OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] RE: Minutes for Telecon, Tuesday 30 September 2003


Okay - now sticking to the charter/goals discussion....

At the f2f, the goal statement was adopted by unanimous consent.  You were
there and therefore voted in the affirmative on these goals.

Are you now saying that you have changed your mind and do not believe these
are the goals we should be working on?  If so, then the chairs will be happy
to have you propose a new set of goals and we can put you on the agenda for
the next meeting so they can be debated and voted on in a quorum meeting as
a replacement for the current set.  But as of now, the TC has these as their
approved V2.0 goals.

> As far as the changes to the charter wording like "Addressing issues and
> enhancement requests that have arisen from experience with real-world SAML
> implementations and with standards architectures that use SAML, such as the
> OASIS WSS and XACML work." does not clarify anything just mystifies things.
> 
[Rob] Compared to the current TC charter (which was approved by the TC and
accepted by OASIS), in what way does this add mystery? The current charter
states: "new functionality satisfying newly discovered requirements (for
example, through implementation and deployment of the existing
specifications)". The new statement is simply being more specific about some
of the places where "the deployment of the existing specifications" has
occurred. Those are not a mystery to anyone.

> "Adding support for features that were deferred from previous versions of
> SAML for schedule reasons, such as session support, the exchange of
> metadata to ensure more interoperable interactions, and collection of
> credentials" is far too open. I suggest that the TC have a clear and precise
> list of "features" so the charter can address these as this leaves it wide
> open and does not clarify anything just mystifies things.
> 
[Rob] You've got to be kidding. There is absolutely nothing in the TC
process that states that the charter must provide that level of detail.
Please take a look at all of the other OASIS TC charters and tell me how
many provide a specific list of features with the detail you are suggesting.
Perhaps one or two might be more specific, but the vast majority are not.
The WSS-TC certainly isn't; Provisioning isn't; ebXML isn't; WSDM isn't;
DSML isn't; ...  I believe the proposed charter is much more specific than
most at OASIS. The TC process says we simply need to describe "a list of
deliverables, with completion dates" period. We only need to ensure that
those deliverables are aligned with the scope of the TC.  Please explain how
session support, metadata exchange, or credentials collector are not in
scope.

> Also the statement "Converging on a unified technology approach for
> identity federation by integrating the specifications contributed to the TC
> by the Liberty Alliance" seems like scope creep to me as I don't see
> anything in the charter about "federation" as federation goes way beyond
> authentication.
[Rob] I don't see anything in our charter that states we can define how an
Attribute Authority would work, either.  But it's needed for making
authorization decisions, so we define it in SAML.  I don't see anything in
the charter that explicitly states that we will define profiles that solve
the Web SSO problem. But they are clearly in scope. In the TC's view (if
you've changed your mind it's now the TC minus 1), federated identities are
essential to completing the job we started with Web SSO. They are essential
to the process of creating useful authentication and authorization
information exchanges. Just because it's not explicitly called out doesn't
mean we can't work on it when it's required to meet our stated purpose.

If you want to argue that this is out of scope, then please make your case
with a proposal to the list.  We'll put it on the agenda for discussion and
a vote.  But as it stands, the chairs and the TC, as indicated by the
unanimous consent of the goals, clearly believe that this is in scope.  If
you aren't satisfied with this approach, then please take it up with TC
Admin.

> 
> So I don't see the updates above clarifying anything, I have no problem
> with the changes that clarify the dates or clarifying that additional
> profile documents will be produced.
[Rob] Apparently, we simply have an argument over the semantics of
"clarification".

As I said, we have agreed-upon goals and the charter update has been
proposed with the objective of clarification w.r.t. those goals.  If you have
alternative proposals, please make them.

Cheers,
	Rob

