
Subject: WS-SX TC 2005-12-07 and 2005-12-08 F2F Minutes

Hosted by Microsoft Corporation and held at:
Redmond Marriott Town Center
7401 164th Avenue NE
Washington 98052 USA
Tel: 1-425-498-4000
Fax: 1-425-556-1231 

Dial in facility for this F2F meeting sponsored by Nortel: 
Tel: 919-997-8152 
Access Code: 2486414 #

The meeting also had access to an online chat room at:

1. Welcome, Convener and meeting host
>Paul Cotton convened the meeting @ 9:04

2. Introductions and roll call, Convener

The following (4) people attended the meeting as Observers:
James Bryce Clark, OASIS
Michael Brenner, Lucent Technologies
David Waite, Ping Identity Corporation
Greg Whitehead, Trustgenix

The following (8) people attended the meeting as (non-voting) TC Members:
Symon Chang, Blue Titan Software
Henry (Hyenvui) Chung, IBM
Diane Jordan, IBM
Howard Bae, Oracle Corporation
Ashok Malhotra, Oracle Corporation
Alain Regnier, Ricoh Company, Ltd.
Ruchith Fernando, WSO2
Davanum Srinivas, WSO2

The following (61) people also attended the meeting, entering as 
Prospective Members, thereby attaining Voting member status:
Duane Nickull, Adobe Systems
Joe Smith, Apani Networks
Frank Siebenlist, Argonne National Laboratory
Jong Lee, BEA Systems, Inc.
Hal Lockhart, BEA Systems, Inc.
Denis Pilipchuk, BEA Systems, Inc.
Corinna Witt, BEA Systems, Inc.
Steve Anderson, BMC Software
Rich Levinson, Computer Associates
Dana Kaufman, Forum Systems, Inc.
Toshihiro Nishimura, Fujitsu Limited
Irving Reid, Hewlett-Packard
Ching-Yun (C.Y.) Chao, IBM
Heather Hinton, IBM
Kelvin Lawrence, IBM
Michael McIntosh, IBM
Anthony Nadalin, IBM
Michael Perks, IBM
Scott Cantor, Internet2
Bob Morgan, Internet2
Donal Arundel, IONA Technologies
Fred Dushin, IONA Technologies
Mark Little, JBoss Inc.
Jan Alexander, Microsoft Corporation
Paul Cotton, Microsoft Corporation
Colleen Evans, Microsoft Corporation
Mark Fussell, Microsoft Corporation
Vijay Gajjala, Microsoft Corporation
Marc Goodner, Microsoft Corporation
Martin Gudgin, Microsoft Corporation
Chris Kaler, Microsoft Corporation
Christopher Kurt, Microsoft Corporation
Jonathan Marsh, Microsoft Corporation
Jorgen Thelin, Microsoft Corporation
Asir Vedamuthu, Microsoft Corporation
Kyle Young, Microsoft Corporation
Norman Brickman, Mitre Corporation
Jeff Hodges, Neustar, Inc.
Frederick Hirsch, Nokia Corporation
Abbie Barbir, Nortel Networks Limited
Paul Knight, Nortel Networks Limited
Lloyd Burch, Novell
Steve Carter, Novell
Martin Chapman, Oracle Corporation
Jeff Mischkinsky, Oracle Corporation
Prateek Mishra, Oracle Corporation
Vamsi Motukuru, Oracle Corporation
Alex Hristov, Otecia Incorporated
John Hughes, PA Consulting
Darren Platt, Ping Identity Corporation
Andrew Nash, Reactivity, Inc.
Rob Philpott, RSA Security
Martijn de Boer, SAP AG
Martin Raepple, SAP AG
Tony Gullotta, SOA Software Inc.
Jiandong Guo, Sun Microsystems
Hubert Le Van Gong, Sun Microsystems
Eve Maler, Sun Microsystems
Petr Dvorak, Systinet Corp.
Don Adams, Tibco Software Inc.
Hans Granqvist, VeriSign
Mike Lyons, Layer 7 Technologies Inc.

a) WS-SX TC roster

b) OASIS Web Services Secure Exchange (WS-SX) TC home page:

3. Appointment of Note taker(s), Convener
>Michael McIntosh will take notes today.

4. Selection of TC chairs, Convener 
>Nominees Chris Kaler and Kelvin Lawrence introduced themselves.
>Paul opened up to other nominations
>Chris Kaler and Kelvin Lawrence as co-chairs - Approved without objection

>10 minute break.

