OASIS Mailing List Archives

wss message



Subject: RE: [wss] WSS OTP-Token subcommittee proposal


The set of specific deliverables identified within the charter is
designated as "initial", and so does not appear exhaustive or
prescriptive.  Instead, I believe that it is reasonable to interpret and
anticipate that it could evolve over time within the boundaries of the
TC's chartered scope.  The OASIS TC process (Sec. 2.11) states that a TC
may expand its list of deliverables (via a charter clarification, rather
than through rechartering) if those new deliverables are within the
scope of the topic that the TC's charter defines. Referring to the WSS
charter, its scope statement is as follows:

"The scope of the Web Services Security Technical Committee is the
support of security mechanisms in the following areas:

    * Using XML signature to provide SOAP message integrity for Web
services
    * Using XML encryption to provide SOAP message confidentiality for
Web services
    * Attaching and/or referencing security tokens in headers of SOAP
messages
    * Carrying security information for potentially multiple, designated
actors
    * Associating signatures with security tokens"

It is not apparent to me that the proposed OTP profile work is any more
or less consistent with this list than the profiles that have already
been addressed by the TC. 

--jl

-----Original Message-----
From: Duane Nickull [mailto:dnickull@adobe.com] 
Sent: Tuesday, September 20, 2005 11:43 AM
To: Paul Cotton; Granqvist, Hans; Linn, John
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] WSS OTP-Token subcommittee proposal

Paul:

Actually, your statement is not quite correct.  TCs are bound by their
charter and no *single* member may arbitrarily introduce work items that
increase a charter's scope.  A TC must also not arbitrarily expand its
charter without going through a lengthy process as defined by the OASIS
Policies and Procedures.  There is a process for the TC to expand or
clarify its charter but that must be done in accordance with the
procedures.

I do agree that the proposed item is out of scope given the current
charter of the TC and do not favor adding more work.

Duane



-----Original Message-----
From: Paul Cotton [mailto:Paul.Cotton@microsoft.com] 
Sent: Tuesday, September 20, 2005 8:28 AM
To: Granqvist, Hans; Linn, John
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] WSS OTP-Token subcommittee proposal

> This profile would be functionally comparable to other profiles defined
> within the WSS TC, so we believe it is appropriate to standardize
> within the same forum.

I disagree.  You cannot just add something to the work list of an OASIS
TC.  Each TC has a charter that governs its work and a TC is not
permitted to change its charter.

I do not believe that this proposed work is within the scope of the
current OASIS TC charter [1].  The charter explicitly states:

"The TC has the following initial set of deliverables.

- The "core" specification (final name TBD) 
- A SAML profile 
- An XrML profile 
- A Kerberos profile 
- An X.509 profile"

There is no mention of an OTP profile in this list and an OTP profile
was not in the contributed "core" specification.  In addition there is
no other mention of other token profiles being in scope in the TC's
charter.  Thus I believe the OTP proposed work is Out of Scope and
cannot be added to the WSS TC's work list.

In addition I believe the WSS TC should concentrate its resources on
completing its work on WSS 1.1 and must not be distracted with other Out
of Scope work.

If this matter comes to a vote I will vote against adopting this new
work. 

/paulc

[1] http://www.oasis-open.org/committees/wss/charter.php

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Nepean, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com

 


> -----Original Message-----
> From: Granqvist, Hans [mailto:hgranqvist@verisign.com]
> Sent: August 22, 2005 7:53 PM
> To: wss@lists.oasis-open.org; Linn, John
> Subject: [wss] WSS OTP-Token subcommittee proposal
> 
> (This is a follow up to the issue I brought up August 9
> regarding a WSS One-Time Password token profile sub
> committee, see minutes of call under "5. Other business"
> --Hans)
> 
> 
> Proposal
> ========
> RSA Security and VeriSign would like to propose a new work
> item for the WSS TC, defining a WSS profile for use of One-
> Time Password (OTP) authentication.  The intended goal is
> to accommodate a broad range of OTP technologies within the
> WSS framework.  While IPR claims may apply to underlying OTP
> methods that the profile may support, the proposers intend
> that the constructions to be defined in the profile itself
> be unencumbered.
> 
> This profile would be functionally comparable to other
> profiles defined within the WSS TC, so we believe it is
> appropriate to standardize within the same forum.   We
> propose that this work item be pursued in a new OTP Token
> Profile subcommittee within the WSS TC, as this should
> facilitate effective discussion of OTP-related aspects that
> may have limited interest for some TC members.  The profile
> specification(s) would be the subcommittee's deliverable to
> the TC. A chair or co-chairs would be selected if and as the
> subcommittee is formed.
> 
> We anticipate that existing and related work will be
> available as input for this task.  The One-Time Password
> Specifications (OTPS, http://www.rsasecurity.com/rsalabs/otps)
> initiative, coordinated by RSA Security, has produced several
> drafts of an OTP-WSS-Token specification which have evolved
> in response to public review and comment.  Following further
> refinement within the OTPS process, RSA Security proposes to
> submit a subsequent version of this document as input to the
> WSS TC.
> 
> VeriSign, in conjunction with the Open Authentication
> initiative (OATH, http://www.openauthentication.org) is also
> producing work related to an OTP token profile.  We anticipate
> that versions of these input documents will be ready for OASIS
> submission by or during October 2005. We propose that the
> results of these efforts, along with any other inputs which may
> be received through the OASIS process, be harmonized under WSS
> TC auspices.
> 
> 
> John Linn, RSA Security
> Hans Granqvist, VeriSign
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in
> OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

