

Subject: Re: [wss] OTP and the "charter" discussion.


+1 regarding Rob's comments on scope.

It seems reasonable to complete WSS profiles in the WSS TC which has  
the expertise related to WSS. Attempting to produce profiles once the  
TC is no longer in existence would be much more difficult and, as has  
been noted on the list, the status of such profiles would be less
clear than those produced by WSS.

This appears to be an important area of work related to web services  
security.

Do we have any idea how long it might take to produce an OTP profile?  
A few months?

regards, Frederick

Frederick Hirsch
Nokia


On Sep 20, 2005, at 1:14 PM, ext Philpott, Robert wrote:

> Okay – I’ll start
>
>
>
> First, IMO, the claim that the proposal for the TC to take up a  
> work item on an additional token profile is out of scope of the  
> charter is wrong.
>
>
>
> Before responding, I STRONGLY recommend that people go back and  
> read the following carefully:
>
> a)       the current TC charter (http://www.oasis-open.org/committees/wss/charter.php)
>
> b)       the OASIS TC process (http://www.oasis-open.org/committees/process.php)
>
>
>
> Here is the paragraph in the WSS charter that explicitly defines  
> the SCOPE of the TC:
>
> ------------------------------------------
>
> The scope of the Web Services Security Technical Committee is the  
> support of security mechanisms in the following areas:
>
> - Using XML signature to provide SOAP message integrity for Web services
> - Using XML encryption to provide SOAP message confidentiality for
>   Web services
> - Attaching and/or referencing security tokens in headers of SOAP
>   messages
> - Carrying security information for potentially multiple, designated
>   actors
> - Associating signatures with security tokens
> ------------------------------------------
>
> So when we talk about something being IN or OUT of scope, THIS is  
> the definition that applies to our TC.
>
>
>
> Now, I believe this scope can only be read two ways. Since this  
> scope says nothing about the TC producing ANY token profiles, we  
> can either define any number of token profiles that support the  
> bullets defined in the scope, or we’ve already violated the scope  
> of the charter in producing the various token profiles we’ve  
> already built.
>
>
>
> The charter then lists an **initial** set of deliverables that
> it lists as:
>
> - The "core" specification (final name TBD)
> - A SAML profile
> - An XrML profile
> - A Kerberos profile
> - An X.509 profile
>
> That list did not EXPLICITLY include a Username/Password Token
> Profile, a REL Token Profile, or a SwA Token Profile, which the TC  
> produced.  Sure, the Username/Password Token was in the original  
> “core” submission, but it wasn’t a deliverable.  Support for  
> attachments was tangentially mentioned in an input document, but it  
> wasn’t a deliverable.  The REL Profile is NOT the same as an XrML  
> Token Profile.
>
>
>
> And I’d like to call attention to XCBF.  Do folks remember this  
> work item we took up at one point?  The minutes from the Dec-2002  
> Baltimore F2F discuss it, but Kelvin summarized in a follow-up  
> email ([wss] XCBF profile). At that time, “3. It was agreed that
> this was another profile that should be worked on”.
>
>
>
> Work was done on this profile for about a year IIRC.  The point is  
> that the TC decided it was appropriate to work on it and it was  
> started.  I believe the same may have been true about the proposal  
> for the “minimalist” profile.  I didn’t hear anyone yelling about  
> that one being out of scope at the time.  It was dropped not  
> because of a scope issue, but because of a prioritization issue/lack
> of interest.
>
>
>
> So the argument that taking up an OTP Token profile is out of scope  
> is, IMO, way off base.
>
>
>
> Rob Philpott
> Senior Consulting Engineer
> RSA Security Inc.
> Tel: 781-515-7115
> Mobile: 617-510-0893
> Fax: 781-515-7020
> Email: rphilpott@rsasecurity.com
> I-name:  =Rob.Philpott
>
> From: Kelvin Lawrence [mailto:klawrenc@us.ibm.com]
> Sent: Tuesday, September 20, 2005 12:20 PM
> To: wss@lists.oasis-open.org
> Subject: [wss] OTP Discussion
>
>
>
>
> We need to find a way to close on the OTP Profile proposal. We have  
> not had much list traffic on this in the past several weeks but  
> today on the call there were clearly several very strong opinions  
> raised. I apologise that we ran out of time today. At the end of  
> the call we tried to start an e-Vote on the proposal as posted but  
> there were objections to that e-Vote also. Therefore, we really  
> need to discuss this here on the list in the next few days so that  
> we can get a decision for the folks that have introduced the  
> proposal no later than the next call. Please would people use this  
> e-mail to start that discussion.  Please raise any objections you  
> have here or likewise express support here.  This list is not in
> any way a binding vote but at least we can get the discussion
> moving. It's hard to close things like this when there is no list
> traffic prior to the calls. At the next meeting we need to have a
> vote to resolve this proposal one way or the other. Please come to  
> the next meeting prepared to vote. Also, if people have proposed  
> wording for the vote (there was a lot of discussion around that  
> today also) please post it and debate it here. It would be nice if  
> we could have a draft of the text for a motion ready before the  
> next call as a result of e-mail discussions here. Thanks.
>
> Cheers
> Kelvin
>
>


