- From: Joseph Hui <Joseph.Hui@exodus.net>
- Date: Tue, 30 Jul 2002 15:25:37 -0700
- To: <www-ws-arch@w3.org>
<TF Meeting Minutes 7/29/2002>
Logistics
=========
Meeting Date 07/29/2002
Meeting Time 12:00-13:20 PDT (US Pacific Daylight Time)
Duration 1 Hour
Chair Joe Hui
Scribe Joe Hui
Present
=======
(AB) Abbie Barbir, Nortel Networks
(AD) Ayse Dilber, AT&T
(HH) Hugo Haas, W3C
(JH) Joe Hui, Exodus
(HL) Hal Lockhart, Entegrity Solutions (OASIS Liaising Rep)
(SM) Steven Monetti, AT&T
Regrets
=======
From (DR) Darran Rolls, Waveset, due to travel.
Agendas & Minutes
=================
Are we sufficiently ready to recommend to the WG co-chairs to make
last call on AG004's closure for the requirements doc?
Pending Darran's elaboration on the management aspect of security
and in light that the WG is going into recess later this week,
this agenda item was put off.
However, we did manage to address the need for Privacy requirements
(in the WG's reqs doc) and reach a consensus that Hugo would turn
the current Privacy sub-CSFs that actually read more like requirements
into Privacy requirements, thus filling a previous void in the
Privacy section of the reqs doc.
It was also by consensus that the current wording being solidified in the
public list for the glossary definition for Auditing was satisfactory.
STF Deliverables this week
On the "Scoping the requirements for the security working group" deliverable:
The rough consensus was that the web services security work would
be accomplished in phases:
Phase 1: the layers 1 and 2 of the "Onion Model," namely:
Confidentiality; Integrity; Authentication; Authorization.
Phase 2: Non-repudiation
Phase 3: Accessibility
Phase 4: Auditing and (Security) Management
It was perceived that there would be overlapping between phases, allowing
for improvement and/or enhancement of work done in a previous phase.
No resolution was reached whether Privacy would be a part of Security.
Even if in the future a positive resolution can be reached,
it's reasonable to assume now that the Privacy work will likely
be done in a Privacy track (the traditional security classification
being the other track under Security), where the phases will be
determined by Privacy experts. The STF would provide to the WG a
succinct summary, with recommendations where appropriate.
members do not have the chance to exchange notes in private, there
is no point in doing collaborative writing.)
On the "Security technologies to look at" deliverable:
The team augmented the list that Darran initiated two weeks ago
with a few more items, and resolved that the delivery format would
be to compile a list and to provide a terse description and
reference pointer(s) to source(s) for each list item.
On the "Security Usage Scenarios" deliverable:
Hugo sent out to www-ws-arch a message pertaining to the latest
integration efforts with Steve in security usage scenarios.
Among the most noteworthy are the addition of Privacy scenarios and
the need for ACL and Auditing scenarios (to be added).
It is understood that the security usage scenarios will continue
to be an on-going effort for some time.
Preliminary Discussion on the security workshop/BOF idea
Whether Privacy is part of Security remains an open issue.
There was the opinion that the security framework should include
privacy. There was also the opposite opinion.
This would be a good topic for a security workshop to work out.
Abbie briefly made a case for holding a security workshop
(as opposed to BOF or no-go) and would repeat the
appeal in more detail to the WG at large via www-ws-arch.
Action Items:
* Joe to draft a succinct summary for the STF's rough
consensus on "scoping the requirements for the Web
Services Security working group."
* Abbie to compile the following list, which was initiated
by Darran and subsequently augmented with additions per
STF teamwork, by providing a terse description and reference
pointer(s) to source(s) for each technology named.
(The STF's assignment was to identify relevant security
technologies "to look at" (i.e. not "to investigate" or "to
harvest"), so a terse description will suffice. In-depth
discourse may be conducted over the public forum on demand.)
[Darran couldn't join the concall due to travel, but in
postmortem graciously volunteered to pitch in to do
the OASIS portion.]
OASIS WS-Security
- Spec
OASIS Security TC
- SAML 1.0
OASIS XCBF TC
- XCBF
OASIS Provisioning TC
- SPML
OASIS Access Control TC
- XACML
OASIS Rights Language TC
- XrML
OASIS ebXML
- Various security relevant elements
W3C XML Digital Signatures
- XML-DSIG
W3C XML Encryption
- XML Encryption
W3C/IETF XKMS
- XKISS
- XRISS
W3C SOAP 1.2
- Security stuff
DMTF
- Security stuff in CIM
BEEP
IPSec
TLS
PKIX
Kerberos
SASL
SACRED
S/MIME
IKE
* Abbie to make a case in the public list for holding a Web Services
Security Workshop (as opposed to a BOF (or no-go)).
* Hugo and Steve to continue the on-going efforts in security
usage scenarios. Much has been produced so far towards the
usage scenarios document's end. Due to the nature of the work
where new usage scenarios or the needs for such arise during
the progression of the work of the WSAWG, the STF, or the usage
scenarios work itself, this has been recognized to be a protracted
engagement. Hence, status updates on usage scenarios in the future
may switch to event based (i.e. consolidated reporting as situations
warrant) instead of time based.
</TF Meeting Minutes 7/29/2002>
Received on Tuesday, 30 July 2002 18:24:43 UTC