OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [security-services] Minutes for SSTC Telecon, Tuesday Dec 11

Minutes for SSTC Telecon, Tuesday Dec 11
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

> 1 -- Roll Call

- Attendance attached to bottom of these minutes
- Quorum achieved.

> 2 -- Review of agenda

- Joe: Two items to add
    - Dealing with the issues list
    - Changes to docs from present action items list

> 3 -- Approve Minutes from last call: < http://lists.oasis-open.org/
>      archives/security-services/200111/msg00064.html >


> 4 -- Confirm Last-Call process < http://lists.oasis-open.org/
>      archives/security-services/200112/msg00009.html > as amended by
>      Eve: I think sec-conform and glossary must be part of the
>      deliverables.

- BobG: discussion of conformance issues
- Joe: seeking consensus on motion
- Jeff: quote of Eve should reference just "conform" rather than
- Jeff: clarified that sec considerations and conformance and
  glossary are effectively added to core and bindings as deliverables

> 5 -- Confirm Editor Availability:  All editors and the issue list
>      editor will have to confirm their high availability in December
>      and January to make this work.

- Eve: superceded by events, as Eve has herself stepped in
- Many thanks to Eve for doing so
- Doc status
    - Core: in good hands
    - Bindings: in good hands
    - Sec considerations: may be on different (longer) timeline
    - Glossary: Marc now owns & will generate something this week.
      Some holes, but in pretty good shape for now
    - Conformance: There are 2 difference approaches proposed in this,
      which require discussion today
    - Domain Model: phantom doc, which Eve believes should be
      integrated in Concepts section of core
        - Hal: how about combining with glossary
        - Eve: could work, some pros, some cons
        - JeffH: would prefer it to go into core, predicting most
          people will pick up core first
- Candidate date for last call announcement: Jan 8
- Candidate date for final vote: 2 weeks later, Jan 22
- Hal: is this intended to proceed as all 5 docs together, or will
  the docs proceed independently?
    - E.g., conformance approach hasn’t been seriously discussed yet
    - Sec-considerations is still in first draft state as well
    - Idea given consideration
    - Eve uncomfortable proceeding without all 5 docs synchronized
    - Chris: notes that changes to something like sec-considerations
      may produce changes to other docs like core
    - We should shift our attention to conformance and sec-
      considerations to bring them up to speed, so they can all be
      presented in last call announcement
- So, guarantees pushing out last call to February
- Will this affect publicized March date?
    - no
- Will there be 3 implementations by March?
    - We want a more defined criteria than what OASIS requires
- Would we need a sixth F2F?
    - Would be a good interop opportunity
- For each organization that can state implementation or plan for
  implementation of standard, please email committee chairs this week
    - Prefer to keep this off of main list for now
    - Please state degree of completeness in email
    - Also indicate comfort level with making your implementation
      claims/plans public
- Summary: we’ve identified that sec-considerations & conformance docs
  are on critical path for last call process
- Eve: realistic to shoot for 9 Jan release of fresh drafts of all 5
  docs, plus FAQ
- Joe: makes 8 Jan Conf Call very important

> 6 -- Review status of milestones
> [M1 - Prateek] - publish bindings-07 during week of Dec 3.
> Status: Document available 6-Dec < http://lists.oasis-open.org/
>         archives/security-services/200112/msg00028.html >
>         Comments due 12-Dec.

- Doc available.  Comments coming in.

> [M2 - Tim, Simon, Irving] - detailed reviews: Tim - section 4.1;
> Simon - section 3.1; Irving - section 4.2
> Status: Comments due 12-Dec.
>     Simon: http://lists.oasis-open.org/archives/security-services/
>            200112/msg00038.html

- Tim has published some comments today
- Irving at IETF today, but will try to get deliverables in tomorrow

> [M3 - Prateek] - publish bindings-08 during week of  Dec 17.

