
security-services message



Subject: Minutes of SSTC/Focus 7 Aug 2001 telecon


Thanks to Raj for taking the notes. Apologies for not polishing them up this
time 'round. 

JeffH



Old minutes notes are in "" below.  Let me know if you have any questions.  -Gavenraj

 

 

Meeting Minutes from 07 August OASIS SSTC

 

Attendance

 

Minutes

 

 

 

 

 

"Agenda - August 7 Teleconf

 

Administrative

==============

- Membership report: new/removed members (Gavenraj)

 

- Roll call (Gavenraj)

 

- Approval of/additions to this agenda"

 

      - Any items to be added to agenda:

 

                        - Heather should announce when she has her baby :-)

 

-         Nothing else

 

 

 

ACTION items

============

 

"ACTION: Prateek to start traceability review before the next TC telecon using discussion-01 docs and going back to use cases"

      - Traceability review - wait state

 

------

"ACTION: Jeff to create master bibliography and provide bibliography section for document guidelines based on Eve's draft submission to him. (Jeff was on the hook to try to get this done by 10-Aug)"

      - Bibliography:  In stack below security considerations stuff.

 

------

"ACTION: Marlena to champion DS-1-02, Anonymity Technique, and confer with BobB and Phill. Marlena has been on vacation (due back mid-Aug) - any progress beyond initial thread on list?"

 

-          Sent two messages out.  Had good discussion with Prateek.

-          Are any folks interested, please contribute to thread.

 

------

"ACTION: Prateek to champion DS-3-03, ValidityDependsUpon."

      - Will close this by the end of the week.

 

------

"ACTION: Jeff to champion DS-4-02, XML Terminology, aka Messages and Packaging."

      - In stack with bibliography below security considerations.

 

------

"ACTION: Hal to take Jeff's work on classification and composition of Identifiers and "take it a step further"."

      - still on hold, but getting closer.  Bob will check with Jeff and Hal.

 

------

 

"ACTION:  Phill, Prateek, Chris, and Dave to create core 12 (including stuff from the discussion docs described above and Phill's comments) that Prateek, Chris, David and Phill can agree upon amongst themselves. This item retained to allow Dave, who has just returned from vacation, to comment."

      - Retained item for Dave Orchard to comment.  Documents are in repository.  Reasonable details of comments are available.  Feeling is that action item has been met.  Core 12 is not final specification, but reasonable base to work from.  Dave's comments are to produce a draft for the F2F meeting.  Doesn't think that they are fully accurately caught up.  Prioritize and divergent from F2F meeting. Prateek does not feel that there is not a divergence from the F2F meeting.  Devote some time on call for core 12.  Suggestion is to discuss Dave's and Prateek's core 12?   Both are comfortable that there are small areas of controversy at the element schema level.

 

------

"ACTION: Hal to comb thru core-12 post issuance and identify those issues that he feels it addresses (as a way to try cull the open issues in the Issues doc).

see: http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-issues-04.pdf"

      - Still open.  Comment is that Hal will commence this now.

 

------

"ACTION: Joe to Post Evite poll for detailed F2F#4 attendance."

 

      - Will send out as soon as possible.

 

 

 

Subcommittee reports

====================

"- Issues list (Hal)"

      - It is ready to go now.  Decided to include issues raised in Krishna's and Prateek's conversation.  Going through the F2F#3 issues, identified five action items:

      1) Trim down issues list by getting rid of frivolous diagrams.

      2) Request for dynamics sessions group to document between local and global session timeouts.

      3) Issues word template.

      4)  Clean up document repository

      5)  Bob Blakely announced that he would discuss bearer subject.  Canonical form about the name has only been discussed.  Carlisle and Bob have been talking about this.

 

-          Should add Item 2, 4, and 5 to action items list.

-          Will send out message clearly outlined.

-          Issues a short document of an accounting of where went where for issues from F2F, cross-referencing issues.  Will be a mapping.

 

 

"- Focus (Jeff for now)"

      - Core 12 is out and there have been some comments on it.  Task of focus group is to move forward on resolving issues on design and working toward well-rounded specified design.

 

"- Bindings (Prateek)"

      - Bindings group has completed bindings 04.  Can address issues brought forward.  Will send out note summarizing issues.  One group of issues has to do with boxcarring SAML messages.  More than a single request (e.g., HTTP request).  Will TC support that at all, whether Binding group should be looking for binding solution.

      - DSIG, developing a SAML profile of DSIG.  What forms of signing, what parts of the spec, has input on spec.  Specifically detached signatures.  Evan Prodromou was working on this but Prateek needed to bring this out.

      - Seem to be back to web browser profile.  Appear to be two (2) web browser profiles: 1) passing small SAML artifact followed by poll step; 2) Use of a Post, where an assertion is carried within a post.  Coming up is an examination of Shibboleth.

      - Evan did post a message of DSIG several weeks ago.