5. Approval of meeting agenda, Chairs
>Kelvin reviewed the agenda
>Some discussion about posting of item 9 presentation to TC page
>No objections.

6. Introduction to OASIS process, OASIS staff
>Jamie Clark (on the phone)
>Congratulated Kelvin and Chris - thanked Paul
>Briefly described: TC Process, IPR Policy, Charter, Guidelines, etc.
>Read the documents on the Web (Policies and Procedures)
>- understand obligation of participation

>Some comments about chat room problems (quotes in name are bad)

7. Selection of issues list editor(s), Chairs
>Marc Goodner volunteered to be Issues List editor
>Congratulations to Marc

>Note from Chairs that Issues List Editor and Minute Taker can halt 
meetings to catch up.

8. Review of TC charter, Chairs

a) Original Call for Participation

b) WS-SX TC charter

>Kelvin read through the Charter
>Hal noted a typo "TCís" should be "TC's" more than once
>Frederick would like to revise charter at certain points (including 3.c)
>- we will discuss at the end of the reading
>Chris noted typo "Properties for indication the"

>Frederick sent email and discussed the following revisions:

>MOTION: Shall the charter of the OASIS WS-SX TC be amended as follows?

>Modify the following sentence in the charter:
>c. Specifying the scope of each returned security token using WS-Policy 
[5] <wsp:AppliesTo>.

>c. Specifying the scope of each requested and returned security token 
using WS-Policy [5]
><wsp:AppliesTo> (eg. wsa:endpointReference).

>After the following sentence in the charter:
>j. Specifying characteristics of the requested type of keys.

>k. Enabling additional negotiation and challenge mechanisms (e.g. SASL, 
SPNEGO) initiated by
>either client or server.

>Modify the following sentence in the charter:
>2. Actions and elements for responding with a renewed token.

>2. Actions and elements for responding with a renewed token (or tokens).

>Modify the following sentence in the charter:
>2. Actions and elements for responding about the validity of a token.

>2. Actions and elements for responding about the validity of a token (or 

>After the following sentence in the charter:
>7. Definition of APIs

>8. Definition of additional negotiation and challenge protocol 
>9. Developing the roadmaps [15], [16] or other specifications mentioned 
in those roadmaps, 

>beyond the material listed explicitly as within the scope of this 

>Some discussion about changing "amend" to "clarify"
>Jamie - said we need to state this as clarification (lower threshold)

>Frederick made motion
>Tony seconded
>Jeff Hodges: we did not have a lot of time to review changes ...
>...should we take them each individually or as a whole

>Paul: asked what Jeff Hodges concern was? too large chunks? or not enough 

>Jeff H: concerned about ruling of things out of scope.
>Tony: it helps set expectations
>Hal: we should have one package one vote if possible
>Hans: inconsistent use of word "protocol" in "k" and "8".
>Hal: if removing or adding word "protocol" changes meaning?

