
Subject: [wss] Oct 8th minutes corrected again (2nd time)

One further update to the minutes: Vipin Samar let me know he was also on the call.

It seems the majority of corrections for each of our calls have been to the attendance list. In future, to help us get the roll call accurate the first time, as folks join the call, even if late, please announce yourselves at a convenient moment. Please speak up before the call ends, or else we have no way to verify that people really are or are not on the call. To date we have given people the benefit of the doubt, but I am considering making a proposal to adopt a stricter policy here. I appreciate the cooperation of all members in this. We will also try to implement a more rigorous roll call (air traffic control style) where we (the chairs and/or secretary) positively acknowledge that we heard you when you do respond to the roll call or announce yourselves. This will avoid people who do speak up still getting missed, which, I will agree, has happened a few times as well. I appreciate everyone's best efforts to help us get an accurate roll call, and as this directly affects membership status it is important we get this right. Updated minutes follow:


Web Services Security TC Meeting Minutes
October 8th, 2002

Minutes taken by Bob Morgan.

Agenda (as posted prior to the meeting)

 1. Introductions & welcome
 2. Roll call
 3. Reading of the minutes of our previous meeting (9/24)
 4. Brief report from the naming sub-committee
 5. Brief report from the Use Cases sub-committee
 6. Update on the SJC charter
 7. Progress report from the editors
 8. Review of documents
 9. Review and status of actions and issues
10. Any other business

The meeting began at 7:05am Pacific Time

Roll call was taken.

Those present

Voting Members

First          Last                   Company
Don            Adams                  TIBCO
Zahid          Ahmed                  Commerce One
Steve          Anderson               OpenNetwork
Conor          Cahill                 AOL
Paul           Cotton                 Microsoft
Martijn        de Boer                SAP
Thomas         DeMartini              ContentGuard
Yassir         Elley                  Sun Microsystems
Jeremy         Epstein                webMethods
Don            Flinn                  Quadrasis
Peter          Furniss                Choreology
Eric           Gravengaard            Reactivity
Sam            Greenblatt             Computer Associates
Phillip        Hallam-Baker           Verisign
Geff           Hanoian                Overxeer
Jeff           Hodges                 Sun Microsystems
Merlin         Hughes                 Baltimore Technologies
Chris          Kaler                  Microsoft
Charles        Knouse                 Oblix
Yutaka         Kudo                   Hitachi
Kelvin         Lawrence               IBM
Hal            Lockhart               Entegrity Solutions
Monica         Martin                 Drake Certivo, Inc.
Ronald         Monzillo               Sun Microsystems
Bob            Morgan                 (individual)
Tim            Moses                  Entrust
Joel           Munter                 Intel
Anthony        Nadalin                IBM
Nataraj        Nagaratnam             IBM
Toshihiro      Nishimura              Fujitsu
Rob            Philpott               RSA Security
William        Pope                   Choreology
Rajesh         Raman                  BEA Systems
Irving         Reid                   Baltimore Technologies
Peter          Rostin                 RSA Security
Vipin          Samar                  Oracle
Krishna        Sankar                 Cisco
Jerry          Schwarz                Oracle
Shawn          Sharp                  Cyclone Commerce
John           Shewchuk               Microsoft
Frank          Siebenlist             Argonne National Lab
Andre          Srinivasan             E2open
Gene           Thurston               AmberPoint
Steve          Trythall               Sonic Software
Sirish         Vepa                   Sybase
Ganesh         Vaideeswaran           Documentum
Rob            Weltman                Netscape/AOL
Pete           Wenzel                 SeeBeyond

Prospective Members

Maryann        Hondo                  IBM
Prateek        Mishra                 Netegrity
Jason          Rouault                HP
William        Cox                    BEA
Anne           Manes                  (individual)
Ron            Moritz                 Computer Associates
Toufic         Boubez                 Level-7
Guillermo      Lao                    ContentGuard
John           Weiland                Navy
Tim            Hall                   Talking Blocks

Chair’s note: As a result of this meeting, several of the prospective members, having now attended 3 meetings, became voting members. We will update the records and publish new information to the list and the web page.

Objections to last minutes as sent out?

KL:  those who attended who aren't on the list will be added with this correction; minutes unanimously accepted

Report from naming subcommittee

Rob Philpott:  results of discussion submitted to list; several recommendations made for doc names

 "web services security:" prefix for all doc names

   followed by more specific per-doc name

 several options for current "core" doc

 others to be labelled as "profiles" for Kerberos etc

Hal Lockhart:  some comments, but no alternatives proposed

 so seems we should proceed to vote?

Jerry Schwarz:

 concern that people think we're doing all of "WS security"

 so, removing the ":" in the name would help ...

Chris K:  OK

 chairs will encourage review and comment, with vote on next concall

Report from use cases subcommittee?

Zahid A:  no meetings held

KL:  Phil Griffin had sent invitation to chairs to join OASIS SJC

Hal:  SJC is clarifying charter, always intended that WSS should join

 some confusion about which other committees should join

KL:  so should be no more contention, chairs will follow up

Hal:  chairs should join next SJC concall

Report from document editors

Tony Nadalin:  just four comments

 editors pulling out comments for inclusion in their docs

Ron Monzillo:  agreed with Prateek's comments, not yet included

Jeff Hodges:  will we have document repository?

