| [Thread Prev]
| [Thread Next]
| [Date Next]
| [Thread Index]
| [List Home]
Subject: Minutes from July 13 Meeting Version 3
- From: Paula K Austel <firstname.lastname@example.org>
- To: email@example.com
- Date: Mon, 26 Jul 2004 13:32:26 -0400
Corrections/additions were sent to me by Ramana Turlapati.
Look for additions marked with <RT>
1. Call to order, roll call
Kelvin Lawrence and Chris Kaler chaired the session.
Paula Austel appointed secretary.
Attendance of Voting Members
Gene Thurston AmberPoint
Frank Siebenlist Argonne National Lab
Merlin Hughes Betrusted
Hal Lockhart BEA
Corinna Witt BEA
Davanum Srinivas CA
Thomas DeMartini ContentGuard
Sam Wei Documentum
Dana Kaufman Forum Systems
Toshihiro Nishimura Fujitsu
Kefeng Chen GeoTrust
Kojiro Nakayama Hitachi
Paula Austel IBM
Derek Fu IBM
Kelvin Lawrence IBM
Mike McIntosh IBM
Anthony Nadalin IBM
Nataraj Nagaratnam IBM
Ron Williams IBM
Don Flinn Individual
Bob Morgan Internet2
Kate Cherry Lockheed Martin
Paul Cotton Microsoft
Vijay Gajjala Microsoft
Alan Geller Microsoft
Chris Kaler Microsoft
Richard Levinson Netegrity
Frederick Hirsch Nokia
Senthil Sengodan Nokia
Abbie Barbir Nortel
Lloyd Burch Novell
Jerry Schwarz Oracle
Ramana Turlapati Oracle
Ben Hammond RSA Security
Andrew Nash RSA Security
Martijn de Boer SAP
Blake Dournaee Sarvega
Pete Wenzel SeeBeyond
Jeff Hodges Sun Microsystems
Ronald Monzillo Sun Microsystems
John Weiland US Navy
Phillip Hallam-Baker VeriSign
Maneesh Sahu Westbridge Technology
Attendance of Prospective Members and Observers
Vamsi Motukuru Oracle
Membership Status Changes
Vamsi Motukuru Oracle - Requested membership 7/6/2004
Ari Kermaier Oracle - Requested membership 7/13/2004
Peter Dapkus BEA - Lost voting status after 7/13/2004 call
John Shewchuk Microsoft - Returned from LOA before 7/13/2004 call
Meeting started at 10:12am
2. Reading/approving minutes of last meeting (June 29th)
3. Errata status and review
Errata documents are posted but no acknowledgement has been sent to Tony.
Tony addressed comments from Frederick. Highlighting text did not work
out well. Did not add pdf to existing set of documents. General comments
applied to all errata. Use fragments for URI and make clear the full URI
in the clarification section.
Chris asking if we are at last call for the errata.
Ron - we should close all the issues first.
Tony - some of the open issues are not errata but post errata.
Move this discussion until after the issue list to see which issues are
4. Status of other profiles (SAML, XrML, Kerberos, SwA)
Ron - posted updates. There were some comments on errors in examples. Reset
change bars to reflect changes since draft 12. Issue 290, encoding type
- put an approach on the list, Mike McIntosh responded.
Ron - there are some comments on REL profile but they have not been incorporated
into the profile.
No updates to REL or Kerberos
Frederick - comments on list
- Need to discuss what to do with attachments that are XML. Treat them
as XML or text. Should attachment be treated as a whole.
- MIME part canonicalization.
- Blake posted proposal for interop document
5. Issue list review
Issue 256 - Paula - clarification added to errata. Mark this issue closed.
Issue 259 - closed
Issues 260, 264 - closed
287 - closed (rich levinson)
290 - larger discussion needed (see discussion later in minutes)
293 - Ron wrote a proposal 3 weeks ago. Don't need to specify the version
of the certificate. Proposal can be found at this link: http://lists.oasis-open.org/archives/wss/200406/msg00068.html.
Need to fold clarification into errata
ACTION: Mark this as pending, change issue list to state move this to errata
295B - mark as closed.
290 (296?) - Discussion on the list. Defaults should be consistent independent
of the token type. Default values for attributes not codified in schema.
KeyIdentifiers mostly for binary content. SAML not used for only binary.
Need to use an encoding type to state that it is not encoded. Invent a
URI for a non-encoded value.
Chris - Need to add a string or text identifier to core. Need to discuss
adding this to core.
Encoding not buying us anything. Adding in the attribute is adding extra
Ron - make a schema change to specify the default.
Remove encoding type, specify a fixed encoding in the token profiles.
Rich Levinson - should not remove encoding type attribute. remove
default from core.
Ron - leave attributes and remove the defaults. If no token profile can
support multiple encodings than you remove the attribute all together.
Tony - profiles might have multiple encodings. Leave the attribute.
Ron - we don't have a use case for multiple encodings.
Chris - proposal - remove the default from core. Let profiles define their
Chris - this will be better in next round of edits (change in behavior)
and not part of errata.
Proposal to make change to next version of core to unblock SAML issue.
Problem with the SAML token profile with the way the core is currently
Ron - prefer to handle this is in errata so SAML profile doesn't have to
do something temporary to fix this issue.
Does the schema make reference to base64 as default? Is this a schema change?
How to check that implementations to see if this change will effect them.
Rev the core with new SAML token profile.
Kelvin - check with OASIS might have to put all specs together. How will
this effect the URLs?
Chris - get clean changes of docs with errata folded in.
Kelvin - need to rev the version numbers.
