

Subject: Re: [ws-sx] WS-SX TC Minutes, Mar 01 2006


This should read

ACTION 2005-03-01-03 Werner Dittman to work with Mike Perks to see if
it would be useful to include Mike's UML diagram to clarify Issue 28.


Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Paul Cotton" <Paul.Cotton@microsoft.com>
03/01/2006 10:59 AM

To: <ws-sx@lists.oasis-open.org>
cc:
Subject: [ws-sx] WS-SX TC Minutes, Mar 01 2006

WS-SX TC Minutes, Mar 01 2006

Summary of new Action items:

ACTION 2006-03-01-01 Jan Alexander will provide a solution to Issue 41.

ACTION 2005-03-01-02 Werner Dittman to give an example of a case for
Issue 27 that is not sensible so that we can indicate that some cases do
not make sense.  Werner will propose specific change to SP to give
guidance on the problem identified in Issue 27.

ACTION 2005-03-01-03 Werner Dittman to work with Tony Nadalin to see if
it would be useful to include Tony's UML diagram to clarify Issue 28.

ACTION 2005-03-01-04 Werner Dittman, Tony Gillotta and Gudge will
prepare a proposal to add some text to describe how to extend token
assertions for Issue 30.

1. Call to order/roll call

Present (41/54 voting members at beginning of call)
<to be provided>

2. Reading/Approving minutes of last meeting (Feb 22)
http://lists.oasis-open.org/archives/ws-sx/200602/msg00129.html

Adopted unanimously.

3. F2F planning
See information provided in:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00131.html 

ai-06 - Chairs to hold a F2F attendance ballot starting Mar 1 and
closing at least two weeks before the F2F.
DONE.  See:
http://www.oasis-open.org/apps/org/workgroup/ws-sx/ballot.php?id=963
So far only 22 members have voted.

4. Issues list
http://docs.oasis-open.org/ws-sx/issues/Issues.xml

a) Review of action items

ai-06 - Chairs to hold a F2F attendance ballot starting Mar 1 and
closing at least two weeks before the F2F.
DONE.  See:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00142.html 
and ballot is at:
http://www.oasis-open.org/apps/org/workgroup/ws-sx/ballot.php?id=963
So far only 22 members have voted.

ai-09 - Editors to check that XPath examples in WS-SecurityPolicy are
fully namespace qualified.
Pending.

AI-2006-02-15-01 - Gudge to draft a revised proposal for Issue 9
DONE. See:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00143.html 

AI-2006-02-15-04 - Prateek to propose resolution to Issue 20 by Feb 17.
Pending.  ETA is before the F2F.

AI-2006-02-15-05 - Chairs to add information to the public page on how
to access previous versions of the Issues List.
DONE.  Kelvin included the URL of the directory containing the old
issues lists.

AI-2006-02-15-06 - Prateek to provide additional broader scenarios for
at least WS-Trust.
Pending.  ETA is Mar 10.

AI-2006-02-15-07 - TC members to come to the April F2F with data on when
they would be ready to carry out SC/Trust interop.
Pending.

AI-2006-01-25-01 - TC members to come to the April F2F with data on when
they would be ready to carry out SC/Trust interop.
Duplicate.

b) Issues in Review status

None.

c) New issues

i041   Clarification on token propagation of SCT required
http://lists.oasis-open.org/archives/ws-sx/200602/msg00136.html
Change status to Active.  Owner is Martin R.

ACTION 2006-03-01-01 Jan Alexander will provide a solution to Issue 41.
 
i042   WS-SC HTTP Binding  
http://lists.oasis-open.org/archives/ws-sx/200602/msg00137.html 
Jan's response:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00150.html
Duanne's response:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00151.html 

Prateek Mishra asked if Martin was trying to map SC onto HTTP.  Martin
is trying to figure out how an HTTP load balancer can distribute
messages to the correct end point if the SC information is buried in the
SOAP message.

Paul Cotton pointed out that Duanne's response suggested that this issue
is out of scope of the charter.  Martin said that he would drop the
issue if the issue was deemed out of scope.

Change status to Closed since the Issue is out of scope.

d) Active issues

i004  Paul Cotton  Transitive closure spec dependencies
Pending.  ETA before the F2F.

i008  Editors  Need well formed XML examples    
Pending.

i009  Hal Lockhart  Support for different key pairs for sign and encrypt
in SP  
AI-2006-02-15-01 - Gudge to draft a revised proposal for Issue 9
DONE. See:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00143.html 
Hal sent email supporting this proposal.

Paul Cotton moved to adopt the proposal for Issue 9.  Gudge seconded the
motion.
Adopted unanimously.

