Subject: Minutes from July 13 Meeting without attendance information

Here are the minutes. I will update them when I get the attendance information from the meeting.

1. Call to order, roll call

Kelvin Lawrence and Chris Kaler chaired the session.
Paula Austel appointed secretary.
Quorum achieved
Meeting started at 10:12am

2. Reading/approving minutes of last meeting (June 29th)[1]


3. Errata status and review

Errata documents are posted but no acknowledgement has been sent to Tony. Tony addressed comments from Frederick. Highlighting text did not work out well. Did not add pdf to existing set of documents. General comments applied to all errata. Use fragments for URI and make clear the full URI in the clarification section.
Chris asking if we are at last call for the errata.
Ron - we should close all the issues first.
Tony - some of the open issues are not errata but post errata.
Move this discussion until after the issue list to see which issues are resolved.

4. Status of other profiles (SAML, XrML, Kerberos, SwA)

Ron - posted updates. There were some comments on errors in examples. Reset change bars to reflect changes since draft 12. Issue 290, encoding type - put an approach on the list, Mike McIntosh responded.
Ron - there are some comments on REL profile but they have not been incorporated into the profile.
No updates to REL or Kerberos
Frederick - comments on list
- Need to discuss what to do with attachments that are XML. Treat them as XML or text? Should the attachment be treated as a whole?
- MIME part canonicalization.
- Blake posted proposal for interop document

5. Issue list review

Issue 256 - Paula - clarification added to errata. Mark this issue closed.
Issue 259 - closed
Issues 260, 264 - closed
287 - closed (Rich Levinson)
290 - larger discussion needed (see discussion later in minutes)
293 - Ron wrote a proposal 3 weeks ago. Don't need to specify the version of the certificate. Proposal can be found at this link: http://lists.oasis-open.org/archives/wss/200406/msg00068.html.
Need to fold clarification into errata
ACTION: Mark this as pending, change issue list to state move this to errata
295B - mark as closed.
290 (296?) - Discussion on the list. Defaults should be consistent independent of the token type. Default values for attributes not codified in schema. KeyIdentifiers mostly for binary content. SAML not used for only binary. Need to use an encoding type to state that it is not encoded. Invent a URI for a non-encoded value.
Chris - Need to add a string or text identifier to core. Need to discuss adding this to core.
Encoding not buying us anything. Adding in the attribute is adding extra confusion.
Ron - make a schema change to specify the default.
Remove encoding type, specify a fixed encoding in the token profiles.
Rich Levinson - should not remove encoding type attribute. Add defaults?
Ron - leave attributes and remove the defaults. If no token profile can support multiple encodings, then you remove the attribute altogether.
Tony - profiles might have multiple encodings. Leave the attribute.
Ron - we don't have a use case for multiple encodings.
Chris - proposal - remove the default from core. Let profiles define their own defaults.
Chris - this will be better in next round of edits (change in behavior) and not part of errata.
Proposal to make change to next version of core to unblock SAML issue.
Problem with the SAML token profile with the way the core is currently written.
Ron - prefer to handle this in errata so SAML profile doesn't have to do something temporary to fix this issue.
Does the schema make reference to base64 as default? Is this a schema change?
How to check implementations to see if this change will affect them?
Rev the core with new SAML token profile.
Kelvin - check with OASIS; might have to put all specs together. How will this affect the URLs?
Chris - get clean changes of docs with errata folded in.
Kelvin - need to rev the version numbers.
Chris - fragment URIs don't work. Can include the full URIs in new rev of docs.
Ron - like to propose SAML token profile can work with core spec in a timely fashion. Best solution to rev the specs together unless it will delay the token profile.
Paul Cotton - what would be the time table for this new rev of specs?
Chris - REL, SAML, changes in core - does it impact interoperability testing? Kerberos - interop going soon. Perhaps in the fall.
Hal - keep Kerberos on a separate track. No further interop tests needed for others.
ACTION: Editors to make changes.

