Subject: DRAFT WS-SX TC 2005-12-07 and 2005-12-08 F2F Minutes
Hosted by Microsoft Corporation and will be held at the following location:
Redmond Marriott Town Center
7401 164th Avenue NE
Redmond Washington 98052 USA
Tel: 1-425-498-4000
Fax: 1-425-556-1231

Dial in facility for this F2F meeting sponsored by Nortel:
Tel: 919-997-8152
Access Code: 2486414 #

The meeting will also have access to an online chat room at: http://webconf.soaphub.org/conf/room/wssx

1. Welcome, Convener and meeting host
>Paul Cotton convened the meeting @ 9:04

2. Introductions and roll call, Convener
>Attendance to be provided
a) WS-SX TC roster http://www.oasis-open.org/apps/org/workgroup/ws-sx/members/roster.php
b) OASIS Web Services Secure Exchange (WS-SX) TC home page: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx

3. Appointment of Note taker(s), Convener
>Michael McIntosh will take notes today.

4. Selection of TC chairs, Convener
>Nominees Chris Kaler and Kelvin Lawrence introduced themselves.
>Paul opened up to other nominations
>Chris Kaler and Kelvin Lawrence as co-chairs - Approved without objection
>10 minute break.

5. Approval of meeting agenda, Chairs
>Kelvin reviewed the agenda
>Some discussion about posting of item 9 presentation to TC page
>No objections.

6. Introduction to OASIS process, OASIS staff
>Jamie Clark (on the phone)
>Congratulated Kelvin and Chris - thanked Paul
>Briefly described: TC Process, IPR Policy, Charter, Guidelines, etc.
>Read the documents on the Web (Policies and Procedures)
>- understand obligation of participation
>Some comments about chat room problems (quotes in name are bad)

7. Selection of issues list editor(s), Chairs
>Marc Goodner volunteered to be Issues List editor
>Congratulations to Marc
>Note from Chairs that Issues List Editor and Minute Taker can halt meetings to catch up.

