
security-services message



Subject: RE: [security-services] Minutes for Telecon, Tuesday 22 June 2004


In "7. Recent document updates", changed the duplicate URL to point to Paul's Exec Overview draft.  Thanks to Frederick for the catch.
--
Steve Anderson
OpenNetwork


--------------------------------------------------------------------------------------


Minutes for SSTC Telecon, Tuesday 22 June 2004
Dial in info: +1 865-673-6950 #351-8396
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

  Votes:
  
    - Minutes from 8 June 2004 call accepted
    - Begin weekly quorum calls July 6, with quorate portion
      expected to occur in first hour, and focus portion to follow for
      remainder
    - Remove XKMS as an authentication method
    - Accept all recommendations from F2F concerning Issues
      disposition
  
======================================================================
                             Raw Notes
======================================================================

> 
> Agenda:
> 
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

> 
> 2. Accept minutes from 8 June concall
>    < http://lists.oasis-open.org/archives/security-services/
>      200406/msg00050.html >
>    < http://lists.oasis-open.org/archives/security-services/
>      200406/msg00054.html >
>

- [VOTE] unanimous consent, accepted

>
> 2b.Accept minutes from 15-17 June F2F
>    < http://lists.oasis-open.org/archives/security-services/
>      200406/msg00078.html >
>

- Tony: can we approve minutes from a non-quorate meeting?
- just accepting as input to this meeting
- Irving: rather than accept the decisions all at once, we should review
  the decisions as an agenda item
- Tony: it's the same as a focus group call
- Prateek: goal would be to approve recommendations
- [no vote taken]
- Rob: proceed with reviewing schedule

> 
> 3. Review schedule and note any changes/updates
>
>    June 15: V2.0 F2F in Toronto 
>    June 22: Review updates since f2f. 
>    June 29: Both Prateek and I will be out -- anyone want a focus call
>             this week?
> 
>
>    July 6: All specification suite documents must have incorporated all
>            input from the list and F2F #5. Note that this gives us 3
>            weeks since the F2F to complete all document changes and to
>            resolve issues and action items.  This now begins sort of a
>            pre-last-call deadline for final input.  Depending on how
>            well things come together, we might possibly start our TC
>            last call here, but we opted to allow another week before
>            doing that. 
>    July 13: VOTE to start 2-week committee last call period (includes
>             external public review). 
>    July 20: Review any last call input to date. 
>    July 27: Cut-off date for TC last call input. All outstanding issues
>             have been dealt with according to the last call process. The
>             specs now become our "candidate" Committee Drafts and the TC
>             addresses any outstanding non-normative editorial issues 
>    August 3: VOTE to move spec's to "Committee Draft" status (requires
>              YES votes from 2/3 of ALL voting members). VOTE to move CD
>              spec's into 30-day Public Review for OASIS standardization
>              (majority vote). Edit doc's for CD status. Notify TC admin
>              of the start of formal Public Review. 
>    September 7: (first call following 30-day public review): Make sure
>                 all public review comments have been properly
>                 dispatched. Final editorial changes must be complete.
>                 VOTE to re-approve spec's as final Committee Draft and
>                 VOTE to submit to OASIS for standardization.  
>    September 8-15: Complete all submission paperwork. All submissions
>                    for an October voting period must be complete by
>                    September 15. 
>


- Eve: this 29 June call a focus call?
    - Prateek: there is a proposal to go to weekly formal calls
    - Rob: Jeff's suggestion was to make first part of weekly calls
      "official" with votes, etc, then treat remainder as focus call
    - Irving: so, do we start weekly calls next week with chair pro tem,
      or just wait until July 6?
    - [MOTION] Begin weekly quorum calls July 6, with quorate portion
      expected to occur in first hour, and focus portion to follow for
      remainder
    - [VOTE] no objections, accepted
    - Conor: will this be indefinitely?
    - Jeff: in the past this has been until docs got into OASIS for
      approval
    - can cancel meetings as appropriate
    - Irving: eventually, someone will propose returning to bi-weekly

