RE: [security-services] Minutes of June 25 Telcon

["Hallam-Baker, Phillip" <pbaker@verisign.com>]

Title: Minutes of June 25 Telcon

Err Hal, I am very sure that nobody said that WS-Security was going to be submitted to a standards group within a week.

 

If we had the discussion would have been a LOT simpler.

-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Tuesday, July 09, 2002 10:41 AM
To: 'security-services@lists.oasis-open.org'
Subject: [security-services] Minutes of June 25 Telcon

Attendees:

Allen Rogers           Authentica
Aravindan Ranganathan  Sun Microsystems
Carlisle Adams         Entrust
Chris McLaren          Netegrity
Eve Maler              Sun Microsystems
Hal Lockhart           Entegrity Solutions
Irving Reid            Baltimore
Jahan Moreh            Sigaba
Jason Rouault          HP
Jeff Hodges            Sun Microsystems
Joe Pato               HP
Phillip Hallam-Baker   Verisign
Prateek Mishra         Netegrity
Rob Philpott           RSA Security
Robert Griffin         Entrust
Ronald Jacobson        Computer Associates
Simon Godik            (individual)

Prospective members:
 
Mingde Xu               CrossLogix

Observers:
 
Scott Cantor            OSU
Don Bowen               Sun Microsystems

This constituted quorum.

There is a need for substitute chairs for the next several meetings. Volunteers should send email to Joe and Jeff.

No advance agenda was published. The following items for discussion were agreed at the beginning of the meeting:

The OASIS Standardization Process and Errata Handling

The Catalyst Interop

WS-Security

The spec has been submitted to OASIS for member review. This process will take 3 months, beginning July 1, followed by one month of voting. That brings us to Nov 1.

The question raised is how to handle errata. One specific "must fix" item relating to URIs and fragmant identifiers has been identified. There will be others, no doubt.

No one wanted to pull the spec and modify it at this point. On the other hand, the issues must be fixed and the OASIS membership has to see the actual spec that are approving.

After considerable discussion  the following was agreed.

1. Notice will be given (in the document? on the web page?) that there is an errata document.

2. Identified problems and proposed solutions will be put in a "proposed errata" document section.

3. Changes will be voted and then put in a "actual errata" section of the document.

4. At the end of the review period and prior to the actual voting, all problems will be resolved and actual errata changes applied to the documents.

SAML Interop Event

Prateek: Being held at Burton Catalyst Conference in SF, July 15. F2F dry runs held June 17-19. Very successful, planned for a week. All complete after 2 1/2 days. Few SAML problems. More problems with SSL.

Rob: East coast dry run at RSA, 4 vendors: Baltimore, Entegrity, Netegrity, RSA. Put up interoperability grid and checked off each portal-application combination. Few SAML problems all easily fixed. Some follow up discussion about use of validity interval in Browser/artifact profile.

Hal: Demo consists of 12 applications, 9 portals. Login at any portal, connect to any app. Apps use attribute MemberLevel to determine user capabilities.

Don Bowen: West coast dry run at Sun - 8 Vendors - Crosslogix, ePeople, IBM/Tivoli, Novell, Oblix, OverXeer, Sigaba, Sun - Also went very well. Validity interval issue discusssed at length. One unresolved problem, Sun and IBM could not interoperate SSL, although both could interoperate with everyone else. to be resolved. Expect to use the time in SF Sat and Sun to resolve remaining issues.

Hal: Also will be testing over the Internet. Make sure we don't have east/west versions.

WS-Security Profile for SAML

Prateek led a review and discussion of both the WS-Security document published by IBM, Microsoft and Verisign and the new SAML WS-Security Profile document he is editor of.

It is a renamed version of the SOAP Profile. Prateek would like to publish a (near final) update prior to Catalyst.

Hal and Prateek had a debate about the use of Authentication Statements and the two defined types of Subject Confirmation (Holder of Key and Sender Vouches) and their trust implications.

Prateek welcomes comments on the document flows especially.

Walk thru of WS-Security document.

Defined headers. Key concept - Actor. can be intermediary can add or remove headers.

SAML Assertion is inserted in header as Security token.

A token reference is also supported. Agreed the SAML profile should support this. Useful optimization in some environments. Use Assertion ID as reference value. No need for secrecy or single use as with Artifact.

Much discussion about use of Exclusive XML Cannonicalization. Consensus: superior to Inclusive cannonicalization as it deals with automatic expansion of tags in XML.

No change required for Profile, but should evolve SAML signature definition to use Exclusive. Discussion about how to do that.

consensus: nothing to be done in profile about encryption.

Need more text in profile to clarify intended uses and security considerations of two types of Subject Confirmation Method.

Web Services - Politics

Previously approved open letter to WS-sec folks never sent. Events are moving rapidly. Will submit to standards group within a week.

TC voted to empower chairs to provide quote for press release consistent with previous statement, but changed wording if necessary.

Ajourn