Subject: [wss] Minutes for WSS TC meeting on October 8th
- From: Kelvin Lawrence <klawrenc@us.ibm.com>
- To: wss@lists.oasis-open.org
- Date: Wed, 16 Oct 2002 14:47:52 -0500
Here are the minutes from our most recent call. As always, please review and post corrections to the list so we can approve (quickly) at our next call.

Thanks
Kelvin & Chris
Web Services Security TC Meeting Minutes
October 8th, 2002
Minutes taken by Bob Morgan.
Agenda (as posted prior to the meeting)
1. Introductions & welcome
2. Roll call
3. Reading of the minutes of our previous meeting (9/24)
4. Brief report from the naming sub-committee
5. Brief report from the Use Cases sub-committee
6. Update on the SJC charter
7. Progress report from the editors
8. Review of documents
9. Review and status of actions and issues
10. Any other business
11. Adjournment
The meeting began at 7:05am Pacific Time
Roll call was taken.
Those present (name, company)

Voting Members
Don Adams, TIBCO
Zahid Ahmed, Commerce One
Steve Anderson, OpenNetwork
Conor Cahill, AOL
Paul Cotton, Microsoft
Martijn de Boer, SAP
Thomas DeMartini, ContentGuard
Yassir Elley, Sun Microsystems
Jeremy Epstein, webMethods
Don Flinn, Quadrasis
Peter Furniss, Choreology
Eric Gravengaard, Reactivity
Sam Greenblatt, Computer Associates
Phillip Hallam-Baker, Verisign
Geff Hanoian, Overxeer
Jeff Hodges, Sun Microsystems
Merlin Hughes, Baltimore Technologies
Chris Kaler, Microsoft
Charles Knouse, Oblix
Yutaka Kudo, Hitachi
Kelvin Lawrence, IBM
Hal Lockhart, Entegrity Solutions
Monica Martin, Drake Certivo, Inc.
Ronald Monzillo, Sun Microsystems
Bob Morgan, (individual)
Tim Moses, Entrust
Joel Munter, Intel
Anthony Nadalin, IBM
Nataraj Nagaratnam, IBM
Toshihiro Nishimura, Fujitsu
Rob Philpott, RSA Security
William Pope, Choreology
Irving Reid, Baltimore Technologies
Peter Rostin, RSA Security
Krishna Sankar, Cisco
Jerry Schwarz, Oracle
Shawn Sharp, Cyclone Commerce
John Shewchuk, Microsoft
Frank Siebenlist, Argonne National Lab
Andre Srinivasan, E2open
Gene Thurston, AmberPoint
Steve Trythall, Sonic Software
Sirish Vepa, Sybase
Ganesh Vaideeswaran, Documentum
Rob Weltman, Netscape/AOL
Pete Wenzel, SeeBeyond

Prospective Members
Maryann Hondo, IBM
Prateek Mishra, Netegrity
Jason Rouault, HP
William Cox, BEA
Anne Manes, (individual)
Ron Moritz, Computer Associates
Toufic Boubez, Level-7
Guillermo Lao, ContentGuard
John Weiland, Navy

Observers
Tim Hall, Talking Blocks
Chair's note: As a result of this meeting, several of the prospective members, having now attended 3 meetings, became voting members. We will update the records and publish new information to the list and the web page.
Objections to last minutes as sent out?
KL: those who attended who aren't on the list will be added; with this correction, minutes unanimously accepted.
Report from naming subcommittee
Rob Philpott: results of discussion submitted to list; several recommendations made for doc names:
  "web services security:" prefix for all doc names, followed by more specific per-doc name
  several options for current "core" doc
  others to be labelled as "profiles" for Kerberos etc.
Hal Lockhart: some comments, but no alternatives proposed, so seems we should proceed to vote?
Jerry Schwarz: concern that people think we're doing all of "WS security", so removing the ":" in the name would help ...
Chris K: OK, chairs will encourage review and comment, with vote on next concall.
Report from use cases subcommittee?
Zahid A: no meetings held
KL: Phil Griffin had sent invitation to chairs to join OASIS SJC
Hal: SJC is clarifying charter, always intended that WSS should join; some confusion about which other committees should join
KL: so should be no more contention, chairs will follow up
Hal: chairs should join next SJC concall
Report from document editors
Tony Nadalin: just four comments; editors pulling out comments for inclusion in their docs
Ron Monzillo: agreed with Prateek's comments, not yet included
Jeff Hodges: will we have document repository?
KL: yes, website coord has been busy, but will do that
Review of documents
CK: a few comments on list; should this be interpreted as consent or inattention?
various: give a deadline
KL: useful deadline is to go to committee draft
CK: OK, please raise issues by one week from today, with intent to have vote on committee spec in two weeks
Hal: various process steps: public review, attestation of "use" by three companies; need to define "use" since OASIS guidelines are minimal
RM: need to consider impact of existing issues
Bill Cox: problem is that people don't read docs until they look "ready", so how about longer deadlines
CK: part of schedule is scheduling F2F, November looking unlikely
various: is F2F during comment period a bad idea?
Review of issues
John Shewchuk: sent out revised issues list

