RE: [wss] WSS OTP-Token subcommittee proposal

["Paul Cotton" <Paul.Cotton@microsoft.com>]

> This profile would be functionally comparable to other profiles
defined 
> within the WSS TC, so we believe it is appropriate to standardize 
> within the same forum.

I disagree.  You cannot just add something to the work list of an OASIS
TC.  Each TC has a charter that governs its work and a TC is not
permitted to change its charter.

I do not believe that this proposed work is within the scope of the
current OASIS TC charter [1].  The charter explicitly states:

"The TC has the following initial set of deliverables.

- The "core" specification (final name TBD) 
- A SAML profile 
- An XrML profile 
- A Kerberos profile 
- An X.509 profile"

There is no mention of an OTP profile in this list and an OTP profile
was not in the contributed "core" specification.  In addition there is
no other mention of other token profiles being in scope in the TC's
charter.  Thus I believe the OTP proposed work is Out of Scope and
cannot be added to the WSS TC's work list.

In addition I believe the WSS TC should concentrate its resources on
completing its work on WSS 1.1 and must not be distracted with other Out
of Scope work.

If this matter comes to a vote I will vote against adopting this new
work. 

/paulc

[1] http://www.oasis-open.org/committees/wss/charter.php

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Nepean, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com

 


> -----Original Message-----
> From: Granqvist, Hans [mailto:hgranqvist@verisign.com]
> Sent: August 22, 2005 7:53 PM
> To: wss@lists.oasis-open.org; Linn, John
> Subject: [wss] WSS OTP-Token subcommittee proposal
> 
> (This is a follow up to the issue I brought up August 9
> regarding a WSS One-Time Password token profile sub
> committee, see minutes of call under "5. Other business"
> --Hans)
> 
> 
> Proposal
> ========
> RSA Security and VeriSign would like to propose a new work
> item for the WSS TC, defining a WSS profile for use of One-
> Time Password (OTP) authentication.  The intended goal is
> to accommodate a broad range of OTP technologies within the
> WSS framework.  While IPR claims may apply to underlying OTP
> methods that the profile may support, the proposers intend
> that the constructions to be defined in the profile itself
> be unencumbered.
> 
> This profile would be functionally comparable to other
> profiles defined within the WSS TC, so we believe it is
> appropriate to standardize within the same forum.   We
> propose that this work item be pursued in a new OTP Token
> Profile subcommittee within the WSS TC, as this should
> facilitate effective discussion of OTP-related aspects that
> may have limited interest for some TC members.  The profile
> specification(s) would be the subcommittee's deliverable to
> the TC. A chair or co-chairs would be selected if and as the
> subcommittee is formed.
> 
> We anticipate that existing and related work will be
> available as input for this task.  The One-Time Password
> Specifications (OTPS, http://www.rsasecurity.com/rsalabs/otps)
> initiative, coordinated by RSA Security, has produced several
> drafts of an OTP-WSS-Token specification which have evolved
> in response to public review and comment.  Following further
> refinement within the OTPS process, RSA Security proposes to
> submit a subsequent version of this document as input to the
> WSS TC.
> 
> VeriSign, in conjunction with the Open Authentication
> initiative (OATH, http://www.openauthentication.org) is also
> producing work related to an OTP token profile.  We anticipate
> that versions of these input documents will be ready for OASIS
> submission by or during October 2005. We propose that the
> results of these efforts, along with any other inputs which may
> be received through the OASIS process, be harmonized under WSS
> TC auspices.
> 
> 
> John Linn, RSA Security
> Hans Granqvist, VeriSign
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in
> OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php