[security-services] Minutes for Telecon, Tuesday 11 June 2002

[sanderson@opennetwork.com (Steve Anderson)]

Minutes for SSTC Telecon, Tuesday 11 June 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson


>
> Agenda:
>
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

>
> 2. Appointing Eve Maler as Chair pro tem, with Prateek leading
>    technical discussion
>

- no objections

>
> 3. Overview of WS-Security, by Prateek
>

- ~6 months back, we were working on profiles, including a SOAP profile,
  where a SAML assertion is attached to SOAP header
- was developed to a fair point
- ~December, there was a concern over a missing layer in SOAP, covering
  the use of DSig
- turned out, we did not have bandwidth to carry this forward, so it
  was tabled, with intent to return to at a later date
- resulting document shows flows we intended
- subsequently, WS-Security doc was published in April, which directly
  addressed the issue of a DSig & encryption profile of SOAP messages
- recommends to proceed revising SOAP profile, using WS-Sec
- Eve: BobB, are you joining as a normal party, or as a WS-Sec author
  representative?
    - BobB: joining at Prateek's request, to answer questions on WS-Sec
    - expects to increase involvement, now that other commitments are
      winding down
- Marc: does WS-Sec supercede SAML SOAP Profile?
    - Prateek: sent note to list describing how he sees them as
      complementary
      < http://lists.oasis-open.org/archives/security-services/
        200204/msg00120.html >
    - SAML is one such token that can be carried in a WS-Sec based msg
    - revised title might be "SAML WS-Security Profile"
    - would call out specific processing model
    - Marc: so SAML WS-Security Profile would supercede the draft
      SAML SOAP Profile?
    - Prateek: yes
- Don: WS-Sec doesn't have schema, and it seems that you would want a
  schema for something this significant, so is anyone (us?) going to be
  writing a schema?
    - BobB: WS-Sec is an extension of the SOAP schema for headers
    - in particular, it describes these added elements being carried
      as octet strings, effectively opaque
    - oddly, it is intended that SAML assertions would be carried in
      the unsigned token elements, even though the assertions will
      be signed
- Eve: we're starting to accumulate questions, for brainstorming
    - Eve: What is standardization intention for WS-Sec?
        - Prateek: can we request this be done as basis for our work
          with it?
        - BobB: expects that interesting work will be carried out in
          OASIS, may come up in OASIS Joint Committee on Security
    - Eve: What is IPR situation?
        - still a big question mark
    - Hal: do our use cases match up to the WS-Sec use cases?
        - thinks we need to go through effort of matching ours to theirs
          and identify what we'll do now vs. later vs. won't do
        - Prateek: the way our B2B use cases worked out, they were at
          the "60,000 foot" level
        - Line 107 and on describe a concrete flow
        - would not have issue revisiting these flows
        - BobB: agrees this would be good
        - Hal: the press is already saying there's a battle between
          WS-Sec vs. SAML, which we know isn't true, but we need to be
          clear what we are going to tackle
        - BobB: WS-Security refers to a specific way to use XML Sig &
          XML Enc in SOAP msgs, and to attach security tokens
        - There is also a Web Services Security Roadmap that describes
          an overview
        - Hal: that distinction is lost on most of the world
        - BobB: we, in this group, need to keep that distinction clear
        - BobB: Prateek's proposal is to build a profile on top of
          WS-Sec
        - Hal: just wants us to be clear about what we are and are not
          doing
        - Eve describes use case of distributed transaction that she
          uses in presentations about SAML
        - we may have several profiles built on top of the SAML WS-
          Security Profile, as the other WS-XXXX specs evolve
        - Prateek: are you proposing an analysis use case committee?
        - Hal: something like that
        - BobB: is this something the SSTC should do, or the Joint
          Committee?
        - Eve: JC doesn't have any authority per se over what TCs do
        - BobB: withdraws question, agrees this is good thing to do
        - Eve: describing JC, to level expectation
            - basically just another TC, almost an extension of TCs
            - Hal: we (JC) don't have any deliverables
            - Eve: nothing normative will result unless all affected TCs
              concede
            - doesn't mean interesting work won't be done
        - Hal: suggests making a public statement now about how we see
          the intersection of not only the existing WS-Sec spec, but
          the others that are described in the Roadmap, to set public
          expectation, and preempt more of the confusion that we are
          already seeing now
        - Eve: none of the articles have gone into any detail about
          what it does, so would the media report on our profile of it?
        - Hal: they seem to be chomping at the bit
        - Hal: willing to accept that the authors of the WS Roadmap
          have articulated to a reasonable degree all the problems that
          fall under the umbrella of Web Services Security, so we can
          keep our focus to the scope in the Roadmap
        - Eve: (trying to summarize main points)
            - we should have guiding principals of urgency and
              guarding against scope creep
            - we need to rev our SOAP Profile to incorporate WS-Sec
                - RLBob: concerned that WS-Sec will radically change
                  "next week"
            - Eve: we want to analyze the use cases in the Roadmap doc
              to identify what SAML wants to weigh in on
    - Don: how important is it to us that WS-Sec get standardized?
        - Eve: it is concerning, due to its horizontal application, for
          example, there is nowhere to respond with comments after
          reading the spec
            - BobB: will look into how answers are obtained
            - Eve: but it's a problem that this mechanism requires
              effectively a favor from BobB
        - Phill: accepting comments becomes problematic, not only due
          to IPR, but also equity among who you accept feedback from
            - Eve: makes her more uncomfortable that this is a private
              effort
    - Rob: anyone familiar with other groups that are affected by
      WS-Sec, and what their reaction is?
        - Phill: XKMS' overlap is even closer, and they recognize they
          have to look at it
        - the public seems to expect that XKMS should be layered on
          WS-Sec, and if it isn't, they will probably wait until it is
        - Eve: can't report on ebXML
        - Hal: appears that they (and other groups) are proceeding with
          the hopes that someone else (like us) will solve the security
          issues
- Prateek: some summarization of next steps
    - should take the flow from Eve's presentation and discuss,
      starting today, with a possible vote on next call
        - [ACTION] Eve to send out her PPT presentation and start
          discussion
    - Prateek will generate a couple of examples
    - Prateek's proposal for incorporating WS-Sec into previous draft
      SAML SOAP Profile
      < http://lists.oasis-open.org/archives/security-services/
        200206/msg00001.html >
    - Eve: would be nice to see change-bar revision of draft profile
- Discussion of Joint Committee
    - Jeff & Joe were appointed as liaison from SSTC to JC
    - Eve: expects that others in SSTC may be interested in
      participation
- [ACTION] Hal to produce text on our response to WS Roadmap
- Prateek: moves that we make statement to the authors of WS Security
  urging them to bring the WS-Sec work to a standardization body
    - [prolonged attempt to craft wording]
    - Rob: suggests someone draft this and send it around
    - Eve: we should agree on principles
        - 1, it is important
        - 2, we do intend to build on it
        - 3, we want the work to be brought to an open standards body
        - 4, royalties will not be a problem, i.e. IPR issues will be
          addressed
    - [ACTION] Prateek to draft and RLBob to review text on statement