>Martijn DeBoer: question about the use of term "binding" vs. "profile"
>Scott C.: has similar concerns - who does profiles?
>Chris K: Spec is abstract, binding concrete, profile is like WSI
>Prateek: Wants to understand which tokens themselves make this all work
>Chris K: wants this to work for all token types
>Prateek: question whether contributed specs might evolve into separate 
specifications ...
>(potentially token specific) - does the charter prohibit this?
>Jeff H.: item "k" he is OK with - would rather use "framework" ...
>... instead of "mechanism" in "8" - "k" and "8" seem contradictory
>- in the context of very detailed charter.
>Tony: Charter calls out bindings does not call out profiles
>Frederick: should we add "to be used" to end of "8".
>Chris: should we change "k" and "8" to "mechanisms, protocols, and 
>Tony: Concerned that we are going to try to combine frameworks
>Scott C: should we change to SASL Mechanisms or SPNEGO Mechanisms?
>Chris: Put this on the stack.
>Paul: Back to Prateek's issue: WS-RX has line this doesn't ...
>- essentially "tc can change name of specs and their organization"
>Darren: need to drive towards interop rather than abstract specifications
>Jeff M.: if the TC wants to change names it can  - MSFT should not hide 
behind IPR Policy
>Tony: We can do interop in context of specific tokens - it's been 
successfully done in past
>Chris: We do have WSI and WSS working together in past
>Darren: other TCs have been prevented from doing details by being pointed 
at charter
>Jamie: a lot of work has gone into reviewing present charter:
>... any TC can recharter (new scope - lots of work)
>Dr. Brickman: Would like this TC to work towards interop
>Paul: we have heard that we don't have enough on the table before
>- but in the past we have gotten interop (SOAP, etc.)
>Frederick: Procedural question - still listed as prospective on web site
>- so can't post documents
>Paul: Send documents to Paul to be posted.

>Hal: Move recess for Lunch - reconvene at 1:00pm PST
>Paul Knight: Call will restart at 1pm PST.

>Chris - 3 ongoing conversations:
>Frederick's Comments, Martin's, and Prateek's

>Starting with Prateek's
>Prateek: it his belief that a system of token exchange/issuance
>-would require some profiling of binding for specific token types
>Tony: questions whether security policy would give that ability for 
>Eve: Question - profiling is overloaded word - is group intending to 
perform interop testing
- will scenarios doc be developed
>Paul: Would encourage same process as WSS did - so yes
>Eve: would challenge someone to say it was interop for WSS - was interop 
for specific scenarios
>Chris: we built scenarios to best test mechanisms
>Scott: just be careful about saying what has been interoped
>Paul: we should do enough interop to convince ourselves the specs are good 
- can't be exhaustive
>Scott: Are there use cases in scope that can be profiled and interoped
>Darren: getting to a point where 3 companies claim interop isn't enough
>Jeff M: to be used we need to make sure we have interop - we can't wait 
for WSI to provide that
>Paul: explained the WSI profile process
>Prateek: as the deliverables are set up does not allow the use of the 
technology without a profile that speaks to specific token types
>Tony: it is a generalized framework - allows tokens of any type
>Back to Martin's Questions
>Martijn: In scope is how to cancel a token - on the other hand revocation 
is out of scope?
>Tony: Cancelling does not imply underlying revocation as with CRL
>Heather: is the distinction around notification
>Mike: Cancel is scoped to the STS - leaves undefined how underlying 
implementation works
>Martijn: As part of charter XPath 1.0 should not be used - why not XPath 
>Paul: XPath 1.0 is the current recommendation - don't expect 2.0 to be 
ready by then
>Scott: Clarify to say "XPath 1.0 or subsequent revisions"?
>Paul: Remove the 1.0?
>AGREED: Remove "1.0" from XPath in 1.c

>On to Frederick's issues
>Frederick: in addition to original text
>"amended" to "clarified"
>leave "8" alone
>for "k" - change "challenge protocol mechanisms to be used (e.g. SASL 
mechanisms, ...)
>AGREED: change "amended" to "clarified", leave "8" alone, for "k" - 
change "challenge protocol mechanisms to be used (e.g. SASL mechanisms, 

>Hal: Boxcaring is not well-defined
>AGREED: not to change anything wrt boxcaring

>Martijn: WS-SC - might be interesting for transport specific binding
>Tony: session is used in context of key
>Gudge: Can do that outside this TC

>Paul: Prefer a single charter
>Frederick will provide a changed charter for the motion in the morning

