[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] Minutes for SSTC Telecon, Tuesday Dec 11
Minutes for SSTC Telecon, Tuesday Dec 11 Dial in info: +1 334 262 0740 #856956 Minutes taken by Steve Anderson > > 1 -- Roll Call > - Attendance attached to bottom of these minutes - Quorum achieved. > > 2 -- Review of agenda > - Joe: Two items to add - Dealing with the issues list - Changes to docs from present action items list > > 3 -- Approve Minutes from last call: < http://lists.oasis-open.org/ > archives/security-services/200111/msg00064.html > > - [APPROVED] > > 4 -- Confirm Last-Call process < http://lists.oasis-open.org/ > archives/security-services/200112/msg00009.html > as amended by > Eve: I think sec-conform and glossary must be part of the > deliverables. > - BobG: discussion of conformance issues - Joe: seeking consensus on motion - Jeff: quote of Eve should reference just "conform" rather than "sec-conform" - [APPROVED] - Jeff: clarified that sec considerations and conformance and glossary are effectively added to core and bindings as deliverables > > 5 -- Confirm Editor Availability: All editors and the issue list > editor will have to confirm their high availability in December > and January to make this work. > - Eve: superceded by events, as Eve has herself stepped in - Many thanks to Eve for doing so - Doc status - Core: in good hands - Bindings: in good hands - Sec considerations: may be on different (longer) timeline - Glossary: Marc now owns & will generate something this week. Some holes, but in pretty good shape for now - Conformance: There are 2 difference approaches proposed in this, which require discussion today - Domain Model: phantom doc, which Eve believes should be integrated in Concepts section of core - Hal: how about combining with glossary - Eve: could work, some pros, some cons - JeffH: would prefer it to go into core, predicting most people will pick up core first - Candidate date for last call announcement: Jan 8 - Candidate date for final vote: 2 weeks later, Jan 22 - Hal: is this intended to proceed as all 5 docs together, or will the docs proceed independently? - E.g., conformance approach hasn’t been seriously discussed yet - Sec-considerations is still in first draft state as well - Idea given consideration - Eve uncomfortable proceeding without all 5 docs synchronized - Chris: notes that changes to something like sec-considerations may produce changes to other docs like core - We should shift our attention to conformance and sec- considerations to bring them up to speed, so they can all be presented in last call announcement - So, guarantees pushing out last call to February - Will this affect publicized March date? - no - Will there be 3 implementations by March? - We want a more defined criteria than what OASIS requires - Would we need a sixth F2F? - Would be a good interop opportunity - For each organization that can state implementation or plan for implementation of standard, please email committee chairs this week - Prefer to keep this off of main list for now - Please state degree of completeness in email - Also indicate comfort level with making your implementation claims/plans public - Summary: we’ve identified that sec-considerations & conformance docs are on critical path for last call process - Eve: realistic to shoot for 9 Jan release of fresh drafts of all 5 docs, plus FAQ - Joe: makes 8 Jan Conf Call very important > > 6 -- Review status of milestones > > > [M1 - Prateek] - publish bindings-07 during week of Dec 3. > > Status: Document available 6-Dec < http://lists.oasis-open.org/ > archives/security-services/200112/msg00028.html > > Comments due 12-Dec. > - Doc available. Comments coming in. > > [M2 - Tim, Simon, Irving] - detailed reviews: Tim - section 4.1; > Simon - section 3.1; Irving - section 4.2 > > Status: Comments due 12-Dec. > > Simon: http://lists.oasis-open.org/archives/security-services/ > 200112/msg00038.html > - Tim has published some comments today - Irving at IETF today, but will try to get deliverables in tomorrow > > [M3 - Prateek] - publish bindings-08 during week of Dec 17. > - Prateek: still believes it is doable, with some small possible slippage - Joe: any feeling among the group that there will be any larger class of issues that the ones that have been coming in? - Not really > > 7 -- Review status of action items - and move to resolution > > [A3: Prateek] - Section 3.1.5, need to further define error cases > > Status: Still open