document; won't list this as an action item in future because it will get taken up as a regular issue

ACTION: Eve to create master bibliography and provide bibliography section for document guidelines.
- Eve will do this by the June 5 Focus call

ACTION: Jeff to send out email about possible URI constraints and identity definitions we should consider imposing in the case of SAML's unique identifiers.
- Jeff is trying to get this out 29 or 30 May

(See the rest of these minutes for new actions.)

F2F #3
======

- Meeting page: has been updated; URL is in emails Eve has sent out
- Evite status:
- Goals for this F2F:
  . Review and approve as much of the design as possible
  . Assess plans for implementation and conformance
  . Figure out the end-game schedule

We must be realistic but not slip our due date very much. Eve suspects we will have to slip the date by one quarter but does not want to slip two quarters.

Eve will finalize pre-meeting materials by COB 18 June.

ACTION: Subgroup leaders to get new materials to BobB (and the security-editors list) by COB June 14 in preparation for publishing the F2F versions of the spec.

Meeting starts June 25 in the Newark office of Sun, near Fremont, CA.

NOTE: no telecon on June 26; replaced with the F2F meeting that day.

Subcommittee reports
====================

- Issues list (Hal)
  Major change is a "color code" in which previously closed issues will be greyed out; blue is "just been closed"; open/actively discussed/newly created issues will be yellow; other open issues will be in white. In the footer there is a color sample so that grey-scale printing may be matched. The previous list had just the use case/requirements issues; added a section on design issues.
  Put out a second revision but haven't changed blue to grey. New version has been made pretty. Agreed to close group 0 issues in this latest version. Please look at the issues list/versions to track what we are doing.

- Focus (Eve)
  Last time came up with one recommendation for discussion today. Discussed the meta-issue of how to make progress. Agreed on a 75% approval standard before recommending to the TC at large; will generally use straw polls in telecons rather than email ballots. In the latest Focus minutes there are a number of links to other interesting topics, including use of a URI as unique identifier.

- Bindings (Prateek)
  There is a draft that should go out today to be discussed on the bindings con call this Thursday. There have been a number of contributions, including terminology (from Jeff) discussing types of bindings. Types of bindings: addition of SAML assertions to various protocols/object frameworks (how do you insert a SAML assertion into a SOAP document?). The other type is concerned with layering response protocols on top of (e.g.) HTTP. Currently using the term "SAML protocol binding" for this latter type of binding (e.g. SAML request/response layered on top of HTTP); inserting SAML into other protocol flows is a "profile" (e.g. a web browser profile or a SOAP profile for SAML). Another piece is a submission of an HTTP protocol binding; this is being integrated into the document. A third piece is a web-browser profile (calling out the different interaction steps when using a web browser to move a document from one to another).

- Conformance (Krishna)
  Need two documents: conformance clause and conformance plan. Have sent out an outline and are getting responses/feedback.

- Security and Privacy Considerations (Jeff)
  Jeff has been collecting materials. Has not been terribly active.

- Sessions (Hal)
  Appear to have closure on requirements. The open issue of multiple time-out values has been resolved. Moved into discussing message flows (login, logout by user, forced logout by admin, timeout).
  Timeout can be viewed as two phases (timeout and execution); the phases are all the same, so we know that the flows will be. Going off to explore in detail.

- Pass-through (Stephen)
  No report, as Stephen was not on the call.

Liaison reports
===============

Election and Voter Services TC: Krishna Sankar said they may be a "customer" for SAML.

XKMS: Joe Pato is chairing the W3C XKMS workshop on July 19 to decide if W3C should make XKMS a working group.

Technical issues to discuss/approve
===================================

- Focus subcommittee recommendations:
  http://lists.oasis-open.org/archives/security-services/200105/msg00139.html

  . "RECOMMENDATION: We recommend that the design not incorporate any provision for wildcarding for resources, as doing this is essentially to accomplish a policy statement, and policy is out of scope for SAML (draft-sstc-saml-reqs-00 page 6)."