 

"- Conformance (Robert Griffin)"

      - Bob sent a note he can not make the call.  He is organizing a call for Friday, August 17, 2001, discussing hopefully more test cases and reference implementations.

 

"- Considerations (Jeff for now)"

      - Document is in skeleton format on security-considerations list.  In IETF context, security considerations, Jeff will get this out this week as Jeff will be on vacation next week.  Several people have stated interest to get involved.  Hopefully use a document to focus a discussion.

      - Action:  Get document out this week.

 

"- Sessions (Hal)"

      - Nothing has been happening.  Hopefully get something out before F2F.

 

"- Pass-through (Stephen)"

      - Not on call.

 

Liaison reports

===============

"XKMS, XML Encryption, XML Protocol, BEEP, Shibboleth, DSML, XACML..."

      - Gavenraj:  Request SAML information.

      - Bob Morgan:  Shibboleth created quite a lot of design.  Looking to implement in June but did not.  Looking to get it underway very shortly.  No specific pointers.

 

"Doc Editor/Repository report"

============================

-          Bob Blakely is not on call.  Copy security-editors if you want to get anything in Document Repository.  Will work with Joe this week.

-          Would be nice to have whiteboard transcript.  It is there in the minutes directory from webpage.

-          Action item JeffH:  Update F2F#3.txt file minutes for Hal's comments.

o        Comment:  Link is not obvious.

 

"Telecon July 24 Minutes approval"

================================

 

      - Can we approve minutes from prior teleconference?  Yes.  Approved by acclamation.

 

Open mike (new issues)

 

      - None.

 

 

 

Adjourn

=======

"Next Focus subgroup meeting: 14-Aug-2001 telecon; +1 334 262 0740 participant code #856956

Next official SSTC meeting: 21-Aug-2001 telecon; +1 334 262 0740 participant code #856956

Next Face-to-Face: 27-Aug-2001 - 29-Aug-2001, Waltham MA, Hitachi to host."

 

=======================================================================

 

Focus subcommittee agenda

=========================

 

"Discussion of Issues with Core-12 raised by Stephen Farrell, Tim Moses et.al."

-          Been comments by Stephen, Dave Orchard, and Prateek.  Iron out inconsistencies.  Let's put to bed now.

-          Items that are specific:

o        Dave Orchard:  Ok to punt for another week. 

-          Object resource and action, as described in minutes, do not have intermediary structure in core-12.  Was in core-07 but not described in minutes.  Disagree as working group member.  As editor, no notion of intermediary structure. 

-          Prateek:  F2F minutes do not indicate a container.  Correct in assessment that no container was discussed. 

-          May be some value of having a container.  Have Steve comment on this.

-          If there is no container, do you have to add a namespace attribute?

-          Can we have a container for both name space elements?

-          As editors we should accurately record the will.

-          Phillip Hallam Baker:  Not clear that we expressed a will of the TC.  Not fair to introduce procedures.  If there is a problem let's discuss this on merit.

-          Something was discussed in minutes that were not in document.

-          It is not the job of the editor for the problems that arise.

-          The group did not say anything about it.

-          Proposal:  Roll this out as an issue.

-          No issues with that.

-          JeffH:  Let's work from the document.  Let's propose a design on action and resource. 

-          Work of editors is to express the will of the group.

-          Poor form to make these actuations.

-          Editors went through a recycle to get from core-10 to core-12.  Based on discussion on list, core-12 reflects concepts and thoughts on nominal design from F2F#3.  Let's keep this in mind for F2F#4.

-          Any alternative proposals, please write the XML down specifically in the document and move forward with that.

-          Rest of items:

-          Item 0 is not worthwhile discussing.

-          Item 2:  Cardinalities.  Not prepped for this issue

o        Prateek:  When you make an authentication query, specify a single authentication code or all authentication assertions.  This is modeled in schema with cardinalities 0 or 1.  0 stands for any.  Clarification (text) can go in doc.   You can return an assertion with any authentication code.  

o        Phillip:  It looks like we need to take out authentication code.  Will send out note.

-          Core-12 has idea that you will ship have every attribute that relying party will get.  Comment:  Does not go with Item 2.  -Attribute query.  Did we take into account privacy issues? 

-          Prateek: There was good discussion around this.  Requestor will only receive of what requestor is entitled to.

-          In 2.4.1, you can put attributes you are listing.

-          Attribute query should have one name in it.  Schema element.  minOccurs 0.  Attribute line 739 and 740, is probably what Dave Orchard was pointing out.  Subject query type and subject attribute type that had a minOccurs of 0.

o        Corresponds to give me the entire attribute for the subject.

o        Comment:  In F2F#3, didn't we say that we would not cover this.

o        Prateek:  In SAML attribute discussion, following issue#19, there is a listing of several different attribute queries, including giving all attributes for the subject.

o        Basically listing 0 name spaces.

o        Found source of confusion following heading of 2.4.  All requested items you are entitled to see.  Text needs to be updated.