pending issuance of bindings-07, need to confirm > core reflects changes > - Actually, it is a core issue, which is still open - Changing ownership of this item to Phill - Change wording to reflect that bindings did its task > > [A4: Prateek] - Section 4.1.1, create a diagram for this section > > Status: still open pending -07 > - done - [CLOSED] > > [A5: BobB] - Section 4.1.3 472-473, text to clarify construction of > ID (w.r.t. uniqueness) > > Status: open > - Joe will contact BobB offline directly > > [A6: Prateek] - Line 565, capture the threat (leading to requiring a > <saml:audience>, then decide to leave it, change it, or strike it > > Status: open pending -07 > - Bindings-07 removed this material, and includes appropriate justification - [CLOSED] > > [A7: Simon] - text for "things you might do in step 6" > > Status: proposed text < http://lists.oasis-open.org/archives/ > security-services/200112/msg00040.html > > - no feedback to Simon’s proposed text - not in bindings-07, so will go into --08 - no concerns on call with Simon’s proposal - [CLOSED] > [A9: Irving] - line 788-791, provide clarifying language for > application level error handling. Tied to Scott's status code > proposal > < http://lists.oasis-open.org/archives/security-services/200111/ > msg00049.html > > > Status: open pending -07 > - Prateek: believes this is distinct from the status codes issue, and Irving has given clarifying text on this - Scott: agrees - [CLOSED] > > [A11: Irving] - line 824-829, Irving to research and propose language > to weaken requirement on signing over entire message (body and > headers). The proposal is to require signing over assertion headers > and body only. Other components are to be signed by agreement between > sender and receiver (out of scope for us). > > Status: < http://lists.oasis-open.org/archives/security-services/ > 200112/msg00020.html > > > pending -07 > - Done - [CLOSED] > > [A12: Irving] - line 847-848, change "subject" to "sender" > > Status: pending -07 > - in -07 - [CLOSED] > > [A13: Prateek] - add text on threat model and security counter > measures > > Status: pending -07 > - in -07 - [CLOSED] > > [A15: Chris] - Write up advice on how to use current approach to > generic slots for attributes > > Status: Thread beginning: < http://lists.oasis-open.org/ > archives/security-services/200112/msg00006.html > > - Chris: written up, but still not sure where to put this - Prateek: this is issue for core - Eve: could be appendix - Chris: fine with that - This could be integrated in the section on value and used as an example, so long as its non-normative status is clear - Joe: objects to using color coding to convey normative vs. non- normative status, due to printing issues and color-blind readers - Will leave open until Eve has chance to do another edit > > [A18: Phill] - completion of error code specification for core > > Status: still open > - Still open > > [A20: Prateek] - Need for additional ConfirmationMethod identifiers > (Prateek and Phil) > > Bindings-06 uses two identifiers not found in core: HolderOfKey and > SenderVouches. It is important to understand that no change in schema > is being proposed, only new text and constants for Section 5 of core. > Prateek to send Phil necessary text. > > Status - Still open > - Prateek published note this morning - Still must be integrated by Phill - Still open > > [A22: Irving] - core line 752, return code for completeness specifier: > > < http://lists.oasis-open.org/archives/security-services/ > 200111/msg00031.html > > > Status: still open > - Still pending Phill - Code has been published - Owner changes to Phill - Semantic meaning is still unresolved - Scott leans to less security-related interpretation, which suggests option ‘b’ (in mail list reference above) - Hal: sees it as a way for implementations to avoid doing some work, when a set of attrs are requested, and not all are returned - Hal will write up if necessary, but is there anyone who still wants this? - Doesn’t view it as essential, since requestor can still detect the condition and react as necessary - <<discussion>> - Eve: proposes removing completeness specifier, adding a simple status code "non-complete results due to reasons other than processing failures" where partial result will be returned - Should the causes for not returning all attrs be treated with different codes? - Hal: this completeness specifier was explicitly requested last summer, so we should give fair notice before