Subject: WS-SX TC 2005-12-07 and 2005-12-08 F2F Minutes
Hosted by Microsoft Corporation and held at:
Redmond Marriott Town Center
7401 164th Avenue NE
Redmond Washington 98052 USA
Tel: 1-425-498-4000
Fax: 1-425-556-1231

Dial in facility for this F2F meeting sponsored by Nortel:
Tel: 919-997-8152
Access Code: 2486414 #

The meeting also had access to an online chat room at:
http://webconf.soaphub.org/conf/room/wssx

1. Welcome, Convener and meeting host
>Paul Cotton convened the meeting @ 9:04

2. Introductions and roll call, Convener

The following (4) people attended the meeting as Observers:
James Bryce Clark, OASIS
Michael Brenner, Lucent Technologies
David Waite, Ping Identity Corporation
Greg Whitehead, Trustgenix

The following (8) people attended the meeting as (non-voting) TC Members:
Symon Chang, Blue Titan Software
Henry (Hyenvui) Chung, IBM
Diane Jordan, IBM
Howard Bae, Oracle Corporation
Ashok Malhotra, Oracle Corporation
Alain Regnier, Ricoh Company, Ltd.
Ruchith Fernando, WSO2
Davanum Srinivas, WSO2

The following (61) people also attended the meeting, entering as Prospective Members, thereby attaining Voting member status:
Duane Nickull, Adobe Systems
Joe Smith, Apani Networks
Frank Siebenlist, Argonne National Laboratory
Jong Lee, BEA Systems, Inc.
Hal Lockhart, BEA Systems, Inc.
Denis Pilipchuk, BEA Systems, Inc.
Corinna Witt, BEA Systems, Inc.
Steve Anderson, BMC Software
Rich Levinson, Computer Associates
Dana Kaufman, Forum Systems, Inc.
Toshihiro Nishimura, Fujitsu Limited
Irving Reid, Hewlett-Packard
Ching-Yun (C.Y.) Chao, IBM
Heather Hinton, IBM
Kelvin Lawrence, IBM
Michael McIntosh, IBM
Anthony Nadalin, IBM
Michael Perks, IBM
Scott Cantor, Internet2
Bob Morgan, Internet2
Donal Arundel, IONA Technologies
Fred Dushin, IONA Technologies
Mark Little, JBoss Inc.
Jan Alexander, Microsoft Corporation
Paul Cotton, Microsoft Corporation
Colleen Evans, Microsoft Corporation
Mark Fussell, Microsoft Corporation
Vijay Gajjala, Microsoft Corporation
Marc Goodner, Microsoft Corporation
Martin Gudgin, Microsoft Corporation
Chris Kaler, Microsoft Corporation
Christopher Kurt, Microsoft Corporation
Jonathan Marsh, Microsoft Corporation
Jorgen Thelin, Microsoft Corporation
Asir Vedamuthu, Microsoft Corporation
Kyle Young, Microsoft Corporation
Norman Brickman, Mitre Corporation
Jeff Hodges, Neustar, Inc.
Frederick Hirsch, Nokia Corporation
Abbie Barbir, Nortel Networks Limited
Paul Knight, Nortel Networks Limited
Lloyd Burch, Novell
Steve Carter, Novell
Martin Chapman, Oracle Corporation
Jeff Mischkinsky, Oracle Corporation
Prateek Mishra, Oracle Corporation
Vamsi Motukuru, Oracle Corporation
Alex Hristov, Otecia Incorporated
John Hughes, PA Consulting
Darren Platt, Ping Identity Corporation
Andrew Nash, Reactivity, Inc.
Rob Philpott, RSA Security
Martijn de Boer, SAP AG
Martin Raepple, SAP AG
Tony Gullotta, SOA Software Inc.
Jiandong Guo, Sun Microsystems
Hubert Le Van Gong, Sun Microsystems
Eve Maler, Sun Microsystems
Petr Dvorak, Systinet Corp.
Don Adams, Tibco Software Inc.
Hans Granqvist, VeriSign
Mike Lyons, Layer 7 Technologies Inc.

a) WS-SX TC roster
http://www.oasis-open.org/apps/org/workgroup/ws-sx/members/roster.php
b) OASIS Web Services Secure Exchange (WS-SX) TC home page:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx

3. Appointment of Note taker(s), Convener
>Michael McIntosh will take notes today.

4. Selection of TC chairs, Convener
>Nominees Chris Kaler and Kelvin Lawrence introduced themselves.
>Paul opened up to other nominations
>Chris Kaler and Kelvin Lawrence as co-chairs - Approved without objection
>10 minute break.