>Short break to prepare for presentation

9. Contributed works
a) WS-Trust (presentation by Martin Gudgin)

>Prateek: concerns about semantics vs. syntax
>Martijn: concerns about client knowledge of token specific details
>Scott: not sure what is gained by client token neutrality
>Hal: questions whether issuance requires a new token
>Darren: can token be passed in when requesting issuance? (answer yes)
>-on validate can token be returned? (answer yes)
>Prateek: What is the difference between issue and validate?
>Gudge: Issue typically involve ask for new - validate is about is this 
still good
>Prateek: Question about security intermediaries - does this work in that 
>Prateek: Are URIs Token Specific or can they be general? (answer can be 
>Prateek: Does every RST RSTR exchange involve key agreement? (answer 
typically yes - but 

potentially not in every case)
>RL Bob: Lifetime info in RSTR is a hint to client about lifetime of Token
>Hubert: Can I ask for multiple tokens for multiple subjects? (answer no 
way to do that)
>Hal: We could always return a collection
>RL Bob: question applies to more than one spec - in multitier scenario - 
is support for those 

use cases in scope for this TC?
>Gudge: Is there any reason to say it cannot be supported?
>RL Bob: what about constrained delegation?
>Gudge: no explicit language for this is included
>Chris: we need to go over specific scenarios in the context of the 
charter to decide whether 

this is in scope
>Chris: will add this to discussion tomorrow (Thursday)

b) WS-SecureConversation (presentation by Martin Gudgin)

>Prateek: Will the interop scenarios be contributed to OASIS (answer yes)
>Prateek: no challenge included in the exchange for the interops
>Chris: It could have been included but did not
>Scott: no way for application to cause a new challenge? (answer yes)
>Chris: that can be done with an application unauthorized/invalid token 

c) WS-SecurityPolicy (presentation by Martin Gudgin)

>Jeff M: isn't discussion of WS-Policy out of scope
>Frederick: aren't some of the constructs described in WS-SP going to be 
in WS-P? (answer possibly)
>Scott: is there an explicit mapping from SignedParts to signature 
mechanism and how parts are referenced
>Rich: question about SignedParts: Section 5.1.1 text is misleading about 
how fine grained it is
>Scott: is the token assertion an open content model (answer yes)
>Paul: is there a mustUnderstand type thing possible here? (answer best to 
do it at named level rather than "value" to leverage matching)
>Long discussion about brownies and cake

>Frederick has posted updated charter
>Paul: Asked if, since will be dealt with first thing in morning, whether 
Jamie can attend at 9am PST tomorrow
>RECESSED at Page 65 until tomorrow (Thursday) morning

>RECONVENED Thursday Morning

>Kelvin called meeting to order
>Checked roll for new updates

>Chairs to send charter to OASIS to set up electronic vote:
>to be done as soon as meeting ends
>- request the vote be set up ASAP
>- if cannot be done soon - then after holidays

>Paul described lunch logistics

>Returning to Gudge's presentation @ page 65
>Prateek: questions appropriateness of term "Security Binding"

>Tony G: Are defining policy for all messages in both directions 
(Asymmetric binding)?
>Tony: you can attach policy at different points
>Gudge: there are some assertions which can be applied to 
>Chris: Some assertions can appear attached to targets, and some only 
nested in others
>Hal: Are there any that can be both? (answer no)
>Tony G: Can I have supporting tokens without higher binding? (answer yes)
>Hal: spoke about potential differences between advertised and enforced 
>Prateek: spoke about satisfaction of protection assertions thru bindings
>Hal: is considering exploring assertion scope in more detail - TBD
>RL Bob: How does WS-SecurityPolicy relate to WS-Policy? Do I need to 
implement WS-Policy?
>Gudge: not really full general WS-Policy 
>Tony: Don't need to understand more than wsp:Policy
>Tony G: How to interop over choices?
>Gudge: Can publish two policies (or wsp:ExactlyOne)
>Eve: If wsp primitives are not needed - why not eliminate them?
>Tony G: How do token assertions define choices?
>Gudge: we don't need to - but we want to leverage general policy engines 
for matching
>Tony G: We use the WS-Policy namespace - we need to settle on version
>Gudge: We could express policies without choices from WS-Policy but 
easier with them
>Scott: Why isn't WS-SP layered above/below WS-P ?
>Eve: Seems like wsp:All and wsp:ExactlyOne are avoided but not 
>Chris: Need to differentiate between what is required for nested 
subassertion matching from parameters.
>Scott: don't know how to get around dependence on Ws-Policy not in 
standards org.
>Paul: Charter explains that.
>RL Bob: Are other dependent specifications in that situation?
>Paul: SOAP 1.1, WSDL 1.1, WS-Addressing, maybe others
>Jeff H: Should research the complete list
>ACTION: Paul to research the complete list of dependent specifications 
and standards status
>Jeff M: Should include WS-I BP 1.1 WSDL
>RL Bob: Hard to abstractly refer to some issues