Change status to Pending.

i010  Prateek Mishra  Proof of possession for security intermediaries
Use case motivation:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00108.html   
Darren's reply:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00133.html
Jan Alexander was about to reply but he had a hard disc crash.  Pending
comments on email list.  

i016  Michael McIntosh  sp:SignedParts mechanism
Pending comments on email list.

i018  Michael McIntosh  absolute XPath expressions
Pending comments on email list.  

i020   Describe minimum acceptable lengths for P_SHA1 inputs    
AI-2006-02-15-04 - Prateek to propose resolution to Issue 20 by Feb 17.
Pending.  It will take Prateek a couple of weeks to put together a
proposal for this technical issue.

i021  Editors  Correct section numbers in SP    
Marc's email:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00000.html
Change status to Pending.  Assigned to Editors.

i024   [Protection Order] Property using same source for keys
http://lists.oasis-open.org/archives/ws-sx/200602/msg00033.html
Change status to Closed as duplicate of Issue 9.
 
i027   When to include a token?
Gudge's note:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00001.html 
Werner's response:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00005.html 
Werner's correction in:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00006.html 

Gudge wondered if it was worthwhile to list all the valid combinations
of constructed messages.  Werner simply wanted to ensure that SP does
not encourage people to imply combinations of inclusion values and
reference types that don't make sense.  Gudge thought there might be
some cases that don't make sense but thought there are some grey areas
that people would disagree on.  

Werner agreed that SP gives a lot of freedom and could allow combinations that
don't make sense.  Werner suggested that specifying an embedded token
AND always included a binary security token is one case that does not
make sense.  

ACTION 2005-03-01-02 Werner Dittman to give an example of a case for
Issue 27 that is not sensible so that we can indicate that some cases do
not make sense.  Werner will propose specific change to SP to give
guidance on the problem identified in Issue 27.

i028   Multiple supporting tokens of the same type?
See thread at:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00077.html 
The TC agreed to await proposals for specific changes to Appendix A.

Prateek Mishra asked if we can have a signed part assertion as a direct
child of an asymmetric binding assertion?  Is it allowed? Does it make
sense?

Tony Nadalin thinks it is allowed but is not sure it makes sense since
it would depend on the use case.

Tony Nadalin said he had a UML diagram that described the assertions.

Gudge suggested that some assertions have a specific scope ("defined
policy subject") and others are unscoped since they are supposed to be
used with a scoped assertion.

Prateek asked if the contra-positive case exists.  Gudge said if that was
the case then it was probably an error.  Some might occur as siblings
but not as children.

ACTION 2005-03-01-03 Werner Dittman to work with Tony Nadalin to see if
it would be useful to include Tony's UML diagram to clarify Issue 28.

i029   Which token to use to encrypt/sign in case of multiple tokens
defined in a supporting token assertion?  
See Gudge's proposal in:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00065.html
"All of them (sic "tokens included in the supporting tokens") should
sign and encrypt the various message parts. Ordering of elements
(tokens, referencelists etc.) in the security header would have to be
used to determine which order encryptions occurred in."

The above text will be added to the section on supporting tokens
(currently section 8).  Adopted unanimously.

Change status to Pending.  

i030   Need a mechanism to identify token assertions
See thread in Feb and Mar archive.  Latest message is:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00004.html 

The TC discussed how someone would know when to use multiple tokens.
Tony said that SP was meant to define what would occur "on the wire".
But Werner thinks additional information is needed.  

Gudge suggested that this problem exists when only one token is
required.  SP was not meant to handle this case since it would cause an
exponential explosion of assertions.  Gudge suggested this is a client
configuration problem not something for SP to solve.  Gudge asked if
having the information of what the token is used for is enough for the
client to figure out what to do.

Werner felt this would make the client operations very complicated.

Scott Cantor asked why SP supported supporting tokens if there was not
enough information for the client to know what to do with it.  Scott
asked how the usage attribute in the security token reference will get
filled in.

Several people noted that SP does not provide the full semantic
information on the role of a required token.  Scott Cantor asked how to
specify that role.  Gudge asked if WS-PolicyReference spec could be used
to do this.  Chris Kaler said that there was a "#include" facility that
could do this.

Prateek asked what the extensibility model of token assertions was in
Section 5?  Gudge thought that all the token assertions allow nested
elements and attributes.  Gudge suggested that it would be better to
create a "SAML token with holder of key assertion" or to create a
sub-assertion under the existing SAML token assertion.   Gudge pointed
out that you want to make sure that the matching algorithm is invoked.

ACTION 2005-03-01-04 Werner Dittman, Tony Gillotta and Gudge will
prepare a proposal to add some text to describe how to extend token
assertions for Issue 30.
Note: Gudge noted he would not be on the next call.

i031   Clarification for UsernameToken assertion
See thread at:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00091.html
Corina Witt stated that the SP should define what features of a token
are used.  Scott Cantor asked why SP shouldn't be used to specify what
SAML assertions were required in a specific token instance.  Tony said
that SP was meant to describe message formats down to the token wrapper
and not for exactly what the features of each token should be used.  

Prateek agreed that it would be useful to know what features of a token
were used but he was not sure if SP was the right place.

Scott Cantor suggested that it would be useful to know how to link
"application level security" to the information expressed by SP.

Tony suggested we look at Issue 30 first and then return to Issue 31.  

i032  Hal Lockhart  WS-SP should permit Policy to specify the use of
keys derived from passwords
http://docs.oasis-open.org/ws-sx/issues/Issues.xml#i032
Hal is working on a proposal for this issue.

5. Other business

a) Interop scenarios
Marc's note re WSDL for interop:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00003.html 
Noted.

6. Adjournment

The meeting adjourned at about 8:57am PST.

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Nepean, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com





