security-services message

Subject: Minutes for Focus subgroup 19 June 2001 telecon


[caveat: I'm going to cut corners as I see fit, such as capitalization,
filling out full names, and such, in order to crank these out more quickly, and
because they're "informal". Please let me know if I cut a corner that's important
to you and we can negotiate it.

notation...

"core-08" refers to..
http://www.oasis-open.org/committees/security/docs/draft-sstc-core-08.pdf

"assertion-00" refers to..
http://www.oasis-open.org/committees/security/docs/draft-orchard-maler-assertion-00.pdf

"protocols-00" refers to..
http://www.oasis-open.org/committees/security/docs/draft-sstc-protocols-00.pdf


]


Attendees
=========
gaveraj 
irving
hal
fred
carlisle
tim 
jason
daveo
gil
prateek
darren
eve
phill 
thomasH


> 
> Running list of ACTION items
> ============================
> ACTION: Bob Blakley to develop and circulate a Word template for all
> specification contributors to use.
> - Target date 12 June

We have not seen the Word template yet.

> 
> ACTION: Bob Blakley to propose simplified assertion data structures based
> on Phill's new document. [subsumed by Dave/Eve's work/proposal?]

done.

> 
> ACTION: Prateek to do traceability review before the next TC telecon.
> [in wait-state]

in wait-state.

> 
> ACTION: Jeff Hodges to update the Glossary to reflect F2F #2 decisions.
> - target date 12 Jun 01

in wait-state.

> 
> ACTION: Eve to create master bibliography and provide bibliography section
> for document guidelines.
> - Target date 5 June 01


in wait-state.

> 
> ACTION: Subgroup leaders to get new materials to BobB (and security-
> editors list) by COB June 14 in preparation for publishing the F2F
> versions of the spec. [in-progress as this is written]

in-progress. [It's got to be "done", for some definition of done, this week
because F2F #3 is next week.]


> 
> ACTION: Marlena to champion DS-1-02, Anonymity Technique, and confer with
> BobB and Phill. [in progress]

in-progress [though Marlena wasn't on the call to actually report on it].

> 
> ACTION: Hal to see if the issue list text for DS-3-02, ClockSkew, is
> sufficient or needs more explication. [in progress]

done.


> 
> ACTION: Prateek to champion DS-3-03, ValidityDependsUpon. [in progress??]

in wait-state.

> 
> ACTION: Dave to champion DS-4-01, Top or Bottom Typing. [in progress??]

One side is championed by assertion-00, but the opposing view (i.e. the one
embodied in core-08) hasn't been written up yet such that the entire package is
in a "decidable form".

At this point we're going to have DS-4-01 reference the two docs. This action
itself is done.

More discussion surrounding the dichotomy between the two aforementioned docs in
the minutes below. 


> ACTION: Jeff to champion DS-4-02, XML Terminology, aka Messages and
> Packaging.

in wait-state. 

> 
> ACTION: Tim and Dave to brainstorm further on how to proceed with DS-4-03,
> Assertion Request Template.

Have DS-4-03 reference core-08 and assertion-00. This action itself is done.

Eve: "What list of requests can SAML authorities handle?" is the question.

For example, the types of request methods are captured in the "Request Methods"
section in assertion-00.

More discussion surrounding the dichotomy between the two aforementioned docs in
the minutes below. 


> ACTION: [from 5 June 2001 focus telecon] Dave and Eve to come up with a small
> selection of diagrams that show different options in time for the next telecon.

done.

> ACTION: Dave and Eve will try to combine and flesh out their assertion
> proposals for the purposes of the F2F version of the spec, and check with
> Phill to see if he wants to move forward with that or propose a core-08
> alternative.  Whatever proposals are available will be put into the
> assertion chapter of the spec.

done. 

Eve noted that core-08 and assertion-00 should be read side by side and are
arguably converging.





> Design Discussions
> ==================
> 
> Background:
> 
>   Minutes for Focus subgroup 5 June 2001 telecon
>   http://lists.oasis-open.org/archives/security-services/200106/msg00026.html
> 
>   minutes of SSTC/Focus 12 June 2001 telecon
>   http://lists.oasis-open.org/archives/security-services/200106/msg00103.html
> 
> On the table: Core Assertion designs
> 
> 1. draft-sstc-core-08.pdf
> 
> http://www.oasis-open.org/committees/security/docs/draft-sstc-core-08.pdf
> 
> 2. draft-orchard-maler-assertion-00.pdf
> 
> http://www.oasis-open.org/committees/security/docs/draft-orchard-maler-assertion-00.pdf
> 
> Existing questions [from minutes of SSTC/Focus 12 June 2001 telecon]:
> 
> A. Are we designing our own query language, or are we intending to profile
> XML Query, or do we really need "queries" for our SAML requests?
> 
> B. There's a question about whether schemas for assertions are related to
> schemas for queries/requests.  We need to design the atoms in order to get
> guidance on the higher levels.
> 
> Item 1: Can we make decisions or at least narrow the undecided ground where the
> above two questions are concerned?
> 
> Item 2: Are there other overall systemic questions (i.e. we MUST decide them)
> like the above that we can identify in this session?


In trying to have a discussion of what we want to discuss at the F2F #3 next
week, we had a somewhat depth-first discussion of the array of issues in front
of us, nominally centered on items A and B in the quote from the agenda for this
meeting, above. Below is what seemed to me to be the significant observations
from the entire discussion, meshed together in what I hope is a sensible
fashion...


Eve suggested: can we brainstorm on what the 5 or 10 big questions are that we
need to decide by the end of the F2F, and then use that to guide discussions
today and at the F2F? E.g. request, response and assertion structures. [There
was nominal agreement.]

