

Subject: [security-services] Minutes for Telecon, Tuesday 21 January 2002


Minutes for SSTC Telecon, Tuesday 21 January 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

  Votes:
  
    - Minutes from 7 January 2003 call accepted
    - XML Encryption in SAML moved to v2.0 list
  
  Previous Action Items Still Open:
  
    - AI-6.  Jeff to determine if conformance language around the
      notions of profiles vs. extensions is really an issue
    - AI-12. Prateek to draft analysis of use of XML Encryption in
      SAML
    - AI-15. Editor (Eve) to update documents with Eve's fragment ID
      recommendations
    - AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
      issues
    - AI-20. Eve to update specs to 1.0
    - AI-25. Eve to respond to Hal's IssuerName proposal with an
      attribute-based & an element-based solution
    - AI-26. Carlisle to update Mike Just's credentials collection
      proposal
    - AI-27. Prateek to rev draft-sstc-meta-data-00 and add in schema.
    - AI-28. RobP to have RSAS convey a new "statement of licensing 
      intent" to the SSTC that documents the additional two
      claimed applicable patents in addition to the prior two.
    - AI-30. Prateek to produce use case document for destination site
      first flow using Web Browser Profiles (Target late January)
    - AI-31. Jeff to send email to list on his interpretation of IPR
      issues surrounding using Liberty material
    - AI-32. Rob will draft a use case for an Attribute Authority, to
      be examined by the TC for profiling
    - AI-33. Eve to update the charter based on discussion

  New Action Items:
  
    - AI-35. Rob to propose changes to the current spec regarding 
      versioning
    - AI-36. Prateek to draft the 1.1 doc set list  

======================================================================
                             Raw Notes
======================================================================

> 
> Agenda:
> 
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

> 
> 2. Accept minutes from previous meeting, 7 Jan
>    < http://lists.oasis-open.org/archives/security-services/
>      200301/msg00004.html >
>

- [VOTE] unanimous consent, accepted

>
> 3. Review (and approve?) V1.1 work items
>
>    < http://lists.oasis-open.org/archives/security-services/
>      200208/msg00010.html >
>        - Bugs that are backwards-compatible (targeted to 1.1) 
>        - Functionality that's backwards-compatible/orthogonal and
>          high-priority 
>        - The list as a whole can be completed in 3-6 months 
>        - Any decision that needs to be made in the short term 
>
>    The below items are in no particular order [A.* numbering taken
>    from original list]:
>
>        [A.1] Metadata for formalizing operational agreements
>              between sites.
>              1. See AI-27 below.
>              2. < http://www.oasis-open.org/committees/security/
>                   docs/draft-sstc-saml-meta-data-00.pdf >
>              3. < http://lists.oasis-open.org/archives/
>                   security-services/200212/msg00018.html >

- Prateek: has pending action item to revise, and has now received
  comments, so will revise by end of week
- thinks a couple of revision cycles should suffice
- Rob: in his comments to the list, noted some things he'd like to
  see added to this metadata
    - should a SC be formed for this?
    - Prateek: will start by responding to the comments received, and
      producing a new draft
    - we'll see where it goes from there
- Don: after reviewing, seems like more policy than metadata
    - Prateek: this comes from the interop efforts
    - motivation is to list all the different types of data that had
      to be discussed between parties in the demo
    - Jahan: echoes Prateek, it's not protocol, it is necessary
      elements of the business agreements between parties
    - Don: seems to match WSS TC's recent discussion of policy data
    - Jahan: understands, but disagrees
    - Rob: also disagrees
    - question becomes is this something that everyone must abide by
    - Prateek: this isn't a protocol, it's just a list that people
      agree to
- Rob: as they've worked with customers deploying this stuff, 
  customers have commented that it'd be nice to have an XML schema
  for a doc that could be imported from a partner
    - would be hard to declare a conformance criteria, so not sure how
      far this can go
    - Jeff: thinks it's best to start with Prateek's responses
    - Prateek: will respond to emails today, before revising the draft
    - Rob: does this become part of our official doc set?
    - Jeff & Prateek believe yes

>        [A.2] WS-Security profile ([3], possibly to go to WSS TC)
>              1. Closed.
>        [A-3] Figure out versioning of modularly published profile
>              and binding specs
>              1. See AI-19 below and separate mail sent to list last
>                 night.

