WSAWG Minutes 16-May-2002

Attendance, Action Items
Scribe: Prasad Yendluri, webMethods

1. Roll call, scribes for minutes/action items (15.30 + 5)

2. Agenda review, and AOB (15.35 + 5)

Chris: Any other business
Daniel: Might want to talk a little about F2F
Chris: We can do that in the status update section.

3. Approval of 9 May telcon minutes [2] (15.40 + 5)

4. Review action items [3] (15.45 + 5)

Action 1: Chris to send schedule proposal: DONE

Action 2: Chris, to notify Description group of Nov. dates: DONE

Action 3: David Booth to post logistics and registration to SysReq: DONE

Action 4: Mike and Daniel to generate report on WS Description requirements:
Daniel: Mike sent 1st pass to me. I am in the process of updating it. That's ongoing.
Chris: We wanted it done this week. When can we have it?
Daniel: Can I send it to you by Sat?
Chris: That's fine.
Action: For Daniel as above.
Daniel: Mike on the call? I want to make sure it is ok with him
Mike: Ok

Action 5: Group members to register early and often once that page is made available : DONE

Action 6: Use case team to start next week with a weekly meeting, after this meeting preferred.  DONE
               Hugo will pursue / persuade.

Action 7: Chris to extend Security ballot deadline to COB on 13 May. DONE

Action 8: All members who have not voted on Security ballot should do so by new deadline: DONE

Action 9: Chris to forward updated deadlines for other ballots: DONE

5. Status (15.50 + 10)

Chris: Please register. If you are not going to attend, register your regrets so we have an idea who we can expect. The registration closes on the 1st?
David: Closes on May 30th.
Chris: I will get a preliminary agenda to discuss for the next week's Call.
Action Item: To Chris as above.
Chris: Anything else on F2F?
Daniel: Is it possible for the editors to have a pre-F2F meeting on Tuesday?
Chris: We can look into doing it.  We will work on that behind the scenes on the mailing list, if you will.
Daniel: OK
Chris: Not much to report. We had only 3 of us on the call this week. We gave SSH off to Hugo to get CVS accounts.
Chris: Not much to report. We did not meet last week but we will be meeting directly following this call today. Dave Hollander sent regrets, so I will be leading this call.
Chris: No other issues. Nothing to report.

 6. Review of Requirements WD balloting results (16.00 + 10)

Chris: As per last week's call I extended the balloting period for the security ballot. I posted the results after COB on Monday. We had 21/22 responses. A number of the items listed (the Goal itself, CSF 6, Reqs 6.2.1, 6.4 and 6.5) received a super majority of Y votes to the text as written. There were no D (needs further discussion) or O (out of scope). Based on those results, can we agree to these votes and remove their draft status? Anyone object?

Chris: Hearing none, we take that as approval and WG agrees to accept the results of the straw-poll as indication of consensus for the items above, the editors will be instructed to remove the "D-" draft designation in the next editor's copy of our WD.

Daniel: Accepts the action item.

 7. More review of Requirements WD balloting results (16.10 + 20)

Chris: The following items received greater than a super majority of 'Y's but also received 1 or 2 'D' or 'O's. These may be able to be resolved with some minor tweaking: AC006.1, D-AR006.3, D-AR006.6, D-AC020

Chris: If those of you who felt these needed further discussion can review your concerns with the group, see if we can have consensus that we can live with what is already there (so we can remove the Draft status) or make some friendly amendment. Anyone for CSF 6.1? I will read CSF 6.1.