issue #1: alternative methods of sig/enc, Zahid is owner
ZA: will produce proposal for alternative this week
Q: is this proposal for XML sig/enc or alternative?
ZA: no, not alternative, just how to use XML DS/E
Prateek: interesting use case was proposed by Monica
discussion:
  should consider extensibility even if no specific alternatives are fully specified at this time, since our docs will likely not be perfect for all time
  current doc says "MUST XML enc/sig, but MAY others", is that OK?
  objection: should make alternative methods in XML the problem of XML sig/enc committees, not ours
  but question is about use of existing non-XML methods, eg S/MIME
JS: proposal: continue to say XML enc/sig MUST be implemented; specify how to add others as profiles if desired
RM: think of these mechanisms as "proofs"; considering high-level abstraction indicating what is being proved, eg, how is knowledge of time-stamp incorporated? maybe need is to indicate "type" of signature, eg, digested username/password token is a kind of proof
someone: all signature can ever do is demonstrate knowledge of key
discussion:
  does this permit anything to be a profile?
  what about combination of profiles?
  as long as parties agree, you can combine them ...
PHB: only likely extension would be use of the many sign&encrypt protocols; PKCS7 would likely better be done with separate header
JerryS: does more extensibility imply need for negotiation?
CK: we already have several types, imply out-of-band agreements
JerryS: WS-I wants to
BM: how can we know whether extensibility will work without a concrete example?
CK: Phil Griffin's proposal is first step in that direction
Paul Cotton: having extensibility doesn't change compliance with core stuff, as long as core isn't redefined by it
MOTION: conformant implementations must support XML sig/enc and MAY support additional mechanisms, and editors are so directed
motion is seconded
Hal: does this imply that we might change spec to eliminate barriers to such extensibility? eg in consideration of PG's proposal?
discussion: yes
comment: please check with Phil Griffin whether this addresses his issue
KL: yes, so notes
motion unanimously carried
issue #3: indicate token semantics
Hal: close to closure, but recent discussion is departure; will send summary/proposal to list within two days; also some important security considerations go along with this

issue #4: why is token not child of keyinfo?
PHB: have to do Kerberos as token; relates to issue #5 too
CK: so let's combine issues 4 and 5, and note that resolution of #3 must be consistent with that
issue #6: submission of roadmap
KL: modifications to footers made
BM: just a matter of putting it in committee repository?
KL: this requires substantial legal clearance; surely don't want to put every referenced doc in our repository?
JShewchuk: so, doc owners will obtain fixed URL
remains open

issue #9: instruct use-case authors to consider whether or not they need this doc
remains open

issue #10: interop fest
postponed until closer to finished docs
issue #13: element ordering
has proposal been made? JerryS: not yet; may just be clarity issue
editors are instructed to clarify wording under consideration
remains open

issue #14: recipient should authenticate
this is specific to SAML profile? yes
RM: general statement is that recipient should validate claim; may need to be said in core doc
RM will propose modification to doc
remains open

issue #15: use of term "role" in spec
Prateek: need to reference that Role is defined in SOAP 1.2, and when using SOAP 1.1 this means "actor"
editors directed to make text along this line
remains open

issue #16: replay
Prateek: really about nature of example, will raise new issue
closed

issue #17: question about lines 1139-1141 of core
clarification needed by editors about meaning of these lines
remains open

issue #18: 1224-1226 reference "send time" that is undefined
CK: intent is to calculate delay time, no attribute implied
no change to text needed
closed

issue #19: special case of username/password
RM: useful to unify notion of proof, to achieve semantic model of proof and validation; related to proposal to indicate semantics in label; also covers issues 23 and 24
RM directed to participate with PHB, TN in resolution of labelling and POP
remains open

issue #20: security token propagation
editors need to clarify intention regarding propagation
remains open
F2F discussion
KL: early November is a problem due to chair availability. OASIS conference is week of 12/8 in Baltimore, W3C AC meeting is week of 11/18, religious holidays first week of December. Looking at 2-day meeting.