

Subject: RE: [ws-sx] WS-SX TC Minutes, Oct 18 2006


[VER 2] Added roll, corrected date for last meeting’s minutes. Under discussion of issue 101 changed “current proposal” to “original proposal”.

 

WS-SX TC Minutes, Oct 18 2006

 

Thanks to Nortel for hosting the call.

 

Summary of new Action Items:

none

 

1. Call to order/roll call

   

Status Change

None

 

Present:

Jong Lee, BEA Systems, Inc.*

Hal Lockhart, BEA Systems, Inc.*

Denis Pilipchuk, BEA Systems, Inc.*

Corinna Witt, BEA Systems, Inc.*

Yakov Sverdlov, CA*

Dana Kaufman, Forum Systems, Inc.*

Toshihiro Nishimura, Fujitsu Limited*

Greg Whitehead, Hewlett-Packard*

Ching-Yun (C.Y.) Chao, IBM*

Henry (Hyenvui) Chung, IBM*

Heather Hinton, IBM*

Kelvin Lawrence, IBM*

Michael McIntosh, IBM*

Anthony Nadalin, IBM*

Ron Williams, IBM

Mike Lyons, Layer 7 Technologies Inc.*

Jan Alexander, Microsoft Corporation*

Greg Carpenter, Microsoft Corporation*

Paul Cotton, Microsoft Corporation*

Colleen Evans, Microsoft Corporation*

Vijay Gajjala, Microsoft Corporation*

Marc Goodner, Microsoft Corporation*

Martin Gudgin, Microsoft Corporation*

Chris Kaler, Microsoft Corporation*

Norman Brickman, Mitre Corporation*

Frederick Hirsch, Nokia Corporation*

Abbie Barbir, Nortel Networks Limited*

Lloyd Burch, Novell*

Steve Carter, Novell*

Rich Levinson, Oracle Corporation*

Ashok Malhotra, Oracle Corporation*

Prateek Mishra, Oracle Corporation*

Martin Raepple, SAP AG*

Tony Gullotta, SOA Software Inc.*

Jiandong Guo, Sun Microsystems*

Don Adams, Tibco Software Inc.*

 

 

2. Reading/Approving minutes of last meeting (Oct 11)

http://lists.oasis-open.org/archives/ws-sx/200610/msg00027.html

 

Adopted unanimously.

 

3. TC Logistics (10 minutes or less)

No calls on Nov 22nd, Dec 20, 27.

First call of 07 is Jan 3rd

Nortel has graciously volunteered to host calls until end of the year.

 

4. Issues list

http://docs.oasis-open.org/ws-sx/issues/Issues.xml

   

a) Review of action items

AI-2006-10-04-02 - Marc to delve into TC document organization issues and report back

 

 

 

b) Issues in Review status

 

  None.

 

   

c) New issues

 

  None.

 

 

d) Active issues

 

i066 - SecurityPolicy use cases

Latest discussion: http://www.oasis-open.org/archives/ws-sx/200610/msg00033.html

Explains assumptions on assumptions of using Trust vs. processing models

If this is acceptable then it can be used to clarify text in the doc.

 

i081 - Provide policy statements and associated URIs that can be referenced from wsp:PolicyReference statements

 

i090 - Description of Strict Formatting seems wrong for EncryptedKey

Current proposal: http://lists.oasis-open.org/archives/ws-sx/200609/msg00065.html

 

Hal’s response: http://www.oasis-open.org/archives/ws-sx/200610/msg00031.html

Frederick’s response: http://www.oasis-open.org/archives/ws-sx/200610/msg00034.html

Gudge’s position: http://www.oasis-open.org/archives/ws-sx/200610/msg00035.html

 

Difference of opinion is around where we get consistency from, 1.0 treatment of encrypted key vs. 1.1 treatment of tokens.

 

Reference to encrypted key using 11 would need to be treated as 1.1, 1.0 reference would be 1.0.

This is only a problem for endpoints that accept both 1.0 and 1.1. Endpoints that accept only one type would not need to do this inspection.

 

Where does this new requirement to not include encr ref list come from? Treating it like any other token.

The proposal does not change what WSS 1.1 says or what SP already said, this is viewed by Gudge as a clarification of what is already in both specs.

 

Strict formatting has rules on how to process tokens.

Hal thinks convergence should be on treating encr key the same between 1.0 and 1.1

Gudge thinks convergence should be on treating all tokens the same, encr key is now a token in 1.1

Treat it as a special thing with the ref list or treat it as any other token

 

Line 868 of the core for WSS1.1, token references, section 7; encrypted key is listed as a token.

What about guideline of when using strict don’t support multiple versions of WSS on the same endpoint?

 

i101 - Need additional SamlToken Assertion Elements for Holder-of-Key and Sender-Vouches

Initial feedback was that this needed to be done out of band

That seemed to be too much burden on SAML

There has been pushback on the implicit model in the original proposal that was written in response to feedback in the current proposal.

Suggestion is to address this in use case document rather than the spec.

Next rev of use cases document will be in two weeks.

 

i114 - Additional algorithm properties, assertions and references needed

If we want to support comments those should be other assertions. Why would we want to support comments other than completeness? Completeness. Could help as well if W3C introduces new canonicalization we would be prepared. Why wouldn’t we just introduce a new algorithm bag in that case?

What is item 3?

Why do we want the things in item 4?

 

Attempt to mirror what was in min profile.

Why would that not be done in the min profile? Because it doesn’t exist.

 

Taking to email.

 

i115 - Universal Encryption of UsernameToken (as specified by Appendix D, d.4, 3.) seems wrong

Why would you encrypt username with hashed password?

To protect the username itself for privacy, guessing attacks, weak key for the hash...

Objection is to the always must encrypt rather than using guidance in the policy

Continue discussion on email.

 

i116 - Is Appendix D Normative?

Added as proposal for issue 33.

Hal is going to take a pass at locating this advice in the spec.

Gudge suggests looking at the email thread between himself and Prateek that constructed proposal for issue 33.

 

PR001 - Question on WS-Trust sections 4.3.5 to 4.3.7

Proposal should be ready this week.

 

 

f) Pending issues

 

  None.

 

 

5. Next steps

We still have some open issues on the spec so we need to close those before taking SP to CD.

 

Greg discussed revised interop doc. Explicit failure cases have been added.

http://www.oasis-open.org/archives/ws-sx/200610/msg00036.html

 

6. AOB

 

None.

 

7. Adjournment

 

The meeting adjourned at 8:00am PST.

 

 