> 
> 4. Review action item list from F2F and determine status of each
>    (a) any missing actions?
>    (b) clarification and dates
>

- Prateek: we'll review the minutes from the F2F, with goal of accepting
  recommendations as a set
- starting with AI's at top
    - 1. Editors to resolve submission process for additional Authn
      Context classes / Bindings / Profiles
        - JohnK: thinks this became general question of process, not
          specific to these docs
        - Scott: there was complaint about boilerplate text
        - JohnK: do we think current process for submission of profiles
          is sufficient?
        - Rob: there's another AI for submission process
        - Scott: question is whether submitted profiles get added to
          single profile doc or not
        - we can just say "there is a process", and later post the process
          on the web site
        - [ACTION] JohnK & Scott to propose text concerning process for
          submitting new profiles, etc.
    - 2. JohnK and Scott to move Authn Context Declarations to XML Schema
      centric approach
        - JohnK: has been working on this, thinks he's got it solved
        - should have new draft prior to next week's meeting
        - [OWNER: JohnK]
    - 3. Scott to ping Peter for additional text, subsequent to that there
      will need to be a review to ensure that the appropriate SHOULDs etc
      are there.
        - Scott: has pinged him, still waiting
        - [CLOSED]
    - 4.  Scott to reorganize section 4 (Metadata) to clarify
        - Scott: related to 3
        - Peter has more thoughts on these
        - remains OPEN
    - 5. Scott to clean up the text around the different types of profiles
      in Section 1.1
        - Scott: remains open
    - 6. investigate profile designator for statement and query -
      potentially allowing for endpoint metadata
        - issue was whether NULL profile was needed, etc
        - [OWNER: Scott]
    - 7. Scott to talk to RL Bob (re: BER & DER issues in LDAP/X.500 
      profile?)
        - Scott: initial AI was done
        - result is that intent was, in fact, different
        - need someone to propose new text
        - [CLOSED]
        - Scott: will see RLBob next week, and can ask him what he thinks
          we should do
        - would characterize this more as an Issue than Action
        - [ACTION] RLBob to review & propose text for handling syntax of
          attr values
    - 8. Prateek to ping John H for clarification (re: UUID's being used
      with attribute values)
        - Prateek: we completed this the next day
        - [CLOSED]
    - 9.  Scott to incorporate into document. include reference to
      Appendix A. (re: XACML profile)
        - Prateek: issue was to include a section on XACML
        - still OPEN
    - 10. Need clarification as to what is the target namespace for the
      DataType element? (re: XACML profile)
        - Prateek: thought this was an action to Scott
        - do we need inputs from XACML on this?
        - Scott: don't think it matters
        - if we put it in core, it will be in our namespace
        - if we put it in a profile, it will need a separate ns
        - we decided to move FriendlyName to core, since it is shared
          by multiple profiles
        - still OPEN
    - 11. Paul Madsen to take the exec overview document
        - Paul: posted first draft to list
        - CLOSED
        - awaiting feedback
    - 12. Scott will investigate use of wiki on Oasis site
        - Scott: this will wait
        - still OPEN
    - 13. chairs to put item regarding errata process on the concall agenda
        - [OWNER: Prateek, Rob]
        - Scott: sense of meeting was to establish a 2.0 errata process
          now
        - Prateek: idea was that in 1.0, we didn't have such a process,
          which led to confusion
        - Jahan: can we not follow what we did for 1.1?
        - Scott: don't want to publish whole new rev for errata
        - Hal: OASIS has only recently accepted notion of errata
    - 14. (Jeffh) Resolve status of RFC (re: syntax of UUID as URI)
        - Jeff: done, posted to list
        - CLOSED
    - 15. (Scott) to document the well-known values for the DCE attribute
      name
        - stays OPEN
    - 16. (Scott) Will fix spec. to be more precise about use of
      encryption with name identifiers (per discussion on PKI-based attr
      profile)
        - Scott: done in next working draft
        - CLOSED
    - 17. Rick R. (and customer) should read and accept the OASIS IPR
      policy for document submission
        - Rick: planning to send it today
        - stays OPEN
    - 18. (chairs) discuss + resolve general approach to new profile
        - Prateek: duplicate of #1
        - CLOSED
    - 19. Jeff to add security context to Glossary
        - stays OPEN
    - 20. Jeff to help with sequence diagrams for profiles