dropping it - Eve will write up complete proposal and submit to list - Scott will finish this for Eve if Eve doesn’t finish before leaving for vacation > > [A24: Phill] - Bring together Tim's etc. text for the Authentication > mechanism section. > > Status - [In progress] still open > - Eve: apologizes, but didn’t know about it, or it would have gone into core-21 - JeffH: was this approved? - Tim: doesn’t think it’s had discussion, and he thought getting it into draft would cause discussion - Joe: expected Phill to add to core as action item from F2F#5, so we must have given tacit approval - JeffH: in F2F#5, day #2 raw notes, found evidence that we decided to add this to core - Tim to send pointer to Eve, and Eve will add to core-22 - Open pending Eve’s edits > > [A25: Phill & Eve] - Eve's reorganization of preamble > > Status - still open - in Eve's control this week > - Done - [Closed] > > [A26: Phill] - text on the <RespondWith> option voted for at F2F#5 > > Status - still open > - still open, remains Phill’s > > 8 -- Dealing with the issues list > - Issues-06 is out of date - Hal has been unofficially out for a while, but will now get back on track, and be available through February > > 9 -- Changes to docs from present action items list > - Working itself out > > 10 -- Conformance > - Candidate approaches - BobG: we’ve always planned for "levels" of conformance - Conformance-07 defines these levels in terms of the domain model entities - Has found lots of overlap of assertions used by various domain model entities - Has also found that implementations don’t appear that they will follow that model - Looking at going back with an assertion-specific approach to conformance levels, with producer/consumer qualifiers - Reflected in a version of the doc, conformance-07a - Proposes sending both docs out for discussion - Eve had suggested a questionnaire for implementers to use to identify conformance requirements, which BobG has taken a stab at - Alternate proposal leaves possibility for implementations to claim conformance, but not interoperate - Hal: uncomfortable with claims to conformance still leaving real possibility of no interop - Eve: suggests attaching names to conformance levels to make vendor claims more clear - BobG: must accommodate different bindings - Scott: already identified trust model to be out of scope, and some app-specific implementation details, so interop challenges will always exist - Prateek: bindings and profiles feel like feature material, where core feels like concrete, conformance-testable material - [ACTION ITEM] BobG will send out both versions of the spec, along with draft of questionnaire for discussion - Hopes to include discussion of this in next week’s focus group call > > 11 -- Eve’s comments on Core-21 > - Not enough time to cover > > 12 -- Additional Items > - Proposal to eliminate SingleAssertion and AbstractAssertion, and rename MultipleAssertion to Assertion - [ACCEPTED] > > 13 -- Adjourn > - Adjourned ----------------------------------------------------------------------- Attendence of Voting Members: Allen Rogers Authentica Larry Hollowood Bank of America Ken Yagen Crosslogix Simon Godik Crosslogix Hal Lockhart Entegrity Carlisle Adams Entrust Robert Griffin Entrust Tim Moses Entrust Don Flinn Hitachi Joe Pato HP Jason Rouault HP Chris McLaren Netegrity Marc Chanliau Netegrity Prateek Mishra Netegrity Jeff Hodges Oblix Charles Knouse Oblix Steve Anderson OpenNetwork Jeff Bohren OpenNetwork Darren Platt RSA Jahan Moreh Sigaba Eve Maler Sun Emily Xu Sun Bob Morgan UWashington Attendance of Observers or Prospective Members: Scott Cantor OSU Membership Status Changes: Gavenraj Sodhi BusinessLayers -- re-instated after leave of absence Alex Berson Entrust -- granted voting status after 3 meetings during prospective status Maryann Hondo IBM -- lost voting status by missing 3 consecutive meetings Sridhar Muppidi Tivoli -- lost voting status by missing 3 consecutive meetings -- Steve Anderson OpenNetwork Technologies sanderson@opennetwork.com 727-561-9500 x241
begin:vcard n:Anderson;Steve tel;fax:727-561-0303 tel;work:727-561-9500 x241 x-mozilla-html:FALSE url:www.opennetwork.com org:OpenNetwork Technologies version:2.1 email;internet:sanderson@opennetwork.com title:Product Architect adr;quoted-printable:;;13577 Feather Sound Drive=0D=0ASuite 330;Clearwater;Florida;33762;USA x-mozilla-cpt:;-15216 fn:Steve Anderson end:vcard
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC