OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes for Telecon, Tuesday 5 August 2003

Minutes for SSTC Telecon, Tuesday 5 August 2003
Dial in info: +1 865 673 3239  #238-3466
Minutes taken by Steve Anderson


    - Minutes from 22 July 2003 call accepted
    - Chairs directed to contact Project Liberty regarding
      submitting ID-FF v1.2 just as they submitted v1.1
  Previous Action Items Still Open:
    - none

  New Action Items:
    - Prateek to set up ballot to gauge F2F attendance
    - Prateek to post draft F2F agenda before next call
    - Prateek to send Rob link to previous posting, and Rob to 
      update web site with link
    - Scott, RLBob and Jeff to produce scenarios for multi-
      participant transactional workflows
    - John Hughes to produce use case doc for Kerberos support
    - Eve to compile v2.0 work items and champions
                             Raw Notes

> Agenda:
> 1. Roll call

- Attendance attached to bottom of these minutes
- Quorum achieved

> 2. Accept minutes from previous meeting, 22 July
>    < http://lists.oasis-open.org/archives/security-services/
>      200307/msg00048.html >

- Eve: minutes weren't specific on IPR issues with Liberty
- Rob: let's accept these, and deal with that topic later on the Agenda
- [VOTE] unanimous consent, accepted

> 3. SAML 1.1 follow-up
>    a. OASIS announcement to review specs by 16-Aug

- Rob: OASIS announcement already sent out

>    b. Possible errata (Scott C) 
>       < http://www.oasis-open.org/archives/security-services/
>         200307/msg00063.html >

- Rob: seems minor
- question is how to handle? new errata? incorporate into existing
  errata doc?
- Jahan: doesn't think it affects anything normative 
- Scott: it does affect some "MUST" language
- Jahan: will update errata doc, and we'll fix it in v2.0
- Hal: that's all we legally can do

>    c. SAML V1.1 Metadata doc draft-07
>       < http://www.oasis-open.org/archives/security-services/
>         200307/msg00055.html >

- Rob: how do we want to deal with this?
- Prateek: thought it would flow into v2.0
- Rob: ok, that's right

> 4. V2.0 Face-to-Face
>    a. Scheduled for Sept 8-10, Sun Campus in Burlington, MA
>    b. Logistics updates? 
>       < http://lists.oasis-open.org/archives/security-services/
>         200307/msg00051.html >

- Eve: all set
- Jahan: knows someone who is not in TC, but is OASIS member, and would
  like to attend
- Eve: just a question of space in the reserved room, which is setup
  to hold around 20
- Prateek: also has lots of requests from folks who've been
  implementing SAML wanting to attend, which is a good thing
- thinks we'll push well over 20
- will put up a ballot to determine number of people intending to come
- Eve: we need to see how many voting members will be attending, and
  make sure we reign in the numbers of non-members
- may be able to reserve bigger room
- observers should send request to the chairs (and Eve, as host) about
  attending, and it's up to the judgment of the chairs to allow/dis
- Rob, Prateek, Eve will talk offline
- [ACTION] Prateek to set up ballot to gauge F2F attendance
- Prateek: but non-members may not be able to get to the ballot

>    c. Social event?

- Rob: not too many ideas have come in
- can setup dinner reservations
- if there are any additional ideas, send them in
- otherwise, just needs indications of who would be interested in 
- Jahan: this would be on the 2nd night, right?
- Rob: yes, Tues evening

>    d. Agenda development?

- Rob: need some work done here
- Prateek: would be happy to help
- Jeff: before, we've had someone draw up a proposed agenda, post it,
  get comments, and proceed
- Irving: can have an open call for topics
- Rob: won't be on next call, so can Prateek post a proposed agenda
  and drive to resolution on next call?
- Prateek: can do
- [ACTION] Prateek to post draft F2F agenda before next call
- Hal: is there anything outside of v2.0 work? Liberty IPR, etc?
- Prateek: <described some topics, which will be in proposed agenda, to
  be posted shortly>
- Eve: would be good to keep track on public site things like 
  implementation lessons, interactions with Liberty, etc
- Prateek: had posted some material on this previously
- [ACTION] Prateek to send Rob link to previous posting, and Rob to 
  update web site with link

> 5. V2.0 Call for Editors
>    a. Frederick and Eve are the only volunteers so far. Others?