8. Review of TC charter, Chairs
a) Original Call for Participation http://lists.oasis-open.org/archives/tc-announce/200510/msg00006.html
b) WS-SX TC charter http://www.oasis-open.org/committees/ws-sx/charter.php
>Kelvin read through the Charter
>Hal noted a typo "TCís" should be "TC's" more than once
>Frederick would like to revise charter at certain points (including 3.c)
>- we will discuss at the end of the reading
>Chris noted typo "Properties for indication the"
>Frederick sent email and discussed the following revisions:
>-----BEGIN EMAIL FROM FREDERICK-----
>MOTION: Shall the charter of the OASIS WS-SX TC be amended as follows?
>Modify the following sentence in the charter:
>c. Specifying the scope of each returned security token using WS-Policy [5] <wsp:AppliesTo>.
>TO READ AS FOLLOWS:
>c. Specifying the scope of each requested and returned security token using WS-Policy [5]
><wsp:AppliesTo> (eg. wsa:endpointReference).
>After the following sentence in the charter:
>j. Specifying characteristics of the requested type of keys.
>ADD THE SENTENCE AS FOLLOWS:
>k. Enabling additional negotiation and challenge mechanisms (e.g. SASL, SPNEGO) initiated by
>either client or server.
>Modify the following sentence in the charter:
>2. Actions and elements for responding with a renewed token.
>TO READ AS FOLLOWS:
>2. Actions and elements for responding with a renewed token (or tokens).
>Modify the following sentence in the charter:
>2. Actions and elements for responding about the validity of a token.
>TO READ AS FOLLOWS:
>2. Actions and elements for responding about the validity of a token (or tokens).
>After the following sentence in the charter:
>7. Definition of APIs
>ADD THE SENTENCES THAT FOLLOW:
>8. Definition of additional negotiation and challenge protocol mechanisms.
>9. Developing the roadmaps [15], [16] or other specifications mentioned in those roadmaps,
>beyond the material listed explicitly as within the scope of this charter.
>-----END EMAIL FROM FREDERICK-----
>Some discussion about changing from "amend" to "clarify"
>Jamie - said we need to state this as clarification (lower threshold)
>Frederick made motion
>Tony seconded
>Discussion
>Jeff Hodges: we did not have a lot of time to review changes ...
>...should we take them each individually or as a whole
>Paul: asked what Jeff Hodges' concern was? too large chunks? or not enough time?
>Jeff H: concerned about ruling of things out of scope.
>Tony: it helps set expectations
>Hal: we should have one package one vote if possible
>Hans: inconsistent use of word "protocol" in "k" and "8".
>Hal: if removing or adding word "protocol" changes meaning?
>Martijn DeBoer: question about the use of term "binding" vs. "profile"
>Scott C.: has similar concerns - who does profiles?
>Chris K: Spec is abstract, binding concrete, profile is like WSI
>Prateek: Wants to understand which tokens themselves make this all work
>Chris K: wants this to work for all token types
>Prateek: question whether contributed specs might evolve into separate specifications ...
>(potentially token specific) - does the charter prohibit this?
>Jeff H.: item "k" he is OK with - would rather use "framework" ...
>... instead of "mechanism" in "8" - "k" and "8" seem contradictory
>- in the context of very detailed charter.
>Tony: Charter calls out bindings does not call out profiles
>Frederick: should we add "to be used" to end of "8".
>Chris: should we change "k" and "8" to "mechanisms, protocols, and frameworks"?
>Tony: Concerned that we are going to try to combine frameworks
>Scott C: should we change to SASL Mechanisms or SPNEGO Mechanisms?
>Chris: Put this on the stack.
>Paul: Back to Prateek's issue: WS-RX has line this doesn't ...
>- essentially "tc can change name of specs and their organization"
>Darren: need to drive towards interop rather than abstract specifications
>Jeff M.: if the TC wants to change names it can - MSFT should not hide behind IPR Policy
>Tony: We can do interop in context of specific tokens - it's been successfully done in past
>Chris: We do have WSI and WSS working together in past
>Darren: other TCs have been prevented from doing details by being pointed at charter
>Jamie: a lot of work has gone into reviewing present charter:
>... any TC can recharter (new scope - lots of work)
>Dr. Brickman: Would like this TC to work towards interop
>Paul: we have heard that we don't have enough on the table before
>- but in the past we have gotten interop (SOAP, etc.)
>Frederick: Procedural question - still listed as prospective on web site
>- so can't post documents
>Paul: Send documents to Paul to be posted.
>Hal: Move recess for Lunch - reconvene at 1:00pm PST
>Paul Knight: Call will restart at 1pm PST.
>RECONVENED @ 1pm PST
>Chris - 3 ongoing conversations:
>Frederick's Comments, Martijn's, and Prateek's
>Starting with Prateek's
>Prateek: it is his belief that a system of token exchange/issuance
>- would require some profiling of binding for specific token types
>Tony: questions whether security policy would give that ability for bindings
>Eve: Question - profiling is overloaded word - is group intending to perform interop testing - will scenarios doc be developed
>Paul: Would encourage same process as WSS did - so yes
>Eve: would challenge someone to say it was interop for WSS - was interop for specific scenarios
>Chris: we built scenarios to best test mechanisms
>Scott: just be careful about saying what has been interoped
>Paul: we should do enough interop to convince ourselves the specs are good - can't be exhaustive
>Scott: Are there use cases in scope that can be profiled and interoped
>Darren: getting to a point where 3 companies claim interop isn't enough
>Jeff M: to be used we need to make sure we have interop - we can't wait for WSI to provide that
>Paul: explained the WSI profile process
>Prateek: as the deliverables are set up does not allow the use of the technology without a profile that speaks to specific token types
>Tony: it is a generalized framework - allows tokens of any type
>Back to Martijn's Questions
>Martijn: In scope is how to cancel a token - on the other hand revocation is out of scope?
>Tony: Cancelling does not imply underlying revocation as with CRL
>Heather: is the distinction around notification
>Mike: Cancel is scoped to the STS - leaves undefined how underlying implementation works
>Martijn: As part of charter XPath 1.0 should not be used - why not XPath 2.0?
>Paul: XPath 1.0 is the current recommendation - don't expect 2.0 to be ready by then
>Scott: Clarify to say "XPath 1.0 or subsequent revisions"?
>Paul: Remove the 1.0?
>AGREED: Remove "1.0" from XPath in 1.c
>On to Frederick's issues
>Frederick: in addition to original text
>"amended" to "clarified"
>leave "8" alone
>for "k" - change "challenge protocol mechanisms to be used (e.g. SASL mechanisms, ...)
>AGREED: change "amended" to "clarified", leave "8" alone, for "k" - change "challenge protocol mechanisms to be used (e.g. SASL mechanisms, ...)
>Hal: Boxcarring is not well-defined
>AGREED: not to change anything wrt boxcarring
>Martijn: WS-SC - might be interesting for transport specific binding
>Tony: session is used in context of key
>Gudge: Can do that outside this TC
>Paul: Prefer a single charter
>Frederick will provide a changed charter for the motion in the morning
>Short break to prepare for presentation