Doug: IBM had a concern.
Chris: They are not on the call. So we will defer this.
?: AC006.2 received 4 D and 4 O and 1 L which adds up to as many as Y votes.
Chris: Are you sure it is 6.2?
?: No it was 6.3
?: You are in the wrong place. It should be 6.3. Co-existence of dissimilar authorization models
Chris: The concern was, some body was questioning if we can have dissimilar authorization models..
Mark Baker: That was me. I don't see how we can support more than 1.
Joe: 6.3, are we talking confidentiality or Auth model?
Chris: Auth Model.
Joe: Auth model: something uses ACLs, Security tickets and Tokens. People are accustomed to more than one model. Some orgs use > 1 model, including uname / pw and sophisticated ones like the challenge model. Intent is so that people don't have to conform to just one model.
Chris: To summarize, we don't want to impose a specific auth model on all web services. They should be free to choose whatever they see as appropriate.
Joe: Yes. ..
Mark: So does the Ref arch have to pick a model?
Joe: No the idea is not to pick. The idea is to allow co-existence.
Henrik: I am confused about why we have to pick something that sounds like design choices.
Mark Jones: 6.4, 6.5 all say must include confidentiality, data integrity but we don't put a caveat with allowance for co-existence of dissimilar confidentiality models. Why put text on this particular one?
Joe: When I wrote this I had the examples of some organizations operating this in a certain way in mind. I can entertain deleting w/o over diluting it.
Mark B: That sounds like a good idea to me. However, w/ co-existence of dissimilar models has an arch impact. If so, does it even belong?
Mark Jones: Then the ? is shouldn't it qualify all of these.
Doug: Or should it be a separate CSF that is sort of orthogonal to these, covering the different areas of security.
Mike: Precluding is different from co-existence. Co-existence can mean you can more than one operating at the same time.
Daniel: I felt that the idea of not-precluding means we are not precluding alternate ways of doing things. We did the same w/ Platforms and programming models.
Doug: You are mixing two different things. W/ Platforms and programming models we are making sure we don't require that a web service is implemented on a particular platform or in a particular way. Auth models are externally observable. Simultaneous co-existence would raise the bar for web services in general.
Chris: Why don't we just drop the "with allowance for ..." so the fwk must include auth model. Can we agree to that?
Joe: Yes.
Chris: Anybody disagree? Hearing none, we will drop that. And can we agree to remove the draft status on it with the change? Hearing none, we will make that change. Daniel, can you take the action?
Daniel: I will take this as a standing action item to update these as they come in.

Chris: Next, Req 6.6. A couple of people are saying this should not be a req; non-repudiation is a business function? Does this need further discussion?
Mark B: Non-Repudiation is a legal thing, not a technical entity.
Suresh: Non-Repudiation is not legally binding. You can have Non-Repudiation that is not legally binding in any business.
Daniel: I am not worried about legal. In our document, from a technical perspective, we need to make sure it is possible to do.
Mark B: As long as it is clear we are not requiring any country to have their laws in certain ways.
Chris: What if we change the text to say security fwk must enable non-rep?
Joe: Some people may not want to do non-rep.
Zula: I am one of the No voters on this. My concern is wording and lack of clear definition of non-rep. Need in Glossary.
Chris: If we give an action to the Glossary editor, will it work?
Zula: Still can not agree to the text as it is now.
David:  How about 'Security fwk must permit non-rep bet txing parties'.
Joe: Sometime back Suresh suggested RFC 2828 terms in the glossary.
Suresh: David suggested "permit". That is a better direction.
Sandeep: I have an issue with must part of it.
Allen Brown: I have extracted a number of security terms you will see them in glossary next week.
Chris: David's wording of 'Security fwk must permit non-rep bet txing parties'. Can we go with it?
Mark Hapner: NR in WS glosses over NR Message level, Re level NR vs Bus Txn level NR.
Joe: We should go by the RFC 282 defn (that will go in the glossary).
Abby/Katia: We will make a stmt on it and we will let the Security group define the details of it.
Mark Jones: This needs to be consistent with what Allen puts in glossary.
Chris: Let's table this until this goes in the glossary.

Zula: I have a concern w/ the term "Reference Architecture".
Chris: There is a defn in a Glossary.
Zula: I have no concern then.
Doug: There was a Concern from Microsoft.
Allen Brown: My concern was that we have done that without ref to our sister WG that is in this business.
Chris: P3P?
Allen: We should explicitly ack P3P.
?: They are acked in 20.1 right below.
Allen: P3P is used as a gen term or as a WG.
Chris: Table this. Hugo & I will come up with a proposal for change.

