Subject: [security-services] Minutes for Telecon, Tuesday 11 June 2002
Minutes for SSTC Telecon, Tuesday 11 June 2002

Dial in info: +1 334 262 0740 #856956

Minutes taken by Steve Anderson

> Agenda:
>
> 1. Roll call

  - Attendance attached to bottom of these minutes
  - Quorum achieved

> 2. Appointing Eve Maler as Chair pro tem, with Prateek leading
>    technical discussion

  - no objections

> 3. Overview of WS-Security, by Prateek

  - ~6 months back, we were working on profiles, including a SOAP profile,
    where a SAML assertion is attached to SOAP header
    - was developed to a fair point
    - ~December, there was a concern over a missing layer in SOAP, covering
      the use of DSig
    - turned out, we did not have bandwidth to carry this forward, so it was
      tabled, with intent to return to at a later date
    - resulting document shows flows we intended
    - subsequently, WS-Security doc was published in April, which directly
      addressed the issue of a DSig & encryption profile of SOAP messages
    - recommends to proceed revising SOAP profile, using WS-Sec
  - Eve: BobB, are you joining as a normal party, or as a WS-Sec author
    representative?
  - BobB: joining at Prateek's request, to answer questions on WS-Sec
    - expects to increase involvement, now that other commitments are
      winding down
  - Marc: does WS-Sec supersede SAML SOAP Profile?
  - Prateek: sent note to list describing how he sees them as complementary
    <http://lists.oasis-open.org/archives/security-services/200204/msg00120.html>
    - SAML is one such token that can be carried in a WS-Sec based msg
    - revised title might be "SAML WS-Security Profile"
    - would call out specific processing model
  - Marc: so SAML WS-Security Profile would supersede the draft SAML SOAP
    Profile?
  - Prateek: yes
  - Don: WS-Sec doesn't have schema, and it seems that you would want a
    schema for something this significant, so is anyone (us?) going to be
    writing a schema?
  - BobB: WS-Sec is an extension of the SOAP schema for headers
    - in particular, it describes these added elements being carried as
      octet strings, effectively opaque
    - oddly, it is intended that SAML assertions would be carried in the
      unsigned token elements, even though the assertions will be signed
  - Eve: we're starting to accumulate questions, for brainstorming
  - Eve: What is standardization intention for WS-Sec?
  - Prateek: can we request this be done as basis for our work with it?
  - BobB: expects that interesting work will be carried out in OASIS, may
    come up in OASIS Joint Committee on Security
  - Eve: What is IPR situation?
    - still a big question mark
  - Hal: do our use cases match up to the WS-Sec use cases?
    - thinks we need to go through effort of matching ours to theirs and
      identify what we'll do now vs. later vs. won't do
  - Prateek: the way our B2B use cases worked out, they were at the
    "60,000 foot" level
    - Line 107 and on describe a concrete flow
    - would not have issue revisiting these flows
  - BobB: agrees this would be good
  - Hal: the press is already saying there's a battle between WS-Sec vs.
    SAML, which we know isn't true, but we need to be clear what we are
    going to tackle
  - BobB: WS-Security refers to a specific way to use XML Sig & XML Enc in
    SOAP msgs, and to attach security tokens
    - There is also a Web Services Security Roadmap that describes an
      overview
  - Hal: that distinction is lost on most of the world
  - BobB: we, in this group, need to keep that distinction clear
  - BobB: Prateek's proposal is to build a profile on top of WS-Sec
  - Hal: just wants us to be clear about what we are and are not doing
  - Eve describes use case of distributed transaction that she uses in
    presentations about SAML
    - we may have several profiles built on top of the SAML WS-Security
      Profile, as the other WS-XXXX specs evolve
  - Prateek: are you proposing an analysis use case committee?
  - Hal: something like that
  - BobB: is this something the SSTC should do, or the Joint Committee?
  - Eve: JC doesn't have any authority per se over what TCs do
  - BobB: withdraws question, agrees this is good thing to do
  - Eve: describing JC, to level expectation
    - basically just another TC, almost an extension of TCs
  - Hal: we (JC) don't have any deliverables
  - Eve: nothing normative will result unless all affected TCs concede
    - doesn't mean interesting work won't be done
  - Hal: suggests making a public statement now about how we see the
    intersection of not only the existing WS-Sec spec, but the others that
    are described in the Roadmap, to set public expectation, and preempt
    more of the confusion that we are already seeing now
  - Eve: none of the articles have gone into any detail about what it does,
    so would the media report on our profile of it?
  - Hal: they seem to be chomping at the bit
  - Hal: willing to accept that the authors of the WS Roadmap have
    articulated to a reasonable degree all the problems that fall under the
    umbrella of Web Services Security, so we can keep our focus to the
    scope in the Roadmap
  - Eve: (trying to summarize main points)
    - we should have guiding principles of urgency and guarding against
      scope creep
    - we need to rev our SOAP Profile to incorporate WS-Sec
  - RLBob: concerned that WS-Sec will radically change "next week"
  - Eve: we want to analyze the use cases in the Roadmap doc to identify
    what SAML wants to weigh in on
  - Don: how important is it to us that WS-Sec get standardized?
  - Eve: it is concerning, due to its horizontal application, for example,
    there is nowhere to respond with comments after reading the spec
  - BobB: will look into how answers are obtained
  - Eve: but it's a problem that this mechanism requires effectively a
    favor from BobB
  - Phill: accepting comments becomes problematic, not only due to IPR, but
    also equity among who you accept feedback from
  - Eve: makes her more uncomfortable that this is a private effort
  - Rob: anyone familiar with other groups that are affected by WS-Sec, and
    what their reaction is?
  - Phill: XKMS' overlap is even closer, and they recognize they have to
    look at it
    - the public seems to expect that XKMS should be layered on WS-Sec, and
      if it isn't, they will probably wait until it is
  - Eve: can't report on ebXML
  - Hal: appears that they (and other groups) are proceeding with the hopes
    that someone else (like us) will solve the security issues
  - Prateek: some summarization of next steps
    - should take the flow from Eve's presentation and discuss, starting
      today, with a possible vote on next call
    - [ACTION] Eve to send out her PPT presentation and start discussion
    - Prateek will generate a couple of examples
    - Prateek's proposal for incorporating WS-Sec into previous draft SAML
      SOAP Profile
      <http://lists.oasis-open.org/archives/security-services/200206/msg00001.html>
  - Eve: would be nice to see change-bar revision of draft profile
  - Discussion of Joint Committee
    - Jeff & Joe were appointed as liaison from SSTC to JC
    - Eve: expects that others in SSTC may be interested in participation
  - [ACTION] Hal to produce text on our response to WS Roadmap
  - Prateek: moves that we make statement to the authors of WS Security
    urging them to bring the WS-Sec work to a standardization body
    - [prolonged attempt to craft wording]
  - Rob: suggests someone draft this and send it around
  - Eve: we should agree on principles
    - 1, it is important
    - 2, we do intend to build on it
    - 3, we want the work to be brought to an open standards body
    - 4, royalties will not be a problem, i.e. IPR issues will be addressed
  - [ACTION] Prateek to draft and RLBob to review text on statement