5. Approval of meeting agenda, Chairs
>Kelvin reviewed the agenda
>Some discussion about posting of item 9 presentation to TC page
>No objections.

6. Introduction to OASIS process, OASIS staff
>Jamie Clark (on the phone)
>Congratulated Kelvin and Chris - thanked Paul
>Briefly described: TC Process, IPR Policy, Charter, Guidelines, etc.
>Read the documents on the Web (Policies and Procedures)
>- understand obligation of participation
>Some comments about chat room problems (quotes in name are bad)

7. Selection of issues list editor(s), Chairs
>Marc Goodner volunteered to be Issues List editor
>Congratulations to Marc
>Note from Chairs that Issues List Editor and Minute Taker can halt meetings to catch up.

8. Review of TC charter, Chairs
a) Original Call for Participation
http://lists.oasis-open.org/archives/tc-announce/200510/msg00006.html
b) WS-SX TC charter
http://www.oasis-open.org/committees/ws-sx/charter.php
>Kelvin read through the Charter
>Hal noted a typo "TCís" should be "TC's" more than once
>Frederick would like to revise charter at certain points (including 3.c)
>- we will discuss at the end of the reading
>Chris noted typo "Properties for indication the"
>Frederick sent email and discussed the following revisions:
>-----BEGIN EMAIL FROM FREDERICK-----
>MOTION: Shall the charter of the OASIS WS-SX TC be amended as follows?
>Modify the following sentence in the charter:
>c. Specifying the scope of each returned security token using WS-Policy <wsp:AppliesTo>.
>TO READ AS FOLLOWS:
>c. Specifying the scope of each requested and returned security token using WS-Policy
><wsp:AppliesTo> (eg. wsa:endpointReference).
>After the following sentence in the charter:
>j. Specifying characteristics of the requested type of keys.
>ADD THE SENTENCE AS FOLLOWS:
>k. Enabling additional negotiation and challenge mechanisms (e.g. SASL, SPNEGO) initiated by
>either client or server.
>Modify the following sentence in the charter:
>2. Actions and elements for responding with a renewed token.
>TO READ AS FOLLOWS:
>2. Actions and elements for responding with a renewed token (or tokens).
>Modify the following sentence in the charter:
>2. Actions and elements for responding about the validity of a token.
>TO READ AS FOLLOWS:
>2. Actions and elements for responding about the validity of a token (or tokens).
>After the following sentence in the charter:
>7. Definition of APIs
>ADD THE SENTENCES THAT FOLLOW:
>8. Definition of additional negotiation and challenge protocol mechanisms.
>9. Developing the roadmaps, or other specifications mentioned in those roadmaps,
>beyond the material listed explicitly as within the scope of this charter.
>-----END EMAIL FROM FREDERICK-----
>Some discussion: change from "amend" to "clarify"
>Jamie - said we need to state this as clarification (lower threshold)
>Frederick made motion
>Tony seconded
>Discussion
>Jeff Hodges: we did not have a lot of time to review changes ...
>...should we take them each individually or as a whole
>Paul: asked what Jeff Hodges' concern was? too large chunks? or not enough time?
>Jeff H: concerned about ruling of things out of scope.
>Tony: it helps set expectations
>Hal: we should have one package one vote if possible
>Hans: inconsistent use of word "protocol" in "k" and "8".
>Hal: if removing or adding word "protocol" changes meaning?
>Martijn DeBoer: question about the use of term "binding" vs. "profile"
>Scott C.: has similar concerns - who does profiles?
>Chris K: Spec is abstract, binding concrete, profile is like WSI
>Prateek: Wants to understand which tokens themselves make this all work
>Chris K: wants this to work for all token types
>Prateek: question whether contributed specs might evolve into separate specifications ...
>(potentially token specific) - does the charter prohibit this?
>Jeff H.: item "k" he is OK with - would rather use "framework" ...
>... instead of "mechanism" in "8" - "k" and "8" seem contradictory
>- in the context of very detailed charter.
>Tony: Charter calls out bindings does not call out profiles
>Frederick: should we add "to be used" to end of "8".
>Chris: should we change "k" and "8" to "mechanisms, protocols, and frameworks"?
>Tony: Concerned that we are going to try to combine frameworks
>Scott C: should we change to SASL Mechanisms or SPNEGO Mechanisms?
>Chris: Put this on the stack.
>Paul: Back to Prateek's issue: WS-RX has line this doesn't ...
>- essentially "tc can change name of specs and their organization"
>Darren: need to drive towards interop rather than abstract specifications
>Jeff M.: if the TC wants to change names it can - MSFT should not hide behind IPR Policy
>Tony: We can do interop in context of specific tokens - it's been successfully done in past
>Chris: We do have WSI and WSS working together in past
>Darren: other TCs have been prevented from doing details by being pointed at charter
>Jamie: a lot of work has gone into reviewing present charter:
>... any TC can recharter (new scope - lots of work)
>Dr. Brickman: Would like this TC to work towards interop
>Paul: we have heard that we don't have enough on the table before
>- but in the past we have gotten interop (SOAP, etc.)
>Frederick: Procedural question - still listed as prospective on web site
>- so can't post documents
>Paul: Send documents to Paul to be posted.
>Hal: Move recess for Lunch - reconvene at 1:00pm PST
>Paul Knight: Call will restart at 1pm PST.