Chris - fragment URIs don't work. Can include the full URIs in new rev
Ron - like to propose SAML token profile can work with core spec in a timely
fashion. Best solution to rev the specs together unless it will delay the
Paul Cotton - what would be the time table for this new rev of specs?
Chris - REL, SAML, changes in core - does it impact interoperability testing?,
Kerberos - interop going soon. Perhaps in the fall.
Hal - keep Kerberos on a separate track. no further interop tests needed
ACTION: Editors to make changes.
297 - Frederick - comments were correct and fix was added to draft, close
296 - closed - Ron added clarifications for this issue.
298 - X509 issuer/serial - raised in WS-I. Issuer/serial better mechanism
to identify key. Issuer/serial is prohibited in X509 token profile
Mike - not prohibited in X509 token profile but limited in WS-I.
Issuer/Serial should be child of KeyIdentifier.
Hal - Proposed change to specs: X509 token profile shows issuer/serial
used as direct reference. More logical to treat as keyidentifier. Issuer/Serial
is not a URI.
Chris - We've kept structured data out of KeyIdentifier. (serial/issuer
is XML). Currently using SAML assertion Id, needs to be a string or base64
Mike - 4 different types of token references. Issuer/Serial does not fit
into any of the categories (STR, Direct Reference, KeyIdentifier, Embedded)
Chris - not a good idea to make KeyIdentifier content type mixed.
Chris - need a volunteer to create a proposal for a new reference type?
ACTION: Hal will create a new proposal
299,300,301 - Closed. Comments from Frederick
302 - small errata to core spec - not addressed yet - leave open
ACTION: Tony to add to errata.
303 - Pending
ACTION: Editors to update (mainly editorial issue)
304 - Hal - suggest changing MAY to may. Is this normative?
Propose not changing anything. No strong feeling to change this. May provide
some assistance to implementers.
305 - Tony - Hal and Tim responded to comments. Concern going user to user
and using raw tickets. Not good to use raw tickets. More secure ways using
Kerberos Authenticator protects the ticket. Multiple people cannot decode
Ron - trying to add authenticator in addition to signatures?
Proposal - yes
Frank - want to exclude user to user all together?
Tony - yes
Chris - machine level tickets are common (shared identity for the host).
If someone were to hijack the ticket off the wire they could feed it into
Kerberos and obtain a valid handle. Authenticators could prevent this.
No APIs to send in a raw ticket without authenticator.
There is some overlap with WSS and Kerberos - we are trying to work with
legacy apps therefore we need to be compatible with Kerberos APIs. Authenticator
may be redundant for our app but needed to secure Kerberos.
Hal - looking for clarification on when to use authenticator.
Chris - don't need to reinvent all the Kerberos infrastructure. Focus on
protecting messages on the wire.
Frank - can Tony write up reviews of security issues?
Tony will check to see if it's something he can share with the group.
Chris - in user to user there are security issues.
Need a proposal on how to support user to user.
3 actions items
1. User to User is app specific
2. tgt is app specific
3. service ticket to ap_req
<RT>Ramana - "is there a use case that
requires u2u information to be transported as part of WS-Security headers?"
<RT>Frank - no
<RT> Hal - This means only APREQ needs
to be supported
<RT> Ron - sounds reasonable, but will there
be case where only service tickets are required?
<RT>Ramana - No proof of possession with service
tickets, authenticators are required.
Raj - cannot make a statement that tgt should always be carried in the
body. Might be useful in the header.
Hal - should pass ticket plus authenticator (ap_req).
Ron - are we going to prohibit sending service tickets by themselves?
Chris - for standard Kerberos API then MUST is needed. For hybrid Kerberos
profiles then SHOULD is needed.
Ron - we recommend that authenticators get sent.
Chris - Make this our proposal.
ACTION: Editors make edits for this. Mark issue pending.
<RT>Raj or somebody - What about fwd'ble
<RT>Ramana - Fwd'ble tkts are part of APREQ
306 - Frederick - MIME part canonicalization is the issue. Defined by MIME
definition. A clarification is needed in the text. MIME header processing
is well defined. Jerry sent out a note with some clarifications. http://lists.oasis-open.org/archives/wss/200407/msg00047.html
<RT>Ramana asked Frederick why cant canonicalization
be decoupled from the transform? His reply :"whether a mime type needs
to canonicalized or not is defined as part of mime definition. But will
determine if decoupling is required for cases where such definition is
missing or if applications choose not to." Jerry had some comments
on this as well.
ACTION: Mark pending, editors to make changes to draft
307 - how to deal with attachment with XML. Can you sign portions of XML?
Why not treat as a whole attachment? Not being processed as XML.
Blake - XML standards being recast as SOAP, putting XML in attachment.
Might not want to handle as opaque. Want to be explicit about how this
XML is processed.
Frederick - can this be opaque to SOAP processing but not opaque to the
ACTION: Frederick - make editor pass to see if he can resolve this.
6. Interop planning status (Kerberos, SwA)
No update on Kerberos interop
Blake - sent out email outlining proposed tests. http://lists.oasis-open.org/archives/wss/200407/msg00027.html
Need to find out who is interested in interop tests. Should send out an
email to ask who is interested (lost too many people on the call).
Jerry - might want to specify what MIME types you are going to use.
Frederick - choose one binary and one XML.
7. Other business
Committee draft of errata and SAML token profile.
Propose a vote on errata for next call (vote for committee draft).
Create a new schema with an A in the name. Put information about changed
schema in errata.
Start an electronic vote after 7 days for SAML token profile. Start vote
a week from today, will close the Monday before next call.
Adjourned at 11:55
Paula K. Austel
Web Services Security
IBM T.J. Watson Research Center
| [Thread Prev]
| [Thread Next]
| [Date Next]
| [Thread Index]
| [List Home]