- Prateek: still believes it is doable, with some small possible
- Joe: any feeling among the group that there will be any larger class
  of issues that the ones that have been coming in?
    - Not really

> 7 -- Review status of action items - and move to resolution
> [A3: Prateek] - Section 3.1.5, need to further define error cases
> Status: Still open pending issuance of bindings-07, need to confirm
> core reflects changes

- Actually, it is a core issue, which is still open
- Changing ownership of this item to Phill
- Change wording to reflect that bindings did its task

> [A4: Prateek] - Section 4.1.1, create a diagram for this section
> Status: still open pending -07

- done

> [A5: BobB] - Section 4.1.3 472-473, text to clarify construction of
> ID (w.r.t. uniqueness)
> Status: open

- Joe will contact BobB offline directly

> [A6: Prateek] - Line 565, capture the threat (leading to requiring a
> <saml:audience>, then decide to leave it, change it, or strike it
> Status: open pending -07

- Bindings-07 removed this material, and includes appropriate

> [A7: Simon] - text for "things you might do in step 6"
> Status: proposed text < http://lists.oasis-open.org/archives/
> security-services/200112/msg00040.html >

- no feedback to Simon’s proposed text
- not in bindings-07, so will go into --08
- no concerns on call with Simon’s proposal

> [A9: Irving] - line 788-791, provide clarifying language for
> application level error handling. Tied to Scott's status code
> proposal
> < http://lists.oasis-open.org/archives/security-services/200111/
>   msg00049.html >
> Status: open pending -07

- Prateek: believes this is distinct from the status codes issue, and
  Irving has given clarifying text on this
- Scott: agrees

> [A11: Irving] - line 824-829, Irving to research and propose language
> to weaken requirement on signing over entire message (body and
> headers). The proposal is to require signing over assertion headers
> and body only. Other components are to be signed by agreement between
> sender and receiver (out of scope for us).
> Status: < http://lists.oasis-open.org/archives/security-services/
> 200112/msg00020.html >
> pending -07

- Done

> [A12: Irving] - line 847-848, change "subject" to "sender"
> Status: pending -07

- in -07

> [A13: Prateek] - add text on threat model and security counter
> measures
> Status: pending -07

- in -07

> [A15: Chris] - Write up advice on how to use current approach to
> generic slots for attributes
> Status: Thread beginning: < http://lists.oasis-open.org/
> archives/security-services/200112/msg00006.html >

- Chris: written up, but still not sure where to put this
- Prateek: this is issue for core
- Eve: could be appendix
- Chris: fine with that
- This could be integrated in the section on value and used as an
  example, so long as its non-normative status is clear
- Joe: objects to using color coding to convey normative vs. non-
  normative status, due to printing issues and color-blind readers
- Will leave open until Eve has chance to do another edit

> [A18: Phill] - completion of error code specification for core
> Status: still open

- Still open

> [A20: Prateek] - Need for additional ConfirmationMethod identifiers
> (Prateek and Phil)
> Bindings-06 uses two identifiers not found in core: HolderOfKey and
> SenderVouches. It is important to understand that no change in schema
> is being proposed, only new text and constants for Section 5 of core.
> Prateek to send Phil necessary text.
> Status - Still open

- Prateek published note this morning
- Still must be integrated by Phill
- Still open

> [A22: Irving] - core line 752, return code for completeness specifier:

> < http://lists.oasis-open.org/archives/security-services/
>   200111/msg00031.html >
> Status: still open

- Still pending Phill
- Code has been published
- Owner changes to Phill
- Semantic meaning is still unresolved
- Scott leans to less security-related interpretation,
  which suggests option ‘b’ (in mail list reference above)
- Hal: sees it as a way for implementations to avoid doing some
  work, when a set of attrs are requested, and not all are returned
- Hal will write up if necessary, but is there anyone who still
  wants this?
- Doesn’t view it as essential, since requestor can still detect the
  condition and react as necessary
- <<discussion>>
- Eve: proposes removing completeness specifier, adding a simple status
  code "non-complete results due to reasons other than processing
  failures" where partial result will be returned
- Should the causes for not returning all attrs be treated with
  different codes?
- Hal: this completeness specifier was explicitly requested last
  summer, so we should give fair notice before dropping it
- Eve will write up complete proposal and submit to list
- Scott will finish this for Eve if Eve doesn’t finish before leaving
  for vacation