10. TC administration, Chairs
a) Distributed meeting schedule (day of week and time of day) 

>Jeff H: Prefers 9PST to 7PST
>Jeff M: 8PST is worse
>Paul: 7PST works for WSS
>Hal: Is also works for XACML
>Frederick: Is every week necessary?
>Chris: We can cancel easier than add
>Don: 7PST works well for WSS
>Eve: What is the distribution of timezones?
>Hubert: What about alternating timezones for each week?
>AGREED: Meetings every Wednesday from 7PST-9PST starting Jan 11.

b) TC and meetings aids such as TC website, document repository, IRC, etc. 

>Kelvin went over the OASIS website and tools

i) Email archive:

ii) Document repository

iii) Minutes

iv) FAQ

c) Future F2F meeting schedule

>Chairs: Potentially next one in three months - don't want one without 
>Paul: People need to submit issues right away
>Frederick: Would rather wait since we don't have many issues
>Jeff H: With such well baked submissions we may not need a F2F
>Paul: If we don't schedule one now we will have trouble later getting a 
>TENTATIVE: F2F IBM Austin April 4-5

d) TC roles (secretary, issues list editor, specification authors, etc.)

>Issues List Editor: Marc Goodner
>-Abbie Barbir volunteered to be Secretary (manage roster/attendance),
>-Paul Cotton volunteered to take minutes at each meeting.
>Editors: Hans, Abbie, Gudge, and Tony N.

>Motion: Thanks to Doug Davis IBM for Sponsoring our Chat Room

>MOTION: from Paul C. to have editors morph the contributed (once 
WS-SecurityPolicy is contributed successfully) documents into the OASIS 
format in line numbered PDF, editable format, and potentially HTML and 
upload them into document repository
>Tony: need to decide which format to use for documents and URIs.
>SECOND: by Tony
>APPROVED: no objection

>MOTION: by Tony to fold in (once contributed) errata to WS-SecurityPolicy 
and schema
>SECOND: by Darren
>APPROVED: no objection

>Prateek: One issue is the availability of Schema
>Chris: Submitted package includes them - they will be uploaded

>Chris: Issue to pull out all XML examples into separate files 

>Kelvin: Chris to upload issues list to URI off home page

>Paul: Requests that this be done before first meeting
>Tony: Should be done before Christmas
>ACTION ITEM: Chairs to make sure documents are available before first 

11. Any other business

>Paul: Asked whether namespace URIs would be modified to appropriate form
>Tony: OASIS has a base namespace - TC picks variable part
>some discussion about embedded dates vs. versions
>Proposal: http://docs.oasis-open.org/ws-sx/ws-trust/YYYYMM (200512)
>Date changed for each CD.
>Consensus reached.

>Paul: We know we will get line numbered PDF to write issues against - 
when will issues list be ready?
>Marc: Tonight or tomorrow
>Paul: So we can have email discussion on list
>Tony: Are KAVI issues with document upload dealt with yet? When?
>Paul: Hopefully today

>Hal: Issue against WS-SP - need to support binding allowing two 
asymmetric key pairs
>Chris: do you think that it is not supported?
>Hal: Was given that impression by others
>Chris: It is enabled but nowhere to express it
>Hal: Question came from Jason Hogg from WSI Sample application
>Chris: Does not see where it is prohibited
>New Issue: Hal Owner to better understand and explain the issue.

>Prateek: New Issue about security intermediary when it presents a token 
on behalf of an application, how does it also offer proof of possession?

12. Adjournment

>Motion: from Mike to adjourn
>No objection

>Thanks to Paul for convening and hosting the meeting!!!
