Subject: [wss] 11 Feb 03 minutes


Enclosed are the minutes from today's teleconference on 11 Feb 03, but not
including the roll call.

Summary of actions and issue resolutions at end.

regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones


WSS TC Call, Feb 11th 2003 Minutes

Meeting Announcement:

We'd like to focus this meeting on closing interoperability issues

Agenda 

1. Call to order, roll call 
2. Reading of minutes of last meeting (Jan 28th) 
3. Discuss (and close) interop issues
4. Discuss updated profile documents / report from editors
5. Initial discussion of when/where next F2F will be 
6. Discuss remaining issues
7. Other business 
-------------------------------------------------------------------------
1) Roll Call

41 voting members present, have substantial quorum.
-------------------------------------------------------------------------
2) Approval of minutes from last meeting
http://lists.oasis-open.org/archives/wss/200301/msg00073.html

Minutes from last meeting approved
-------------------------------------------------------------------------
3) Discuss and close interop issues. 

New issues list posted 10 Feb:
http://www.oasis-open.org/committees/wss/documents/wss-issues-10.htm

John Shewchuk walked group through issues list, posted last night.

#19 pending - Phil Griffin 
draft delivered to Tony Nadalin in Dec posted in Jan, so should be closed.
Subsequent user name issues later.

Ron Monzillo - not against core draft anymore. 
John Shewchuk - if issues will raise against new draft
Ron Monzillo - perhaps form group around profiling activities.
one of the alternatives
John Shewchuk - recommend close this one, raise issues 
Jean Thurston how to do interop on just core draft, don't we need a profile
Chris Kaler - we can use what we have with profiles right now
How to move forward
Chris Kaler - on mailing list, or on list
Kelvin Lawrence- having scenarios will help us know what needs to be closed
Jean specif authors, 
Chris Kaler - as needed 
Jean - sent comments, don't know who 
Ron Monzillo - have offered to help, but mostly tony & phil
Hal Lockhart - interop should be based on specification we accept as committee
spec, frozen in time, acceptance by TC - company statement
Phil Hallam-Baker - interop is to see if problems in spec
Hal - don't expect it to be final committee spec
Phil Hallam-Baker - don't want to start formal process for committee spec
before interop - find so much in interop
Hal Lockhart - only asking for vote
Kelvin Lawrence - this is what we are thinking - voting on which one we should use

Kelvin Lawrence- will probably want to have multiple interops
Ron Monzillo - username, password likely one of the profiles included in interop
Need a vote? If true, then we need to review draft in more detail

Chris Kaler - go through issues, finish core then address username profile
Ron Monzillo - ok

John Shewchuk - #19 resolution, is closed? Any objections?
Phil Griffin - agrees
Request for issues list maintainer to disambiguate Phils
AGREED - #19 closed.

Kelvin Lawrence #10, #11 have actions on chair, should remain Pending.
John Shewchuk Mark pending post-interop
Chris Kaler:
11 post-interop
10 interop - postponed until through core spec

----

#28 SAML binding

Ron Monzillo - need to support case where signing SAML security token. Need to understand
how to reference SAML token from signature. Hard to reference, not extensible.
Need to define transform. Ron, Tony, Chris will work on this transform useful
for any security token.

Chris Kaler - Separate issue. Thought this was edits, needed to review edits.
Jerry Schwarz - transform was my issue - haven't seen any email about it
Chris Kaler- not closed, have action to write up for review
Jerry Schwarz - says resolved, #63
Chris will talk about #63 when we get there.

Ron Monzillo - we need to make the transform as part of another issue
Chris Kaler - want to link this with other issue

AGREED #28 and #63 linked together, stays pending

Frederick Hirsch - Ron have you released new version including my comments
Ron Monzillo - not yet, in progress

---
#46 
postponed pending scenarios

---
#59 Editorial comments on XrML - Thomas to review changes by Phil Hallam-Baker
Chris Kaler - Thomas not on call
Kelvin Still a voting member

Action: Lao - will speak with Thomas

Ron Monzillo - thought remaining issue was proof of possession

Chris Kaler - at our next call if we haven't heard from Thomas we should close 
this
Lao - most of concern is proof of possession as Ron Monzillo said
Ron Monzillo should make editorial changes so we don't rely on term proof of 
possession
John Shewchuk - Guillermo can you make sure you know status
Lao - will ask Thomas to send note on status of issues

61
Pending 
Frederick Hirsch - check with tony, make sure in document, reviewed. (Note below
that change confirmed with Tony, to be in next draft)

63 - should be pending

Ron Monzillo - explanation of solution to reference problem
Jerry - wrapper will have id needed
John Shewchuk - optional?
Jerry - yes
Chris Kaler - what happened at last meeting - did not want to do wrapper, wanted to
do transform instead, hence why this was closed, but needed to add action
item for transform
Jerry - how does this work
Chris Kaler - idea of transform - simple, constrained transform, allowing use of security
token reference in it, allowing it to be signed. Preferable, token not in
different places in different locations, simpler
Jerry - You would need to duplicate token
Ron - No it would be a reference. Transform binds it to specific token.
Jerry - assuming every security token will have a means to reference it
Ron Monzillo - Transform allows a digital signature reference form to reference security token

Ron Monzillo Transform has to be rich enough to support different token profiles.
Jerry - wrapper doesn't need to be extended
Chris - we've already established that we want to extend security token reference
for each profile type. Both XrML and SAML bindings define mechanism for pointing
at it. Now have common transform to use security token reference, use same
mechanisms

Jerry what about role
Ron Monzillo usage
Chris Kaler - this is an open issue, #3 usage by role, 
Ron Monzillo need to create table of values
Chris Kaler - need to add to security token reference

Jerry need way to indicate purpose for usernames - why each is there.
Chris Kaler - just placing in security header not enough - might need to reference, 
role a function of usage of token
Jerry - raw reference, containing usage
Ron Monzillo - example of that in SAML profile

Jerry wrapper would be more direct and straightforward
Chris Kaler - goal to avoid containers and extra parsing

Ron Monzillo wrap tokens since binary - need way to associate, do we want to wrap
them twice?
Jerry Schwarz - referencing wrapper semantically to referencing wrapped token
Ron Monzillo - need place for usage stuff, if wrapped, then would need to use signature mechanism to
add usage, other way is simpler, with a uniform token.

Every token could have enough detail to allow referenced in every possible way.

Kelvin - how are we to resolve this issue
John Shewchuk - Ron Monzillo made good point - we cannot identify all the ways people might want
to have info that might be referenced. Problematic to create single way, hence
advantage of transform. Jerry, do you think transform method inadequate
Jerry Schwarz - I don't understand it
John Shewchuk - I propose we walk through it with you, rather than debate on call
Write down document, with example.
Ron Monzillo can help with writing
Chris - 
ACTION Need new issue #66 to open transform. Close 28 and 63. Tony, Ron and Chris.

Ron Monzillo could have both transform and wrapper.

Chris security related information - allows different references
Jerry Schwarz how do I know if top level token is for security
John Shewchuk - namespaces, determine semantics
Chris Reference invokes token, pulls into context
Jerry Schwarz - top level element that is just a reference?
Chris - had this a while ago, 
Ron Monzillo - example in SAML bindings
Jerry Schwarz - I haven't read the SAML bindings.

----
Hal Usage label values - posted something on that in Dec, but there was no
issue, should there be?

ACTION Add item 67 - Resolve usage labels, mark post-interop draft.
-----
64 - Post interop
----

John Shewchuk - done with issues list - first time ever

Issue 61 - Tony has put wording in draft, but hasn't sent it out yet. Should
be going out.

Chris - only two issues pending on core doc. #61, clarification, #66 is
transform.  Start with interop on username token or binary token, then 
transform does not block progress

Ron Monzillo - doesn't block, but might require structural change. 
Jerry concern where usage information gets bound might change usage of tokens.

Prateek - issue with username password - never store plain passwords, store
hash. Profile is written requiring availability of plaintext password
Chris - not sure it is true - password equivalent could be hash
Phil Hallam-Baker - unless public key crypto no way to both store password 1 way encrypted in
directory and 1 way encrypted over wire. 1 way encrypt password - residue is as
good as the password.
Prateek - in practice, all we get is hash, doesn't work with this
John Shewchuk - Kerberos works as Phil described, can be duplicated with the way the profile is written
As written can send hash.
Prateek - send messages to list, way it is written requires plaintext password
at server
Hal - Kerberos defines how hash is done, might need salt value in this case for
example
John Shewchuk - believe can carry salt as written, need to check this. Could have a problem

ACTION - Examine plaintext password issue, and Prateek message.

Hal also potential interoperability issue regarding hashing algorithms

ACTION Issue 68 - review username password hash encryption mechanisms

Phil Hallam-Baker - could decide not to resolve this, SAML authentication 
mechanisms have addressed this, only need to defined binding

John Shewchuk - need to address issue of whether we carry correct issue

Ron Monzillo Phil do you mean subject confirmation

Phil Hallam-Baker need authentication server involved, public key exchange, 
secured  encrypted link - lots of work patented by Jablon, encrypted key exchange

Prateek - orthogonal to issue of real deployments that just have a hash. Do not
want to have to change deployment models.

John Shewchuk - agree, write down not require plain text password at server

ACTION - John to capture prateeks issue, prateek to send issue 
by next meeting.

Chris - would like new draft out by monday of next week, to allow full week
review, allowing vote at next call

Ron Monzillo - editors meeting would help
Chris will arrange editors meeting call later this week

Kelvin - Chris, we can produce a checklist allowing interop to get done.
ACTION - chairs to get this checklist out

Paul: Lead time for vote on committee draft? Plan needs to make this clear.

Jerry Schwarz - Can you also please explain formal semantics
Paul - can look at Oasis process draft

Kelvin - will require several iterations - 
would like to avoid excessive committee spec voting

Hal - most steps when making an Oasis standard submission. 2/3 of total TC
no more than 1/4 voting to disapprove

Kelvin - Are you working on scenarios?
Chris - will send some material to list, and some is already on list.
----------------
Updated profile documents


Phil Hallam-Baker - XrML draft substantially revised, primarily comments from 
Thomas.
Changed names of X509 and Kerberos drafts, need comments before going further.

Chris need to make sure username has new name.

Ron Monzillo - are there implementations of the Kerberos and XrML profiles? 
It seems when there are implementations then there would be more comments. 
Are people implementing?

Hal Lockhart - two levels - understand spec, understand differently
---------------------
Discuss next F2F

Chris - possibly premature, since next F2F would require interoperability testing.
Kelvin - propose dates when we put checklist out
Hal Lockhart - two issues to address. 1) what sort of interop is this?
Publicly announced in press or not.
Chris - just a TC effort to get some implementations going, not a PR event
Hal Lockhart - must have rules to suppress information.
2) what is process for determining which scenarios for interop? how will it be driven.
Chris - #1 Cannot keep people from talking. on #2, discuss scenarios, or sequence of scenarios on list then talk about it at next week.
Hal Lockhart - looking for criteria for decision
Kelvin - choose simpler scenarios, establish core
Hal Lockhart - bread and butter
Kelvin - will iterate
Chris - want some success
Kelvin - not looking for announcements, want to make spec better
Jerry Schwarz - call it something other than interop - "meeting with code"
Kelvin - just call it F2F
Jerry Schwarz - if it appears on web page, it will become publicity. Just talk about F2F with code.
Kelvin - will do what we can. People can read minutes.
Chris - want to have code meeting that is successful

Chris could have ways to run code, then discuss outcome.

Jerry Schwarz - should be part of official tc meeting, otherwise issues about NDAs and
other issues.
Chris - other issue is quorum
Hal Lockhart - majority of people are not TC members if others writing code.
Chris - not all member companies will be ready with code either

Guillermo What is possibility of doing interop on web itself?
Hal Lockhart - good for initial testing
hard to put untested code on web
Kelvin - came to this conclusion at Baltimore
define cases to be tested, supply test messages, people can test code again.

Hal Lockhart - is it ok for who participated and who didn't to be public information
Chris - could not be F2F, not a meeting, then no minutes
Jerry Schwarz - F2F for testing, another F2F meeting. Quorum at any point, then you 
have quorum
Frederick - had problems with that in Baltimore
Hal Lockhart - not clear need for an official meeting for the code work
Structure event so that public information flow is appropriate.
Kelvin Flow is to test and then update specs with changes.

ACTIONs - Chris and Kelvin to put out proposal

------------------
Discuss remaining issues, other business.

No discussion.

-------------------
Kelvin - need to get scenarios out. People need to indicate what issues are
preventing code work.
Hal Lockhart - discussing when and where? Can we talk about where?
Kelvin - a few weeks after documents are closed, need to know how long it takes to get 
code together. Need interoperability test cases first
Hal Lockhart could be more controversial than spec itself
Ron Monzillo could talk about scenarios now?
Kelvin - some people were going to post scenarios

Ron Monzillo - username password and X509 first
Chris - reasonable as first steps
Martin Should include signature stuff, including timestamp element, can be anywhere
Chris element can be used anywhere - is a SOAP. Generic expiration markers etc, but
timestamp header is a SOAP header.
Hal Lockhart identify dimensions and decide fixed, or couple of points, then construct
tests (e.g. which tokens, which flows )

=== martin

Chris - propose mailing list discussion on scenarios, focus on document review
and completion of actions.
Ron Monzillo - with use cases we can focus on document review

where?
A number of people have volunteered to host. Last meeting was on 
East coast, so perhaps on middle or West Coast. If people have suggestions 
please mail to list.

Kelvin - shall we adjourn

Don - Have put out mail with format for use cases - could be a starting point
for consistency

Kelvin Lawrence - will repost

Guillermo - Use cases to WS-I, should repost to this list?

Kelvin Lawrence - issues of rules, copyright?
Chris Kaler - someone should talk with Eve, technically copyrighted by WS-I

Jerry Schwarz - just giving standards organization right to use, not transferring 
copyright.

Kelvin Lawrence - any other business
Hal Lockhart - Motion to adjourn
no objection

-----------------------------
Action Summary:
ACTION - John to capture Prateek's issue, prateek to send issue 
by next meeting.

ACTION - Chris and Kelvin to put out proposal regarding interop and/or F2F
ACTION - Ron to put out revision of SAML Token Profile
ACTION - chairs to get interop checklist out
ACTION - all - review new profiles.

Issue Agreement Summary: 

#19 closed.
#10, #11 have actions on chair, should remain Pending.
11 post-interop
10 interop - postponed until through core spec

#46 postponed pending scenarios

#59  Thomas to review changes by Phil Hallam-Baker, Guillermo will check with
Thomas to ensure Thomas posts message to list. Will close on next call if no
response.

#61 pending - Tony has made change, draft to be posted later for review.

#63 - pending

#64 - Post interop

New issue:  #66 - transform. Close 28 and 63. Tony, Ron and Chris.
(Subsequent to early decision to link 28 and 63 and keep pending)

New issue: 67 - Resolve usage labels, mark post-interop draft.

New Issue 68 - review username password hash encryption mechanisms
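The hashed-password exchange in these minutes (Prateek, Phil Hallam-Baker, Hal; issue 68) is the one point where a worked example helps. The Python below is an added illustration and is not code from the minutes, the WSS TC or any profile draft. It assumes, for the wire, a nonce-and-timestamp digest of the shape base64(SHA-1(nonce + created + secret)), SHA-256 over a salt as the directory's one-way residue, and a constructed user record; none of those choices are stated on the page. It shows the two cases argued on the call: a digest over the plaintext password cannot be checked by a server that holds only a hash, and digesting a password-equivalent instead lets that server verify but makes the stored residue as good as the password.

```python
"""Added illustration of the hashed-password question raised on the call.

Assumed constructions (not from the minutes):
  wire digest      = base64(SHA-1(nonce + created + secret))
  directory residue = SHA-256(salt + password)
The user record, salt and password are constructed sample data.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

SALT = b"constructed-salt"  # sample value; a real directory holds one per user


def wire_digest(nonce: bytes, created: str, secret: bytes) -> str:
    """Digest the client sends; `secret` is whatever the client digests over."""
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode() + secret).digest()
    ).decode()


def password_equivalent(password: str, salt: bytes = SALT) -> bytes:
    """One-way residue a directory may store instead of the password.
    A client can only reproduce it if it knows the salt (Hal's point)."""
    return hashlib.sha256(salt + password.encode()).digest()


def make_token(username: str, secret: bytes,
               nonce: Optional[bytes] = None,
               created: Optional[str] = None) -> dict:
    """Client side: username, fresh nonce, creation time and the digest."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username, "nonce": nonce, "created": created,
            "digest": wire_digest(nonce, created, secret)}


def verify(token: dict, server_secret: bytes) -> bool:
    """Server side: recompute the digest from the secret it actually holds."""
    expected = wire_digest(token["nonce"], token["created"], server_secret)
    return hmac.compare_digest(expected, token["digest"])


# Constructed sample user, stored two ways.
PASSWORD = "correct horse"
PLAINTEXT_STORE = {"alice": PASSWORD.encode()}            # Prateek's objection
HASH_ONLY_STORE = {"alice": password_equivalent(PASSWORD)}  # typical deployment


def scenario_plaintext_digest() -> tuple:
    """Client digests the plaintext password.
    Returns (verifies at plaintext server, verifies at hash-only server)."""
    tok = make_token("alice", PASSWORD.encode())
    return (verify(tok, PLAINTEXT_STORE["alice"]),
            verify(tok, HASH_ONLY_STORE["alice"]))


def scenario_password_equivalent() -> tuple:
    """Client digests the password-equivalent instead (Chris/Phil).
    Returns (legitimate token verifies, token forged from stolen residue verifies).
    The second True is Phil's point: the residue is as good as the password."""
    tok = make_token("alice", password_equivalent(PASSWORD))
    legit = verify(tok, HASH_ONLY_STORE["alice"])
    stolen_residue = HASH_ONLY_STORE["alice"]   # attacker never learns PASSWORD
    forged = make_token("alice", stolen_residue)
    return legit, verify(forged, HASH_ONLY_STORE["alice"])


if __name__ == "__main__":
    print("plaintext digest (plaintext server, hash-only server):",
          scenario_plaintext_digest())
    print("password-equivalent digest (legit, forged from residue):",
          scenario_password_equivalent())
```

Hal's salt remark shows up as the `salt` argument of `password_equivalent`: once the directory stores a salted residue, the client cannot compute the matching secret unless the salt is carried to it, so a profile that wants hash-only servers has to say where the salt travels. The nonce and created time are what keep a captured digest from being replayed; a server would also need to cache recent nonces and bound the timestamp window, which this illustration omits.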