  Point of information: This means specifically all references to accessible resources.

  Debate on the motion:

  Phill: Did not like this, as he thinks that people will invent a way to do this. If we insist on "our" way, people will try to circumvent (and break SAML?).

  Evan: We don't want a SAML standard that includes policy.

  Eve: Interjected with references to what was discussed in the Focus subcommittee. Rationale came down to "there is a job that SAML is trying to do and this isn't it."

  Hal: Wants to do a complete job; we are being asked to do an incomplete job that will be incompatible with XACML.

  Bob: A name-based regular expression match is not the only, nor the best, way to do this. People may want to do this, but this may not be the right way to do this.

  Jeff: Supports Bob.

  Prateek: Have this problem between PDP and PEP. One way to do this is to develop a specific syntax that is a reasonable fit to the problem domain. There may be a nice syntax for hierarchical file systems, but if we 'bake' it into the spec, we are all forced to implement it.

  Tim: Phill's example is handled if you treat directory as ???
  Nigel: Does issuing authority mean the same thing as relying party? Does file system directory always mean that, or does it mean an index.html?

  Jeff: Even though the path portion of a URI may look like a file system path, you cannot presume that is what it is.

  Irving: URLs imply a hierarchical structure; we can relate permissions to that structure whether there is a physical file system behind it or not. The key point is that client and server must agree on who is on first. Is it useful to have the PEP giving a PDP a question that has a wildcard in it? The answer in the Focus subgroup was yes; they are going to go and look at this independent of XACML. Do you want to support wildcarding in a policy database? This should be internal to a product and shouldn't be required of SAML.

  Nigel: Speaks against the recommendation as worded; would like to refer to the definition of policy as in one of our April drafts. This seems to equate policy to ACLs. What Nigel meant were assertions such as "Nigel can access this set of resources."

  Hal: The reason the directory issue was brought up was that it was argued that a simple wildcard scheme would be dead easy (access control in a directory), but this presupposes a particular implementation that may be false. What happened at the Focus group was a scenario where an enhanced/partial PEP makes requests and the PDP says "not only can Joe access X, but Joe can access Y and Z." This is a partial policy/policy caching issue.

  Nigel: What is the "corollary" of this recommendation? Does this impact other parts/examples/scenarios?

  Phill: Wildcards are currently not in the draft; if you added them, you would not have a well-formed URI.

  Eve: Summary: this is a design idea that came up. The Focus group recommended NOT to add it to the spec.

  Hal: Noted later that there is a mention of wildcards on p. 6 of 07.

  VOTE: recorded as "wildcard vote" in Heather's voting list.

- Any comments on the requirements document? What does this say of the open issues that are in the requirements/use case area?
  Eve: All issues that were not explicitly listed last time were closed. There may be issues in the issues list, but not in the requirements doc. Much discussion on types of documents and what it means to have a committee spec vs. draft spec vs. RFC. We agreed that the requirements document is ready to be treated as a "Draft Committee Specification."

Open mike (new issues)
======================

(See below for a summary of open design issues.)

New issue (from Prateek): Audit of assertions - in email of 28 May.

New issue (from Marlena): Do we do nesting of attributes (based on someone's definition of roles as nested attributes)?
  Tim: With minimal extensions (roles of principals, attributes for roles), it is clear how the design accommodates this.
  Marlena: Are roles called out separately? Can roles be principals?

New issue (from Phil/Tim): Should attributes and roles be identified as separate objects?

New issue (from Phil/Tim): Should attributes have some 'attribute-value' type structure to them?
  These two issues are linked, in that if attributes have structure, roles should be atomic.

New issue (from Phil/Tim): Do you want a mechanism to state that someone does not have a role?

New issue (from Darren): Design seemed to be biased towards roles; wanted to see emphasis on rules. This is handled by the above three issues.

New issue (from Tim): What is the appropriate style for the request protocol? This is in the issues list - how does it come to closure? This will have to be discussed in the Focus meeting.

Adjourned at 12:38pm Central Time.