        - Jeff: in progress
        - stays OPEN
    - 21. Rob to enumerate the implementation declarations/claims of
      interest. Prateek and Scott will contribute
        - Prateek: wasn't this completed on day 3? on a spreadsheet?
        - Rob: yes, but still has long way to go
        - sent to list
        - CLOSED
    - 22. Hal will look at OneTimeUse text again and attempt to clarify
        - Hal: in progress
        - stays OPEN
    - 23. John K. to clarify text on 909-911 on SessionIndex
        - stays OPEN
        - related to 24
    - 24. John K. to look up why SessionIndex is required
        - stays OPEN
        - related to 23
    - 25. Scott to propose alternate text for section 3.2.3.1, strike 
      3.2.3.2-3.2.3.4 and rewrite 3.2.2.3-3.2.2.5
        - stays OPEN
    - 26. Hal to get expert advice on how to prevent caching by proxies
      and user agents
        - stays OPEN
- Prateek: on to Issues
    - 1. Deprecation/removal of XKMS authn context class 
        - should these just be added to Issues list?
        - Scott: some were resolved
        - could be added to Issues list and closed
        - JohnK: on XKMS, we did remove it as an authentication method,
          but it could be added back as a sort of OCSP-like mechanism
        - Eve: should we approve the removal on this call?
        - [MOTION] Remove XKMS as an authentication method
        - [VOTE] no objections, accepted
    - 2. Versioning in Profiles and Metadata
        - CLOSED
        - related to version attr that was added to element
        - resolution was to remove version attr, and the element that was
          the endpoint type would relate directly to profile version
        - [ISSUE] Versioning of profiles in general
    - 3. How to represent support for attribute profiles in metadata 
        - definitely not yet resolved
        - needs to be captured in Issues list
        - in next call, we'll go thru current outstanding issues
        - [ISSUE a] How to represent support for attr profiles in metadata
        - [ISSUE b] How to represent support for attr profiles in core
    - 4. Verify purpose of EncryptionMethod in KeyDescriptor in metadata 
        - Scott: (asking Greg) this is for the wrapped key, right?
        - Greg: not clear agreement in recent interop
        - thinks most were using it for bulk encryption, not key wrap
        - Scott: if this is for bulk encryption, it's in wrong place in
          metadata
        - Greg: agreed
        - Issue remains open
    - 5. SSO profile is different in how role division is split across
      request response 
        - Scott: wouldn't call this an issue
        - was just a question in the metadata spec, and came to his own
          conclusion
        - CLOSED
    - 6. SSODescriptorType shouldn't be a base
        - Scott: thinks we resolved this
        - CLOSED
        - additionally, decided ID & SP descriptor elements need "SSO" in
          names
    - 7. Need new name for AttributeRequestingService 
        - Scott: was resolved
        - changed back to AttributeConsumingService
        - CLOSED
- Prateek: one action not covered (from day 3) was IBM paper on BAP
    - JohnL and Prateek to produce draft response to IBM paper on BAP
    - expect late July
    - Prateek: meeting notes may be missing 3rd day morning portion
    - Rob: looks like I am missing Jeff's notes
    - Rob: will send updated notes
    - item is captured as [ACTION] in missing minutes
    - Scott: there was a change resulting from this paper as well
- Prateek: continuing with Issues that were recommended to be closed
  at F2F
    - Core 7:
        - recommended we CLOSE
    - Core 9: 
        - still OPEN
    - Core 12: 
        - recommended we CLOSE
    - Core 16:
        - recommended we CLOSE
    - Core 22:
        - recommended we CLOSE
        - Scott: there should be no QNames in our spec except for status
          codes
        - Prateek: so you're asking that we broaden the recommendation?
        - Scott: yes
    - Core 25:
        - recommended we CLOSE
        - Scott: thought we were waiting to see if anyone remembered why
          this was required
        - also need to document what Logout means without a SessionIndex,
          which would be to logout all sessions for principal
    - Core 27:
        - remains OPEN
    - Bind 3
        - remains OPEN
    - Tech 1
        - remains OPEN
    - Tech 3:
        - Recommendation is to CLOSE as long as Ron has reviewed and is ok
    - Tech 4
        - remains OPEN
    - Tech 5
        - remains OPEN
    - [MOTION] Accept all recommendations from F2F concerning Issues
      disposition
    - [VOTE] no objections, accepted
- Prateek: there is an issue of progress on Conformance
    - Rob: OASIS rejected a message on this topic, but it has been 
      reposted
    - Prateek: so there is an action already on this
  