>
> 4. Other business
>

- couple of announcements from Hal
    - will be speaking at the SIMC meeting in NYC in June
    - Hal: is working on, and hopefully will publish, a credentials
      collector document, which will either show how it may be done, or
      will kill it forever
- Eve: proposing that 2 calls from now, we close out the requirements
  phase of this next profile
- Prateek: good goal, but a little aggressive, given Interop activities

>
> 5. Adjourn
>

- Adjourned


-----------------------------------------------------------------------

Attendance of Voting Members:

  Allen Rogers Authentica arogers@authentica.com
  Irving Reid Baltimore irving.reid@baltimore.com
  Ronald Jacobson Computer Associates Ronald.Jacobson@ca.com
  Hal Lockhart Entegrity hal.lockhart@entegrity.com
  Carlisle Adams Entrust carlisle.adams@entrust.com
  Robert Griffin Entrust robert.griffin@entrust.com
  Don Flinn Hitachi
  Marc Chanliau Netegrity
  Prateek Mishra Netegrity
  Steve Anderson OpenNetwork
  Rob Philpott RSA Security
  Eve Maler Sun
  Emily Xu Sun
  Bob Morgan UWashington
  Phillip Hallam-Baker Verisign


Attendance of Observers or Prospective Members:

  Simon Godik
  Scott Cantor OSU
  Bob Blakley Tivoli
  Tim Moses Entrust


Membership Status Changes:

  Simon Godik - granted voting member status

--
Steve

Attachment: sanderson.vcf
Description: Card for Steve Anderson