-          Wondering about completeness specifier.

o        Others were also.

o        Seemed to be:  give me back all attributes or any.  With all, I want all of these or don't give me any.  Would we solve this by stating "All or nothing?"

o        Completeness specifier falls into Issues 20 and 21 (which is related).

o        Agreed that this is one cut to resolving the issues.

o        All or nothing may clarify debate.

o        Any objections?  Suggestion is to propose it on the list as part of Core-13.

         Any may become any committed.

o        Hal, which issues identifier should we use?  All items will be in issues list numbering scheme.  Original sources are identified in body.

o        Once new version of issues list is out should identify issues in issues list.  Mapping should work out anyways which Hal is creating.

-          Other higher level concerns for completeness specifier for what you get back is what you get back, gist of Issue 20 and 21 in minutes.

-          Should we go to item 3?  Yes

o        Section 1611, 1612 in core-12.  Basically, it looks like we are missing attribute value can't be defined by schema wildcard.  Cuts down on what business partners can view.

o        Irving:  Value pair can show where value pair is suggested. 

o        Prateek:  Name can support any number of values, XMLSchema wildcards. 

o        Comment:  Wondering about replacing name with value which is any, which is any format of attribute.

o        Comment:  Let's defer on discussion three (3).

o        Action:  Ask Dave Orchard on Item three (3).

o        Defined values by attribute schema.

-          Item 4:  Rejection

o        Minutes suggest 2 or 3 forms of attributes.

o        Role of XPath, as query language

o        Found in discussion in minutes

o        DaveO had problems with Attribute Query

o        Need to look further at minutes and Core-12.

o        Request for Deferring

o        DaveO should respond to Prateek's reply.

o        Line 726 of Core-12 calls out SAML attribute.  Query type carries an attribute element.  Probably a naming problem.

o        Just a specifier

o        Role of attribute here is to provide attribute names for what is called out.

o        Rename attribute element in Line 726 to some other element.

o        Further discussion is required.

o        Looking at Line 442, calling for attribute in query.  From F2F#3, we didn't want to do this.

o        Subtle observation on Dave's part.

o        Attribute must have a name and one or more values.

         Attributes do not have to have values

         Currently specified at any number of values

o        Looking for reference in minutes.

o        We need to make a decision.

         May not go with minutes.

o        Dave needs to respond to Prateek's comments with proposed name elements.

 

-          #2, Someone needs to quantify on issues.

o        DaveO needs to clarify.

-          #3

-          #4

o        DaveO needs to clarify and provide concrete proposals.

-          Item0:  whether rhetorical comments schema changes should be noted?

-          Prateek - should link back to F2F#3 minutes.  How reasonable does it meet intent of minutes?

 

-          Any other comments?

 

o        Point Stephen Farrell made, as to specify client processing.

o        Thoughts and semantics should be specified as reasonably possible

         Server

         Client (range of options available)

 

-          JeffH:  More needs to be put in for server/client behavior.

o        Comment:  Examples of questions to be asked and answered should be used as guidelines.

-          Phillip:  Some issues are minor wording changes.

-          JeffH:  Process needs to be worked out.

o        Can we live with it in this way for version 1??

o        We need to work through this.

 

-          Naming - naming of elements and types

-          Statements for consistent naming elements.

         Would have a lot of fallout if left not done.

-          Prateek - agree with first three (3) comments

-          Phillip - produce schema with changes of names

         Produces document of structure changes

         Schema URI - can we use schema in repository for right now?

         Nominally ok.

 

-          First 3 points are in agreement.

o        Must talk to David Orchard.

o        We have agreement on objective

 

-          Phillip Forward naming to DaveO for further comments

 

-          Next week, focus concall will be handled by Joe Pato.

 

 

 

 

SSTC Meeting

Attendance: Voting Members

Gavenraj Sodhi   Access360

Soke Wan Chua   Access360

Irving Reid   Baltimore

Mack Hicks   Bank of America

Larry Hollowood   Bank of America

Krishna Sankar   Cisco

Ken Yagen   Crosslogix

Hal Lockhart   Entegrity

Fred Moses   Entitlenet

Alex Berson   Entrust

Tim Moses   Entrust

Don Flinn   Hitachi

Nigel Edwards   HP

Jason Rouault   HP

David Orchard   Jamcracker

Gilbert Pilz   Jamcracker

Prateek Mishra   Netegrity

Adam Prishtina   Netscape

Jeff Hodges   Oblix

Charles Knouse   Oblix

Steve Anderson   OpenNetwork

Mark Griesi   OpenNetwork

Michael Lyons   OpenNetworks

Darran Platt   Securant

Evan Prodromou   Securant

Eve Maler   Sun

Aravindan Ranganathan   Sun

Marlena Erdos   Tivoli

Bob Morgan   UWashington

Phillip Hallam-Baker   Verisign

Tony Palmer   Vordel

 

Other Attendance (Prospective Members and Observers)

Simon Godik    Crosslogix

Kris McLaren   Netegrity

 

 

 

 

 

samlmeeting872001.doc