 8. Review and consideration of proposals stemming from balloting (16.30 + 20)

Chris: We'll spend about 5 minutes each (at most) on each of the proposals below. If these cannot be addressed in the 5 minutes allotted, then they'll be kicked back to discussion via email.

a) D-AG001: the Chair has proposed alternate wording[6] that may serve
to close the consensus gap on this item. Can the WG agree to the adoption of
the proposed substitution text?

Daniel: Your proposed rewording is w/o interoperability and a means to determine the conformance.
Chris: I am getting rid of "platform", not interoperability.
Daniel: I am ok w/ rem of platform but I have an issue w/ enable rather than require.
Chris: We can not prevent people from doing non-interoperably. We can only enable.
Henrik: I have concern w/ redefining all the blocks to be interoperable.
Doug: We are defining a ref arch; there will be a num of strds and tech below that. How can you test for conf to a ref arch?
Jeff: How can you perf interop testing to ref arch?
Chris: It does not say anything about testing.
Jeff: It says conformance.
Chris: It does not say conformance either.
Doug: My obj was to Daniel's proposed wording.
Chris: Any obj to new wording (w/o platform). No objections. OK to go ahead.

b) D-AC001.3 and D-AC001.3.1: there seems to be a sense that these
items are out of context under D-AC001 and that they are already
covered elsewhere. The Chair has proposed[10] that these items be
removed. Does the WG concur?

Chris: Any obj to this proposal?
Joe: Read the proposals pls.
Chris: reads.
Daniel: If we change the wording of the base CSF to your suggestion, we are just enabling interoperability; there is no need to do either of them. We might as well strike them from the doc.
Chris: Ok. Any obj? Hearing none, that is what we will do.

c) D-AC004: there has been some discussion on the mailing list regarding
this CSF. Although it carried a super-majority in the strawpoll, the goal
champion has drafted a proposed revision[12]. Does the WG accept the
proposal as written?

Daniel: Seems way too specific to me. We should simply say multiple devices, multi platforms w/o going to specifics.
Chris: It does not say that.
Joe: It says mobile
Daniel: It says mobile & wireless.
?: Those have specific characteristics that make WS challenging.
Roger: Prevly, w/o some stmt like that, it wasn't clear what was being referred to.
Daniel: It seems to preclude other devices.
Sharad: It does include all devices.
Mike: Platform indep is already cov somewhere else. Dev indep is a sub-set of that. This goal should focus on prog model. Should be orthogonal to dev ind/plat ind.
Lots of static...

d) D-AC004.1: there seems to be strong sentiment that this particular CSF
does not apply, as it refers to development tools. The Chair has proposed[8]
that this item be eliminated.

Chris: Sharad work w/ Mike on resolving this.
<lots of noise ... cont'd>

e) D-AR004.1: the Chair has proposed alternate wording[9] that may help
to close the consensus gap on this item. Can the WG agree to the
adoption of the proposed substitution text?

Chris: Any obj? Hearing none. Agreed to. Editors will remove this.

?????Which item???
Chris: We will determine if there's support for adding these items to the Requirements doc not as "final" but as draft items, and using them as a basis for further discussion:
Chris: Amended wording "provide consistent def of WS arch". Any obj to the revised wording? None. Approved.
Mike: I don't have prob w/ wording but seems misplaced. Why is it under CSF AC004?
Chris: Approve the wording and make editorial note to move it some place else appropriate.
Daniel: OK

f) Removal of bulleted text under D-AR006.11 [7]

Chris: Any obj on this. None. Take as Yes. Remove the item?

g) Addition of D-AR006.12 Auditing as requirement [13]
Chris: Any obj to adding this new security requirement? Hearing None. Approved.

h) Addition of D-AR006.13 -- guidelines for ws sec admin[14]
Chris: Any obj to this? Going in a draft.
None. Approved to be added.

i) Mark B's proposal for a priori requirement[15]
Chris: Mark can you summarize the requirement.
Mark B: The idea is that we attempt to define a common set of methods to interact w/ any WS.
Joe: Is it like POSIX?
Mark B: No it is not. Lots of people get WSDL over HTTP. Something like that.
Chris: Is there a link to a previously proposed test? If not, Daniel will add it. Can we add it as a draft req? Hearing none, approved.

