Subject: [security-services] Minutes for Telecon, Tuesday 17 September 2002
Minutes for SSTC Telecon, Tuesday 17 September 2002

Dial in info: +1 334 262 0740 #856956

Minutes taken by Steve Anderson

======================================================================
Summary
======================================================================

Votes:

- Minutes from previous meeting accepted (unanimous)
- TC directs editor of draft-sstc-ws-sec-profile-03 to ensure that the
  IPR issues necessary to submit to WSSTC are dealt with, and to submit
  it as an individual to the WSSTC (unanimous)
- TC willing to submit draft-sstc-ws-sec-profile-03, in case it must be
  submitted as TC (unanimous)

New Action Items:

- Prateek to check with OASIS folks on submitting
  draft-sstc-ws-sec-profile-03
- Rob and Irving to look over Eve's submission on fragment identifiers
- Jeff to determine if conformance language around the notions of
  profiles vs. extensions is really an issue

Previous Action Items Still Open:

- Scott Cantor to take the XML DSIG discussions from the thread and turn
  it into a "best practices" document
- Carlisle Adams to take the "Standardize Issuer Format" back to the
  XACML for more clear requirements and/or proposal.
- Eve to ask other TCs about how they did their charter modifications.

======================================================================
Raw Notes
======================================================================

> Agenda:
>
> 1. Roll call

- Attendance attached to bottom of these minutes
- Quorum achieved

> 2. Accept minutes from previous meeting

- [VOTE] unanimous consent, accepted

> 3. Review of action items (see below)
>
> A1. Mike Just to submit a proposal on Credentials Collection
>
> nominally done. see..
>
> [security-services] Credentials collection proposal
> http://lists.oasis-open.org/archives/security-services/200209/msg00007.html

- content will be discussed later in this meeting

> A2. Eve Maler to propose changes for fixing the Fragment Identifier
> issue
>
> nominally done. see..
>
> [security-services] Concrete proposal for changes to fix the
> fragmentID problem
> http://lists.oasis-open.org/archives/security-services/200209/msg00003.html
>
> Re: [security-services] Concrete proposal for changes to fix
> thefragment ID problem
> http://lists.oasis-open.org/archives/security-services/200209/msg00011.html

- discussion is also later on agenda

> A3. Scott Cantor to take the XML DSIG discussions from the thread
> and turn it into a "best practices" document

- Scott: still working, hope to have done by end of week

> A4. Carlisle Adams to take the "Standardize Issuer Format" back to
> the XACML for more clear requirements and/or proposal.

- [minute taker distracted ... but sounded like this is still open]

> A5. Eve to ask other TCs about how they did their charter
> modifications.

- Eve not on call, still open

> 4. Submission of draft-sstc-ws-sec-profile-03 to WSSTC

- Jeff: when he stood up at WSSTC to formally submit draft, WSSTC pushed
  back, claiming we had not fully satisfied submission process in the
  area of IPR claims
- Hal: if Sun had simply submitted, it would be simple, but since this
  TC as a whole submitted, it requires more discussion
- Prateek: disagrees
- Hal: makes assertion based on Chris Kurt, who is on OASIS board
- Prateek: cites OASIS web page language
- Joe: 2 items
  - Need to get clearance from named submitters
  - Need to get vote from TC as a whole
- Prateek: will contact other listed authors to get consent
- Jeff: should do it on the list for all to see
- Hal: believes the view was that if the TC submits it, then the TC is
  the author
- Joe: pinging once again for IPR claim, and will push for formal vote
  to submit this
  - If committee as a whole is unwilling to submit, individual authors
    can submit free and clear
- Rob: reading OASIS Committees guidelines
  - rights granted to OASIS are effectively copyrights
- Prateek: this is for a contributed work?
  - referenced link: <http://www.oasis-open.org/who/intellectualproperty.shtml>
    heading: OASIS.IPR.3.1. All Contributions
- Joe: as part of the agreement to develop work in committee, this work
  is already in control of OASIS
- Rob: tried to argue this at WSSTC, but didn't go over well
- RLBob: recalls that the discussion wasn't over the TC work, it was
  over RSA's claims
- Rob: that was his issue, as he doesn't believe RSA has any statement
  to make
- Jeff: doesn't see anything RSA needs to do either
- Hal: does think there is a desire for RSA to make clear that their
  claims apply equally well to WSSTC
- discussion of inconsistency wrt ContentGuard claims against the XML
  Token document submitted to WSSTC
- Prateek: would like to take the position that the authors be made
  aware of the OASIS IPR for contributions, and that after that, we
  have completed our work
- Hal: that begs the question of who the authors are -- the whole TC or
  not?
- Rob: doesn't feel strongly either way, but thinks we can get a TC vote
  through easy enough
- Jeff: there was some question of whether Bob Blakely should be listed
  as author, likewise for Phill
- Phill: doesn't think this whole thing is about SAML and WS-Sec, thinks
  that Chris Kurt has some meta-procedural issues where he wants some
  precedent set
- Rob: would it help to get clarification from Karl?
  - maybe
- Hal: if we do three things, they may not all be necessary, but they
  can't hurt, and should be more than enough
  - vote
  - fix authors list to include only people who know they are listed
  - have authors clarify that they have no claims or that licenses will
    be handled same as for TC
  - could change to submitting as individuals rather than as TC
- Ron: wouldn't it be simpler to spin off another version, with a
  subset of authors
- Prateek: would call for a vote from TC to direct editor to ensure
  that IP issues are met, and to submit to WSSTC
- RLBob: so moved -- TC directs editor of this doc to ensure that the
  IPR issues necessary to submit to WSSTC are dealt with, and to submit
  it as an individual to the WSSTC
- [VOTE] no objections, motion passes
- Ron: will this document, when submitted, be modifiable by the WSSTC?
  - yes
- Jeff: suggests the OASIS footer and logo be removed from draft
- Prateek: asserts that this is a draft, created under OASIS committee
- Hal: suggests that Prateek take this up with Karl and Chris Kurt
  directly
- [ACTION] Prateek to check with OASIS folks on submitting draft
- Joe: would like to take secondary vote on TC's willingness to submit
  the draft (in case it must be submitted as TC)
  - so moved
- [VOTE] no objections, motion passes

