OASIS Mailing List Archives

security-services message


Subject: Re: [security-services] Minutes for Telecon, Tuesday 11 June 2002

A quick comment on the minutes, which mostly look awesome; see comment 
near the end:

Steve Anderson wrote:
> Minutes for SSTC Telecon, Tuesday 11 June 2002
> Dial in info: +1 334 262 0740 #856956
> Minutes taken by Steve Anderson
>>1. Roll call
> - Attendance attached to bottom of these minutes
> - Quorum achieved
>>2. Appointing Eve Maler as Chair pro tem, with Prateek leading
>>   technical discussion
> - no objections
>>3. Overview of WS-Security, by Prateek
> - ~6 months back, we were working on profiles, including a SOAP profile,
>   where a SAML assertion is attached to SOAP header
> - was developed to a fair point
> - ~December, there was a concern over a missing layer in SOAP, covering
>   the use of DSig
> - turned out, we did not have bandwidth to carry this forward, so it
>   was tabled, with intent to return to at a later date
> - resulting document shows flows we intended
> - subsequently, WS-Security doc was published in April, which directly
>   addressed the issue of a DSig & encryption profile of SOAP messages
> - recommends to proceed revising SOAP profile, using WS-Sec
> - Eve: BobB, are you joining as a normal party, or as a WS-Sec author
>   representative?
>     - BobB: joining at Prateek's request, to answer questions on WS-Sec
>     - expects to increase involvement, now that other commitments are
>       winding down
> - Marc: does WS-Sec supersede SAML SOAP Profile?
>     - Prateek: sent note to list describing how he sees them as
>       complementary
>       < http://lists.oasis-open.org/archives/security-services/
>         200204/msg00120.html >
>     - SAML is one such token that can be carried in a WS-Sec based msg
>     - revised title might be "SAML WS-Security Profile"
>     - would call out specific processing model
>     - Marc: so SAML WS-Security Profile would supersede the draft
>       SAML SOAP Profile?
>     - Prateek: yes
> - Don: WS-Sec doesn't have schema, and it seems that you would want a
>   schema for something this significant, so is anyone (us?) going to be
>   writing a schema?
>     - BobB: WS-Sec is an extension of the SOAP schema for headers
>     - in particular, it describes these added elements being carried
>       as octet strings, effectively opaque
>     - oddly, it is intended that SAML assertions would be carried in
>       the unsigned token elements, even though the assertions will
>       be signed
> - Eve: we're starting to accumulate questions, for brainstorming
>     - Eve: What is standardization intention for WS-Sec?
>         - Prateek: can we request this be done as basis for our work
>           with it?
>         - BobB: expects that interesting work will be carried out in
>           OASIS, may come up in OASIS Joint Committee on Security
>     - Eve: What is IPR situation?
>         - still a big question mark
>     - Hal: do our use cases match up to the WS-Sec use cases?
>         - thinks we need to go through effort of matching ours to theirs
>           and identify what we'll do now vs. later vs. won't do
>         - Prateek: the way our B2B use cases worked out, they were at
>           the "60,000 foot" level
>         - Line 107 and on describe a concrete flow
>         - would not have issue revisiting these flows
>         - BobB: agrees this would be good
>         - Hal: the press is already saying there's a battle between
>           WS-Sec vs. SAML, which we know isn't true, but we need to be
>           clear what we are going to tackle
>         - BobB: WS-Security refers to a specific way to use XML Sig &
>           XML Enc in SOAP msgs, and to attach security tokens
>         - There is also a Web Services Security Roadmap that describes
>           an overview
>         - Hal: that distinction is lost on most of the world
>         - BobB: we, in this group, need to keep that distinction clear
>         - BobB: Prateek's proposal is to build a profile on top of
>           WS-Sec
>         - Hal: just wants us to be clear about what we are and are not
>           doing
>         - Eve describes use case of distributed transaction that she
>           uses in presentations about SAML
>         - we may have several profiles built on top of the SAML WS-
>           Security Profile, as the other WS-XXXX specs evolve
>         - Prateek: are you proposing an analysis use case committee?
>         - Hal: something like that
>         - BobB: is this something the SSTC should do, or the Joint
>           Committee?
>         - Eve: JC doesn't have any authority per se over what TCs do
>         - BobB: withdraws question, agrees this is good thing to do
>         - Eve: describing JC, to level expectation
>             - basically just another TC, almost an extension of TCs
>             - Hal: we (JC) don't have any deliverables
>             - Eve: nothing normative will result unless all affected TCs
>               concede
>             - doesn't mean interesting work won't be done
>         - Hal: suggests making a public statement now about how we see
>           the intersection of not only the existing WS-Sec spec, but
>           the others that are described in the Roadmap, to set public
>           expectation, and preempt more of the confusion that we are
>           already seeing now
>         - Eve: none of the articles have gone into any detail about
>           what it does, so would the media report on our profile of it?
>         - Hal: they seem to be chomping at the bit
>         - Hal: willing to accept that the authors of the WS Roadmap
>           have articulated to a reasonable degree all the problems that
>           fall under the umbrella of Web Services Security, so we can
>           keep our focus to the scope in the Roadmap
>         - Eve: (trying to summarize main points)
>             - we should have guiding principles of urgency and
>               guarding against scope creep
>             - we need to rev our SOAP Profile to incorporate WS-Sec
>                 - RLBob: concerned that WS-Sec will radically change
>                   "next week"
>             - Eve: we want to analyze the use cases in the Roadmap doc
>               to identify what SAML wants to weigh in on
>     - Don: how important is it to us that WS-Sec get standardized?
>         - Eve: it is concerning, due to its horizontal application, for
>           example, there is nowhere to respond with comments after
>           reading the spec
>             - BobB: will look into how answers are obtained
>             - Eve: but it's a problem that this mechanism requires
>               effectively a favor from BobB
>         - Phill: accepting comments becomes problematic, not only due
>           to IPR, but also equity among who you accept feedback from
>             - Eve: makes her more uncomfortable that this is a private
>               effort
>     - Rob: anyone familiar with other groups that are affected by
>       WS-Sec, and what their reaction is?
>         - Phill: XKMS' overlap is even closer, and they recognize they
>           have to look at it
>         - the public seems to expect that XKMS should be layered on
>           WS-Sec, and if it isn't, they will probably wait until it is
>         - Eve: can't report on ebXML
>         - Hal: appears that they (and other groups) are proceeding with
>           the hopes that someone else (like us) will solve the security
>           issues
> - Prateek: some summarization of next steps
>     - should take the flow from Eve's presentation and discuss,
>       starting today, with a possible vote on next call
>         - [ACTION] Eve to send out her PPT presentation and start
>           discussion
>     - Prateek will generate a couple of examples
>     - Prateek's proposal for incorporating WS-Sec into previous draft
>       SAML SOAP Profile
>       < http://lists.oasis-open.org/archives/security-services/
>         200206/msg00001.html >
>     - Eve: would be nice to see change-bar revision of draft profile
> - Discussion of Joint Committee
>     - Jeff & Joe were appointed as liaison from SSTC to JC
>     - Eve: expects that others in SSTC may be interested in
>       participation
> - [ACTION] Hal to produce text on our response to WS Roadmap
> - Prateek: moves that we make statement to the authors of WS Security
>   urging them to bring the WS-Sec work to a standardization body
>     - [prolonged attempt to craft wording]
>     - Rob: suggests someone draft this and send it around
>     - Eve: we should agree on principles
>         - 1, it is important
>         - 2, we do intend to build on it
>         - 3, we want the work to be brought to an open standards body
>         - 4, royalties will not be a problem, i.e. IPR issues will be
>           addressed
>     - [ACTION] Prateek to draft and RLBob to review text on statement
>>4. Other business
> - couple of announcements from Hal
>     - will be speaking at the SIMC meeting in NYC in June
>     - Hal: is working on, and hopefully will publish, a credentials
>       collector document, which will either show how it may be done, or
>       will kill it forever
> - Eve: proposing that 2 calls from now, we close out the requirements
>   phase of this next profile
> - Prateek: good goal, but a little aggressive, given Interop activities

I think we agreed that it should be possible to close out the 
requirements phase at the *next* call, and that we should try as hard as 
we can to come out with a credible draft for public review by the call 
after that.  It was pointed out that this would have the advantage of 
showing, during the Catalyst timeframe, that we're serious about SAML 
futures.  (Since the draft doesn't have to be pitch-perfect and since 
Prateek will be creating a review draft within the next week, I hope and 
expect that this goal can be met.)

>>5. Adjourn
> - Adjourned
> -----------------------------------------------------------------------
> Attendance of Voting Members:
>   Allen Rogers Authentica arogers@authentica.com
>   Irving Reid Baltimore irving.reid@baltimore.com
>   Ronald Jacobson Computer Associates Ronald.Jacobson@ca.com
>   Hal Lockhart Entegrity hal.lockhart@entegrity.com
>   Carlisle Adams Entrust carlisle.adams@entrust.com
>   Robert Griffin Entrust robert.griffin@entrust.com
>   Don Flinn Hitachi
>   Marc Chanliau Netegrity
>   Prateek Mishra Netegrity
>   Steve Anderson OpenNetwork
>   Rob Philpott RSA Security
>   Eve Maler Sun
>   Emily Xu Sun
>   Bob Morgan UWashington
>   Phillip Hallam-Baker Verisign
> Attendance of Observers or Prospective Members:
>   Simon Godik
>   Scott Cantor OSU
>   Bob Blakley Tivoli
>   Tim Moses Entrust
> Membership Status Changes:
>   Simon Godik - granted voting member status
> --
> Steve

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com
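The point BobB raises in the minutes above (a SAML assertion carried as a security token inside the WS-Security header of a SOAP message, with the assertion itself signed) is easier to see in a concrete message. The following is an added example and is not code from the SSTC, from Prateek's draft profile, or from the WS-Security authors. It assumes the wsse namespace URI of the April 2002 WS-Security draft, the SAML 1.0 assertion namespace, and a SOAP 1.1 envelope; the message is constructed, and the consumer-side check only confirms token placement and the presence of a ds:Signature element, since verifying the signature needs an XML-DSig library and a trusted key.

```python
"""Locate the SAML token in a WS-Security header (added example).

Assumptions (not from the thread): wsse namespace of the 2002/04
WS-Security draft, SAML 1.0 assertion namespace, SOAP 1.1 envelope.
Signature verification is out of scope; only presence is checked.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",  # assumed draft URI
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample message, not a captured exchange. It carries one
# assertion where the profile expects it (inside wsse:Security) and a
# second, attacker-placed assertion in the Body that must be ignored.
SAMPLE_MESSAGE = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
               xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
               xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <saml:Assertion AssertionID="a1" Issuer="idp.example.test"
                      IssueInstant="2002-06-11T15:00:00Z"
                      MajorVersion="1" MinorVersion="0">
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="2002-06-11T14:59:00Z">
          <saml:Subject>
            <saml:NameIdentifier>alice</saml:NameIdentifier>
          </saml:Subject>
        </saml:AuthenticationStatement>
        <ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <saml:Assertion AssertionID="a2" Issuer="attacker.example.test"
                    IssueInstant="2002-06-11T15:00:00Z"
                    MajorVersion="1" MinorVersion="0"/>
  </soap:Body>
</soap:Envelope>
"""


def all_assertions(envelope_xml: str) -> list:
    """Every saml:Assertion anywhere in the envelope (header or body)."""
    return ET.fromstring(envelope_xml).findall(".//saml:Assertion", NS)


def security_header_assertions(envelope_xml: str) -> list:
    """Only assertions that are direct children of a wsse:Security header block."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    if header is None:
        return []
    found = []
    for sec in header.findall("wsse:Security", NS):
        found.extend(sec.findall("saml:Assertion", NS))
    return found


def select_token(envelope_xml: str) -> tuple:
    """Return (AssertionID, Issuer) of the one token a consumer should process.

    Raises ValueError when no token, more than one token, or an unsigned
    token sits in the Security header. Assertions elsewhere in the message
    (e.g. in the Body) never qualify, which is the placement rule a profile
    would spell out; the rule here is an assumption for the example.
    """
    tokens = security_header_assertions(envelope_xml)
    if len(tokens) != 1:
        raise ValueError(f"expected exactly one assertion in wsse:Security, got {len(tokens)}")
    token = tokens[0]
    if token.find("ds:Signature", NS) is None:
        raise ValueError("assertion in wsse:Security carries no ds:Signature")
    return token.get("AssertionID"), token.get("Issuer")


if __name__ == "__main__":
    print("assertions in message:", len(all_assertions(SAMPLE_MESSAGE)))
    print("selected token:", select_token(SAMPLE_MESSAGE))
```

The consumer scopes its search to `soap:Header/wsse:Security` rather than to any `saml:Assertion` in the document, so the Body-placed assertion is never considered; the signature-presence check stands in for the full XML-DSig verification a real consumer must perform before trusting any statement in the assertion.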