>RECONVENED @ 1pm PST
>Chris - 3 ongoing conversations:
>Frederick's Comments, Martin's, and Prateek's
>Starting with Prateek's
>Prateek: it is his belief that a system of token exchange/issuance
>-would require some profiling of binding for specific token types
>Tony: questions whether security policy would give that ability for bindings
>Eve: Question - profiling is overloaded word - is group intending to perform interop testing - will scenarios doc be developed
>Paul: Would encourage same process as WSS did - so yes
>Eve: would challenge someone to say it was interop for WSS - was interop for specific scenarios
>Chris: we built scenarios to best test mechanisms
>Scott: just be careful about saying what has been interoped
>Paul: we should do enough interop to convince ourselves the specs are good - can't be exhaustive
>Scott: Are there use cases in scope that can be profiled and interoped
>Darren: getting to a point where 3 companies claim interop isn't enough
>Jeff M: to be used we need to make sure we have interop - we can't wait for WSI to provide that
>Paul: explained the WSI profile process
>Prateek: as the deliverables are set up does not allow the use of the technology without a profile that speaks to specific token types
>Tony: it is a generalized framework - allows tokens of any type
>Back to Martin's Questions
>Martijn: In scope is how to cancel a token - on the other hand revocation is out of scope?
>Tony: Cancelling does not imply underlying revocation as with CRL
>Heather: is the distinction around notification
>Mike: Cancel is scoped to the STS - leaves undefined how underlying implementation works
>Martijn: As part of charter XPath 1.0 should not be used - why not XPath 2.0?
>Paul: XPath 1.0 is the current recommendation - don't expect 2.0 to be ready by then
>Scott: Clarify to say "XPath 1.0 or subsequent revisions"?
>Paul: Remove the 1.0?
>AGREED: Remove "1.0" from XPath in 1.c
>On to Frederick's issues
>Frederick: in addition to original text
>"amended" to "clarified"
>leave "8" alone
>for "k" - change "challenge protocol mechanisms to be used (e.g. SASL mechanisms, ...)
>AGREED: change "amended" to "clarified", leave "8" alone, for "k" - change "challenge protocol mechanisms to be used (e.g. SASL mechanisms, ...)
>Hal: Boxcaring is not well-defined
>AGREED: not to change anything wrt boxcaring
>Martijn: WS-SC - might be interesting for transport specific binding
>Tony: session is used in context of key
>Gudge: Can do that outside this TC
>Paul: Prefer a single charter
>Frederick will provide a changed charter for the motion in the morning
>Short break to prepare for presentation

