
security-use message


Subject: Notes From 5 Feb 2001 Conference Call

0. Attending

Nigel Edwards
Jeff Hodges
Hal Lockhart
Anders Rundgren
David Orchard
Marlena Erdos
Bob Morgan
Prateek Mishra
Taylor Boon
Evan Prodromou
Darren Platt

1. Issue List

   a) Make sure all issue groups are defined.

DP: reference list of 2-1 sent to security-use.

DO: reference listed issues of 2-1.

EP: Suggest that issue #2 is "enveloped" issue.

DO: B2B issue is actually a more general issue, where an intermediary
can add assertions to a message. 

PM: Need to call out intermediary issue. "Multi-hop issues."

HL: Separate issues (intermediaries & enveloping).

JH: Separate in the requirements section intermediaries, enveloping.

JH: "enveloped vs. enveloping" is a poor name.

BM: Suggested separate definition of push-pull to security-use.

DP: Noted that SSO is already called out.

BM: Privacy issues affect all parts of the requirements. Privacy
issues should be called out for all types of interactions.

NE: Anonymous use is another issue, orthogonal to privacy.

AR: Some authentication of destination is a requirement.

BM: Logout, step-up authentication aren't called out on this list.

HL: Logout, step-up are part of sessions.

PM, NE: SSO and sessions are not equal.

DP: Open issues go to strawman doc.

DO: "Framework" issue. Mechanism that allows definition of new parts
of system, "extensibility" of framework.

DP: What level of extensibility?

DO: Important to point out what the level of extensibility is.

PM: Some public-key/private-key issues. Does the subject have
private-key encryption?

JH: Recommend using XML Protocol document as a model.

HL: Are there any extra use cases? What about the "health care" use
case mentioned in the TC group?

DO: Authorization use cases?

PM: Authz is part of the security service discussion (PEP-to-PDP

DP: Grouping of issues useful?

DO: Yes.

DP: Drill down into SSO (issue 1).

JH: Forming straw-man glossary.

ME: Name assertion vs. entitlements/profile assertion.

HL: Name assertion not different from profile attributes.

General: What level of control does the user have over profile
assertions? What assertions may be released?

PM: Should be specific for each system, part of a privacy policy.

HL: Issue is: should system support credentials negotiation based on
user's decision?

BM: Some recommendation that user have configuration ability.

DO: Difficult to test conformance.

PM: Is there a separate req't for credentials negotiation between
security zones?

BM: What is the point of Use Case 3 (3rd-party security system)?

PM: Request making SSO cases less Webcentric.

ME: Not necessarily SSO.

AR: Perhaps 3rd-party is better served by a Microsoft Passport

HL: Authc specifying agent, Authz specifying agent.

DO: Domain model with actors sent to the list. Should be added to the

EP: Suggest breaking up issues, sending them to list individually.

DP: 1, 3, and 5 to list today.

HL: Base discussion from Straw Man 1 version.

JH: Working on getting Web space for issues list.

JH: Glossary by 2-7 or 2-8 to list.

2. Meeting planning

   a) Next meeting.

2-13-2001, 8AM.

   b) Specific meetings dealing with particular issues.

Decided to hold separate discussion on email list for each issue,
rather than breakout concalls.
