Action 2: Chris, to notify Description group of Nov. dates: DONE
Action 3: David Booth to post logistics and registration to SysReq: DONE
Action 4: Mike and Daniel to generate report on WS Description
Daniel: Mike sent 1st pass to me. I am in the process of updating it. That's ongoing.
Chris: We wanted it done this week. When can we have it?
Daniel: Can I send it to you by Sat?
Chris: That's fine.
Action: For Daniel as above.
Daniel: Mike on the call? I want to make sure it is ok with him
Action 5: Group members to register early and often once that page is made available : DONE
Action 6: Use case team to start next week with a weekly
meeting, after this meeting preferred. DONE
Hugo will pursue / persuade.
Action 7: Chris to extend Security ballot deadline to COB on 13 May. DONE
Action 8: All members who have not voted on Security ballot should do so by new deadline: DONE
Action 9: Chris to forward updated deadlines for other ballots: DONE
Chris: Hearing none, we take that as approval and WG agrees to accept the results of the straw-poll as indication of consensus for the items above, the editors will be instructed to remove the "D-" draft designation in the next editor's copy of our WD.
Daniel: Accepts the action item.
Chris: If those of you who felt these needed further discussion
can review your concerns with the group, see if we can have
consensus on we can live with what is already there (so we can
remove the Draft status) or make some friendly amendment. Anyone
for CSF 6.1?
I will read CSF 6.1.
Doug: IBM had a concern.
Chris: They are not on the call. So we will defer this.
?: AC006.2 received 4 D and 4 O and 1 L which adds up to as many as Y votes.
Chris: Are you sure it is 6.2.
?: No it was 6.3
?: You are in the wrong place. It should be 6.3. Co-existence of dissimilar authorization models
Chris: The concern was, somebody was questioning if we can have dissimilar authorization models.
Mark Baker: That was me. I don't see how we can support more than 1.
Joe: 6.3 are we talking confidentiality or Auth model.
Chris: Auth Model.
Joe: Auth model, something uses ACLs, Security tickets and Tokens, People are accustomed to more than one model. Some orgs use > 1 model including uname / pw and sophisticated ones like challenge model. Intent is so that people don't have to conform to just one model.
Chris: To summarize, we don't want to impose a specific auth model on all web services. They should be free to choose whatever they see as appropriate.
Joe: Yes. ..
Mark: So does the Ref arch have to pick a model?
Joe: No the idea is not to pick. The idea is to allow co-existence.
Henrik: I am confused about why we have to pick something that sounds like design choices.
Mark Jones: 6.4, 6.5 all say must include confidentiality, data integrity but we don't put a caveat with allowance for co-existence of dissimilar confidentiality models. Why put text on this particular one?
Joe: When I wrote this I had the examples of some organizations operating this in a certain way in mind. I can entertain deleting w/o over diluting it.
Mark B: That sounds like a good idea to me. However w/ co-existence of dissimilar models have an arch impact. If so, does it even belong?
Mark Jones: Then the ? is shouldn't it qualify all of these.
Doug: Or should it be a separate CSF that is sort of orthogonal to these covering the different areas of security.
Mike: Precluding is different from co-existence. Co-existence can mean you can have more than one operating at the same time.
Daniel: I felt that the idea of not-precluding means we are not precluding alternate way of doing things. We did the same w/ Platforms and programming models.
Doug: You are mixing two different things. W/ Platforms and programming models we are making sure we don't require that a web service is implemented on a particular platform or in a particular way. Auth models are externally observable. Simultaneous co-existence would raise the bar for web services in general.
Chris: Why don't we just drop the with allowance for ..security fwk must include auth model. Can we agree to that?
Chris: Anybody disagree? Hearing none we will drop that and can we agree to remove the draft status on it with the change. Hearing none we will make that change. Daniel, can you take the action?
Daniel: I will take this as a standing action item to update these as they come in.
Chris: Next Req 6.6. Couple of people saying this should not be
a req, non-repudiation is a business function? Does this further
Mark B: Non-Repudiation is a legal thing not a technical entity.