9. Contributed works
a) WS-Trust (presentation by Martin Gudgin)
http://schemas.xmlsoap.org/ws/2005/02/trust/
>Prateek: concerns about semantics vs. syntax
>Martijn: concerns about client knowledge of token specific details
>Scott: not sure what is gained by client token neutrality
>Hal: questions whether issuance requires a new token
>Darren: can token be passed in when requesting issuance? (answer yes)
>-on validate can token be returned? (answer yes)
>Prateek: What is the difference between issue and validate?
>Gudge: Issue typically involves ask for new - validate is about is this still good
>Prateek: Question about security intermediaries - does this work in that context?
>Prateek: Are URIs Token Specific or can they be general? (answer can be general)
>Prateek: Does every RST RSTR exchange involve key agreement? (answer typically yes - but potentially not in every case)
>RL Bob: Lifetime info in RSTR is a hint to client about lifetime of Token
>Hubert: Can I ask for multiple tokens for multiple subjects? (answer no way to do that)
>Hal: We could always return a collection
>RL Bob: question applies to more than one spec - in multitier scenario - is support for those use cases in scope for this TC?
>Gudge: Is there any reason to say it cannot be supported?
>RL Bob: what about constrained delegation?
>Gudge: no explicit language for this is included
>Chris: we need to go over specific scenarios in the context of the charter to decide whether this is in scope
>Chris: will add this to discussion tomorrow (Thursday)
b) WS-SecureConversation (presentation by Martin Gudgin)
http://schemas.xmlsoap.org/ws/2005/02/sc/
>Prateek: Will the interop scenarios be contributed to OASIS (answer yes)
>Prateek: no challenge included in the exchange for the interops
>Chris: It could have been included but did not
>Scott: no way for application to cause a new challenge? (answer yes)
>Chris: that can be done with an application unauthorized/invalid token fault
c) WS-SecurityPolicy (presentation by Martin Gudgin)
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/
>Jeff M: isn't discussion of WS-Policy out of scope
>Frederick: aren't some of the constructs described in WS-SP going to be in WS-P? (answer possibly)
>Scott: is there an explicit mapping from SignedParts to signature mechanism and how parts are referenced
>Rich: question about SignedParts: Section 5.1.1 text is misleading about how fine grained it is
>Scott: is the token assertion an open content model (answer yes)
>Paul: is there a mustUnderstand type thing possible here?
>(answer best to do it at named level rather than "value" to leverage matching)
>Long discussion about brownies and cake
>Frederick has posted updated charter
>Paul: Asked if, since will be dealt with first thing in morning, whether Jamie can attend at 9am PST tomorrow
>RECESSED at Page 65 until tomorrow (Thursday) morning

>RECONVENED Thursday Morning
>Kelvin called meeting to order
>Checked Roll for new updates
>Chairs to send charter to OASIS to set up electronic vote:
>WS-SX-Charter-Clarification-redlineC.pdf
>to be done as soon as meeting ends
>- request the vote be set up ASAP
>- if cannot be done soon - then after holidays
>Paul described lunch logistics
>Returning to Gudge's presentation @ page 65
>Prateek: questions appropriateness of term "Security Binding"
>Tony G: Are defining policy for all messages in both directions (Asymmetric binding)?
>Tony: you can attach policy at different points
>Gudge: there are some assertions which can be applied to service/endpoints/messages/etc
>Chris: Some assertions can appear attached to targets, and some only nested in others
>Hal: Are there any that can be both? (answer no)
>Tony G: Can I have supporting tokens without higher binding? (answer yes)
>Hal: spoke about potential differences between advertised and enforced policy
>Prateek: spoke about satisfaction of protection assertions thru bindings
>Hal: is considering exploring assertion scope in more detail - TBD
>RL Bob: How does WS-SecurityPolicy relate to WS-Policy? Do I need to implement WS-Policy?
>Gudge: not really full general WS-Policy
>Tony: Don't need to understand more than wsp:Policy
>Tony G: How to interop over choices?
>Gudge: Can publish two policies (or wsp:ExactlyOne)
>Eve: If wsp primitives are not needed - why not eliminate them?
>Tony G: How do token assertions define choices?
>Gudge: we don't need to - but we want to leverage general policy engines for matching
>Tony G: We use the WS-Policy namespace - we need to settle on version
>Gudge: We could express policies without choices from WS-Policy but easier with them
>Scott: Why isn't WS-SP layered above/below WS-P ?
>Eve: Seems like wsp:All and wsp:ExactlyOne are avoided but not wsp:Policy?
>Chris: Need to differentiate between what is required for nested subassertion matching from parameters.
>Scott: don't know how to get around dependence on WS-Policy not in standards org.
>Paul: Charter explains that.
>RL Bob: Are other dependent specifications in that situation?
>Paul: SOAP 1.1, WSDL 1.1, WS-Addressing, maybe others
>Jeff H: Should research the complete list
>ACTION: Paul to research the complete list of dependent specifications and standards status
>Jeff M: Should include WS-I BP 1.1 WSDL
>RL Bob: Hard to abstractly refer to some issues
>Break

