OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ws-brsp message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: UPDATED DRAFT MINUTES - 25 September 2014 - WS-BRSP TC Meeting

25 September 2014, 11:00am to 12:00pm PDT

Scribe: Gershon Janssen

0. Call to Order and roll call
Jacques Durand calls the meeting to order and welcomes everyone.

* Roll call:
Jacques Durand 
Gershon Janssen 
Pim van der Eijk
Alessio Soldano
Doug Davis
Ram Jeyaraman
Tom Rutt
Micah Hainline

Tom Link
Anish Karmarkar

This meeting quorates.

Agenda adopted.

1. Administrative
Approval of August 28, 2014 meeting minutes:
Minutes approved by unanimous consent.

2. BSP11 public review feedback:

* Dispose of the BSP comment we got from the last PR
We received one comment: https://lists.oasis-open.org/archives/ws-brsp-comment/201409/msg00000.html

Summary of comment:
The new PR draft relaxes the requirements from mandating SHA-1 to mandating either SHA-1 or any of the SHA-2 algorithms. 
This is understandable given the issues with SHA-1.
The profile goes to great lengths to ensure interoperability when using SHA-1; it specifies how to communicate with the other side that SHA-1 is being used. 
There is nothing comparable specified for SHA-2.
The fundamental reason the profiles were created were to enable interoperability, it makes sense to include the same level (or equivalent) of interop requirements for SHA-2 as there are for SHA-1.

TC discussion:
- unless member companies are ready to extend and test appropriately the BSP11 to SHA-2x, then there is not much help in that upgrade
- concern is that the TC has made the profile less interoperable from its previous incarnation
- Pim notes he has been in an ebMS3- AS4 interop test that uses WS-Security with updated versions of underlying XML Security and XML Encryption http://www.entsog.eu/public/uploads/files/publications/INT%20Network%20Code/2014/int0488%20131206%20as4%20usage%20profile%20v1r0.pdf all based on SHA256 with five vendors.  No issues with most of these with recent version of e.g. WSS4J.  So product support is there.

Motion: The PR comment addresses a concern that was discussed at length in the resolution of this issue. After discussion, the TC reached concensus that the current spec meets the needs of current products, by making the use of SHA1 optional with the extensibility point for additional mechanisms. It was agreed to close this PR comment with no action.

Tom Rutt moved; Gershon seconds. Motion carried by unanimous consent.

* Move to CS for BSP1.1

Motion: The TC asks the chair to submit a request to TC admin for balloting the latest version of BSP1.1 located at http://docs.oasis-open.org/ws-brsp/BasicSecurityProfile/v1.1/csprd02/BasicSecurityProfile-v1.1-csprd02.doc for approval as Committee Specification, after comment disposition as approved in this meeting.

Gershon moved; Tom Rutt seconded. Motion carried by unanious consent.

3. Progressing profiles to OASIS standards
Need to gather 3 statements of use, and this for each profile candidate(see templates sent in a recent email)

- Jacques was not able to find previous statements of use
- All organizations are encouraged to look at providing statements of use.

4.  Adjourn
Next meeting: 30/October/2014

Meeting adjourned.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]