Subject: [wss] Oct 8th minutes corrected again (2nd time)
- From: Kelvin Lawrence <firstname.lastname@example.org>
- To: email@example.com
- Date: Thu, 17 Oct 2002 16:09:41 -0600
One further update to the minutes, Vipin Samar let me know he was also on the call.
It seems the majority of corrections
for each of our calls have been the attendance list. In future, to help
us get the roll call accurate the first time, as folks join the call, even
if late, please announce yourselves at a convenient moment. Please speak
up before the call ends or else we have no way to verify that people really
are or are not on the call. To date we have given people the benefit of
the doubt but I am considering making a proposal to adopt a stricter policy
here. I appreciate the cooperation of all members in this. We will also
try and implement a more rigorous roll call (air traffic control style)
where we (the chairs and/or secretary) positively acknowledge that we heard
you when you do respond to the roll call or announce yourselves. This will
avoid people who do speak up still getting missed which has happened a
few times as well I will agree. I appreciate everyone's best efforts to
help us get an accurate roll call and as this directly affects membership
status it is important we get this right. Updated minutes follow:
Web Services Security TC Meeting Minutes
October 8th, 2002
Minutes taken by Bob Morgan.
Agenda (as posted prior to the meeting)
1. Introductions & welcome
of the minutes of our previous meeting
report from the naming sub-committee
report from the Use Cases sub-committee
on the SJC charter
report from the editors
and status of actions and issues
The meeting began at 7:05am Pacific Time
Roll call was taken.
Martijn de Boer
Drake Certivo, Inc.
Argonne National Lab
Chair’s note: As a result of this meeting, several of the prospective
members, having now attended 3 meetings, became voting members. We will
update the records and publish new information to the list and the web
Objections to last minutes as sent out?
KL: those who attended who aren't on the list will be added with
this correction, minutes unanimously accepted
Report from naming subcommittee
Rob Philpott: results of discussion submitted to list several
recommendations made for doc names
"web services security:" prefix for all doc names
followed by more specific per-doc name
several options for current "core" doc
others to be labelled as "profiles" for Kerberos etc
Hal Lockhart: some comments, but no alternatives proposed
so seems we should proceed to vote?
concern that people think we're doing all of "WS security"
so, removing the ":" in the name would help ...
Chris K: OK
chairs will encourage review and comment, with vote on next concall
Report from use cases subcommittee?
Zahid A: no meetings held
KL: Phil Griffin had sent invitation to chairs to join OASIS SJC
Hal: SJC is clarifying charter, always intended that WSS should join
some confusion about which other committees should join
KL: so should be no more contention, chairs will follow up
Hal: chairs should join next SJC concall
Report from document editors
Tony Nadalin: just four comments
editors pulling out comments for inclusion in their docs
Ron Monzillo: agreed with Prateek's comments, not yet included
Jeff Hodges: will we have document repository?
KL: yes, website coord has been busy, but will do that
Review of documents
CK: a few comments on list
should this be interpreted as consent or inattention?
various: give a deadline
KL: useful deadline is to go to committee draft
CK: OK, please raise issues by one week from today
with intent to have vote on committee spec in two weeks
Hal: various process steps:
public review, attestation of "use" by three companies
need to define "use" since OASIS guidelines are minimal
RM: need to consider impact of existing issues
problem is that people don't read docs until they look "ready"
so how about longer deadlines
CK: part of schedule is scheduling F2F, November looking unlikely
various: is F2F during comment period a bad idea?
Review of issues
John Shewchuk: sent out revised issues list
issue #1: alternative methods of sig/enc, Zahid is owner
ZA: will produce proposal for alternative this week
Q: is this proposal for XML sig/enc or alternative?
ZA: no, not alternative, just how to use XML DS/E
Prateek: interesting use case was proposed by Monica
should consider extensibility even if no specific alternatives
are fully specified at this time
since our docs will likely not be perfect for all time
current doc says "MUST XML enc/sig, but MAY others", is
objection: should make alternative methods in XML the problem
of XML sig/enc committees, not ours
but question is about use of existing non-XML methods, eg S/MIME
JS: proposal: continue to say XML enc/sig MUST be implemented
specify how to add others as profiles if desired
RM: think of these mechanisms as "proofs"
considering high-level abstraction indicating what is being proved
eg, how is knowledge of time-stamp incorporated?
maybe need is to indicate "type" of signature
eg, digested username/password token is a kind of proof,
someone: all signature can ever do is demonstrate knowledge of key
does this permit anything to be a profile?
what about combination of profiles?
as long as parties agree, you can combine them ...
PHB: only likely extension would be use of the
many sign&encrypt protocols
PKCS7 would likely better be done with separate header
JerryS: does more extensibility imply need for negotiation?
CK: we already have several types, imply out-of-band agreements
JerryS: WS-I wants to
BM: how can we know whether extensibility will work without a
CK: Phil Griffin's proposal is first step in that direction
Paul Cotton: having extensibility doesn't change compliance
with core stuff, as long as core isn't redefined by it
conformant implementations must support XML sig/enc
and MAY support additional mechanisms
and editors are so directed
motion is seconded
Hal: does this imply that we might change spec to eliminate barriers
to such extensibility? eg in consideration of PG's proposal?
please check with Phil Griffin whether this addresses his issue
KL: yes, so notes
motion unanimously carried
issue #3: indicate token semantics
Hal: close to closure, but recent discussion is departure
will send summary/proposal to list within two days
also some important security considerations go along with this
issue #4: why is token not child of keyinfo?
PHB: have to do Kerberos as token
relates to issue #5 too
CK: so let's combine issues 4 and 5
and note that resolution of #3 must be consistent with that
issue #6: submission of roadmap
KL: modifications to footers made
BM: just a matter of putting it in committee repository?
KL: this requires substantial legal clearance
surely don't want to put every referenced doc in our repository?
JShewchuk: so, doc owners will obtain fixed URL
instruct use-case authors to consider whether or not they need this doc
issue #10: interop fest
postponed until closer to finished docs
issue #13: element ordering
has proposal been made? JerryS: not yet
may just be clarity issue
editors are instructed to clarify wording under consideration
issue #14: recipient should authenticate
this is specific to SAML profile? yes
RM: general statement is that recipient should validate claim
may need to be said in core doc
RM will propose modification to doc
issue #15: use of term "role" in spec
Prateek: need to reference that Role is defined in SOAP 1.2
and when using SOAP 1.1 this means "actor"
editors directed to make text along this line
issue #16: replay
Prateek: really about nature of example, will raise new issue
issue #17: question about lines 1139-1141 of core
clarification needed by editors about meaning of these lines
issue #18: 1224-1226 reference "send time" that is undefined
CK: intent is to calculate delay time, no attribute implied
no change to text needed
issue #19: special case of username/password
RM: useful to unify notion of proof
to achieve semantic model of proof and validation
related to proposal to indicate semantics in label
also covers issues 23 and 24
RM directed to participate with PHB, TN in resolution of
labelling and POP
issue #20: security token propagation
editors need to clarify intention regarding propagation
KL: early November is a problem due to chair availability. OASIS
conference is week of 12/8 in Baltimore, W3C AC meeting is week of 11/18,
religious holidays first week of December. Looking at 2-day meeting