

Subject: RE: [wss] OTP and the "charter" discussion.


>The TC has on a number of occasions added work items WITHOUT doing anything to the charter.  
 
Exactly what items have we added?
 
/paulc

________________________________

From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]
Sent: Thu 29/09/2005 13:41
To: Paul Cotton; Frederick Hirsch
Cc: Kelvin Lawrence; wss@lists.oasis-open.org
Subject: RE: [wss] OTP and the "charter" discussion.



Paul - did you READ my message?  The TC has on a number of occasions
added work items WITHOUT doing anything to the charter.  This item is
really no different.

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email: rphilpott@rsasecurity.com
I-name:  =Rob.Philpott


> -----Original Message-----
> From: Paul Cotton [mailto:Paul.Cotton@microsoft.com]
> Sent: Thursday, September 29, 2005 1:19 PM
> To: Frederick Hirsch; Philpott, Robert
> Cc: Kelvin Lawrence; wss@lists.oasis-open.org
> Subject: RE: [wss] OTP and the "charter" discussion.
>
> > It seems reasonable to complete WSS profiles in the WSS TC which has
> > the expertise related to WSS.
>
> Since this work is not in our charter are you proposing we amend our
> charter?
>
> /paulc
>
> Paul Cotton, Microsoft Canada
> 17 Eleanor Drive, Nepean, Ontario K2E 6A3
> Tel: (613) 225-5445 Fax: (425) 936-7329
> mailto:Paul.Cotton@microsoft.com
>
>
>
>
>
> > -----Original Message-----
> > From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
> > Sent: September 29, 2005 12:59 PM
> > To: ext Philpott, Robert
> > Cc: Frederick Hirsch; Kelvin Lawrence; wss@lists.oasis-open.org
> > Subject: Re: [wss] OTP and the "charter" discussion.
> >
> > +1 regarding Rob's comments on scope.
> >
> > It seems reasonable to complete WSS profiles in the WSS TC which has
> > the expertise related to WSS. Attempting to produce profiles once the
> > TC is no longer in existence would be much more difficult and, as has
> > been noted on the list, the status
> > of such profiles would be less clear than those produced by WSS.
> >
> > This appears to be an important area of work related to web services
> > security.
> >
> > Do we have any idea how long it might take to produce an OTP profile?
> > A few months?
> >
> > regards, Frederick
> >
> > Frederick Hirsch
> > Nokia
> >
> >
> > On Sep 20, 2005, at 1:14 PM, ext Philpott, Robert wrote:
> >
> > > Okay - I'll start
> > >
> > >
> > >
> > > First, IMO, the claim that the proposal for the TC to take up a
> > > work item on an additional token profile is out of scope of the
> > > charter is wrong.
> > >
> > >
> > >
> > > Before responding, I STRONGLY recommend that people go back and
> > > read the following carefully:
> > >
> > > a)       the current TC charter (http://www.oasis-open.org/committees/wss/charter.php)
> > >
> > > b)       the OASIS TC process (http://www.oasis-open.org/committees/process.php)
> > >
> > >
> > >
> > > Here is the paragraph in the WSS charter that explicitly defines
> > > the SCOPE of the TC:
> > >
> > > ------------------------------------------
> > >
> > > The scope of the Web Services Security Technical Committee is the
> > > support of security mechanisms in the following areas:
> > >
> > > - Using XML signature to provide SOAP message integrity for Web services
> > > - Using XML encryption to provide SOAP message confidentiality for Web services
> > > - Attaching and/or referencing security tokens in headers of SOAP messages
> > > - Carrying security information for potentially multiple, designated actors
> > > - Associating signatures with security tokens
> > > ------------------------------------------
> > >
> > > So when we talk about something being IN or OUT of scope, THIS is
> > > the definition that applies to our TC.
> > >
> > >
> > >
> > > Now, I believe this scope can only be read two ways. Since this
> > > scope says nothing about the TC producing ANY token profiles, we
> > > can either define any number of token profiles that support the
> > > bullets defined in the scope, or we've already violated the scope
> > > of the charter in producing the various token profiles we've
> > > already built.
> > >
> > >
> > >
> > > The charter then lists an **initial** set of deliverables that
> > > lists as:
> > >
> > > - The "core" specification (final name TBD)
> > > - A SAML profile
> > > - An XrML profile
> > > - A Kerberos profile
> > > - An X.509 profile
> > >
> > > That list did not EXPLICITLY include a Username/Password Token
> > > Profile, a REL Token Profile, or a SwA Token Profile, which the TC
> > > produced.  Sure, the Username/Password Token was in the original
> > > "core" submission, but it wasn't a deliverable.  Support for
> > > attachments was tangentially mentioned in an input document, but it
> > > wasn't a deliverable.  The REL Profile is NOT the same as an XrML
> > > Token Profile.
> > >
> > >
> > >
> > > And I'd like to call attention to XCBF.  Do folks remember this
> > > work item we took up at one point?  The minutes from the Dec-2002
> > > Baltimore F2F discuss it, but Kelvin summarized in a follow-up
> > > email ([wss] XCBF profile). At that time, "3. It was agreed that
> > > this was another profile that should be worked on".
> > >
> > >
> > >
> > > Work was done on this profile for about a year IIRC.  The point is
> > > that the TC decided it was appropriate to work on it and it was
> > > started.  I believe the same may have been true about the proposal
> > > for the "minimalist" profile.  I didn't hear anyone yelling about
> > > that one being out of scope at the time.  It was dropped not
> > > because of a scope issue, but because of a prioritization issue/
> > > lack of interest.
> > >
> > >
> > >
> > > So the argument that taking up an OTP Token profile is out of scope
> > > is, IMO, way off base.
> > >
> > >
> > >
> > > Rob Philpott
> > > Senior Consulting Engineer
> > > RSA Security Inc.
> > > Tel: 781-515-7115
> > > Mobile: 617-510-0893
> > > Fax: 781-515-7020
> > > Email: rphilpott@rsasecurity.com
> > > I-name:  =Rob.Philpott
> > >
> > > From: Kelvin Lawrence [mailto:klawrenc@us.ibm.com]
> > > Sent: Tuesday, September 20, 2005 12:20 PM
> > > To: wss@lists.oasis-open.org
> > > Subject: [wss] OTP Discussion
> > >
> > >
> > >
> > >
> > > We need to find a way to close on the OTP Profile proposal. We have
> > > not had much list traffic on this in the past several weeks but
> > > today on the call there were clearly several very strong opinions
> > > raised. I apologise that we ran out of time today. At the end of
> > > the call we tried to start an e-Vote on the proposal as posted but
> > > there were objections to that e-Vote also. Therefore, we really
> > > need to discuss this here on the list in the next few days so that
> > > we can get a decision for the folks that have introduced the
> > > proposal no later than the next call. Please would people use this
> > > e-mail to start that discussion.  Please raise any objections you
> > > have here or likewise express support here.  This list is not in
> > > any way a binding vote but at least we can get the discussion
> > > moving. It's hard to close things like this when there is no list
> > > traffic prior to the calls. At the next meeting we need to have a
> > > vote to resolve this proposal one way or the other. Please come to
> > > the next meeting prepared to vote. Also, if people have proposed
> > > wording for the vote (there was a lot of discussion around that
> > > today also) please post it and debate it here. It would be nice if
> > > we could have a draft of the text for a motion ready before the
> > > next call as a result of e-mail discussions here. Thanks.
> > >
> > > Cheers
> > > Kelvin
> > >
> > >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS TC that
> > generates this mail.  You may a link to this group and all your TCs in
> > OASIS
> > at:
> > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>