10. TC administration, Chairs
a) Distributed meeting schedule (day of week and time of day)
>Jeff H: Prefers 9PST to 7PST
>Jeff M: 8PST is worse
>Paul: 7PST works for WSS
>Hal: It also works for XACML
>Frederick: Is every week necessary?
>Chris: We can cancel easier than add
>Don: 7PST works well for WSS
>Eve: What is the distribution of timezones?
>Hubert: What about alternating timezones for each week?
>AGREED: Meetings every Wednesday from 7PST-9PST starting Jan 11.
b) TC and meetings aids such as TC website, document repository, IRC, etc.
>Kelvin went over the OASIS website and tools
i) Email archive: http://lists.oasis-open.org/archives/ws-sx/
ii) Document repository http://www.oasis-open.org/committees/documents.php?wg_abbrev=ws-sx
iii) Minutes http://www.oasis-open.org/committees/ws-sx/minutes.php
iv) FAQ http://www.oasis-open.org/committees/ws-sx/faq.php
c) Future F2F meeting schedule
http://www.oasis-open.org/committees/calendar.php?wg_abbrev=ws-sx
>Chairs: Potentially next one in three months - don't want one without issues
>Paul: People need to submit issues right away
>Frederick: Would rather wait since we don't have many issues
>Jeff H: With such well baked submissions we may not need a F2F
>Paul: If we don't schedule one now we will have trouble later getting a slot
>TENTATIVE: F2F IBM Austin April 4-5
d) TC roles (secretary, issues list editor, specification authors, etc.)
>Issues List Editor: Marc Goodner
>Secretary:
>-Abbie Barbir Volunteered to be Secretary (Manage Roster/Attendance),
>-Paul Cotton Volunteered to Take Minutes at each meeting.
>Editors: Hans, Abbie, Gudge, and Tony N.
>Motion: Thanks to Doug Davis IBM for Sponsoring our Chat Room
>Approved
>MOTION: from Paul C. to have editors morph the contributed (once WS-SecurityPolicy is contributed successfully) documents into the OASIS format in line numbered PDF, editable format, and potentially HTML and upload them into document repository
>Tony: need to decide which format to use for documents and URIs.
>SECOND: by Tony
>APPROVED: no objection
>MOTION: by Tony to fold in (once contributed) errata to WS-SecurityPolicy and schema
>SECOND: by Darren
>APPROVED: no objection
>Prateek: One issue is the availability of Schema
>Chris: Submitted package includes them - they will be uploaded
>Chris: Issue to pull out all XML examples into separate files
>Kelvin: Chris to upload issues list to URI off home page
>Paul: Requests that this be done before first meeting
>Tony: Should be done before Christmas
>ACTION ITEM: Chairs to make sure documents are available before first meeting.

11. Any other business
>Paul: Asked whether namespace URIs would be modified to appropriate form
>Tony: OASIS has a base namespace - TC picks variable part
>some discussion about embedded dates vs. versions
>Proposal: http://docs.oasis-open.org/ws-sx/ws-trust/YYYYMM (200512)
>Date changed for each CD.
>Consensus reached.
>Paul: We know we will get line numbered PDF to write issues against - when will issues list be ready?
>Marc: Tonight or tomorrow
>Paul: So we can have email discussion on list
>Tony: Are KAVI issues with document upload dealt with yet? When?
>Paul: Hopefully today
>Hal: Issue against WS-SP - need to support binding allowing two asymmetric key pairs
>Chris: do you think that it is not supported?
>Hal: Was given that impression by others
>Chris: It is enabled but nowhere to express it
>Hal: Question came from Jason Hogg from WSI Sample application
>Chris: Does not see where it is prohibited
>New Issue: Hal Owner to better understand and explain the issue.
>Prateek: New Issue about security intermediary when it presents a token on behalf of an application, how does it also offer proof of possession?

12. Adjournment
>Motion: from Mike to adjourn
>No objection
>Thanks to Paul for convening and hosting the meeting!!!