Highlights from the free-form discussion, as it pertains to our upcoming
discussions at the F2F #3 next week...

* (Eve) There's a desire on some folks' part to stay away from the intricacies
of XML Schema itself as much as possible. (DaveO) It remains to be seen how much
we'll be able to.

* (Phill) Maybe we need to think more about typing at the request/response level
because that'll mesh with WSDL better. Factor out certain things so they can be
handled in a WSDL interface spec. Something to think about.

  WSDL is being pronounced by some as "weasel".


* (Phill) Shouldn't use XQuery now, but leave it open to use it; do use
concepts and techniques from it for now, i.e. "more formal" than what's
presently embodied in core-08 and assertion-00. Strongly typed requests are
going to be necessary. The data models of currently deployed authz systems
are so different from the SQL style of XQuery that trying to map the two will
be too onerous.

* (DaveO) There are all sorts of good reasons to use XQuery (enumerated some of
them). [Later in the discussion:] however, if the supposition is that we don't
want to ask very many different requests, then the need for XML Query tends to
decrease.

* (Eve) If we decide on using XQuery, not sharing structure between requests and
responses is decided.

* (Hal) Who asks what doesn't really matter; one can ask almost anything of any
authority. Doesn't necessarily think the question looks like the answer.

* (several) What's the "authorization assertion" construct in assertion-00 for?
   Dave, Eve, Darren: it's a way to construct decision assertions.

* (Phill) thinks "Authorization Claims" will be represented via attributes and
there isn't anything we can do about this. 

***ACTION: phill to write up this notion for the list.

* (Hal) disagrees whether there's an open question that an Authz Decision
Assertion can be more than "yes, x can do y".

* (Eve) Assertions aren't the be-all and end-all. [I.e. requests, along with
who's sending what requests to whom, and for what purpose, are important to
consider in the overall picture.]

* (JeffH) We need to be sure to fold the thinking embodied in protocols-00
  into our discussion. There's thinking therein about who is requesting what
  from whom (e.g. Table 1) that we don't necessarily need to reinvent, and
  should consider.

  Tim Moses said he'd arm Carlisle with appropriate slides to use to present 
  his/their thinking along these lines. 


* (Darren) We need a rank-ordered list of reading material.

***ACTION: JeffH/BobB to get such to the list asap. 



Discussion about the F2F #3 Agenda
===================================


We'd nominally thrown out these general categories of discussions to have...

* how extensible/general do we want requests to be on a per-authority basis?

* discuss each kind of assertion structure and what they are;
  specifically in question is the purpose of the "Authz Assertion" in assertion-00

* how rich do we want the assertions themselves to be?
 

But Hal suggested that perhaps we need to slice the set of topics from another
perspective and discuss, each in turn, the assertion types plus their
associated/related requests/responses. 

The below skeleton agenda is what grew out of ensuing discussions...


Skeleton F2F #3 Agenda
======================

* presentations -- subcommittee reports
  * focus
    philosophical diffs presentation (see below)
  * bindings discussion
   - information transfer: terminology, issues
   - extended discussion later (second day?)
  * conformance
   - NIST folks, presentation?
  * sessions - Gil
  * passthru - Irving to tug at Steve's sleeve

* "authz dec assert" + related requests/responses

* "attr assert" + related requests/responses

* look at "authn assert" + related requests/responses
 - proponent presentations?
 - capture issues

  Phill: what exactly does this mean? Has relations to bindings work.
  [Made a comment that in assertion-00 there's a subject/object but no verb? Or
   was it subject/verb but no object?]

* now, what've we learned about requests/responses overall? Is there commonality
  to factor out? Are there any nuances we need to factor back into the above
  three categories in another iteration?

* detailed discussions about bindings

---

Eve: philosophical differences between assertion-00 and core-08
* query syntax
  * using XQuery
    want to be able to ask a fair number of requests; allow for this
    allow for requests to change in future without revising the SAML spec

* separate request structure from assertion structure
  * in assertion-00 requests don't look like responses
  * in core-08/07 they do



----------------------------------------

The below list from the agenda was not explicitly discussed. 

> Overall Issues and concerns
> ===========================
> 
> Item: How to prioritize issues resolution?
> 
> Current issues list is V02 (unless Hal updates it before 19 June):
> http://lists.oasis-open.org/archives/security-services/200105/doc00011.doc
> 
> Open issues (plus any waiting to be added by Hal):
> 
> UC-1-05: FirstContact (p. 13)
> UC-2-05: EMarketplace (p. 29)
> UC-7-01: Enveloping (p. 56)
> UC-7-02: Enveloped (p. 56)
> UC-8-02: IntermediaryAdd (p. 58)
> UC-8-03: IntermediaryDelete (p. 61)
> UC-8-04: IntermediaryEdit (p. 63)
> UC-8-05: AtomicAssertion (p. 65)
> UC-9-01: RuntimePrivacy (p. 67)
> UC-9-02: PrivacyStatement (p. 67)
> UC-13-07: Hailstorm Interoperability (p. 85)
> DS-1-01: Referring to Subject (p. 86) BobB?
> DS-1-01: Anonymity Technique (p. 86) Marlena
> DS-3-01: DoNotCache (p. 88) Hal
> DS-3-02: ClockSkew (p. 88) Hal
> DS-3-03: ValidityDependsUpon (p. 88) Prateek
> DS-4-01: Top or Bottom Typing (p. 89) Dave
> DS-4-02: XML Terminology (p. 89) Jeff
> DS-4-03: Assertion Request Template (p. 89) (Tim/Dave initially)
> DS-4-04: URIs for Assertion IDs (p. 89) (Jeff initially)
> 
> [others to add?]
> 


---
end

