OASIS Mailing List Archives

security-use message



Subject: Minutes 13 Feb 2001


Agenda:

* Regularly Scheduled Conference Calls

DP: Work on issues on the list, have concalls for discussion and votes.

DO: What voting is possible on the subcommittee? Do we vote?

HL: Recommendations are voted on, issues are preserved.

DP: Our mission is to narrow the requirements.

Vote: weekly calls. Passes.

DP: 9AM PST conference calls, 1 hour.

* Session

EP: Put use case in issues list first.

PM: Add a high-level use case for sessioning.

ME: Difference between sessioned assertion and no sessions.

HL: Difference between a user who has been authenticated by a system
and one authenticated by another system.

ME: Trust asserting party enough to use assertion as an attribute
inquiry?

* Additional B2B Use Cases

DP: Issues list is an extension of the requirements document. Add ZA's
B2B use cases to issues list.

DO: Core use cases are expressed, variations additional.

ZA: Keep some consistency based on core use cases.

DO: Need to harmonize the use cases.

ZA: Emphasize chaining use cases.

HL: Have the high-level UCs followed by specific scenarios
appertaining to that UC.

DO: Harmonize wordings across different scenarios.

EP: Maintain domain terminology.

DO: Factor out similar actors, use them.

JH: Maintain difference between levels of detail in the different
HLUC and interaction diagrams.

EP: Map actors in HLUC and actors in interaction diagrams.

BB: Might not be necessary to do this, let specification do that.

BB: Not bias specification in terms of expected implementation.

DO: There could be excessive overlap between scenarios. Give
activities that occur in different use cases a name.

BB: Can name the items that are common between cases. 

PM: Service-to-service use case.

PM: Normalization is good, may be down to the low level, may be a
later process.

HL: Terms should be deliberately chosen.

* High Level Use Cases

DP: Web user to Source Web Site.

JH: At this level of abstraction, is the single sign-on required?

BB: Service, security domain, rather than Web site.

JH: Maybe this should be called Web user or browser single sign-on.

ME: Not single sign-on, since sign-on isn't passed on.

DP: Other protocol bindings are about channel between issues.

DP: Vote on changing name of use case one to "Web Browser Single
Sign-on."

ME: Propose another "single sign-on" case.

PM: In HLUC 2, can PEP and PDP be in separate security domains?

BB: Propose as an issue.

DO: This should be further elaborated with low-level scenarios.

EP: ISSUE:[UC-11-01:AuthzUseCase] covers this case.

DP: Vote on whether same domain version of this use case goes into
draft 3.

PM: Need to have same-domain case?

DO: Chair should call for objections only when he hasn't heard one yet.

DP: Motion carries.

PM: Does this call for a request/response protocol in authz?

EP: Third high-level use case, w/r/t service-to-service use case.

* ISSUE:[UC-5-01:AuthCProtocol]

DO: Can we get consensus?

BB: BB will champion this issue.

* How to Close the Issues

DP: Champions choose issues and take them through discussion to a
vote.

EP: Need to get to concrete (text) input.

HL: Different issues need to be filled in in groups, not in individual
issue level.

PM: Champion is almost a sub-sub-committee member.

DO: Volunteer to write up session issue.

PM: Some closure on sessions on the list.

DO: Doesn't think we've come to closure on issues.

DP: Issue champion should choose text of issue. 

* Session Issue

DO: Put sessions into the discussion.

ZA: Send b2b business cases to list. B2B issues on list don't cover
some gaps.

BM: Ways to think about requirements. Business requirements rather
than technical requirements.

DO: How does this separation work?

DP: Table this issue, get it out in issue format.

* Further work

DP: Can we get issues to the issues list by the end of week?

DO: Need them before then.

DP: Issues out by Wednesday, get comments for vote next Wednesday.
Single Sign-on, Session, Authentication.

HL: Use terminology in the glossary.

JH: Please make suggestions for glossary.

DP: Dave Orchard session champion, BB is AuthC champion, DP is single
sign-on champion.

DO: Require more discussion on discussion list.

DP: Saturday after F2F may be a good day for more work.