- question becomes do we need to maintain version info in the schema,
  where it seems that other specs use the name of the schema to 
  reflect version
    - Jeff: will have to look further, however, version differences
      could affect semantics rather than schema
    - Rob: thinks some clarity will be needed for versioning of 
      higher order elements, like RequestAbstractType vs.
      ResponseAbstractType, and whether it's useful to keep assertion
      version independent from protocol version
    - Jeff: agrees that more thought is necessary
- Rob: proposes we take this to the list
- [ACTION] Rob to propose changes to the current spec regarding 
  versioning

>        [A-4] Sharpen conformance language around the notions of
>              profiles vs. extensions
>              1. See AI-6 below

- deferred to AI discussion below

>        [A-5] Express that an assertion should not be cached
>              1. Hal Lockhart's proposal:
>                 < http://lists.oasis-open.org/archives/
>                   security-services/200211/msg00011.html >

- neither Hal nor Eve on call

>        [A-6] Fix fragment identifier gaffe [4]
>              1. Approved proposal on this.
>              2. Needs to be incorp'd in specs. 
>              3. See AI-15.

- deferring until Eve on call

>        [A-7] Standardize issuer name formats
>              1. See AI-25 below.
>              2. Original request came from XACML: 
>                 < http://lists.oasis-open.org/archives/
>                   security-services/200211/msg00012.html >

- deferring until Eve on call

>        [A-8] Fix xmldsig issues (might turn out to be a V2.0 item)
>              1. For 1.1, Scott's dsig doc to become a non-normative
>                 component of the spec set.
>              2. Doc needs careful review & update as necessary.
>              3. Need to vote on finalized wording and adding
>                 additional doc to spec set
>              4. Also see AI-18.
>

- Jeff: thinks we voted on this
- we'd have to go thru the minutes
- Jeff: at some point (e.g., in the next meeting or two) we need to
  vote on contents of the 1.1 doc set
- believes our intent was clear that this non-normative doc would be
  part of the 1.1 doc set
- therefore, this doc can be addressed in the final doc set approval
- [ACTION] Prateek to draft the 1.1 doc set list

>    Additional Proposed V1.1 Work Items:
>
>        [A-9]  Fix items from the Errata List (see AI-29)

- Jahan: has constructed a draft with the three original email msgs,
  without any disposition
- any other items need to be sent to the list

>        [A-10] XML Encryption analysis (see AI-12)

- Prateek: concerned whether he can get to this, given the importance
  of the metadata work
- glad to hand off to anyone
- otherwise, at risk for 1.1
- Rob: will take call for champion to list, but likely to be moved
  out of 1.1
- Prateek: can keep his name with this item, but there is no date

>        [A-11] Mike Just's Credential Collector Proposal (see AI-26)
>               1. Original mail: 
>                  < http://lists.oasis-open.org/archives/
>                    security-services/200209/msg00007.html >
>

- Carlisle: notes that this was targeted for 2.0, not 1.1, so urgency
  is a bit less
- Carlisle: we talked on last call about using WS-Trust as basis
- any comments from anyone who has reviewed that spec?
- Rob: his name is on authors list
- agrees with analysis, anything we can leverage from it would be
  useful
- Jeff: thinks there are other options to consider, and wouldn't take
  that spec to be gospel
- thinks spec has issues, including its name
- re-invents TLS handshake at the SOAP layer
- thinks SASL integration at the SOAP layer should be explored
- question is do you want to specify how to use WS-Trust or specify
  how to use SASL?
- not against it, just noting that it isn't the only option
- Rob: would like to get other people working on this with Carlisle

