Subject: [VER 2] WS-SX TC Minutes, Mar 01 2006


WS-SX TC Minutes, Mar 01 2006

[VER 2]
1. Added roll call provided by Kelvin.
2. Changed year in action items to 2006.
3. Change ACTION 2006-03-01-02 to be on Werner Dittmann and Mike Perks.
4. Made some changes as suggested by Scott Cantor.

Summary of new Action items:

ACTION 2006-03-01-01 Jan Alexander will provide a solution to Issue 41.

ACTION 2006-03-01-02 Werner Dittmann to give an example of a case for
Issue 27 that is not sensible so that we can indicate that some cases do
not make sense.  Werner will propose specific change to SP to give
guidance on the problem identified in Issue 27.

ACTION 2006-03-01-03 Werner Dittmann to work with Mike Perks to see if
it would be useful to include Tony's UML diagram to clarify Issue 28.

ACTION 2006-03-01-04 Werner Dittmann, Tony Gullotta and Gudge will
prepare a proposal to add some text to describe how to extend token
assertions for Issue 30.

1. Call to order/roll call

Present (41/54 voting members at beginning of call)
Frank Siebenlist  Argonne National Laboratory*     
Jong Lee  BEA Systems, Inc.*     
Hal Lockhart  BEA Systems, Inc.*     
Corinna Witt  BEA Systems, Inc.*     
Symon Chang  Blue Titan Software*     
Steve Anderson  BMC Software*     
Rich Levinson  Computer Associates*     
Yakov Sverdlov  Computer Associates*     
Nick Ragouzis*  Enosis Group LLC*     
Toshihiro Nishimura  Fujitsu Limited*     
Greg Whitehead  Hewlett-Packard*     
Ching-Yun (C.Y.) Chao  IBM*     
Henry (Hyenvui) Chung  IBM*     
Heather Hinton  IBM*     
Kelvin Lawrence  IBM*     
Anthony Nadalin  IBM*     
Michael Perks  IBM*     
Scott Cantor  Internet2*     
Mike Lyons  Layer 7 Technologies Inc.*     
Jan Alexander  Microsoft Corporation*     
Paul Cotton  Microsoft Corporation*     
Colleen Evans  Microsoft Corporation*     
Mark Fussell  Microsoft Corporation*     
Vijay Gajjala  Microsoft Corporation*     
Marc Goodner  Microsoft Corporation*     
Martin Gudgin  Microsoft Corporation*     
Chris Kaler  Microsoft Corporation*     
Norman Brickman  Mitre Corporation*     
Frederick Hirsch  Nokia Corporation*     
Abbie Barbir  Nortel Networks Limited*     
Paul Knight  Nortel Networks Limited*     
Lloyd Burch  Novell*     
Steve Carter  Novell*     
Howard Bae  Oracle Corporation*     
Ashok Malhotra  Oracle Corporation*     
Prateek Mishra  Oracle Corporation*     
Alex Hristov  Otecia Incorporated*     
John Hughes*  PA Consulting*     
Darren Platt  Ping Identity Corporation*     
Martijn de Boer  SAP AG*     
Martin Raepple  SAP AG*     
Werner Dittmann  Siemens AG*     
Tony Gullotta  SOA Software Inc.*     
Jiandong Guo  Sun Microsystems*     
Don Adams  Tibco Software Inc.*     
Hans Granqvist  VeriSign *  
 
2. Reading/Approving minutes of last meeting (Feb 22)
http://lists.oasis-open.org/archives/ws-sx/200602/msg00129.html

Adopted unanimously.

3. F2F planning 
See information provided in:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00131.html 

ai-06 - Chairs to hold a F2F attendance ballot starting Mar 1 and
closing at least two weeks before the F2F. 
DONE.  See:
http://www.oasis-open.org/apps/org/workgroup/ws-sx/ballot.php?id=963
So far only 22 members have voted.

4. Issues list 
http://docs.oasis-open.org/ws-sx/issues/Issues.xml

a) Review of action items

ai-06 - Chairs to hold a F2F attendance ballot starting Mar 1 and
closing at least two weeks before the F2F. 
DONE.  See:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00142.html 
and ballot is at:
http://www.oasis-open.org/apps/org/workgroup/ws-sx/ballot.php?id=963
So far only 22 members have voted.

ai-09 - Editors to check that XPath examples in WS-SecurityPolicy are
fully namespace qualified. 
Pending.

AI-2006-02-15-01 - Gudge to draft a revised proposal for Issue 9 
DONE. See:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00143.html 

AI-2006-02-15-04 - Prateek to propose resolution to Issue 20 by Feb 17.
Pending.  ETA is before the F2F. 

AI-2006-02-15-05 - Chairs to add information to the public page on how
to access previous versions of the Issues List. 
DONE.  Kelvin included the URL of the directory containing the old
issues lists.

AI-2006-02-15-06 - Prateek to provide additional broader scenarios for
at least WS-Trust. 
Pending.  ETA is Mar 10.

AI-2006-02-15-07 - TC members to come to the April F2F with data on when
they would be ready to carry out SC/Trust interop. 
Pending.

AI-2006-01-25-01 - TC members to come to the April F2F with data on when
they would be ready to carry out SC/Trust interop.
Duplicate.

b) Issues in Review status

None.

c) New issues

i041   Clarification on token propagation of SCT required
http://lists.oasis-open.org/archives/ws-sx/200602/msg00136.html
Change status to Active.  Owner is Martin R.

ACTION 2006-03-01-01 Jan Alexander will provide a solution to Issue 41.
  
i042   WS-SC HTTP Binding  
http://lists.oasis-open.org/archives/ws-sx/200602/msg00137.html 
Jan's response:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00150.html
Duanne's response:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00151.html 

Prateek Mishra asked if Martin was trying to map SC onto HTTP.  Martin
is trying to figure out how an HTTP load balancer can distribute
messages to the correct end point if the SC information is buried in the
SOAP message.

Paul Cotton pointed out that Duanne's response suggested that this issue
is out of scope of the charter.  Martin said that he would drop the
issue if the issue was deemed out of scope.

Change status to Closed since the Issue is out of scope.

d) Active issues

i004  Paul Cotton  Transitive closure spec dependencies 
Pending.  ETA before the F2F.

i008  Editors  Need well formed XML examples    
Pending. 

i009  Hal Lockhart  Support for different key pairs for sign and encrypt
in SP   
AI-2006-02-15-01 - Gudge to draft a revised proposal for Issue 9 
DONE. See:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00143.html 
Hal sent email supporting this proposal.

Paul Cotton moved to adopt the proposal for Issue 9.  Gudge seconded the
motion.
Adopted unanimously.

Change status to Pending.

i010  Prateek Mishra  Proof of possession for security intermediaries 
Use case motivation:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00108.html   
Darren's reply:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00133.html
Jan Alexander was about to reply but he had a hard disc crash.  Pending
comments on email list.  

i016  Michael McIntosh  sp:SignedParts mechanism 
Pending comments on email list.

i018  Michael McIntosh  absolute XPath expressions
Pending comments on email list.   

i020   Describe minimum acceptable lengths for P_SHA1 inputs    
AI-2006-02-15-04 - Prateek to propose resolution to Issue 20 by Feb 17. 
Pending.  It will take Prateek a couple of weeks to put together a
proposal for this technical issue.

i021  Editors  Correct section numbers in SP     
Marc's email:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00000.html
Change status to Pending.  Assigned to Editors. 

i024   [Protection Order] Property using same source for keys
http://lists.oasis-open.org/archives/ws-sx/200602/msg00033.html
Change status to Closed as duplicate of Issue 9.
  
i027   When to include a token? 
Gudge's note:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00001.html 
Werner's response:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00005.html 
Werner's correction in:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00006.html 

Gudge wondered if it was worthwhile to list all the valid combinations
of constructed messages.  Werner simply wanted to ensure that SP does
not encourage people to imply combinations of inclusion values and
reference types that don't make sense.  Gudge thought there might be
some cases that don't make sense but thought there are some grey areas
that people would disagree on.  

Werner agreed that SP gives a lot of freedom and could allow combinations
that don't make sense.  Werner suggested that specifying an embedded token
AND always including a binary security token is one case that does not
make sense.  

ACTION 2006-03-01-02 Werner Dittmann to give an example of a case for
Issue 27 that is not sensible so that we can indicate that some cases do
not make sense.  Werner will propose specific change to SP to give
guidance on the problem identified in Issue 27.

i028   Multiple supporting tokens of the same type? 
See thread at:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00077.html 
The TC agreed to await proposals for specific changes to Appendix A. 

Prateek Mishra asked if we can have a signed part assertion as a direct
child of an asymmetric binding assertion?  Is it allowed? Does it make
sense?

Tony Nadalin thinks it is allowed but is not sure it makes sense since
it would depend on the use case.

Tony Nadalin said he had a UML diagram that described the assertions.

Gudge suggested that some assertions have a specific scope ("defined
policy subject") and others are unscoped since they are supposed to be
used with a scoped assertion.

Prateek asked if the contra-positive case exists.  Gudge said if that was
the case then it was probably an error.  Some might occur as siblings
but not as children.

ACTION 2006-03-01-03 Werner Dittmann to work with Mike Perks to see if
it would be useful to include Tony's UML diagram to clarify Issue 28.

i029   Which token to use to encrypt/sign in case of multiple tokens
defined in a supporting token assertion?  
See Gudge's proposal in:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00065.html
"All of them (sic "tokens included in the supporting tokens") should
sign and encrypt the various message parts. Ordering of elements
(tokens, referencelists etc.) in the security header would have to be
used to determine which order encryptions occurred in."

The above text will be added to the section on supporting tokens
(currently section 8).  Adopted unanimously.

Change status to Pending.  

i030   Need a mechanism to identify token assertions 
See thread in Feb and Mar archive.  Latest message is:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00004.html 

The TC discussed how someone would know when to use multiple tokens.
Tony said that SP was meant to define what would occur "on the wire".
But Werner thinks additional information is needed.  

Gudge suggested that this problem exists when only one token is
required.  SP was not meant to handle this case since it would cause an
exponential explosion of assertions.  Gudge suggested this is a client
configuration problem not something for SP to solve.  Gudge asked if
having the information of what the token is used for is enough for the
client to figure out what to do.

Werner felt this would make the client operations very complicated.

Someone asked why SP supported supporting tokens if there was not enough
information for the client to know what to do with it.  

Scott Cantor said he felt the discussion was conflating one sort of
policy ("I think security is too vague a word, period") with what he
would call "authorization" policy, though "you could use the words access
or application there as well."

Several people noted that SP does not provide the full semantic
information on the role of a required token.  Scott Cantor asked how to
specify that role.  Gudge asked if WS-PolicyReference spec could be used
to do this.  Chris Kaler said that there was a "#include" facility that
could do this.

Prateek asked what the extensibility model of token assertions was in
Section 5?  Gudge thought that all the token assertions allow nested
elements and attributes.  Gudge suggested that it would be better to
create a "SAML token with holder of key assertion" or to create a
sub-assertion under the existing SAML token assertion.   Gudge pointed
out that you want to make sure that the matching algorithm is invoked.

ACTION 2006-03-01-04 Werner Dittmann, Tony Gullotta and Gudge will
prepare a proposal to add some text to describe how to extend token
assertions for Issue 30.
Note: Gudge noted he would not be on the next call.
 
i031   Clarification for UsernameToken assertion 
See thread at:
http://lists.oasis-open.org/archives/ws-sx/200602/msg00091.html

Corinna Witt stated that the SP should define what features of a token
are used.   Scott Cantor observed that almost all tokens have a lot of
variability including some Kerberos flavours.
 
Tony Nadalin said that SP was meant to describe message formats down to
the token wrapper and not for exactly what the features of each token
should be used.  

Prateek Mishra agreed that it would be useful to know what features of a
token were used but he was not sure if SP was the right place.

Scott Cantor suggested that it would be useful to know how to link
"application level security" to the information expressed by SP.

Tony Nadalin suggested we look at Issue 30 first and then return to Issue
31.  

i032  Hal Lockhart  WS-SP should permit Policy to specify the use of
keys derived from passwords 
http://docs.oasis-open.org/ws-sx/issues/Issues.xml#i032
Hal is working on a proposal for this issue.

5. Other business 

a) Interop scenarios
Marc's note re WSDL for interop:
http://lists.oasis-open.org/archives/ws-sx/200603/msg00003.html 
Noted.

6. Adjournment 

The meeting adjourned at about 8:57am PST.

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Nepean, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com
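Added worked example for Issue 20 above (minimum acceptable lengths for P_SHA1 inputs). This is illustration written for these minutes, not code from the WS-SX TC, from the WS-Trust or WS-SecureConversation editors, or from any vendor on the call. It implements the P_SHA1 expansion of RFC 2246 section 5, which WS-SecureConversation seeds with label + nonce and windows with Offset/Length, and shows where a floor on secret and nonce length would be enforced. The MIN_SECRET_LEN and MIN_NONCE_LEN values and the default Offset/Length arguments are assumptions of this example; Issue 20 was still pending at this meeting and the TC had not decided any such numbers.

```python
# Added illustration for Issue 20, not code from the WS-SX TC or its specs.
import hashlib
import hmac

SHA1_LEN = 20  # bytes per HMAC-SHA1 block of P_SHA1 output

# ASSUMED thresholds. Issue 20 was pending when these minutes were taken, so
# these numbers illustrate enforcing a floor; they are not the TC's resolution.
MIN_SECRET_LEN = 16
MIN_NONCE_LEN = 16


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion (RFC 2246, section 5), truncated to `length` bytes.

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1));
    output = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    The output is prefix-consistent: asking for more bytes only appends blocks.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    out = bytearray()
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()   # block i
    return bytes(out[:length])


def derive_key(secret: bytes, label: bytes, nonce: bytes,
               offset: int = 0, length: int = 32) -> bytes:
    """Derive `length` key bytes at byte `offset` of P_SHA1(secret, label + nonce).

    This is the shape of a WS-SecureConversation derived key: the seed is the
    label concatenated with the nonce, and Offset/Length select a window of the
    expansion. The defaults for offset/length here are this example's choice.
    The length floors are the ASSUMED constants above.
    """
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError(
            f"secret must be at least {MIN_SECRET_LEN} bytes, got {len(secret)}")
    if len(nonce) < MIN_NONCE_LEN:
        raise ValueError(
            f"nonce must be at least {MIN_NONCE_LEN} bytes, got {len(nonce)}")
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    # Expand only as far as the window needs; P_SHA1 is prefix-consistent.
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any interop scenario.
    secret = bytes(range(32))
    nonce = b"\x01" * 16
    label = b"WS-SecureConversation"
    print(derive_key(secret, label, nonce, 0, 32).hex())
    try:
        derive_key(b"short", label, nonce)
    except ValueError as e:
        print("rejected:", e)
```

The check on `offset + length` matters in practice: a requester that sets a large Offset forces the responder to compute every intervening block, so an implementation will usually also cap the window it is willing to expand.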