Pending items:
297 - Frederick - comments were correct and fix was added to draft, close this issue.
296 - closed - Ron added clarifications for this issue.
298 - X509 issuer/serial - raised in WS-I. Issuer/serial is a better mechanism to identify a key. Issuer/serial is prohibited in X509 token profile.
Mike - not prohibited in X509 token profile but limited in WS-I.
Issuer/Serial should be child of KeyIdentifier.
Hal - Proposed change to specs: X509 token profile shows issuer/serial used as direct reference. More logical to treat as keyidentifier. Issuer/Serial is not a URI.
Chris - We've kept structured data out of KeyIdentifier. (serial/issuer is XML). Currently using SAML assertion Id, needs to be a string or base64 encoding.
Mike - 4 different types of token references. Issuer/Serial does not fit into any of the categories (STR, Direct Reference, KeyIdentifier, Embedded)
Chris - not a good idea to make KeyIdentifier content type mixed.
Chris - need a volunteer to create a proposal for a new reference type?
ACTION: Hal will create a new proposal
299,300,301 - Closed. Comments from Frederick
302 - small errata to core spec - not addressed yet - leave open
ACTION: Tony to add to errata.
303 - Pending
ACTION: Editors to update (mainly editorial issue)
304 - Hal - suggest changing MAY to may. Is this normative?
Propose not changing anything. No strong feeling to change this. May provide some assistance to implementers.
305 - Tony - Hal and Tim responded to comments. Concern going user to user and using raw tickets. Not good to use raw tickets. More secure ways using authenticators.
Kerberos Authenticator protects the ticket. Multiple people cannot decode the ticket?
Ron - trying to add authenticator in addition to signatures?
Proposal - yes
Frank - want to exclude user to user all together?
Tony - yes
Chris - machine level tickets are common (shared identity for the host). If someone were to hijack the ticket off the wire they could feed it into Kerberos and obtain a valid handle. Authenticators could prevent this. No APIs to send in a raw ticket without authenticator.
There is some overlap with WSS and Kerberos - we are trying to work with legacy apps therefore we need to be compatible with Kerberos APIs. Authenticator may be redundant for our app but needed to secure Kerberos.
Hal - looking for clarification on when to use authenticator.
Chris - don't need to reinvent all the Kerberos infrastructure. Focus on protecting messages on the wire.
Frank - can Tony write up reviews of security issues?
Tony will check to see if it's something he can share with the group.
Chris - in user to user there are security issues.
Need a proposal on how to support user to user.
3 action items
1. User to User is app specific
2. tgt is app specific
3. service ticket to ap_req

Raj - cannot make a statement that tgt should always be carried in the body. Might be useful in the header.
Hal - should pass ticket plus authenticator (ap_req).
Ron - are we going to prohibit sending service tickets by themselves?
Chris - for standard Kerberos API then MUST is needed. For hybrid Kerberos profiles then SHOULD is needed.
Ron - we recommend that authenticators get sent.
Chris - Make this our proposal.
ACTION: Editors make edits for this. Mark issue pending.

306 - Frederick - MIME part canonicalization is the issue. Defined by MIME definition. A clarification is needed in the text. MIME header processing is well defined. Jerry sent out a note with some clarifications. http://lists.oasis-open.org/archives/wss/200407/msg00047.html
ACTION: Mark pending, editors to make changes to draft

307 - how to deal with attachment with XML. Can you sign portions of XML?
Why not treat as a whole attachment? Not being processed as XML.
Blake - XML standards being recast as SOAP, putting XML in attachment. Might not want to handle as opaque. Want to be explicit about how this XML is processed.
Frederick - can this be opaque to SOAP processing but not opaque to the application layer?
ACTION: Frederick - make editor pass to see if he can resolve this.

6. Interop planning status (Kerberos, SwA)

No update on Kerberos interop

SwA interop
Blake - sent out email outlining proposed tests. http://lists.oasis-open.org/archives/wss/200407/msg00027.html
Need to find out who is interested in interop tests. Should send out an email to ask who is interested (lost too many people on the call).
Jerry - might want to specify what MIME types you are going to use.
Frederick - choose one binary and one XML.

7. Other business

Committee draft of errata and SAML token profile.
Propose a vote on errata for next call (vote for committee draft).
Create a new schema with an A in the name. Put information about changed schema in errata.
Start an electronic vote after 7 days for SAML token profile. Start vote a week from today, will close the Monday before next call.

8. Adjournment

Adjourned at 11:55

Paula K. Austel
Web Services Security
IBM T.J. Watson Research Center
Tieline 863-5025