Suresh: Non-Repudiation is not legally binding. You can have Non-Repudiation that is not legally binding in any business.
Daniel: I am not worried about legal. In our document from a technical perspective we need to make sure it is possible to do.
Mark B: As long as it is clear we are not requiring any country to have their laws in certain ways.
Chris: What if we change the text to say security fwk must enable non-rep.
Joe: Some people may not want to do non-rep.
Zula: I am one of the No voters on this. My concern is wording and lack of clear definition of non-rep. Need in Glossary.
Chris: If we give action to Glossary editor will it work.
Zula: Still can not agree to the text as it is now.
David: How about 'Security fwk must permit non-rep bet txing parties'.
Joe: Some time back Suresh suggested RFC 2828 terms in glossary.
Suresh: David suggested "permit". That is a better direction.
Sandeep: I have an issue with must part of it.
Allen Brown: I have extracted a number of security terms you will see them in glossary next week.
Chris: David's wording of 'Security fwk must permit non-rep bet txing parties'. Can we go with it?
Mark Hapner: NR in WS glosses over NR Message level, Re level NR vs Bus Txn level NR.
Joe: We should by RFC 282 defn (that will go in the glossary).
Abby/Katia: We will make stmt on it and we will the Security group define the details of it..
Mark Jones: This needs to be consistent with what Allen puts in glossary.
Chris: Let's table this until this goes in glossary.
Zula: I have a concern w/ the term "Reference Architecture".
Chris: There is a defn in a Glossary.
Zula: I have no concern then.
Doug: There was a Concern from Microsoft.
Allen Brown: My concern was that we have done that without ref to our sister WG that is in this business.
Allen: We should explicitly ack P3P.
?: They are acked in 20.1 right below.
Allen: P3P is used as a gen term or as a WG.
Chris: Table this. Hugo & I will come up with a proposal for change.
a) D-AG001: the Chair has proposed alternate wording that may
to close the consensus gap on this item. Can the WG agree to the adoption of
the proposed substitution text?
Daniel: Your proposed rewording w/o interoperability and a means
to determine the conformance
Chris: I am getting rid of "platform" not interoperability.
Daniel: I am ok w/ rem of platform but, I have issue w/ enable rather than require.
Chris: We can not prevent people from doing non-interoperably. We can only enable.
Henrik: I have concern w/ redefining all the blocks to be interoperable.
Doug: We r defining ref arch, there will be a num of strds and tech below that. How can you test for conf to ref arch?
Jeff: How can you perf interop testing to ref arch?
Chris: It does not say anything about testing.
Jeff: It says conformance.
Chris: It does not say conformance either.
Doug: My obj was to Daniel's proposed wording.
Chris: Any obj to new wording (w/o platform). No objections. OK to go ahead.
b) D-AC001.3 and D-AC001.3.1: there seems to be a sense that
items are out of context under D-AC001 and that they are already
covered elsewhere. The Chair has proposed that these items be
removed. Does the WG concur?
Chris: Any obj to this proposal.
Joe: Read the proposals pls.
Daniel: If we change the wording of base CSF to your suggestion we are just enabling interoperability there is no need to do either of them. We might as well strike them from the doc.
Chris: Ok. Any obj? Hearing none, that's what we will do.
c) D-AC004: there has been some discussion on the mailing list
this CSF. Although it carried a super-majority in the strawpoll, the goal
champion has drafted a proposed revision. Does the WG accept the
proposal as written?
Daniel: Seems way too specific to me. We should simply say
multiple devices multi platforms w/o going to specifics.
Chris: It does not say that.
Joe: It says mobile
Daniel: It says mobile & wireless.
?: Those have specific characteristics that make WS challenging.
Roger: Prevly w/o some stmt like that it wasn't clear what was being referred to.
Daniel: It seems to preclude other devices.
Sharad: It does include all devices.
Mike: Platform indep is already cov somewhere else. Dev indep is sub-set of that. This goal should focus on prog model. Should be orthogonal to dev ind/plat ind.