- Rob: are there any other 1.1 items?
    - Prateek: notes AI-30, will have to think about whether that
      should be added to 1.1
    - Jeff: doesn't think we need to close the list today, but we
      should wave the flags in the next couple meetings
    - Prateek: going back to this extension of the web browser
      profile, in the interop, found it useful to add this redirection
      step
    - given that most deployments of SAML would need this step, is it
      worth documenting it?
    - RLBob: Shib had to form its own extensions
    - would be useful to formalize some steps
    - wouldn't want to invent some new schema that would be soon 
      superseded (e.g. by Liberty)
    - Prateek: should Liberty be brought into SAML, it would be down
      the road
    - notes that the destination-site-first flow constructed at the
      interop demo was fairly simple, and could be added to the spec
      with a few tweaks
    - Rob: if we can find something that at least won't conflict in
      2.0, it would be useful
    - Prateek: will take ownership of this
    
>
> 4. Action Item review
>
>    AI-6. Jeff to determine if conformance language around the
>          notions of profiles vs. extensions is really an issue
>

- Jeff: really needs to examine this, will try to get done this week
- still open

>
>    AI-12. Prateek to draft analysis of use of XML Encryption in SAML
>

- covered above
- needs another volunteer, otherwise will get deferred to 2.0
- Jeff: no one seems to be screaming for it
- [VOTE] XML Encryption in SAML moved to v2.0 list
- still open

>
>    AI-15. Editor (Eve) to update documents with Eve's fragment ID
>           recommendations
>

- still open

>
>    AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
>           issues
>

- still open

>
>    AI-19. RobP will go back and look in issues list and see what he
>           can come up with wrt item [A.3] in the SAML v1.1 to-do
>           list.
>

- closed
- Rob took different action to propose alternatives

>
>    AI-20. Eve to update specs to 1.0
>

- still open

>
>    AI-25. Eve to respond to Hal's IssuerName proposal with an
>           attribute-based & an element-based solution
>

- still open

>
>    AI-26. Carlisle to update Mike Just's credentials collection
>           proposal
>

- addressed above
- still open

> 
>    AI-27. Prateek to rev draft-sstc-meta-data-00 and add in schema. 
>

- addressed above
- still open

>
>    AI-28. RobP to have RSAS convey a new "statement of licensing 
>           intent" to the SSTC that documents the additional two
>           claimed applicable patents in addition to the prior two. 
>

- Rob: has drafted a doc that legal dept is approving
- hopes to submit to OASIS by next meeting
- still open


>
>    AI-29. Jahan to start and own Errata list for current specs
>

- can be closed

>    AI-30. Scott to produce use case document for destination site
>           first flow using Web Browser Profiles (Target late 
>           January)
>

- Prateek is taking ownership
- still open

>
>    AI-31. Jeff to send email to list on his interpretation of IPR
>           issues surrounding using Liberty material
>

- Jeff: in progress
- Liberty docs have IPR statements at the beginning of each
- still open

>
>    AI-32. Rob will draft a use case for an Attribute Authority, to
>           be examined by the TC for profiling 
>

- still open

>
>    AI-33. Eve to update the charter based on discussion 
>

- still open

>
>    AI-34. Rob will pull single list of v1.1 To Do items 
>

- closed

> 
> 5. Any other business
>

- none

> 
> 6. Adjourn
>

- Adjourned


----------------------------------------------------------------------

Attendance of Voting Members:

  Ronald Jacobson Computer Associates
  Mingde Xu CrossLogix
  Carlisle Adams Entrust
  Jason Rouault HP
  Prateek Mishra Netegrity
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Don Flinn Quadrasis
  Rob Philpott RSA Security
  Jahan Moreh Sigaba
  Jeff Hodges Sun
  Emily Xu Sun
  Phillip Hallam-Baker Verisign
  Simon Godik (individual)
  Bob Morgan (individual)


Attendance of Observers or Prospective Members:

  (none)
  

Membership Status Changes:

  Robert Griffin Entrust - Lost voting status due to inactivity
  
--
Steve