- Rob: Krishna also volunteered
- anyone else?
- Jeff: might be able to
- Rob: that would be good, given you background with Liberty stuff
- John Hughs: volunteers as well
- Eve: happy to serve as coordinating editor
- Jahan: can continue with errata and meta data
- Tim: expecting to help Jeff with SASL and CC work
- Jahan: also keening interested in CC work
- Eve: could do editorial team meetings
- Hal: has keen interest in several technical items, but probably can't
  commit to editor job
- Eve: maybe those editor calls can be focus group calls

> 6. V2.0 scope definition
>    a. Follow-up from 22-July discussion?

- Eve: Liberty IPR discussion from last call
    - Liberty contribution came with its own IPR statement
    - Prateek will point to message with that info
    - Rob will update web site to point to that
- Jeff: goal statement just sent to list
    - probably better to hash this out on list with specific wording
    - Rob: if anyone has feedback on the goal statement, post to list
    - we need to settle on goal statement on next call

>    b. Multi-participant transactional workflows - several emails
>       exchanged:
>       i.  Sender Vouches vs Bearer Vs Artifact confirmation methods

- Rob: there were about 7-8 emails exchanged on this
    - comments?
    - Irving: 'SenderVouches' isn't meaningful in an assertion
    - simply redundant with absent confirmation method
    - Irving: the one condition you could imply is that the absence
      of anything else is intentional
    - Prateek: does this have a technical impact?
    - Jeff: we need to address what is the difference in trust models?
    - Bob Blakely did this way back at a F2F (#4?)
    - can pull the data out, put into doc, and post to list
    - Irving: has only waived arms about artifact profile mandating
      confirmation method of "artifact", because using the assertion
      after the SSO interaction requires requesting a different 
    - Prateek: SAML profile in WSS calls out many of these issues
    - Scott: there is no bridge between the SSO interactions and any
      subsequent assertion use
    - Prateek: so is that a use case that folks are interested in?
    - seems to be
    - Prateek: is anyone willing to step up with some scenarios?
    - Scott: can do it
    - RLBob: will assist
    - Jeff: will also
    - [ACTION] Scott, RLBob and Jeff to produce scenarios for multi-
      participant transactional workflows

>       ii.  CSIv2/IIOP identity token vs authorization token

- Rob: can continue this discussion on list, if people think 

>       iii. Using SAML assertions in WSS-SAML Profile

- Rob: dealt with above
- Prateek: is it appropriate to have as part of F2F a discussion of the
  state of the WSS-SAML Profile?
- seems to be
- Prateek: will add to agenda
- can feed information back to Ron Monzillo based on that discussion

>    c. Liberty ID-FF
>       i.  Can we use ID-FF V1.2?

- Prateek: proposes that we solicit contribution of Liberty v1.2
- would like to unify federation layers between SAML & Liberty
- [MOTION] Chairs directed to contact Project Liberty regarding
  submitting ID-FF v1.2 just as they submitted v1.1
- Jeff: draft specs are available
- would be a problem to start some work based on those, provided our
  work is in draft stage
- IPR stuff seems only dependent on final specs (of derivative work)
- Jeff: Liberty already committed (in statement to press?) to 
  contribute ID-FF v1.2 to SSTC
- won't hurt for SSTC to request it anyway
- Liberty won't submit it until it is finalize, but may get direct 
  commitment to do so, freeing SSTC to begin draft work based on
  draft of ID-FF v1.2
- [VOTE] unanimous consent

>       ii. Migration issues SAML V1.x/Liberty to SAML 2.0

- Prateek: already spending time on this issue
- seeking other volunteers that are more involved with implementations,
  Liberty, etc
- Rob: will assist

>    d. Trust and delegation email (Krishna)

- Krishna: do we have caching intermediaries now?
- Prateek: don't believe there is a general intermediary case
- Hal: not clear on the terms thrown about here, as they mean so many
- Krishna: wants to work on providing definitions
- Hal: prefers to hear clear problems that aren't currently solved by
- Eve: we're still at definition phase, and until that progresses, we
  can't do further work
- Scott: this may relate to earlier discussions

>    e. Kerberos support (Krishna)

- John Hughes: someone should produce some use cases on this
- offers to take the lead on this
- Hal: a prior email of mine had some implied use cases, which could
  easily be extracted
- John: will be on vacation soon, so it won't be ready until right
  before F2F
- [ACTION] John Hughes to produce use case doc for Kerberos support
- Krishna: can assist

>    f. XACML and OGSA proposals for new request type

- Hal: some time ago, XACML submitted proposal for enhancement to
  AuthZDecisionRequest to better fit with XACML
- April 3, submitted by Carlisle
- OGSA also had a request that was very similar
- Eve: this is exactly the kind of implementor experience suggestions
  we are looking for
- Hal: expects XACML will analyze OGSA request, and may revise their
  submission (no later than the F2F)

>    g. anything else?