> 
> 7. Recent document updates
>
>    < http://www.oasis-open.org/apps/org/workgroup/security/
>      download.php/7379/sstc-saml-sec-consider-2.0-draft-03-diff.pdf >
>    < http://www.oasis-open.org/apps/org/workgroup/security/
>      download.php/7339/sstc-saml-exec-overview-2.0-draft-00.pdf >
>

- Paul is looking for comments
- Frederick also sent update to Security Considerations
    - folks should read & comment
    - Doesn't have threat analysis for attr profile or name identifier
      profile
        - if anyone has material, please contribute
        - Scott: can provide some bullets for name identifier profile
    - would like to approve this in 2 weeks

> 
> 8. Any other business
>

- Prateek: looking at schedule ...
    - next meeting is 6 July
    - need all material from F2F incorporated by then
    - Scott: mostly mine, and will be working on that over next few days
    - Prateek: we may start TC Last Call on 6 July, otherwise following
      week
    - Core & Bindings seem pretty stable
    - a little churn in Profiles
    - Conformance is most at risk
    - will get discussion going
    - do we need any other docs before going to TC Last Call?
    - Scott: glossary?
    - Jeff: will try to have ready
- JohnH: posted revised storyboard for Tech Overview
    - < http://lists.oasis-open.org/archives/security-services/
        200406/msg00076.html >
    - please send comments in next few days
    - will be writing doc based on storyboard after that
- Thanks to whomever left us with hold music for the latter portion of the
  call!

> 
> 9. Adjourn
>

- Adjourned


----------------------------------------------------------------------

Attendance of Voting Members:

  Conor P. Cahill AOL, Inc.
  Hal Lockhart BEA
  Rick Randall Booz Allen Hamilton
  Tim Alsop CyberSafe
  John Hughes Entegrity Solutions
  Paul Madsen Entrust
  Dana Kaufman Forum Systems
  Irving Reid Hewlett-Packard Company
  Paula Austel IBM
  Anthony Nadalin IBM
  Scott Cantor Individual
  Bob Morgan Individual
  Prateek Mishra Netegrity
  Frederick Hirsch Nokia
  John Kemp Nokia
  Senthil Sengodan Nokia
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Darren Platt Ping Identity
  Jim Lien RSA Security
  Rob Philpott RSA Security
  Dipak Chopra SAP
  Jahan Moreh Sigaba
  Bhavna Bhatnagar Sun Microsystems
  Jeff Hodges Sun Microsystems
  Eve Maler Sun Microsystems
  Ron Monzillo Sun Microsystems
  Mike Beach The Boeing Company
  Greg Whitehead Trustgenix


Attendance of Observers or Prospective Members:

  James Vanderbeek Vodafone
  Gavenraj Sodhi Computer Associates
  Rebekah Metz NASA
  Tim Moses Entrust
  

Membership Status Changes:

  James Vanderbeek Vodafone - Requested prospective status 6/21/2004
  Gavenraj Sodhi Computer Associates - Requested prospective status 6/22/2004
  Miguel Pallares Ericsson - Lost voting status after 6/22/2004 call
  Jason Rouault Hewlett-Packard Company - Lost voting status after 6/22/2004 call
  Bhavna Bhatnagar Sun Microsystems - Beginning LOA after 6/22/2004 call

--
Steve Anderson
OpenNetwork