> 4. Other business

  - couple of announcements from Hal
    - will be speaking at the SIMC meeting in NYC in June
    - Hal: is working on, and hopefully will publish, a credentials
      collector document, which will either show how it may be done, or
      will kill it forever
  - Eve: proposing that 2 calls from now, we close out the requirements
    phase of this next profile
  - Prateek: good goal, but a little aggressive, given Interop activities

> 5. Adjourn

  - Adjourned

-----------------------------------------------------------------------

Attendance of Voting Members:

  Allen Rogers          Authentica           arogers@authentica.com
  Irving Reid           Baltimore            irving.reid@baltimore.com
  Ronald Jacobson       Computer Associates  Ronald.Jacobson@ca.com
  Hal Lockhart          Entegrity            hal.lockhart@entegrity.com
  Carlisle Adams        Entrust              carlisle.adams@entrust.com
  Robert Griffin        Entrust              robert.griffin@entrust.com
  Don Flinn             Hitachi
  Marc Chanliau         Netegrity
  Prateek Mishra        Netegrity
  Steve Anderson        OpenNetwork
  Rob Philpott          RSA Security
  Eve Maler             Sun
  Emily Xu              Sun
  Bob Morgan            UWashington
  Phillip Hallam-Baker  Verisign

Attendance of Observers or Prospective Members:

  Simon Godik
  Scott Cantor          OSU
  Bob Blakley           Tivoli
  Tim Moses             Entrust

Membership Status Changes:

  Simon Godik - granted voting member status

--
Steve