KL:  yes, website coord has been busy, but will do that

Review of documents

CK:  a few comments on list

 should this be interpreted as consent or inattention?

various:  give a deadline

KL:  useful deadline is to go to committee draft

CK:  OK, please raise issues by one week from today

 with intent to have vote on committee spec in two weeks

Hal:  various process steps:

 public review, attestation of "use" by three companies

 need to define "use" since OASIS guidelines are minimal

RM:  need to consider impact of existing issues

Bill Cox:

 problem is that people don't read docs until they look "ready"

 so how about longer deadlines

CK:  part of schedule is scheduling F2F, November looking unlikely

various:  is F2F during comment period a bad idea?

Review of issues

John Shewchuk:  sent out revised issues list

issue #1:  alternative methods of sig/enc, Zahid is owner

ZA:  will produce proposal for alternative this week

Q:  is this proposal for XML sig/enc or alternative?

ZA:  no, not alternative, just how to use XML DS/E

Prateek:  interesting use case was proposed by Monica

 should consider extensibility even if no specific alternatives

   are fully specified at this time

 since our docs will likely not be perfect for all time

 current doc says "MUST XML enc/sig, but MAY others", is that OK?

 objection:  should make alternative methods in XML the problem

   of XML sig/enc committees, not ours

 but question is about use of existing non-XML methods, eg S/MIME

JS:  proposal:  continue to say XML enc/sig MUST be implemented

 specify how to add others as profiles if desired

RM:  think of these mechanisms as "proofs"

 considering high-level abstraction indicating what is being proved

 eg, how is knowledge of time-stamp incorporated?

 maybe need is to indicate "type" of signature

 eg, digested username/password token is a kind of proof,

someone:  all signature can ever do is demonstrate knowledge of key

 does this permit anything to be a profile?

 what about combination of profiles?

 as long as parties agree, you can combine them ...

PHB:  only likely extension would be use of the

 many sign&encrypt protocols

 PKCS7 would likely better be done with separate header

JerryS:  does more extensibility imply need for negotiation?

CK:  we already have several types, imply out-of-band agreements

JerryS:  WS-I wants to

BM:  how can we know whether extensibility will work without a

 concrete example?

CK:  Phil Griffin's proposal is first step in that direction

Paul Cotton:  having extensibility doesn't change compliance

 with core stuff, as long as core isn't redefined by it

 conformant implementations must support XML sig/enc

   and MAY support additional mechanisms

   and editors are so directed

 motion is seconded

Hal:  does this imply that we might change spec to eliminate barriers

 to such extensibility?  eg in consideration of PG's proposal?

 discussion:  yes

 please check with Phil Griffin whether this addresses his issue

 KL:  yes, so notes

motion unanimously carried

issue #3:  indicate token semantics

Hal:  close to closure, but recent discussion is departure

 will send summary/proposal to list within two days

 also some important security considerations go along with this

issue #4:  why is token not child of keyinfo?

PHB:  have to do Kerberos as token

 relates to issue #5 too

CK:  so let's combine issues 4 and 5

 and note that resolution of #3 must be consistent with that

issue #6:  submission of roadmap

KL:  modifications to footers made

BM:  just a matter of putting it in committee repository?

KL:  this requires substantial legal clearance

 surely don't want to put every referenced doc in our repository?

JShewchuk:  so, doc owners will obtain fixed URL

remains open

issue #9:

instruct use-case authors to consider whether or not they need this doc

remains open

issue #10:  interop fest

postponed until closer to finished docs

issue #13:  element ordering

has proposal been made?  JerryS:  not yet

 may just be clarity issue

editors are instructed to clarify wording under consideration

remains open

issue #14:  recipient should authenticate

this is specific to SAML profile?  yes

RM:  general statement is that recipient should validate claim

 may need to be said in core doc

RM will propose modification to doc

remains open

issue #15:  use of term "role" in spec

Prateek:  need to reference that Role is defined in SOAP 1.2

 and when using SOAP 1.1 this means "actor"

editors directed to make text along this line

remains open

issue #16:  replay

Prateek:  really about nature of example, will raise new issue

issue #17:  question about lines 1139-1141 of core

clarification needed by editors about meaning of these lines

remains open

issue #18:  1224-1226 reference "send time" that is undefined

CK:  intent is to calculate delay time, no attribute implied

no change to text needed

issue #19:  special case of username/password

RM:  useful to unify notion of proof

 to achieve semantic model of proof and validation

 related to proposal to indicate semantics in label

 also covers issues 23 and 24

RM directed to participate with PHB, TN in resolution of

 labelling and POP

remains open

issue #20:  security token propagation

editors need to clarify intention regarding propagation

remains open

F2F discussion

KL:  early November is a problem due to chair availability. OASIS conference is week of 12/8 in Baltimore, W3C AC meeting is week of 11/18, religious holidays first week of December. Looking at 2-day meeting