> 5. Discussion on fragment identifiers.

- Eve isn't on call
  - we can either discuss it in her absence or postpone until next call
  - looking for volunteer to lead discussion
- Irving: can do it, doesn't think it's complicated
  - in SAML 1.1, deprecate old format, and recommend new format with a
    strong SHOULD
  - in SAML 2.0, old format would be completely removed, breaking
    backward compatibility (which is allowable in major version)
- Jeff: This was on our plate for SAML 1.1, so next thing to do is for
  people to examine this and determine if it is complete, and if so
  slate it for inclusion in 1.1 spec
  - need to ensure that new values are complete and exhaustive
- Jeff: raises question of who is editor for 1.1
  - consensus is that the lion's share of the work is done
- Rob volunteers to double check completeness, but would like another
  volunteer
  - Irving will take a pass as well
- [ACTION] Rob and Irving to look over Eve's submission

> 6. Discussion on credentials collection

- Mike giving overview
- Prateek: where does challenge response fit into diagram?
  - Mike: probably need additional item on interaction diagram
- Hal: when we decided to defer this, he concluded that using SASL
  caused limitations (as outlined in his recent paper)
  - Believes you cannot fully support TLS client cert or Kerberos
  - His paper laid out what he thought were all the reasonable
    requirements, but doesn't think they can all be covered
  - thinks we should construct some use cases to illustrate what can be
    covered by any approach, and what cannot be covered
  - overall reaction is that this proposal more fully supports the
    weaker forms and less fully supports the stronger forms
- Hal: observes that in this proposal, credentials collector is
  actually performing the authentication
  - thinks that is architecturally undesirable
  - model Hal had in mind was for CC to simply assert what was
    collected, but not assert any validity -- that is what AuthN
    Authority does
  - not quite model Carlisle had in mind, was thinking more RA/CA
- Jeff: leans toward Hal's model
- Hal: if CC has access to repositories and can validate credentials,
  what distinguishes it from AA?
- Carlisle: imagined AuthN Authority just issuing assns of authN
- Hal: use cases will be useful
- Carlisle: appears that there's plenty of interest to continue this
  work
  - so we need to clarify what we mean by CC and AA
- Mike: soliciting more feedback on submission

> 7. Review of steps towards a SAML 1.x specification release

- Carlisle: clarifying that 1.x means 1.1 and we're not releasing
  anything else prior to 2.0
  - correct
- Jeff: reviewing minutes of last call ("TODO list" items)
  - rehashing assertion cache discussion
    - TC must determine whether to address in 1.1 or not
  - Carlisle: has just sent msg to list for Standardize issuer name
    formats
  - [ACTION] Jeff to determine if conformance language around the
    notions of profiles vs. extensions is really an issue
  - Jeff thinks formalizing operational agreements is a longer term
    item, but if someone (like Interop participant) wants to
    investigate further, that would be useful
    - Rob: is this a candidate for a subcommittee?
    - sounds like it
  - Prateek: refers to metadata outlined in Liberty, will examine
    applicability to SAML

> 8. Changes to OASIS TC process, official as of today

- Joe reviewing changes
  - there are now restrictions on third party trademarks
  - clarification on membership issues
  - big change to timelines -- monthly rather than quarterly
    submissions, and review period has been shrunk to 1 month (half for
    review, half for vote)
  - no errata accepted, whole spec must be resubmitted
  - before a TC can submit a spec, there needs to be a public review
    for at least 30 days (similar to what we did), during which no
    changes are allowed
- Hal: other comments
  - more stringent membership procedures, like keeping membership list
    current on web site

> 9. Adjourn

- Adjourned

-----------------------------------------------------------------------

Attendance of Voting Members:

Allen Rogers             Authentica
Irving Reid              Baltimore
Hal Lockhart             Entegrity
Carlisle Adams           Entrust
Don Flinn                Hitachi
Joe Pato                 HP
Jason Rouault            HP
Prateek Mishra           Netegrity
Steve Anderson           OpenNetwork
Rob Philpott             RSA Security
Jahan Moreh              Sigaba
Jeff Hodges              Sun
Aravindan Ranganathan    Sun
Phillip Hallam-Baker     Verisign
Simon Godik              (individual)
Bob Morgan               (individual)

Attendance of Observers or Prospective Members:

Scott Cantor             OSU
Mike Just                Entrust
Ron Monzillo             Sun

Membership Status Changes:

Robert Standefer         EDS -- granted voting status after call

--
Steve