9. Discussion of thread on drafting WS Sec WG charter (16.50 + 10)

Chris: We are out of time. We will discuss Security WG charter now. No time to talk about item #9. Goes back on agenda for next week.
Chris: We have only < 50% responding ballots. Pls read them and vote.

Action Items

ACTION: Daniel will get WSD Requirements feedback report ready by Saturday [1]
   recorded in
ACTION: Chris Ferris to get preliminary F2F agenda out by Monday [2]
   recorded in
ACTION: Daniel Austin to update D-AR006.3 to "AR006.3 The security framework must include Authorization." [3]
   recorded in
ACTION: Allen Brown to add a definition for Non-Repudiation. [4]
   recorded in
ACTION: Chris Ferris to clean up D-AC020 to explicitly mention P3P and/or the P3P WG. [5]
   recorded in
ACTION: Sharad and Mike Mahon continue to noodle on 004. [6]
   recorded in
ACTION: Daniel Austin to remove bullet item from 6.11 [7]
   recorded in


AT&T Mark Jones
AT&T Ayse Dilber
Boeing Company Gerald Edgar
Carnegie Mellon University Katia Sycara
ChevronTexaco Roger Cutler
Cisco Systems Inc Sandeep Kumar
Computer Associates Igor Sedukhin
CrossWeave, Inc. Timothy Jones
DaimlerChrysler Research Hans-Peter Steiert
EDS Mike Ballantyne
EDS Waqar Sadiq
Ericsson Nilo Mitra
Exodus/Digital Island Joseph Hui
Hewlett-Packard Company Yin-Leng Husband
Hewlett-Packard Company Zulah Eckert
Intel Corporation Sharad Garg
Intel Corporation Joel Munter
MartSoft Corp. Jin Yu
Microsoft Corporation Allen Brown
Microsoft Corporation Henrik Nielsen
MITRE Corporation James Davenport
MITRE Corporation Paul Denning
Nokia Michael Mahan
Nortel Networks Abbie Barbir
Oracle Corporation Jeff Mischkinsky
Planetfred, Inc. Mark Baker
Rogue Wave Software David Noor
SAP Sinisa Zimek
SeeBeyond Technology Corp Alan Davies
Software AG Michael Champion
Sterling Commerce(SBC) Suresh Damodaran
Sun Microsystems, Inc. Chris Ferris
Sun Microsystems, Inc. Doug Bunting
Sun Microsystems, Inc. Mark Hapner
The Thomson Corporation Hao He
W. W. Grainger, Inc. Tom Carroll
W. W. Grainger, Inc. Daniel Austin
W3C David Booth
webMethods, Inc. Prasad Yendluri
BEA Systems David Orchard
Contivo Dave Hollander
DISA Marcel Jemio
Documentum Don Robertson
IONA Steve Vinoski
Ipedo Srinivas Pandrangi
Macromedia Glen Daniels
Sybase, Inc. Himagiri Mukkamala
Systinet Anne Thomas Manes
TIBCO Software, Inc. Scott Vorthmann
T-Nova Deutsche Telekom Jens Meinkoehn
W3C Hugo Haas
XQRL Inc. Tom Bradford
Apple Mike Brumbelow
Artesia Technologies Dipto Chakravarty
Cisco Systems Inc Krishna Sankar
DaimlerChrysler Research Mario Jeckle
France Telecom Shishir Garg
IBM Heather Kreger
IBM Jim Knutson
Intalio Inc Bob Lojek
IONA Eric Newcomer
Ipedo Alex Cheng
Macromedia Tom Jordahl
MartSoft Corp. Jun Chen
Rogue Wave Software Patrick Thompson
Software AG Nigel Hutchison
VeriSign, Inc. Michael Mealling
Waveset Technologies Darran Rolls
XQRL Inc. Daniela Florescu