security-services message

Subject: [security-services] Minutes for Telecon, Tuesday 19 Mar 2002

From: sanderson@opennetwork.com (Steve Anderson)
To: oasis sstc <security-services@lists.oasis-open.org>
Date: Tue, 19 Mar 2002 17:46:01 -0500

Minutes for SSTC Telecon, Tuesday 19 Mar 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson


>
>
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved.

>
> 2. RSA IPR Questions
>

- Prateek: speaking as engineering member of Netegrity, raises concerns
  in 2 areas
    - situation where some new technology utilizes SAML for some
      small piece, and wants to patent it, this needs clarification
      on impact from RSA
    - if any enterprise is selling a toolkit that utilizes SAML, the
      end user of products must apply to RSA for a license -- this
      will have considerable impact
- Joe: in paragraph 2, what is reach of reciprocal agreements?
- agrees with Prateek about paragraph 3
- Joe asks Burt/John if he is reading properly
- Burt: these are valid questions
- in second paragraph, intent is to cover things that are relevant to
  the essential use of SAML
- is not intended to cover all other technology in the product
- Prateek: so you will grant a license for the SAML process as long
  as other parties do the same?
- Burt: roughly, when one is using SAML for signed assertions (e.g. in
  SAML profile), they want cross licensing
- Joe: clarifying that this is all relevant to SAML v1.0
- Burt: have deliberately left out version numbers to be more flexible
- RLBob: there is ambiguity in what is SAML profile, as other parties
  can develop SAML profiles
- Hal: a profile can't be an OASIS spec unless it is voted on
- so this can be the distinguishing factor
- Burt: on second question (from 3rd paragraph) involving toolkits,
  reciprocal arrangement is intended to be developer-to-developer
- whether you are developing the product from scratch or from a
  toolkit, they expect the same reciprocal arrangement
- Not the same for "end user"
- Hal: so you are making a distinction between developing for sale vs.
  own use?
- not clear
- Joe: speaking as an "end user", most of my "end use" will be using
  toolkits to build web services, which puts me in the "developer"
  category
- Hal: thinks issue is notice to RSA of use, noting JSR-155 project
- Prateek: is there any way paragraph can be designed in a flow-thru
  way, so end user doesn't have to return to RSA?
- Burt: if vendor wants to avoid end customers having to contact RSA,
  then vendors can make separate arrangements with RSA
- Jeff: reads this as statement of intent or terms, it is not a
  license, and it would be helpful if it were labeled as such
- Burt: fair enough, will do that

>
> 3. Issues
>

- Joe: asks Hal to run thru what happened recently
- Hal
    - re-issued issues list, with closed issues we voted on last week
    - decided to bundle in 4 outside issues that need champions
    - interesting part is status list
        - all of the stuff that was agreed upon and incorporated
          in latest docs (except Eve's suggestion on how to give
          credit) are listed in green
    - last week's vote to close/defer excluded too many items
        - specifically DS-14-14, DS-14-15, DS-14-16
    - status of 4 outside issues that lacked champions
        - 1 was championed by Hal, and recommended for deferral
        - 2 were answered by Phil & Prateek
        - 1 was dropped for lack of interest
    - Hal has new issues to bring up later in call
- Scott: had posted some status code proposal text, but didn't expect
  to have those in -28


