

Subject: OTP and the "charter" discussion.


Okay – I’ll start

 

First, IMO, the claim that the proposal for the TC to take up a work item on an additional token profile is out of scope of the charter is wrong.

 

Before responding, I STRONGLY recommend that people go back and read the following carefully:

a)       the current TC charter (http://www.oasis-open.org/committees/wss/charter.php)

b)       the OASIS TC process (http://www.oasis-open.org/committees/process.php)

 

Here is the paragraph in the WSS charter that explicitly defines the SCOPE of the TC:

------------------------------------------

The scope of the Web Services Security Technical Committee is the support of security mechanisms in the following areas:

  • Using XML signature to provide SOAP message integrity for Web services
  • Using XML encryption to provide SOAP message confidentiality for Web services
  • Attaching and/or referencing security tokens in headers of SOAP messages
  • Carrying security information for potentially multiple, designated actors
  • Associating signatures with security tokens

------------------------------------------

So when we talk about something being IN or OUT of scope, THIS is the definition that applies to our TC.

 

Now, I believe this scope can only be read two ways. Since this scope says nothing about the TC producing ANY token profiles, we can either define any number of token profiles that support the bullets defined in the scope, or we’ve already violated the scope of the charter in producing the various token profiles we’ve already built. 

 

The charter then lists an **initial** set of deliverables, which it lists as:

  • The "core" specification (final name TBD)
  • A SAML profile
  • An XrML profile
  • A Kerberos profile
  • An X.509 profile

 That list did not EXPLICITLY include a Username/Password Token Profile, a REL Token Profile, or a SwA Token Profile, which the TC produced.  Sure, the Username/Password Token was in the original “core” submission, but it wasn’t a deliverable.  Support for attachments was tangentially mentioned in an input document, but it wasn’t a deliverable.  The REL Profile is NOT the same as an XrML Token Profile.

 

And I’d like to call attention to XCBF.  Do folks remember this work item we took up at one point?  The minutes from the Dec-2002 Baltimore F2F discuss it, but Kelvin summarized in a follow-up email ([wss] XCBF profile). At that time, “3. It was agreed that this was another profile that should be worked on”.

 

Work was done on this profile for about a year IIRC.  The point is that the TC decided it was appropriate to work on it and it was started.  I believe the same may have been true about the proposal for the “minimalist” profile.  I didn’t hear anyone yelling about that one being out of scope at the time.  It was dropped not because of a scope issue, but because of a prioritization issue/lack of interest.

 

So the argument that taking up an OTP Token profile is out of scope is, IMO, way off base.

 

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email: rphilpott@rsasecurity.com
I-name:  =Rob.Philpott


From: Kelvin Lawrence [mailto:klawrenc@us.ibm.com]
Sent: Tuesday, September 20, 2005 12:20 PM
To: wss@lists.oasis-open.org
Subject: [wss] OTP Discussion

 


We need to find a way to close on the OTP Profile proposal. We have not had much list traffic on this in the past several weeks but today on the call there were clearly several very strong opinions raised. I apologise that we ran out of time today. At the end of the call we tried to start an e-Vote on the proposal as posted but there were objections to that e-Vote also. Therefore, we really need to discuss this here on the list in the next few days so that we can get a decision for the folks that have introduced the proposal no later than the next call. Please would people use this e-mail to start that discussion. Please raise any objections you have here or likewise express support here. This list is not in any way a binding vote but at least we can get the discussion moving. It's hard to close things like this when there is no list traffic prior to the calls. At the next meeting we need to have a vote to resolve this proposal one way or the other. Please come to the next meeting prepared to vote. Also, if people have proposed wording for the vote (there was a lot of discussion around that today also) please post it and debate it here. It would be nice if we could have a draft of the text for a motion ready before the next call as a result of e-mail discussions here. Thanks.

Cheers
Kelvin