- Eve: there was a set of things we promised way beck to do in 2.0
- need to go back and gather those
- Scott: certainly, deprecations need to be removed
- [ACTION] Eve to compile v2.0 work items and champions

> 7. Action item review
>    #0056: Solicit comments on 2.0 activities from saml-dev
>    Owner: Prateek Mishra
>    Status: Closed
>    #0058: Ask Ron Monzillo for input on multi-participant
>           transactional workflows
>    Owner: Eve Maler
>    Status: Closed
>    #0038: Continue developing Metadata specs
>    Owner: Prateek Mishra
>    Status: Open

- Rob: let's close this, since it will be a v2.0 work item

>    #0055: Draft goal statement for SAML 2.0
>    Owner: Jeff Hodges
>    Status: Open

- Jeff sent draft to list at beginning of call
- discussion will be on list

>    #0054: Prepare analysis of Liberty work for 2.0
>    Owner: Eve Maler
>    Status: Open

- Eve: result turned into candidate work item list
- working on a cross reference list of Liberty items
- Scott working on a spreadsheet-style doc
- could also have references to other efforts such as XACML, WS-Fed
- What about WS-Federation?
    - Hal: BEA's position is to work to a single set of specs
    - Rob: RSA would like to see the same thing
    - Eve: has heard that WS-Fed has features that exist in other open
      specs, but does it have features that we can take as use cases
      for work here?
    - Scott: it has benefit of hindsight
    - Hal: thinks it does have additional features, like UDDI
    - Eve: can you elaborate?
    - Scott: UDDI fits in tighter when you move up stack into 
    - Eve: so this is more relevant to Liberty?
    - seems so
    - Jeff: there is a need in the Web Services space for discover
      service, and Liberty feels that UDDI is too high up, and designed
      its own
    - Eve: would like to take a use case-based approach to this
    - there may be some marketing impacts to any response to WS-Fed
    - Prateek: what is there we can do, other than urging submission to
      some standards body?
    - Eve: thinks there is work we can do
    - happy to hear that some WS-Fed authors are pursuing convergence
    - we can present ourselves in a stronger fashion as we begin on 
      v2.0, such as additional web site collateral discussed today,
      renewing an attempt at an FAQ section, etc
    - John Hughes: has a white paper that includes several relevant
      use cases, available on their web site (but requires registering)
    - can provide it to anyone who sends him direct requests
    - Eve: soliciting people interested in outreach efforts
        - Krishna, Rob, Jeff, Jahan, RLBob interested
        - Eve: will contact them offline
- analysis done

>    #0013: Request use of WS-Trust for CC Proposal
>    Owner: Maryann Hondo
>    Status: Open

- Rob: can discuss at F2F
- Tim: doesn't seem to be going anywhere, so we should forget it
- Jeff: there are other avenues
- CLOSED (due to lack of response)

> 8. Any other business

- Eve: administrative, we can confirm our telecon schedule at the F2F,
  which should be weekly beginning then
- Eve: for work items, can make explicit calls for champions via 
  emails (one per item)

> 9. Adjourn

- Adjourned


Attendance of Voting Members:

  Irving Reid Baltimore
  Hal Lockhart BEA
  Krishna Sankar Cisco
  John Hughes Entegrity Solutions
  Jason Rouault HP
  Scott Cantor Individual
  Bob Morgan Individual
  Darren Platt Individual
  Prateek Mishra Netegrity
  Frederick Hirsch Nokia
  Senthil Sengodan Nokia
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Simon Godik OverXeer
  Rob Philpott RSA Security
  Edward Coyne SAIC
  Jahan Moreh Sigaba
  Jeff Hodges Sun
  Eve Maler Sun
  Emily Xu Sun
  Phillip Hallam-Baker Verisign

Attendance of Observers or Prospective Members:

  John Linn RSA Security
  Tim Moses Entrust
  Bill Haase IBM

Membership Status Changes:

  Rebekah Lepro NASA - granted voting status after call


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]