9. Contributed works
a) WS-Trust (presentation by Martin Gudgin) http://schemas.xmlsoap.org/ws/2005/02/trust/
>Prateek: concerns about semantics vs. syntax
>Martijn: concerns about client knowledge of token specific details
>Scott: not sure what is gained by client token neutrality
>Hal: questions whether issuance requires a new token
>Darren: can token be passed in when requesting issuance? (answer yes)
>- on validate can token be returned? (answer yes)
>Prateek: What is the difference between issue and validate?
>Gudge: Issue typically involves asking for new - validate is about is this still good
>Prateek: Question about security intermediaries - does this work in that context?
>Prateek: Are URIs Token Specific or can they be general? (answer can be general)
>Prateek: Does every RST RSTR exchange involve key agreement? (answer typically yes - but potentially not in every case)
>RL Bob: Lifetime info in RSTR is a hint to client about lifetime of Token
>Hubert: Can I ask for multiple tokens for multiple subjects? (answer no way to do that)
>Hal: We could always return a collection
>RL Bob: question applies to more than one spec - in multitier scenario - is support for those use cases in scope for this TC?
>Gudge: Is there any reason to say it cannot be supported?
>RL Bob: what about constrained delegation?
>Gudge: no explicit language for this is included
>Chris: we need to go over specific scenarios in the context of the charter to decide whether this is in scope
>Chris: will add this to discussion tomorrow (Thursday)
b) WS-SecureConversation (presentation by Martin Gudgin) http://schemas.xmlsoap.org/ws/2005/02/sc/
>Prateek: Will the interop scenarios be contributed to OASIS (answer yes)
>Prateek: no challenge included in the exchange for the interops
>Chris: It could have been included but did not
>Scott: no way for application to cause a new challenge? (answer yes)
>Chris: that can be done with an application unauthorized/invalid token fault
c) WS-SecurityPolicy (presentation by Martin Gudgin) http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/
>Jeff M: isn't discussion of WS-Policy out of scope
>Frederick: aren't some of the constructs described in WS-SP going to be in WS-P? (answer possibly)
>Scott: is there an explicit mapping from SignedParts to signature mechanism and how parts are referenced
>Rich: question about SignedParts: Section 5.1.1 text is misleading about how fine grained it is
>Scott: is the token assertion an open content model (answer yes)
>Paul: is there a mustUnderstand type thing possible here? (answer best to do it at named level rather than "value" to leverage matching)
>Long discussion about brownies and cake
>Frederick has posted updated charter
>Paul: Asked if, since will be dealt with first thing in morning, whether Jamie can attend at 9am PST tomorrow
>RECESSED at Page 65 until tomorrow (Thursday) morning

>RECONVENED Thursday Morning
>Kelvin called meeting to order
>Checked roll for new updates
>Chairs to send charter to OASIS to set up electronic vote:
>WS-SX-Charter-Clarification-redlineC.pdf
>to be done as soon as meeting ends
>- request the vote be set up ASAP
>- if cannot be done soon - then after holidays
>Paul described lunch logistics
>Returning to Gudge's presentation @ page 65
>Prateek: questions appropriateness of term "Security Binding"
>Tony G: Are we defining policy for all messages in both directions (Asymmetric binding)?
>Tony: you can attach policy at different points
>Gudge: there are some assertions which can be applied to service/endpoints/messages/etc
>Chris: Some assertions can appear attached to targets, and some only nested in others
>Hal: Are there any that can be both? (answer no)
>Tony G: Can I have supporting tokens without higher binding? (answer yes)
>Hal: spoke about potential differences between advertised and enforced policy
>Prateek: spoke about satisfaction of protection assertions through bindings
>Hal: is considering exploring assertion scope in more detail - TBD
>RL Bob: How does WS-SecurityPolicy relate to WS-Policy? Do I need to implement WS-Policy?
>Gudge: not really full general WS-Policy
>Tony: Don't need to understand more than wsp:Policy
>Tony G: How to interop over choices?
>Gudge: Can publish two policies (or wsp:ExactlyOne)
>Eve: If wsp primitives are not needed - why not eliminate them?
>Tony G: How do token assertions define choices?
>Gudge: we don't need to - but we want to leverage general policy engines for matching
>Tony G: We use the WS-Policy namespace - we need to settle on version
>Gudge: We could express policies without choices from WS-Policy but easier with them
>Scott: Why isn't WS-SP layered above/below WS-P?
>Eve: Seems like wsp:All and wsp:ExactlyOne are avoided but not wsp:Policy?
>Chris: Need to differentiate between what is required for nested subassertion matching from parameters.
>Scott: don't know how to get around dependence on WS-Policy not in standards org.
>Paul: Charter explains that.
>RL Bob: Are other dependent specifications in that situation?
>Paul: SOAP 1.1, WSDL 1.1, WS-Addressing, maybe others
>Jeff H: Should research the complete list
>ACTION: Paul to research the complete list of dependent specifications and standards status
>Jeff M: Should include WS-I BP 1.1 WSDL
>RL Bob: Hard to abstractly refer to some issues
>Break

10. TC administration, Chairs
a) Distributed meeting schedule (day of week and time of day)
>Jeff H: Prefers 9PST to 7PST
>Jeff M: 8PST is worse
>Paul: 7PST works for WSS
>Hal: It also works for XACML
>Frederick: Is every week necessary?
>Chris: We can cancel easier than add
>Don: 7PST works well for WSS
>Eve: What is the distribution of timezones?
>Hubert: What about alternating timezones for each week?
>AGREED: Meetings every Wednesday from 7PST-9PST starting Jan 11.
b) TC and meeting aids such as TC website, document repository, IRC, etc.
>Kelvin went over the OASIS website and tools
i) Email archive: http://lists.oasis-open.org/archives/ws-sx/
ii) Document repository http://www.oasis-open.org/committees/documents.php?wg_abbrev=ws-sx
iii) Minutes http://www.oasis-open.org/committees/ws-sx/minutes.php
iv) FAQ http://www.oasis-open.org/committees/ws-sx/faq.php
c) Future F2F meeting schedule http://www.oasis-open.org/committees/calendar.php?wg_abbrev=ws-sx
>Chairs: Potentially next one in three months - don't want one without issues
>Paul: People need to submit issues right away
>Frederick: Would rather wait since we don't have many issues
>Jeff H: With such well baked submissions we may not need a F2F
>Paul: If we don't schedule one now we will have trouble later getting a slot
>TENTATIVE: F2F IBM Austin April 4-5
d) TC roles (secretary, issues list editor, specification authors, etc.)
>Issues List Editor: Marc Goodner
>Secretary:
>- Abbie Barbir volunteered to be Secretary (Manage Roster/Attendance),
>- Paul Cotton volunteered to take Minutes at each meeting.
>Editors: Hans, Abbie, Gudge, and Tony N.
>Motion: Thanks to Doug Davis IBM for Sponsoring our Chat Room
>Approved
>MOTION: from Paul C. to have editors morph the contributed documents (once WS-SecurityPolicy is contributed successfully) into the OASIS format in line numbered PDF, editable format, and potentially HTML and upload them into document repository
>Tony: need to decide which format to use for documents and URIs.
>SECOND: by Tony
>APPROVED: no objection
>MOTION: by Tony to fold in (once contributed) errata to WS-SecurityPolicy and schema
>SECOND: by Darren
>APPROVED: no objection
>Prateek: One issue is the availability of Schema
>Chris: Submitted package includes them - they will be uploaded
>Chris: Issue to pull out all XML examples into separate files
>Kelvin: Chris to upload issues list to URI off home page
>Paul: Requests that this be done before first meeting
>Tony: Should be done before Christmas
>ACTION ITEM: Chairs to make sure documents are available before first meeting.

11. Any other business
>Paul: Asked whether namespace URIs would be modified to appropriate form
>Tony: OASIS has a base namespace - TC picks variable part
>some discussion about embedded dates vs. versions
>Proposal: http://docs.oasis-open.org/ws-sx/ws-trust/YYYYMM (200512)
>Date changed for each CD.
>Consensus reached.
>Paul: We know we will get line numbered PDF to write issues against - when will issues list be ready?
>Marc: Tonight or tomorrow
>Paul: So we can have email discussion on list
>Tony: Are KAVI issues with document upload dealt with yet? When?
>Paul: Hopefully today
>Hal: Issue against WS-SP - need to support binding allowing two asymmetric key pairs
>Chris: do you think that it is not supported?
>Hal: Was given that impression by others
>Chris: It is enabled but nowhere to express it
>Hal: Question came from Jason Hogg from WSI Sample application
>Chris: Does not see where it is prohibited
>New Issue: Hal Owner to better understand and explain the issue.
>Prateek: New Issue about security intermediary when it presents a token on behalf of an application, how does it also offer proof of possession?

12. Adjournment
>Motion: from Mike to adjourn
>No objection
>Thanks to Paul for convening and hosting the meeting!!!