Subject: DRAFT WS-SX TC 2005-12-07 and 2005-12-08 F2F Minutes


Hosted by Microsoft Corporation and will be held at the following 
location:

Redmond Marriott Town Center
7401 164th Avenue NE
Redmond
Washington 98052 USA
Tel: 1-425-498-4000
Fax: 1-425-556-1231 

Dial in facility for this F2F meeting sponsored by Nortel: 
Tel: 919-997-8152 
Access Code: 2486414 #

The meeting will also have access to an online chat room at:
http://webconf.soaphub.org/conf/room/wssx 

1. Welcome, Convener and meeting host
>Paul Cotton convened the meeting @ 9:04

2. Introductions and roll call, Convener

>Attendance to be provided 

a) WS-SX TC roster
http://www.oasis-open.org/apps/org/workgroup/ws-sx/members/roster.php 

b) OASIS Web Services Secure Exchange (WS-SX) TC home page:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx

3. Appointment of Note taker(s), Convener
>Michael McIntosh will take notes today.

4. Selection of TC chairs, Convener 
>Nominees Chris Kaler and Kelvin Lawrence introduced themselves.
>Paul opened up to other nominations
>Chris Kaler and Kelvin Lawrence as co-chairs - Approved without objection

>10 minute break.

5. Approval of meeting agenda, Chairs
>Kelvin reviewed the agenda
>Some discussion about posting of item 9 presentation to TC page
>No objections.

6. Introduction to OASIS process, OASIS staff
>Jamie Clark (on the phone)
>Congratulated Kelvin and Chris - thanked Paul
>Briefly described: TC Process, IPR Policy, Charter, Guidelines, etc.
>Read the documents on the Web (Policies and Procedures)
>- understand obligation of participation

>Some comments about chat room problems (quotes in name are bad)

7. Selection of issues list editor(s), Chairs
>Marc Goodner volunteered to be Issues List editor
>Congratulations to Marc

>Note from Chairs that Issues List Editor and Minute Taker can halt meetings to catch up.

8. Review of TC charter, Chairs

a) Original Call for Participation
http://lists.oasis-open.org/archives/tc-announce/200510/msg00006.html 

b) WS-SX TC charter
http://www.oasis-open.org/committees/ws-sx/charter.php 

>Kelvin read through the Charter
>Hal noted a typo "TCís" should be "TC's" more than once
>Frederick would like to revise charter at certain points (including 3.c)
>- we will discuss at the end of the reading
>Chris noted typo "Properties for indication the"

>Frederick sent email and discussed the following revisions:

>-----BEGIN EMAIL FROM FREDERICK-----
>MOTION: Shall the charter of the OASIS WS-SX TC be amended as follows?

>Modify the following sentence in the charter:
>c. Specifying the scope of each returned security token using WS-Policy 
[5] <wsp:AppliesTo>.

>TO READ AS FOLLOWS:
>c. Specifying the scope of each requested and returned security token 
using WS-Policy [5]
><wsp:AppliesTo> (eg. wsa:endpointReference).

>After the following sentence in the charter:
>j. Specifying characteristics of the requested type of keys.

>ADD THE SENTENCE AS FOLLOWS:
>k. Enabling additional negotiation and challenge mechanisms (e.g. SASL, 
SPNEGO) initiated by
>either client or server.

>Modify the following sentence in the charter:
>2. Actions and elements for responding with a renewed token.

>TO READ AS FOLLOWS:
>2. Actions and elements for responding with a renewed token (or tokens).

>Modify the following sentence in the charter:
>2. Actions and elements for responding about the validity of a token.

>TO READ AS FOLLOWS:
>2. Actions and elements for responding about the validity of a token (or 
tokens).

>After the following sentence in the charter:
>7. Definition of APIs

>ADD THE SENTENCES THAT FOLLOW:
>8. Definition of additional negotiation and challenge protocol 
mechanisms.
>9. Developing the roadmaps [15], [16] or other specifications mentioned 
in those roadmaps, 

>beyond the material listed explicitly as within the scope of this 
charter.
>-----END EMAIL FROM FREDERICK-----

>Some discussion about changing from "amend" to "clarify"
>Jamie - said we need to state this as clarification (lower threshold)

>Frederick made motion
>Tony seconded
>Discussion
>Jeff Hodges: we did not have a lot of time to review changes ...
>...should we take them each individually or as a whole

>Paul: asked what Jeff Hodges concern was? too large chunks? or not enough 
time?

>Jeff H: concerned about ruling of things out of scope.
>Tony: it helps set expectations
>Hal: we should have one package one vote if possible
>Hans: inconsistent use of word "protocol" in "k" and "8".
>Hal: if removing or adding word "protocol" changes meaning?

