Subject: Minutes from May 3, 2005

1. Call to order, roll call
2. Reading/approving minutes of last meeting (19th April [1])
3. Gartner interop demo results/feedback/lessons learned
4. Issue list review & document status
5. Kerberos Interop status
6. Other business
7. Adjournment

[1] http://lists.oasis-open.org/archives/wss/200504/msg00016.html

1. Call to order, roll call
Attendance of Voting Members
  Maneesh Sahu Actional Corporation
  Gene Thurston AmberPoint
  Hal Lockhart BEA
  Thomas DeMartini ContentGuard
  Sam Wei Documentum
  Dana Kaufman Forum Systems
  Kefeng Chen GeoTrust
  Kojiro Nakayama Hitachi
  Derek Fu IBM
  Kelvin Lawrence IBM
  Mike McIntosh IBM
  Ron Williams IBM
  Don Flinn Individual
  Kate Cherry Lockheed Martin
  Paul Cotton Microsoft
  Vijay Gajjala Microsoft
  Chris Kaler Microsoft
  Richard Levinson Netegrity
  Jeff Hodges NeuStar
  Frederick Hirsch Nokia
  Abbie Barbir Nortel
  Vamsi Motukuru Oracle
  Prateek Mishra Principal Identity
  Ben Hammond RSA Security
  Rob Philpott RSA Security
  Pete Wenzel SeeBeyond
  Ronald Monzillo Sun Microsystems
  Jan Alexander Systinet
  Symon Chang TIBCO
  John Weiland US Navy
  Hans Granqvist VeriSign

Membership Status Changes
  Ramana Turlapati Oracle Withdrew 5/3/2005
  Steve Orrin Watchfire Lost prospective status after 5/3/2005 meeting

2. Reading/approving minutes of last meeting (19th April [1])
No issues, minutes accepted.

3. Gartner interop demo results/feedback/lessons learned
A large number of participants were at the interop.  Thanks to all from Kelvin and Chris, especially Hal for leading the interop.

Please email interop issues to Hal so he can make a list for lessons learned.

Patrick Gannon, from OASIS, did a kick-off speech. Kelvin and Chris did an intro, and Hal did a quick pitch on what WS-Security is.

A user from Wachovia who is using WS-Security conveyed a positive impression of his experience. His only issue was that different products deploy different versions of the standards. Spec stability would resolve this issue; it should be behind us in the next year or two.

Most left the demo with a good impression of all companies working together; we achieved the goals that we at OASIS had for the event.

If lessons learned are forwarded to Hal, he will compile them and update the TC and forward to WSI BSP for consideration.

4. Issue list review & document status
Chris and Vijay worked the issues; version 65 was posted yesterday.

Three pending review items:

371 X.509v1 Certificate support in 1.0 Errata
373 WSS spec legibility
374 TokenType URI for EncryptedKey

No comments; if no objections, proposed to be marked Closed.

371, 373, and 374 Closed.

357 Need a Token Type URI in SAML token profile
 - Ron Monzillo: will go into the next version of the profile rewrite (Version 2) for the meeting after next. Assistance not required at this time; the profile needs to be changed - profiles define support for 1.1 and 2.0 and describe backward compatibility issues to support one token or the other.

Ron made a comment concerning the next interop: SAML Token Profile 1.1, with the exception of the Token Type attribute, is all accurate in its support for SAML 2.0 and 1.1.

391 Tracking incorporation of SAML 2.0  is linked to 357. Document needs to be partitioned to support both versions of tokens. 

376 Manveen: Input format to transform Closed

380 - 387 relating to Kerberos
Tony not present; hoping to get that out this week for review, to be addressed on the next call.

338 Hal: Proposed new work - WSS Templates - no change

366 SWA profile: Review MIME headers that are included in signature, make extensible;  no action Closed

370 SWA profile: Add processing rules/guidance for SOAP and MIME intermediaries
 one of two that Brian responded to (see 364). Reopen 364 - similar to 370 (remains open).

377 xenc:ReferenceList SwA comment
XML encryption - message 18 on the list, 24th of April - changing the text to allow the reference list to be less restrictive to Core. Move to pending and incorporate.

378 Deprecating or otherwise superseding documents - Open

379 Kerberos TP: Use Kerberos V GSS-API mechanism - conceptual agreement reached Pending

388 editorial comment on username token - no objections to having editors incorporate - Pending

389 ID Clash case http://lists.oasis-open.org/archives/wss/200504/msg00023.html -

Hal: Two identical ids in a message are currently a should rather than a must. Operating in a multiple environment, passing around processes could unnecessarily break things. The argument against this by Mike McIntosh: the mechanism of communication between the security layer and the application layer might be such that the security layer would validate or verify a signature over one set of text and the application would be under the impression that the signature was validated over a different set of text; more of a design error than a specification problem. If WSU:id or XML:id otherwise reject it could be

Ron: Other than a direct reference, an ID can be arbitrary in the spec. In 1.0 assertion ids are being used as key identifiers, so when someone references a local assertion it is by the assertion id reference rather than a direct reference. Chris did not see a security attack.

Hal: Should two ids, from a yet-to-be-specified set, having the same value be an error? Paul had a question on the uniqueness constraint (namespace).

Chris pointed out that if they have a different namespace and they have the same value and they are referenced from a SignedInfo then you have a potential attack. Other than that, schema-aware applications may want to shut this down, but our spec does not mandate schema.

Chris proposed a security consideration: any of the known id attributes, when referenced from a SignedInfo, having duplicate values is an error; then add another sentence that says a Token Profile may describe additional constraints, and something in the SAML token profile with 1.0.

Ron proposed:  If you have a id used from signed info, you can't have two attributes within a document with the same value. 

Chris suggested this was unenforceable because you don't know which are ids and non-ids; processors should not have to parse the whole document looking for duplicate attributes. Paul agreed with this.

Different attacks were discussed, both published and speculative. Application-layer suggestion: evaluate the first reference as the message was serialized.

Proposed:  Add wording to the id reference section of the Core that says

1.   "For those id types recognized by this specification, their id values must be unique. If not then it should generate a fatal error."

2.  "Any value referenced by a signed info must be unique."

3.  "In a canonical form of the message the unique id must be first in the canonical output."

No agreement was reached - Action to continue debate on list and decide at next meeting.
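The duplicate-id question debated above is mechanical enough to check in code. What follows is an added example, not the TC's text or any WSS implementation: it implements proposals 1 and 2 as separate checks over a constructed SOAP envelope, and the application-layer suggestion of resolving an id to its first occurrence in serialized order. It assumes that only wsu:Id and xml:id count as recognized id attributes (the two named in the discussion); the sample messages, their content and the failing case are constructed for the example.

```python
"""Duplicate-id checks for a WS-Security message (added example, constructed data)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Assumption: only wsu:Id and xml:id (the two named in the discussion) are
# treated as recognized id attributes. ElementTree keys them as {ns}name.
RECOGNIZED_ID_ATTRS = ("{%s}Id" % WSU, "{%s}id" % XML_NS)


def make_envelope(extra_header_xml=""):
    """Constructed sample envelope: the Body is signed via Reference URI='#body'."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}"
    xmlns:ds="{DS}" xmlns:wsse="{WSSE}">
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
    {extra_header_xml}
  </soap:Header>
  <soap:Body wsu:Id="body"><Order><Amount>10</Amount></Order></soap:Body>
</soap:Envelope>"""


def collect_ids(root):
    """Map each recognized id value to the elements carrying it, in document order."""
    ids = defaultdict(list)
    for elem in root.iter():
        for attr in RECOGNIZED_ID_ATTRS:
            value = elem.get(attr)
            if value is not None:
                ids[value].append(elem)
    return ids


def signed_references(root):
    """Fragment ids named by ds:Reference URI="#..." under any ds:SignedInfo."""
    refs = set()
    for signed_info in root.iter("{%s}SignedInfo" % DS):
        for ref in signed_info.iter("{%s}Reference" % DS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                refs.add(uri[1:])
    return refs


def check_recognized_ids_unique(xml_text):
    """Proposal 1: every recognized id value must be unique.
    Returns the duplicated values (an empty list means the message passes)."""
    root = ET.fromstring(xml_text)
    return sorted(v for v, elems in collect_ids(root).items() if len(elems) > 1)


def check_signed_refs_unique(xml_text):
    """Proposal 2: only values referenced from a SignedInfo must be unique.
    Returns referenced values that resolve to more than one element."""
    root = ET.fromstring(xml_text)
    ids = collect_ids(root)
    return sorted(v for v in signed_references(root) if len(ids.get(v, [])) > 1)


def first_in_document_order(xml_text, id_value):
    """Application-layer suggestion: resolve an id to the first element carrying
    it in serialized order; returns that element's local name, or None if absent."""
    root = ET.fromstring(xml_text)
    elems = collect_ids(root).get(id_value, [])
    return elems[0].tag.rsplit("}", 1)[-1] if elems else None


CLEAN = make_envelope()
# Constructed failing case: a header element reusing the signed Body's id value,
# plus an unreferenced id duplicated across wsu:Id and xml:id.
DUPLICATED = make_envelope(
    '<Order wsu:Id="body"><Amount>9999</Amount></Order>'
    '<Note wsu:Id="note"/><Note xml:id="note"/>')

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("duplicated", DUPLICATED)):
        print(name, "proposal 1:", check_recognized_ids_unique(msg),
              "proposal 2:", check_signed_refs_unique(msg),
              "first #body ->", first_in_document_order(msg, "body"))
```

On the constructed failing message, proposal 1 reports both "body" and "note" as fatal, while proposal 2 reports only "body", the value a signature actually depends on. Both checks still walk every element of the document, which is exactly the cost Chris objected to; what proposal 2 saves is not the traversal but the need to classify attributes the processor does not recognize as ids. The first-occurrence helper shows why that matters: without a uniqueness rule, the signed Body and the unsigned header element both answer to "#body", and an application resolving by first occurrence would read the unsigned one.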

390 Section Numbering issue- pending
391 Tracking incorporation of SAML 2.0- pending
389 ID Clash case-  note taken to list for discussion.  Expectation is for resolution and vote on next call.

5. Kerberos Interop status
Vijay: Of three parts, two are almost complete; two more cases to go. These have been captured in the issues list, along with some from the Sun review.

At least two companies will have interop finished by Wednesday. 

IBM, Microsoft and DataPower are doing Kerberos interop, all hopefully finished by end of next week; each company has their own KDC with scenarios using local and remote KDCs.

Gudge will be publishing 1.1 interop scenarios this week or early next week.

6. Other business

Finishing 1.1:
Minimalist profile - posted a long time ago, with no comments in the past two years.  Will it be part of 1.1?
Who is the editor, and is it consistent with 1.1 core. 

Another posted document was a proposed value of the usage attribute; it could be rolled into the 1.1 document or a separate short document (Hal would be editor).

Editorial changes to Minimalist profile are not even up to 1.0 specs let alone 1.1.  Document will be reviewed for action.

Issues for the list:

1.  Keep track of Minimalist Profile.
2.  Review proposed value of usage attribute.
3.  Clear general call of other bits and pieces that should be part of 1.1.

Frederick - reopen 364 for SwA guidance to editor - review in the mail list.

7. Adjournment

Respectfully Submitted,

John R. Weiland
Information Technology Specialist
GS 2210 (APPSW) Code 38 Naval Medicine OnLine

Naval Medical Information Mngmt Cntr
Bldg 27
8901 Wisconsin Ave
Bethesda, Md. 20889-5605