> [A24: Phill] - Bring together Tim's etc. text for the Authentication
> mechanism section.
> Status - [In progress] still open

- Eve: apologizes, but didn’t know about it, or it would have gone into
- JeffH: was this approved?
- Tim: doesn’t think it’s had discussion, and he thought getting it
  into draft would cause discussion
- Joe: expected Phill to add to core as action item from F2F#5, so we
  must have given tacit approval
- JeffH: in F2F#5, day #2 raw notes, found evidence that we decided to
  add this to core
- Tim to send pointer to Eve, and Eve will add to core-22
- Open pending Eve’s edits

> [A25: Phill & Eve]  - Eve's reorganization of preamble
> Status - still open - in Eve's control this week

- Done
- [Closed]

> [A26: Phill] - text on the <RespondWith> option voted for at F2F#5
> Status - still open

- still open, remains Phill’s

> 8 -- Dealing with the issues list

- Issues-06 is out of date
- Hal has been unofficially out for a while, but will now get back on
  track, and be available through February

> 9 -- Changes to docs from present action items list

- Working itself out

> 10 -- Conformance

- Candidate approaches
- BobG: we’ve always planned for "levels" of conformance
- Conformance-07 defines these levels in terms of the domain model
- Has found lots of overlap of assertions used by various domain model
- Has also found that implementations don’t appear that they will
  follow that model
- Looking at going back with an assertion-specific approach to
  conformance levels, with producer/consumer qualifiers
- Reflected in a version of the doc, conformance-07a
- Proposes sending both docs out for discussion
- Eve had suggested a questionnaire for implementers to use to identify
  conformance requirements, which BobG has taken a stab at
- Alternate proposal leaves possibility for implementations to claim
  conformance, but not interoperate
- Hal: uncomfortable with claims to conformance still leaving real
  possibility of no interop
- Eve: suggests attaching names to conformance levels to make vendor
  claims more clear
- BobG: must accommodate different bindings
- Scott: already identified trust model to be out of scope, and some
  app-specific implementation details, so interop challenges will
  always exist
- Prateek: bindings and profiles feel like feature material, where core
  feels like concrete, conformance-testable material
- [ACTION ITEM] BobG will send out both versions of the spec, along
  with draft of questionnaire for discussion
- Hopes to include discussion of this in next week’s focus group call

> 11 -- Eve’s comments on Core-21

- Not enough time to cover

> 12 -- Additional Items

- Proposal to eliminate SingleAssertion and AbstractAssertion, and
  rename MultipleAssertion to Assertion
    - [ACCEPTED]

> 13 -- Adjourn

- Adjourned


Attendence of Voting Members:

  Allen Rogers Authentica
  Larry Hollowood Bank of America
  Ken Yagen Crosslogix
  Simon Godik Crosslogix
  Hal Lockhart Entegrity
  Carlisle Adams Entrust
  Robert Griffin Entrust
  Tim Moses Entrust
  Don Flinn Hitachi
  Joe Pato HP
  Jason Rouault HP
  Chris McLaren Netegrity
  Marc Chanliau Netegrity
  Prateek Mishra Netegrity
  Jeff Hodges Oblix
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Jeff Bohren OpenNetwork
  Darren Platt RSA
  Jahan Moreh Sigaba
  Eve Maler  Sun
  Emily Xu Sun
  Bob Morgan UWashington

Attendance of Observers or Prospective Members:

  Scott Cantor OSU

Membership Status Changes:

  Gavenraj Sodhi BusinessLayers -- re-instated after leave of absence
  Alex Berson Entrust -- granted voting status after 3 meetings during
                         prospective status
  Maryann Hondo IBM -- lost voting status by missing 3 consecutive
  Sridhar Muppidi Tivoli -- lost voting status by missing 3 consecutive

Steve Anderson
OpenNetwork Technologies
727-561-9500 x241

tel;work:727-561-9500 x241
org:OpenNetwork Technologies
title:Product Architect
adr;quoted-printable:;;13577 Feather Sound Drive=0D=0ASuite 330;Clearwater;Florida;33762;USA
fn:Steve Anderson

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC