Please send me your email address if you would like to be added to the
ws-sx-demo-tech@oasis-open.org list. The list is only open to subscribers; only
subscribers can post or view archives. The purpose of the list is to discuss
interoperability.
Best,
Dee
From: Rich.Levinson [mailto:rich.levinson@oracle.com]
Sent: Friday, August 29, 2008 10:18 PM
To: ws-sx@lists.oasis-open.org
Cc: Dee Schur
Subject: Meeting notes from ws-sx Examples Document Interop - Kick-Off Meeting Wed 8/27 10 AM EDT
Please disregard the previous non-message; it accidentally escaped from my email
client.
Also: interop emails will be on a separate email list as soon as it is available.
Minutes from ws-sx Examples Document Interop - Kick-Off Meeting:
Date: Wed Aug 27, 2008
Time: 10:00 - 10:30 AM EDT
Dial-in: 888-967-2253, Meeting code: 902688#, Pass code: 123456#
The agenda follows, with discussion notes inserted under each item; the source
material for the messages for my action item is included as well.
0. (5 min) Attendance - identify interested parties
   Rich Levinson - Oracle
   Bruce Rich - IBM
   Mike Lyons - Layer 7 Technologies
   Jiandong Guo - Sun
   Mike McIntosh - IBM
   Dee Schur - OASIS
   Symon Chang - Oracle
   Nandana Mihindukulasooriya - WSO2 (not at mtg, but made contact later,
   expressing interest)
1. (5 min) Brief overview of scenarios.
   Rich: briefly described the scenarios - they were chosen as:
   - a mix of WSS 1.0 and WSS 1.1
   - a mix of token types
   - most had some modest "advocacy" during prep of the examples doc,
     indicating some possible customer interest
2. (10 min) Administrative:
   Dee: explained a couple of things about OASIS support.
   Dee: choice on mail list: restricted or other
   - Bruce: mentioned that in restricted mode, participants might be more
     likely to interact more freely.
   - Rich: We will do restricted - Dee will let us know when it is set up.
   Dee mentioned that possibly marketing groups should have a parallel mail
   list:
   - Bruce: the purpose of the interop is to validate the examples; maybe after
     that is done marketing will pick it up.
   - No disagreement - will not consider marketing until considerations for
     follow-up after the current Interop is complete.
   Dee: possibly after we are done, we could do an additional deliverable, such
   as a webinar.
3. (00 min) Review of scenario selection - basically are there any changes to
   the proposed list that people would request?
   There were no change requests or other comments made about the selection of
   the scenarios, so we will go with the current list for now.
4. (10 min) Review of planned dates and any earlier milestones that need to be
   met. For example, is the document in adequate shape to be used as is for
   preparation, or is additional information needed?
   Current planned dates: Oct 27, 2008 -> Nov 14, 2008
   Bruce: the week of the 27th is the MS conf; maybe we could try to get some
   endpoints up sooner.
   Rich: that is fine; also there may be interest in extending the end date
   another week or so. Bottom line - in the next meeting (2 weeks) we will start
   talking about endpoints, and testing can begin as soon as 2 participants have
   endpoints available.
   Bruce, others: would like pointers to the originals from which the scenarios
   were derived, if available.
   Rich: will provide in this email below.
5. (5 min) Plan for next steps: schedule next call.
   Next call will be in 2 weeks: same day, time, dial-in:
   Date: Wed Sep 10, 2008
   Time: 10:00 - 11:00 AM EDT
   Dial-in: 888-967-2253, Meeting code: 902688#, Pass code: 123456#
Action item: Rich: List scenarios and origins (page numbers refer to the
examples document):

2.1.1.3 UsernameToken with timestamp, nonce and password hash (p 15)
This scenario is based on the first WS-Security Interop Scenarios Document
[WSS10-INTEROP-01 Scenario 1 – section 3.4.4 - see p7] (modified for digest and
nonce):
http://www.oasis-open.org/committees/download.php/11374/wss-interop1-draft-06-merged-changes.pdf

2.1.3.1 (WSS 1.0) Encrypted UsernameToken with X.509v3 (p 23)
This scenario is based on the first WS-Security Interop Scenarios Document
[WSS10-INTEROP-01 Scenario 2 – section 4.4.4 - see p11]:
http://www.oasis-open.org/committees/download.php/11374/wss-interop1-draft-06-merged-changes.pdf
It was also the subject of Public Review Issue PR012:
http://docs.oasis-open.org/ws-sx/issues/Issues.xml#PR012

2.1.4 (WSS 1.1) User Name with Certificates, Sign, Encrypt (p 27)
This scenario is based on the “Examples of Secure Web Service Message Exchange
Document” [WS-SECURE-INTEROP]:
http://www.oasis-open.org/committees/download.php/28803/ws-sx-secure-message-examples.doc
See pgs 10-14. (The doc only shows req/rsp, no ws-sp, which we may need to have
added to the doc - tbd, but the scenario should still be good.)

2.2.2.1 (WSS1.0) Mutual Auth, X.509 Certs, Symmetric Encrypt (p 38)
This scenario is based on WSS Interop, Scenario 4, Web Services Security:
Interop 2:
http://www.oasis-open.org/committees/download.php/11375/wss-interop2-draft-06-merged.doc
See section 3.4.4, p 10-11.

2.2.4 (WSS1.1) Mutual Auth with X.509 Cert, Sign, Encrypt (p 46)
This scenario is based on the “Examples of Secure Web Service Message Exchange
Document” [WS-SECURE-INTEROP]:
http://www.oasis-open.org/committees/document.php?document_id=28803&wg_abbrev=ws-sx
See p 17-20. (Note: in this ref doc derived keys were not used; they are used in
the examples, so we may need to get a replacement message for the ref doc - tbd.)

2.3.2.4 (WSS1.1) SAML1.1/2.0 SV w X.509 Cert, Sign, Encr (p 83)
This scenario is based on the first WSS SAML Profile InterOp
[WSS10-SAML11-INTEROP Scenario #3]:
http://www.oasis-open.org/committees/download.php/7702/wss-saml-interop1-draft-12.doc
See p 20-26 of that doc.
Note: the examples document section 2.3.1.4 is the example that directly
references this interop document. The 2.3.1.4 example was adapted for section
2.3.2.4 in order to show the operation for wss11, with some operational
variations that are described in the last para of p83 of 2.3.2.4. This scenario
was adapted and selected based on known customer interest.

2.3.2.5 (WSS1.1) SAML1.1/2.0 HK, Sign, Encrypt *(Needs STS)* (p 89)
This scenario is based on WS-SX Interop Scenarios Phase 2 (October 31, 2006)
[WSSX-WSTR-WSSC-INTEROP] Scenario 5 (Client and STS: Mutual Certificate WSS1.1
(section 3.5 of interop ref); Client and Service: Issued SAML 1.1 Token for
Certificate WSS1.1 (section 4.3 of interop ref)):
http://www.oasis-open.org/committees/download.php/20954/ws-sx-interop-ed-10.doc

2.4.1 (WSS 1.0) Sec Conv bootstrap by Mut Auth w X.509 Certs (p 114)
This scenario was prepared for the examples document by Martin Raepple of SAP.
There was some off-list discussion in the sub-group that worked on the examples,
in which Martin expressed that he felt there would be value in adding an example
demonstrating Security Context Token, and this is that example. If we decide we
need a direct source for this example, we can try to contact Martin; however, I
am taking it on face value that his taking the trouble to add this example
unsolicited is sufficient motivation for us to include it in the ws-sx examples
Interop.
-------- Original Message --------
Rich.Levinson wrote:
Hello all interested prospective Interop participants,
The agenda for the meeting will be the following:
0. (5 min) Attendance - identify interested parties
1. (5 min) Brief overview of scenarios.
2. (10 min) Review of scenario selection - basically are there any changes to
   the proposed list that people would request?
3. (10 min) Review of planned dates and any earlier milestones that need to be
   met. For example, is the document in adequate shape to be used as is for
   preparation, or is additional information needed?
4. (5 min) Plan for next steps: schedule next call.
-------- Original Message --------
Subject: [ws-sx] ws-sx Examples Document Interop - Kick-Off Meeting
Date: Fri, 22 Aug 2008 18:15:25 -0400
From: Rich.Levinson <rich.levinson@oracle.com>
To: ws-sx@lists.oasis-open.org <ws-sx@lists.oasis-open.org>
References: <48AB76C1.6080209@oracle.com>
To all interested prospective Interop participants:
The dates for the planned Virtual Interop have been changed based on initial
feedback (more time to prepare and more time to execute) and are now planned to
be:
Oct 27, 2008 -> Nov 14, 2008
As described at last week's TC meeting:
http://lists.oasis-open.org/archives/ws-sx/200808/msg00016.html
there will be a kick-off meeting conference call held, which now has a specific
date, time, and dial-in conf:
Wed Aug 27 at 10 AM (EDT) (7 AM (PDT))
(note: usual TC mtg time but on the in-between week; also note: different
dial-in instructions:)
Dial-in: 888-967-2253, Meeting code: 902688#, Pass code: 123456#
Agenda:
1. Description of planned Interop (see email below, copied from earlier email
   with dates changed)
2. Discussion of dates chosen (3 wks: Oct 27 - Nov 14)
3. Discussion of scenarios selected (suggestions welcome if the current
   selection is thought to be able to be improved)
4. Next Steps.
Thanks,
Rich
Rich.Levinson wrote:
To: WS-SX TC members:
Based on the action item from the 7/23 ws-sx minutes:
http://lists.oasis-open.org/archives/ws-sx/200807/msg00035.html
We are planning (proposing) to have a virtual interop during the weeks of
Oct 27 - Nov 14 for the ws-sx examples document:
http://www.oasis-open.org/committees/document.php?document_id=28909&wg_abbrev=ws-sx
Below is a tidied up copy of the full table of contents. From that list the
following have been selected as the initial candidates for this Interop. These
are subject to revision at the agreement of the participating parties. It is
expected that if this first Interop goes well then there will be subsequent
Interops to test additional scenarios. (Possibly this effort can lead to an
eventual participation in a generally available Interop test network with a
focus on security.)
The intent is to pick scenarios that vendors support and are interested in
promoting for customer use. We will also consider adding new scenarios not
included in the doc if there is significant interest in that. Similarly, the
existing examples can be molded to meet current practice if discrepancies are
found.
The "flavor" of these scenarios is primarily straight WS-Security with WS-SP
policies applied. However, there is one scenario that includes WS-Trust (2.3.2.5,
the ws-sx interop scenario) and one with WS-SecureConversation (2.4.1).
Selected scenarios (page numbers refer to the examples document):
2.1.1.3 UsernameToken with timestamp, nonce and password hash (p 15)
2.1.3.1 (WSS 1.0) Encrypted UsernameToken with X.509v3 (p 23)
2.1.4   (WSS 1.1), User Name with Certificates, Sign, Encrypt (p 27)
2.2.2.1 (WSS1.0) Mutual Auth, X.509 Certs, Symmetric Encrypt (p 38)
2.2.4   (WSS1.1) Mutual Auth with X.509 Cert, Sign, Encrypt (p 46)
2.3.2.4 (WSS1.1) SAML1.1/2.0 SV w X.509 Cert, Sign, Encr (p 83)
2.3.2.5 (WSS1.1) SAML1.1/2.0 HK, Sign, Encrypt *(Needs STS)* (p 89)
2.4.1   (WSS 1.0) Sec Conv bootstrap by Mut Auth w X.509 Certs (p 114)
The selections were loosely based on the level of interest shown during the TC
by various contributors. They also represent a good cross-section of the
capabilities and include some of the more difficult examples. As indicated
above, it is intended that the participants agree on the scenarios selected, so
the initial task will be to agree on the objectives. If at least 2 participants
are willing to do an example then it should be included.
Please send an email to me directly to indicate interest and copy anyone else in
the TC (or the whole TC) if you want others to know of your initial interest
(i.e. willing to listen to tentative conditional interest levels as well, since
the initial purpose of this email is to gauge the interest to try to establish
critical mass - date will be flexible if there is interest in a "better" date).
Suggestions are welcome.
Thanks,
Rich
Table of contents of the examples document (page numbers are those of that doc):
Section  Title                                                            Page
2        Scenarios                                                          13
2.1      UsernameToken                                                      13
2.1.1    UsernameToken -- no security binding                               13
2.1.1.1  UsernameToken with plain text password                             13
2.1.1.2  UsernameToken without password                                     14
2.1.1.3  UsernameToken with timestamp, nonce and password hash              15
2.1.2    Use of SSL Transport Binding                                       16
2.1.2.1  UsernameToken as supporting token                                  17
2.1.3    (WSS 1.0) UsernameTok w Mut X.509v3 Auth, Sign, Encrypt            19
2.1.3.1  (WSS 1.0) Encrypted UsernameToken with X.509v3                     23
2.1.4    (WSS 1.1), User Name with Certificates, Sign, Encrypt              27
2.2      X.509 Token Authentication Scenario Assertions                     31
2.2.1    (WSS1.0) X.509 Certificates, Sign, Encrypt                         31
2.2.2    (WSS1.0) Mutual Auth with X.509 Certs, Sign, Encrypt               34
2.2.2.1  (WSS1.0) Mutual Auth, X.509 Certs, Symmetric Encrypt               38
2.2.3    (WSS1.1) Anonymous with X.509 Cert, Sign, Encrypt                  42
2.2.4    (WSS1.1) Mutual Auth with X.509 Cert, Sign, Encrypt                46
2.3      SAML Token Authentication Scenario Assertions                      52
2.3.1    WSS 1.0 SAML Token Scenarios                                       54
2.3.1.1  (WSS1.0) SAML1.1 Assertion (Bearer)                                54
2.3.1.2  (WSS1.0) SAML1.1 Assertion (Sender Vouches (SV)) on SSL            56
2.3.1.3  (WSS1.0) SAML1.1 Assertion (Holder of key (HK)) on SSL             59
2.3.1.4  (WSS1.0) SAML1.1 (SV) w X.509 Cert, Sign, Option Encr              60
2.3.1.5  (WSS1.0) SAML1.1 Holder of Key, Sign, Optional Encrypt             66
2.3.2    WSS 1.1 SAML Token Scenarios                                       72
2.3.2.1  (WSS1.1) SAML 2.0 Bearer                                           72
2.3.2.2  (WSS1.1) SAML2.0 Sender Vouches over SSL                           76
2.3.2.3  (WSS1.1) SAML2.0 HoK over SSL                                      78
2.3.2.4  (WSS1.1) SAML1.1/2.0 SV w X.509 Cert, Sign, Encr                   83
2.3.2.5  (WSS1.1) SAML1.1/2.0 HK, Sign, Encrypt                             89
2.4      Secure Conversation Scenarios                                     114
2.4.1    (WSS 1.0) Sec Conv bootstrap by Mut Auth w X.509 Certs            114