- Joe: goal is to close this month
    - so proposals must have explicit text
    - any new issues MUST be offered today,
    - consider in issue discussion what would cause you to vote against
      the spec
- Hal to lead thru all red issues
    - DS-1-10 SubjectConfirmation Descriptions
        - Hal had proposed a resolution, and can create specific text
        - Irving: can they be removed from core and left to profiles?
        - Jeff: DS-1-13 are intertwined
        - Hal: they could be dealt with separately
        - general agreement (among those on call) that SubjectConf &
          AuthNMethod are distinct
        - Phill was primary dissenter, but is not currently on call
        - general agreement that lack of resolution would
    - DS-1-13
        - as in previous discussion, Phill primary dissenter
    - DS-4-12 URNs for Protocol Elements
        - Hal: this is only technically still open
        - RLBob: spoke with Karl
        - Karl agreed that use of "SAML" rather than "security-
          services" is appropriate
        - Joe: so is there a motion that we can vote on?
        - RLBob: moves that we adopt this as proposed, with allowance
          for editors to append to end of URNs whatever they feel is
          warranted
        - [VOTE] no opposition, passed
    - DS-4-13 Empty Strings
        - Hal recalls some discussion, but no counterproposal
        - Scott: in general the issue is where SAML imposes additional
          requirements on format, should that be levied in schema or
          in text of the spec?
        - Prateek: by simply remaining silent on this, what do we
          loose?
        - Irving: less of the validation would be done by XML parser
        - Scott: doesn't seem controversial
        - Prateek: doesn't think this is a blocking issue
        - implementors must decide what it means to have empty string
          for a required item, and if we change it later, it could
          have impact
        - Irving: a reasonable approach could be to define a new
          type, nonemptystring, and use it throughout spec
        - Jeff: is this something that should hold up the spec?
        - Motion to define a nonemptystring type, and a listing of all
          places for it to be used in spec (to be available tomorrow)
        - Scott: proposes that nonempty means at least 1 non-whitespace
          character
        - Hal: is whitespace well defined across all char sets?
        - apparently so
        - starts leading down a rathole
        - RLBob: advocates just enforcing non-zero length, but leave
          content facet, e.g. whitespace, alone
        - motion to change all strings to nonemptystrings, and do
          sanity check to see if there are any places where string
          should be retained
        - [VOTE] no objections, passed
        - [ACTION ITEM] Scott to do sanity check to find any instances
          where string should be retained
        - similar situation with URLs/URNs
        - motion to apply same approach to URLs/URNs
        - [VOTE] no objections, passed
        - [ACTION ITEM] Scott to do same sanity check on URLs/URNs
    - DS-4-15 Common XML Attributes
        - Prateek: doesn't see this as blocking
        - motion to defer this
        - Hal: notes that these will be painful to change later
        - Rob: echoes sentiment
        - growing consensus that there's no burning motivation to do it
          now, and doing it later would make less sense
        - [VOTE] no objections, passed (deferred)
    - DS-8-06: Issuer Format
        - RLBob: just sent msg withdrawing this for lack of interest
          and time
        - moves to close issue
        - [VOTE] no objections, passed (closed)
    - DS-9-14: Malformed Request
        - Scott: in what sense malformed? won't validate? it's almost
          a bindings issue
        - if you can't make out the request id, how can it be echoed
          in error response?
        - Scott: can't mandate that a response be sent, and can be
          left to bind to stipulate, for instance, a SOAP fault
        - Hal: since there is always a surrounding protocol, it can
          make a response, without a SAML-level response
        - Hal: is this worth stating in core, under error handling that
          a malformed request can be dropped on floor, and that binding
          must handle a response
        - Joe: contends that responder can always drop on floor,
          simulating a comm failure
        - Hal: a core-level response could omit InResponseTo
        - motion to make InResponseTo optional, with a few lines of
          text explaining the specific case where this is necessary
        - [VOTE] no objections, passes
        - [ACTION ITEM] Scott will produce text
        - Hal: had claimed MS-5-04 was dead, but didn't realize there
          was a related change to core
    - DS-12-06: RequestALLAttrbs
        - Hal: feels leaving it as is is unacceptable, suggests use of
          keyword "ALL"
        - Rob: agrees. what about using wildcard rather than keyword
        - Hal: wildcard suggests possibility of regular expressions,
          which we don't want
        - Joe: agrees
        - Hal: Not sure how to do it in XML, particularly if there
          might be an attribute named "ALL"
        - Scott: believes that simplest approach is for absence of
          attribute designators to mean "ALL"
        - Needs explicit wording in spec (core-28 section 3.3.4 line
          1317)
        - motion to treat absence of attribute designators to mean
          "ALL", and eliminate implementation discretion
        - [VOTE] no objections, passed
        - [ACTION] Hal to produce text for core-28 section 3.3.4
    - DS-14-19: Remove Advice
        - proposal was to remove Advice element, since there will be
          no motivation to derive a type from this
        - motion would be to remove <AdviceElement> and just stick
          with the wildcard, changing text in core section 2.3.2.2
          and in schema
        - Scott: offering to craft changes
        - [VOTE] no objections, passed
        - [ACTION ITEM] Scott to submit change text
    - DS-14-20: Reorder Conditions Contents
        - motion to make change as proposed in ELM-5, with friendly
          amendment that TargetRestrictionCondition has already been
          removed
          < http://lists.oasis-open.org/archives/security-services/
            200203/msg00042.html >
        - [VOTE] no objections, passed
        - [ACTION ITEM] Editors to incorporate
    - MS-1-03: Domain Component Terms
        - motion to correct as highlighted in issue text
        - [VOTE] no objections, passed
        - [ACTION ITEM] Editors to correct
    - MS-5-08: Publish WSDL
        - Irving: was never validated, and it should be before being
          published
        - Hal: Does Emily (being a Sun employee) have any resources
          for validating this?
        - Hal: proposes that we make it an appendix to bindings doc
        - Joe: would like to propose as a committee doc, separate from
          bindings
        - Irving: it is specific to the SOAP binding
        - Hal: since it is non-normative, what is value in making it a
          separate doc?
        - Joe: reacting in part to description of it being rapidly
          thrown together
        - Jeff: moves to defer it for now
        - [VOTE] no objections, passed (deferred)
        - msg reference is
          < http://lists.oasis-open.org/archives/security-services/
            200111/msg00022.html >
    - MS-5-07: SSO Confirmation
        - Jeff's response msg:
          < http://lists.oasis-open.org/archives/security-services/
            200203/msg00118.html >
        - RLBob also sent analysis in
          < http://lists.oasis-open.org/archives/security-services/
            200203/msg00121.html >
        - motion to accept proposal in Jeff's response msg
        - [VOTE] no objections, accepted
- Hal: people should take a look to see if

>
> 4. How to proceed from here
>

- Joe: feels we are in danger of not even reaching committee spec next
  week, much less get it in for next OASIS vote
- would vote NO as it stands now
- what we can do to assuage public perception is to get to committee
  spec and vote on it next week
- Scott: still has status code issue that needs vote
- Joe: might be able to do it here next
- Joe: we can freeze and package up and give to Karl, even though it
  can't be ratified until July 31st
- can proceed with interop efforts and other activities (e.g. SOAP
  profile)
- would also make more comfortable with quality of attestations


- Scott's status code issue
    - original proposal
      < http://lists.oasis-open.org/archives/security-services/
        200202/msg00160.html >
    - Eve's response
      < http://lists.oasis-open.org/archives/security-services/
        200202/msg00161.html >
    - Scott's response
      < http://lists.oasis-open.org/archives/security-services/
        200202/msg00162.html >
- Hal's new issues include one on SubjectConfirmation that can lead to
  a security attack
    - can be used to effectively guess password
- Scott: So it seems that it is unlikely to have a spec ready for vote
  next week
- RLBob: not ready to give up on date yet
- Scott would like to get his status code stuff out of the way
- motion to incorporate contents of Scott's original status code msg
- [VOTE] no objections
- [ACTION ITEM] Scott to resend proposed text
- [ACTION ITEM] Hal to send his issues and some proposals to list
- [ACTION ITEM] Phill to make change from AuthenticationLocality
  to SubjectLocality

>
> 5. Adjourn
>

- Adjourned


-----------------------------------------------------------------------

Attendance of Voting Members:

  Allen Rogers Authentica
  Irving Reid Baltimore
  Krishna Sankar Cisco
  Hal Lockhart Entegrity
  Joe Pato HP
  Jason Rouault HP
  Marc Chanliau Netegrity
  Prateek Mishra Netegrity
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Rob Philpott RSA Security
  Jahan Moreh Sigaba
  Jeff Hodges Sun
  Emily Xu Sun
  Bob Morgan UWashington


Attendance of Observers or Prospective Members:

  Scott Cantor OSU
  Tim Moses Entrust
  Burt Kaliski RSA
  John Linn RSA


--
Steve

begin:vcard 
n:Anderson;Steve
tel;fax:727-561-0303
tel;work:727-561-9500 x241
x-mozilla-html:FALSE
url:www.opennetwork.com
org:OpenNetwork Technologies
version:2.1
email;internet:sanderson@opennetwork.com
title:Product Architect
adr;quoted-printable:;;13577 Feather Sound Drive=0D=0ASuite 390;Clearwater;Florida;33762;USA
x-mozilla-cpt:;-6352
fn:Steve Anderson
end:vcard