Lots of static...
d) D-AC004.1: there seems to be strong sentiment that this
does not apply, as it refers to development tools. The Chair has proposed
that this item be eliminated.
Chris: Sharad work w/ Mike on resolving this.
<lots of noise ... cont'd>
e) D-AR004.1: the Chair has proposed alternate wording that
to close the consensus gap on this item. Can the WG agree to the
adoption of the proposed substitution text?
Chris: Any obj? Hearing none. Agreed to. Editors will remove
Chris: We will determine if there's support for adding these items to the Requirements doc not as "final" but as draft items, and using them
as basis for further discussion:
Chris: Amended wording " provide consistent def of WS arch ". Any obj to revised wording. None. Approved.
Mike: I don't have prob w/ wording but seems misplaced. Why is it under CSF AC004?
Chris: Approve the wording and make editorial note to move it some place else appropriate.
f) Removal of bulleted text under D-AR006.11 
Chris: Any obj on this. None. Take as Yes. Remove the item?
g) Addition of D-AR006.12 Auditing as requirement 
Chris: Any obj to adding this new security requirement? Hearing None. Approved.
h) Addition of D-AR006.13 -- guidelines for ws sec admin
Chris: Any obj to this? Going in a draft.
None. Approved to be added.
i) Mark B's proposal for a priori requirement
Chris: Mark can you summarize the requirement.
Mark B: The idea is that we attempt to define common set of methods to interact w/ any WS.
Joe: Is it like POSIX?
Mark B: No it is not. Lots of people get WSDL over HTTP. Something like that..
Chris: Is there a link to a previously proposed test. If not Daniel will add it. Can we add it as a draft req?
Hearing none approved.
|Boeing Company||Gerald Edgar|
|Carnegie Mellon University||Katia Sycara|
|Cisco Systems Inc||Sandeep Kumar|
|Computer Associates||Igor Sedukhin|
|CrossWeave, Inc.||Timothy Jones|
|DaimlerChrysler Research||Hans-Peter Steiert|
|Exodus/Digital Island||Joseph Hui|
|Hewlett-Packard Company||Yin-Leng Husband|
|Hewlett-Packard Company||Zulah Eckert|
|Intel Corporation||Sharad Garg|
|Intel Corporation||Joel Munter|
|MartSoft Corp.||Jin Yu|
|Microsoft Corporation||Allen Brown|
|Microsoft Corporation||Henrik Nielsen|
|MITRE Corporation||James Davenport|
|MITRE Corporation||Paul Denning|
|Nortel Networks||Abbie Barbir|
|Oracle Corporation||Jeff Mischkinsky|
|Planetfred, Inc.||Mark Baker|
|Rogue Wave Software||David Noor|
|SeeBeyond Technology Corp||Alan Davies|
|Software AG||Michael Champion|
|Sterling Commerce(SBC)||Suresh Damodaran|
|Sun Microsystems, Inc.||Chris Ferris|
|Sun Microsystems, Inc.||Doug Bunting|
|Sun Microsystems, Inc.||Mark Hapner|
|The Thomson Corporation||Hao He|
|W. W. Grainger, Inc.||Tom Carroll|
|W. W. Grainger, Inc.||Daniel Austin|
|webMethods, Inc.||Prasad Yendluri|
|BEA Systems||David Orchard|
|Sybase, Inc.||Himagiri Mukkamala|
|Systinet||Anne Thomas Manes|
|TIBCO Software, Inc.||Scott Vorthmann|
|T-Nova Deutsche Telekom||Jens Meinkoehn|
|XQRL Inc.||Tom Bradford|
|Artesia Technologies||Dipto Chakravarty|
|Cisco Systems Inc||Krishna Sankar|
|DaimlerChrysler Research||Mario Jeckle|
|France Telecom||Shishir Garg|
|Intalio Inc||Bob Lojek|
|MartSoft Corp.||Jun Chen|
|Rogue Wave Software||Patrick Thompson|
|Software AG||Nigel Hutchison|
|VeriSign, Inc.||Michael Mealling|
|Waveset Technologies||Darran Rolls|
|XQRL Inc.||Daniela Florescu|