
ws-brsp message



Subject: MINUTES Meeting 29 May 2014


----------------------------------------

DRAFT MINUTES

OASIS WS-BRSP TC Meeting

29 May 2014, 11:00am to noon PDT

----------------------------------------

 

Scribe: Gershon Janssen, Jacques Durand

0. Call to Order and roll call

Jacques Durand calls the meeting to order and welcomes everyone.

 

* Roll call:

 

Alessio Soldano

Ram Jeyaraman

Gershon Janssen

Doug Davis

Jacques Durand

Tom Rutt

Pim Van Der Eijk

 

Tom Link (observer)

 

Excused:

Micah Hainline

 

 

This meeting is quorate.

 

Agenda adopted:

 

1. Administrative

- Minutes May 1 meeting

- End of PR2 for BP12, BP20, RSP10, few public comments (see comment archives). See:

https://lists.oasis-open.org/archives/ws-brsp-comment/201405/maillist.html

- proposed resolution, and Next steps.

- Next meeting(s) schedule.

 

2.  Upgrading BSP11 for later versions of SHA (see minutes May 1):

- status on Pim/Ram action item to talk to BSP users to check their preference / interest.

- see the Extensibility point proposal:

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53117/BasicSecurityProfile-v1.1-WD03-withSHAextensibilityPoint-rev2.doc

 

 

Minutes:

 

1. Administrative

- Minutes May 1st meeting: approved

- Disposition of comments for PR2 of BP12, BP20, RSP10:

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53155/PR2-bp12-bp20-rsp10-ConsolodatedCommentResolutions.xlsx

few public comments (see above): only cosmetic, from OASIS staff.

- 2 comments on broken URL links in PDF.

- 1 comment about misaligned TA tables in the new test assertions appendix. (decided not to address)

- new packages with comment disposition implemented at:

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53158/rsp10wd08-Package.zip

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53157/bp20wd08-Package.zip

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53156/bp12wd08-Package.zip

- Next step is approving the disposition of these comments.

- Ram had additional comment: email: https://lists.oasis-open.org/archives/ws-brsp/201405/msg00017.html

- Ram speaks to suggestions / changes for RSP section 2.1

- Ram: Current description of claiming conformance:

"This specification defines two mechanisms to claim conformance to the Profile,

the use of which needs be agreed upon by users: 1) the Conformance Claim Attachment Mechanisms

[claimAttachment] (see Section 2.5.1), or 2) the Web Services Policy - Framework [WSPolicy1.5]

and Web Services Policy - Attachment [WSPolicyAtt1.5] (see Section 2.5.2)."

- Ram points out that we removed the recommendation for WS-Policy.

- Jacques explains that we kept the normative keywords inside the WS-Policy option for claiming

conformance, BUT that we removed the recommendation (RECOMMENDED keyword) for WS-Policy, as

the choice of conf claim is out of scope for the profile.

- Ram agrees this is acceptable.

- Ram's other suggested edits are being taken care of by Tom Rutt, who is to post a new package during this call.

- Conclusion: changes are purely editorial and as such can be made after the Public Review.

- Motion: TC approves the following wd08 packages to be approved for progression as CSD04 and

open a subsequent ballot for CS.

BP12: https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53156/bp12wd08-Package.zip

BP20: https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53157/bp20wd08-Package.zip

RSP10: https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53170/rsp10wd08-Package-r1.zip

- Gershon moves; Tom R. seconds.

Motion approved by unanimous consent

 

 

 

2.  Upgrading BSP11 for later versions of SHA (see minutes May 1):

- Jacques posted the new SHA Extensibility point proposal:

https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53117/BasicSecurityProfile-v1.1-WD03-withSHAextensibilityPoint-rev2.doc

- Note that all the Rxxx that mentioned SHA1 have now become conditional on the extensibility point, e.g.:

R5420 " If SHA-1 is used, the DIGEST_METHOD Algorithm attribute MUST have the value

"http://www.w3.org/2000/09/xmldsig#sha1"."

- Pim speaks to the proposal: improvement is achieved by implementing the conservative change option

(no new Rxxxx for SHA new versions)

- Pim: still that is not the best option for users: they don't get guidance on SHA-256

- several projects use SHA-256 and have interop issues around X509.

- Jacques: not approve anything today on BSP, still needs some work

- Current "extension" proposal at least removes preference for sha1 and opens up the profile for

other encryption algorithms through the extensibility point.

- other versions of sha are still missing new Rxxx, but this requires involvement of security experts

and a clear indication of users really wanting this.

- Problem for a more serious BSP update: older ws-security TCs closed;

there are hard-wired dependencies on sha1 in WS-Security.

- no real interest externally on changing this from a standards perspective.

- Pim knows some products actually using other algorithms than sha1, so positive signals.

- using these algorithms might not require extensive interop testing, but not clear.

- Upgrading BSP11 according to the Extensibility proposal is the best we can do today.

- AI: Jacques: to produce a more up to date proposal on the BSP, with help of Pim.

- Pim: we need to consider BSP priority: help customers or just a paper spec?

 

- Next meeting: July 10

- meeting adjourned at 12:10 after agreed time extension.

 

 

 

 