>Martijn DeBoer: question about the use of term "binding" vs. "profile"
>Scott C.: has similar concerns - who does profiles?
>Chris K: Spec is abstract, binding concrete, profile is like WSI
>Prateek: Wants to understand which tokens themselves make this all work
>Chris K: wants this to work for all token types
>Prateek: question whether contributed specs might evolve into separate 
specifications ...
>(potentially token specific) - does the charter prohibit this?
>Jeff H.: item "k" he is OK with - would rather use "framework" ...
>... instead of "mechanism" in "8" - "k" and "8" seem contradictory
>- in the context of very detailed charter.
>Tony: Charter calls out bindings does not call out profiles
>Frederick: should we add "to be used" to end of "8".
>Chris: should we change "k" and "8" to "mechanisms, protocols, and 
frameworks"?
>Tony: Concerned that we are going to try to combine frameworks
>Scott C: should we change to SASL Mechanisms or SPNEGO Mechanisms?
>Chris: Put this on the stack.
>Paul: Back to Prateek's issue: WS-RX has line this doesn't ...
>- essentially "tc can change name of specs and their organization"
>Darren: need to drive towards interop rather than abstract specifications
>Jeff M.: if the TC wants to change names it can - MSFT should not hide behind IPR Policy
>Tony: We can do interop in context of specific tokens - it's been successfully done in past
>Chris: We do have WSI and WSS working together in past
>Darren: other TCs have been prevented from doing details by being pointed 
at charter
>Jamie: a lot of work has gone into reviewing present charter:
>... any TC can recharter (new scope - lots of work)
>Dr. Brickman: Would like this TC to work towards interop
>Paul: we have heard that we don't have enough on the table before
>- but in the past we have gotten interop (SOAP, etc.)
>Frederick: Procedural question - still listed as prospective on web site
>- so can't post documents
>Paul: Send documents to Paul to be posted.

>Hal: Move recess for Lunch - reconvene at 1:00pm PST
>Paul Knight: Call will restart at 1pm PST.

>RECONVENED @ 1pm PST
>Chris - 3 ongoing conversations:
>Frederick's Comments, Martin's, and Prateek's

>Starting with Prateek's
>Prateek: it is his belief that a system of token exchange/issuance
>-would require some profiling of binding for specific token types
>Tony: questions whether security policy would give that ability for 
bindings
>Eve: Question - profiling is overloaded word - is group intending to perform interop testing
>- will scenarios doc be developed
>Paul: Would encourage same process as WSS did - so yes
>Eve: would challenge someone to say it was interop for WSS - was interop 
for specific scenarios
>Chris: we built scenarios to best test mechanisms
>Scott: just be careful about saying what has been interoped
>Paul: we should do enough interop to convince ourself the specs are good 
- can't be exhaustive
>Scott: Are there use cases in scope that can be profiled and interoped
>Darren: getting to a point where 3 companies claim interop isn't enough
>Jeff M: to be used we need to make sure we have interop - we can't wait for WSI to provide that
>Paul: explained the WSI profile process
>Prateek: as the deliverables are set up does not allow the use of the 
technology without a profile that speaks to specific token types
>Tony: it is a generalized framework - allows tokens of any type
>Back to Martin's Questions
>Martijn: In scope is how to cancel a token - on the other hand revocation 
is out of scope?
>Tony: Cancelling does not imply underlying revocation as with CRL
>Heather: is the distinction around notification
>Mike: Cancel is scoped to the STS - leaves undefined how underlying implementation works
>Martijn: As part of charter XPath 1.0 should not be used - why not XPath 
2.0?
>Paul: XPath 1.0 is the current recommendation - don't expect 2.0 to be ready by then
>Scott: Clarify to say "XPath 1.0 or subsequent revisions"?
>Paul: Remove the 1.0?
>AGREED: Remove "1.0" from XPath in 1.c

>On to Frederick's issues
>Frederick: in addition to original text
>"amended" to "clarified"
>leave "8" alone
>for "k" - change "challenge protocol mechanisms to be used (e.g. SASL 
mechanisms, ...)
>AGREED: change "amended" to "clarified", leave "8" alone, for "k" - 
change "challenge protocol mechanisms to be used (e.g. SASL mechanisms, 
...)

>Hal: Boxcaring is not well-defined
>AGREED: not to change anything wrt boxcaring

>Martijn: WS-SC - might be interesting for transport specific binding
>Tony: session is used in context of key
>Gudge: Can do that outside this TC

>Paul: Prefer a single charter
>Frederick will provide a changed charter for the motion in the morning

>Short break to prepare for presentation
 
9. Contributed works
 
a) WS-Trust (presentation by Martin Gudgin)
http://schemas.xmlsoap.org/ws/2005/02/trust/

>Prateek: concerns about semantics vs. syntax
>Martijn: concerns about client knowledge of token specific details
>Scott: not sure what is gained by client token neutrality
>Hal: questions whether issuance requires a new token
>Darren: can token be passed in when requesting issuance? (answer yes)
>-on validate can token be returned? (answer yes)
>Prateek: What is the difference between issue and validate?
>Gudge: Issue typically involves asking for new - validate is about is this still good
>Prateek: Question about security intermediaries - does this work in that 
context?
>Prateek: Are URIs Token Specific or can they be general? (answer can be 
general)
>Prateek: Does every RST RSTR exchange involve key agreement? (answer typically yes - but potentially not in every case)
>RL Bob: Lifetime info in RSTR is a hint to client about lifetime of Token
>Hubert: Can I ask for multiple tokens for multiple subjects? (answer no 
way to do that)
>Hal: We could always return a collection
>RL Bob: question applies to more than one spec - in multitier scenario - is support for those use cases in scope for this TC?
>Gudge: Is there any reason to say it cannot be supported?
>RL Bob: what about constrained delegation?
>Gudge: no explicit language for this is included
>Chris: we need to go over specific scenarios in the context of the charter to decide whether this is in scope
>Chris: will add this to discussion tomorrow (Thursday)

b) WS-SecureConversation (presentation by Martin Gudgin)
http://schemas.xmlsoap.org/ws/2005/02/sc/ 

>Prateek: Will the interop scenarios be contributed to OASIS (answer yes)
>Prateek: no challenge included in the exchange for the interops
>Chris: It could have been included but did not
>Scott: no way for application to cause a new challenge? (answer yes)
>Chris: that can be done with an application unauthorized/invalid token 
fault

c) WS-SecurityPolicy (presentation by Martin Gudgin)
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ 

>Jeff M: isn't discussion of WS-Policy out of scope
>Frederick: aren't some of the constructs described in WS-SP going to be 
in WS-P? (answer possibly)
>Scott: is there an explicit mapping from SignedParts to signature 
mechanism and how parts are referenced
>Rich: question about SignedParts: Section 5.1.1 text is misleading about 
how fine grained it is
>Scott: is the token assertion an open content model (answer yes)
>Paul: is there a mustUnderstand type thing possible here? (answer best to do it at named level rather than "value" to leverage matching)
>Long discussion about brownies and cake

>Frederick has posted updated charter
>Paul: Asked if, since will be dealt with first thing in morning, whether 
Jamie can attend at 9am PST tomorrow
>RECESSED at Page 65 until tomorrow (Thursday) morning

>RECONVENED Thursday Morning

>Kelvin called meeting to order
>Checked roll for new updates

>Chairs to send charter to OASIS to set up electronic vote:
>WS-SX-Charter-Clarification-redlineC.pdf
>to be done as soon as meeting ends
>- request the vote be set up ASAP
>- if cannot be done soon - then after holidays

>Paul described lunch logistics

>Returning to Gudge's presentation @ page 65
>Prateek: questions appropriateness of term "Security Binding"

>Tony G: Are defining policy for all messages in both directions 
(Asymmetric binding)?
>Tony: you can attach policy at different points
>Gudge: there are some assertions which can be applied to 
service/endpoints/messages/etc 
>Chris: Some assertions can appear attached to targets, and some only 
nested in others
>Hal: Are there any that can be both? (answer no)
>Tony G: Can I have supporting tokens without higher binding? (answer yes)
>Hal: spoke about potential differences between advertized and enforced 
policy
>Prateek: spoke about satisfaction of protection assertions thru bindings
>Hal: is considering exploring assertion scope in more detail - TBD
>RL Bob: How does WS-SecurityPolicy relate to WS-Policy? Do I need to 
implement WS-Policy?
>Gudge: not really full general WS-Policy 
>Tony: Don't need to understand more than wsp:Policy
>Tony G: How to interop over choices?
>Gudge: Can publish two policies (or wsp:ExactlyOne)
>Eve: If wsp primitives are not needed - why not eliminate them?
>Tony G: How do token assertions define choices?
>Gudge: we don't need to - but we want to leverage general policy engines for matching
>Tony G: We use the WS-Policy namespace - we need to settle on version
>Gudge: We could express policies without choices from WS-Policy but 
easier with them
>Scott: Why isn't WS-SP layered above/below WS-P ?
>Eve: Seems like wsp:All and wsp:ExactlyOne are avoided but not 
wsp:Policy?
>Chris: Need to differentiate between what is required for nested 
subassertion matching from parameters.
>Scott: don't know how to get around dependence on WS-Policy not in standards org.
>Paul: Charter explains that.
>RL Bob: Are other dependent specifications in that situation?
>Paul: SOAP 1.1, WSDL 1.1, WS-Addressing, maybe others
>Jeff H: Should research the complete list
>ACTION: Paul to research the complete list of dependent specifications 
and standards status
>Jeff M: Should include WS-I BP 1.1 WSDL
>RL Bob: Hard to abstractly refer to some issues

>Break

10. TC administration, Chairs
 
a) Distributed meeting schedule (day of week and time of day) 

>Jeff H: Prefers 9PST to 7PST
>Jeff M: 8PST is worse
>Paul: 7PST works for WSS
>Hal: Is also works for XACML
>Frederick: Is every week necessary?
>Chris: We can cancel easier than add
>Don: 7PST works well for WSS
>Eve: What is the distribution of timezones?
>Hubert: What about alternating timezones for each week?
>AGREED: Meetings every Wednesday from 7PST-9PST starting Jan 11.

b) TC and meetings aids such as TC website, document repository, IRC, etc. 


>Kelvin went over the OASIS website and tools

i) Email archive:
http://lists.oasis-open.org/archives/ws-sx/ 

ii) Document repository
http://www.oasis-open.org/committees/documents.php?wg_abbrev=ws-sx 

iii) Minutes
http://www.oasis-open.org/committees/ws-sx/minutes.php 

iv) FAQ
http://www.oasis-open.org/committees/ws-sx/faq.php 

c) Future F2F meeting schedule
http://www.oasis-open.org/committees/calendar.php?wg_abbrev=ws-sx 

>Chairs: Potentially next one in three months - don't want one without issues
>Paul: People need to submit issues right away
>Frederick: Would rather wait since we don't have many issues
>Jeff H: With such well baked submissions we may not need a F2F
>Paul: If we don't schedule one now we will have trouble later getting a 
slot
>TENTATIVE: F2F IBM Austin April 4-5
 
d) TC roles (secretary, issues list editor, specification authors, etc.)

>Issues List Editor: Marc Goodner
>Secretary:
>-Abbie Barbir volunteered to be Secretary (manage roster/attendance),
>-Paul Cotton volunteered to take minutes at each meeting.
>Editors: Hans, Abbie, Gudge, and Tony N.

>Motion: Thanks to Doug Davis IBM for Sponsoring our Chat Room
>Approved

>MOTION: from Paul C. to have editors morph the contributed (once 
WS-SecurityPolicy is contributed successfully) documents into the OASIS 
format in line numbered PDF, editable format, and potentially HTML and 
upload them into document repository
>Tony: need to decide which format to use for documents and URIs.
>SECOND: by Tony
>APPROVED: no objection

>MOTION: by Tony to fold in (once contributed) errata to WS-SecurityPolicy 
and schema
>SECOND: by Darren
>APPROVED: no objection

>Prateek: One issue is the availability of Schema
>Chris: Submitted package includes them - they will be uploaded

>Chris: Issue to pull out all XML examples into separate files 

>Kelvin: Chris to upload issues list to URI off home page

>Paul: Requests that this be done before first meeting
>Tony: Should be done before Christmas
>ACTION ITEM: Chairs to make sure documents are available before first 
meeting.

11. Any other business

>Paul: Asked whether namespace URIs would be modified to appropriate form
>Tony: OASIS has a base namespace - TC picks variable part
>some discussion about embedded dates vs. versions
>Proposal: http://docs.oasis-open.org/ws-sx/ws-trust/YYYYMM (200512)
>Date changed for each CD.
>Consensus reached.

>Paul: We know we will get line numbered PDF to write issues against - 
when will issues list be ready?
>Marc: Tonight or tomorrow
>Paul: So we can have email discussion on list
>Tony: Are KAVI issues with document upload dealt with yet? When?
>Paul: Hopefully today

>Hal: Issue against WS-SP - need to support binding allowing two 
asymmetric key pairs
>Chris: do you think that it is not supported?
>Hal: Was given that impression by others
>Chris: It is enabled but nowhere to express it
>Hal: Question came from Jason Hogg from WSI Sample application
>Chris: Does not see where it is prohibited
>New Issue: Hal Owner to better understand and explain the issue.

>Prateek: New Issue about security intermediary when it presents a token on behalf of an application, how does it also offer proof of possession?

12. Adjournment

>Motion: from Mike to adjourn
>No objection

>Thanks to Paul for convening and hosting the meeting!!!