Adjourn
=======

(Next meeting: 5 June 2001 Focus telecon)

Focus subcommittee agenda
=========================

- We will focus on making issues concrete/decidable. Champions need to send candidate decidable wording by next Monday. Each should contain a brief description/analysis of the problem and concrete proposals for each option that solves the problem.
- Latest issues list:
  http://lists.oasis-open.org/archives/security-services/200105/doc00011.doc

- DS-1-01: Referring to Subject (p. 86)
  ACTION: Eve to ask BobB if he'll be its champion.

- DS-1-01 (sic): Anonymity Technique
  ACTION: Marlena to champion this and confer with BobB and Phill.

- DS-2-01: Wildcard Resources
  Closed today.

- DS-3-01: DoNotCache
  ACTION: Hal to champion this.

- DS-3-02: ClockSkew
  ACTION: Hal to see if the issue list text is sufficient or needs more explication.

- DS-3-03: ValidityDependsUpon
  ACTION: Prateek to champion this.

- DS-4-01: Top or Bottom Typing
  ACTION: Dave to champion this.

- DS-4-02: XML Terminology (better to call it "Messages and Packaging"?)
  ACTION: Jeff to champion this.

- DS-4-03: Assertion Request Template
  ACTION: Tim and Dave to brainstorm further on how to proceed.

- DS-4-04: URIs for Assertion IDs
  Jeff already has an action on this, so we'll be satisfied with that for now.

Attendance list
===============

Voting members:
  Carlisle Adams, Entrust
  Steve Anderson, OpenNetwork
  Bob Blakley, Tivoli
  Marc Chanliau, Netegrity
  Nigel Edwards, HP
  Jeremy Epstein, webMethods
  Marlena Erdos, Tivoli
  Mark Griesi, OpenNetworks
  Robert Griffin, Entrust
  Philip Hallam-Baker, Verisign
  Heather Hinton, Tivoli
  Jeff Hodges, Oblix
  Maryann Hondo, IBM
  Hal Lockhart, Entegrity
  Michael Lyons, OpenNetwork
  Eve Maler, Sun
  Prateek Mishra, Netegrity
  Ron Monzillo, Sun
  Jahan Moreh, Sigaba
  Tim Moses, Entrust
  Sridhar Muppidi, Tivoli
  David Orchard, Jamcracker
  Tony Palmer, Vordel
  Pramod Pathak, Vordel
  Joe Pato, HP
  Gilbert Pilz, Jamcracker
  Darren Platt, Securant
  Evan Prodromou, Outlook
  Aravindan Ranganathan, Sun
  Irving Reid, Baltimore
  Jason Rouault, HP
  Krishna Sankar, Cisco
  Ed Simon, Entrust
  Mark Vandenwauver, Tivoli
  Ken Yagen, Crosslogix

New member report:
  Chris Ferris, Sun <chris.ferris@east.sun.com>
  David Hofert, Sun <david.hofert@sun.com>
  Regunathan Rajaiah, Netscape <ragu@netscape.com>
  Zahid Ahmed, CommerceOne <zahid.ahmed@commerceone.com>
  Shawn Campbell, Windermere Group <scampbell@witsusa.com>
  Mark O'Neill, Vordel <mark.oneill@vordel.com>
  Pramod Pathak, Vordel <pramod.pathak@vordel.com>
  Bill Pope, Bowstreet <bpope@bowstreet.com>

Removed member report:
  Patrick McLaughlin, Baltimore <pmclaughlin@baltimore.com>
  Alex Ceponkus, Bowstreet <aceponkus@bowstreet.com>
  Duane Hamilton, OpenNetwork <dhamilton@opennetwork.com>
  Eric Olden, Securant <eric@securant.com>
  Ron Williams, Tivoli <ron.williams@tivoli.com>
  Warwick Ford, Verisign <WFord@verisign.com>
  Thane Plambeck, Verisign <tplambeck@verisign.com>

-- 
Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Development  eve.maler @ east.sun.com