Subject: MINUTES Meeting 29 May 2014
----------------------------------------
DRAFT MINUTES
OASIS WS-BRSP TC Meeting
29 May 2014, 11:00am to noon PDT
----------------------------------------

Scribe: Gershon Janssen, Jacques Durand

0. Call to Order and roll call

Jacques Durand calls the meeting to order and welcomes everyone.

* Roll call:
  Alessio Soldano
  Ram Jeyaraman
  Gershon Janssen
  Doug Davis
  Jacques Durand
  Tom Rutt
  Pim Van Der Eijk
  Tom Link (observer)

Excused: Micah Hainline

This meeting is quorate.

Agenda adopted:

1. Administrative
 - Minutes May 1 meeting
 - End of PR2 for BP12, BP20, RSP10, few public comments (see comment archives). See:
   https://lists.oasis-open.org/archives/ws-brsp-comment/201405/maillist.html
 - proposed resolution, and Next steps.
 - Next meeting(s) schedule.

2. Upgrading BSP11 for later versions of SHA (see minutes May 1):
 - status on Pim/Ram action item to talk to BSP users to check their preference / interest.
 - see the Extensibility point proposal:
   https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53117/BasicSecurityProfile-v1.1-WD03-withSHAextensibilityPoint-rev2.doc

Minutes:

1. Administrative

 - Minutes May 1st meeting: approved
 - Disposition of comments for PR2 for BP12, BP20, RSP10:
   https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53155/PR2-bp12-bp20-rsp10-ConsolodatedCommentResolutions.xlsx
   few public comments (see above): only cosmetic, from OASIS staff.
   - 2 comments on broken URL links in PDF.
   - 1 comment about misaligned TA tables in the new test assertions appendix. (decided not to address)
 - new packages with comment disposition implemented at:
   https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53158/rsp10wd08-Package.zip
   https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53157/bp20wd08-Package.zip
   https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53156/bp12wd08-Package.zip
 - Next step is approving the disposition of these comments.
 - Ram had an additional comment: email:
   https://lists.oasis-open.org/archives/ws-brsp/201405/msg00017.html
 - Ram speaks to suggestions / changes for RSP section 2.1
 - Ram: Current description of claiming conformance:
   "This specification defines two mechanisms to claim conformance to the Profile, the use of which needs be agreed upon by users:
   1) the Conformance Claim Attachment Mechanisms [claimAttachment] (see Section 2.5.1), or
   2) the Web Services Policy - Framework [WSPolicy1.5] and Web Services Policy - Attachment [WSPolicyAtt1.5] (see Section 2.5.2)."
 - Ram points out that we removed the recommendation for WS-Policy.
 - Jacques explains that we kept the normative keywords inside the WS-Policy option for claiming conformance, BUT that we removed the recommendation (RECOMMENDED keyword) for WS-Policy, as the choice of conf claim is out of scope for the profile.
 - Ram agrees this is acceptable.
 - Ram's other suggested edits are being taken care of by Tom Rutt, who will post a new package during this call.
 - Conclusion: changes are purely editorial and as such can be made after the Public Review.
 - Motion: TC approves the following wd08 packages to be approved for progression as CSD04 and open a subsequent ballot for CS.
   BP12: https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53156/bp12wd08-Package.zip
   BP20: https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53157/bp20wd08-Package.zip
   RSP10: https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53170/rsp10wd08-Package-r1.zip
 - Gershon moves; Tom R. seconds. Motion approved by unanimous consent

2. Upgrading BSP11 for later versions of SHA (see minutes May 1):

 - Jacques posted the new SHA Extensibility point proposal:
   https://www.oasis-open.org/apps/org/workgroup/ws-brsp/download.php/53117/BasicSecurityProfile-v1.1-WD03-withSHAextensibilityPoint-rev2.doc
 - note that all the Rxxx that mentioned SHA1 now have become conditional to the extensibility point, e.g.:
   R5420 "If SHA-1 is used, the DIGEST_METHOD Algorithm attribute MUST have the value "http://www.w3.org/2000/09/xmldsig#sha1"."
 - Pim speaks to the proposal: improvement is achieved by implementing the conservative change option (no new Rxxxx for SHA new versions)
 - Pim: still that is not the best option for users: they don't get guidance on SHA-256
 - several projects use SHA-256 and have interop issues around X509.
 - Jacques: not approve anything today on BSP, still needs some work
 - Current "extension" proposal at least removes preference for sha1 and opens up the profile for other encryption algorithms through the extensibility point.
 - other versions of sha are still missing new Rxxx, but this requires involvement of security experts and a clear indication of users really wanting this.
 - Problem for a more serious BSP update: older ws-security TCs closed; there are hard-wired dependencies on sha1 in WS-Security.
 - no real interest externally on changing this from a standards perspective.
 - Pim knows some products actually using other algorithms than sha1, so positive signals.
 - using these algorithms might not require extensive interop testing, but not clear.
 - Upgrading BSP11 according to the Extensibility proposal is the best we can do today.
 - AI: Jacques: to produce a more up to date proposal on the BSP, with help of Pim.
 - Pim: we need to consider BSP priority: help customers or just a paper spec?

 - next meeting: July 10
 - meeting adjourned at 12:10 after agreed time extension.