

Subject: [security-services] Minutes -- 8 January teleconference Agenda

Attendance - call to order

quorum reached.

	Approval of Minutes for 18 Dec Meeting



Status review of document set for 9 Jan 
	Security Considerations

Added Issues Doc to this item for discussion


General Comment: Documents should note burning issues in the status section
at the beginning of the document.

Contributors: if your name is missing from a document, please send a message
to the list and the editor for the document.

==Security Considerations - so far Chris McClaren has only received one
comment on the list (aside from stylistic considerations).
	- Irving is near end of his review and will be sending comments
	- A number of others expect to have content discussion soon.
	- Eve: A fair amount of text exists in "red" which duplicates text
in the bindings doc.
	- Chris: intention was to expand on what exists in the bindings doc,
but is ok with removing it.
	- Prateek: The thinking is that the specific threats and
countermeasures would stay in bindings doc, and more general background
would be in the security consideration document.
	- Eve: much of the text that was copied from bindings contains
normative text and is inappropriate for security considerations document.
We decided that the stuff that's in bindings-model-08 should stay there;
it's normative.
	- Joe: Chris do you have time to go ahead and add the additional
	- Chris: needs input from the rest of the committee to augment the
	- Nothing in security considerations should be normative.
	- for more general issues, bindings should have pointers to security
considerations document.

	** Joe: please pay special attention to this document to make sure
we haven't left stones unturned - at F2F#5 we were concerned that this
review process may require substantive changes in core and binding.

	- Prateek: bindings sub-group has done some of this, so not as
concerned, but agrees that committee should pay attention here soon.

	- Hal: what of the "yellow highlight" text?
	- Chris & Eve: this must come out and will be addressed
	- Hal: what about privacy considerations?
	- Chris: he has only been considering security considerations
	- Chris: Commits to taking the privacy material from the document
and the list and integrating into a more clearly privacy note.

==Conformance - December meeting has led to a third model reflecting
bindings rather than a partition of assertions - this has led to both an
easier model for working and for developing test cases.
	This document needs review as it has first emerged this week. There
are several detailed editorial items (e.g., references in the body of text
and stylistic concerns).

	- Jeff: are there near term "must dos" before the last call working
draft set?
	- Bob: two sections need to move up, test suite - first version of
document explicitly states that there is no commitment to a suite; third
party certification - not developed in this generation of the doc. Plan is
to leave these section headers with text that states that this will be
addressed in later revisions of the spec.
	send issues to list by noon ET tomorrow, then can get out by end of
	- (Forward reference, philosophical note on what aspects of spec are
mandatory to implement will appear in the status section of Conformance

== Bindings Doc
	No known outstanding issues, Prateek has a note from Tim covering
non-normative text. Would have liked to have seen some level of review in
the last few weeks, but this has not really happened - but Prateek does not
see any issues in the doc.

	- Eve: now that we have two web-browser profiles, wonders if we need
two variants of the SOAP profile. (one each for holder-of-key and
	- Jeff: from F2F#5 recollects - but can't find in minutes a
discussion that we were only going to do one profile...
	- Prateek: at one time Hal had been concerned with the plurality of
profiles, but we have continued to proceed with multiple.
	- Discussion on the philosophy driving the number of mandatory to
implement bindings, profiles etc. will appear in the conformance document.
	- Mods from Tim will appear before Last Call - Prateek asserts that
there are no substantive issues outstanding

== Core Doc
	Eve will produce rough text for section 1.3 (Phill will send some
rough notes)
	Phill will cycle a core-24 that will integrate Krishna's core-23
with some additional rough items.

== Glossary
	We will go with -02 as a base note, and there will be some editorial
changes applied - in particular notes from Marc Chanliau (won't happen this
week, but will go in during the next 3 week review and edit period).

== Issues List Document
	Hal - published document hasn't kept current with closed issues or
with new issues added. This should be done by tomorrow, then Hal will
produce a list of recommended resolutions for "obvious" issues.
	- Jeff: particularly interested in the sweeping of the mailing list
for championed issues. Want to make sure that nothing falls through the
cracks that has been discussed over the past few months.
	- Prateek: there are a small number of issues (mostly amendments to
core23/22) which will be the beginning of the process to last call.
	- Jeff: 5 normative documents produced, Hal prepares Issues List
document, and an additional issue tracking note. This is what we will move
from for last call.
	- Reminder: if you have an issue that has not been addressed by any
of the documents, resend an alert to the mailing list.

Action Tracking

4 -- Review status of action items - and move to resolution

[A3: Phill] - Section 3.1.5, need to further define error cases

- Joe would like comments on the alternatives between the proposals on
  the list
- If no comments, power left to Phill and Eve to choose during editing
- Status: we have proposal on table, open to comments, no consensus

Scott will issue a new "final" proposal for a more complete error structure
to be considered before issuing last call

Phill has gone through doc to coalesce reason codes from document - is in

[A5: BobB] - Section 4.1.3 472-473, text to clarify construction of
ID (w.r.t. uniqueness)

- Joe has not contacted Bob yet
- stays open

[A15: Chris] - Write up advice on how to use current approach to
generic slots for attributes

- Just waiting on integration into doc
- Chris not sure if Eve has included yet or not
- Joe to Chris: please send a note to list when you see it in draft

Still not in. This is the problem with removing attribute value type. Bob,
Chris and Phill will caucus and send resolution to mailing list.

[A20: Prateek and Phil] - Need for additional ConfirmationMethod identifiers
(Prateek and Phil)

- Scott: was there a previous issue from Eve over the use of URIs
  versus strings?
- Need to ask Eve
- Joe: We will re-confirm this in Jan

Prateek, these are now included. Eve comfortable with closure.
issue closed.

> [A22: Irving] - core line 752, return code for completeness specifier:

- Joe: directs Phill (and Eve) to go ahead and integrate this change
- verify status

Eve had sent a proposal to the list. If there are no objections, we should
include this. Add a new return code "incomplete".

Phill believes it is done.

Scott believes that status reason field is being used to carry additional
codes, but it's supposed to be used for a textual message.

Phill - ah.

> [A24: Phill] - Bring together Tim's etc. text for the Authentication
> mechanism section.

- Still open, for tracking
in core-22

> [A26: Phill] - text on the <RespondWith> option voted for at F2F#5

- Phill has updated the schema for this
- Believes he updated core
- Stays open

in core-22, discussion on list

Closing note: We will hold weekly voting meetings through March to close the
