Action 2: Chris, to notity Description group of Nov. dates: DONE
Action 3: David Booth to post logisticts and registration to SysReq: DONE
Action 4: Mike and Daniel to generate report on WS Description
requirements:
Daniel: Mike sent 1st pass to me. I am in the process of updating
it. That's ongoing.
Chris: We wanted it done this week. When can we have it?
Daniel: Can I send it to you by Sat?
Chris: That's fine.
Action: For Daniel as above.
Daniel: Mike on the call? I want to make sure it is ok with
him
Mike: Ok
Action 5: Group members to register early and often once that page is made available : DONE
Action 6: Use case team to start next week with a weekly
meeting, after this meeting preferred. DONE
Hugo will pursue / persuade.
Action 7: Chris to extend Security ballot deadline to COB on 13 May. DONE
Action 8: All members who have not voted on Security ballot should do so by new deadline: DONE
Action 9: Chris to forward updated deadlines for other ballots: DONE
Chris: Hearing none, we take that as approval and WG agrees to accept the results of the straw-poll as indication of consensus for the items above, the editors will be instructed to remove the "D-" draft designation in the next editor's copy of our WD.
Daniel: Accepts the action item.
Chris: If those of you who felt these needed further discussion
can review your concerns with the group, see if we can have
consensus on we can live with what is already there (so we can
remove the Draft status) or make some friendly amendment. Anyone
for CSF 6.1?
I will read CSF 6.1.
Doug: IBM had a concern.
Chris: They are not on the call. So we will defer this.
?: AC006.2 received 4 D and 4 O and 1 L which adds up to as many
as Y votes.
Chris: Are you sure it is 6.2.
?: No it was 6.3
?: You are in the wrong place. It should be 6.3. Co-existence of
dissimilar authorization models
Chris: The concern was, somebody was questioning if we can have
dissimilar authorization models.
Mark Baker: That was me. I don't see how we can support more than
1.
Joe: 6.3 are we talking confidentiality or Auth model.
Chris: Auth Model.
Joe: Auth model, something uses ACLs, Security tickets and Tokens,
People are accustomed to more than one model. Some orgs use > 1
model including uname / pw and sophisticated ones like challenge
model. Intent is so that people don't have to conform to just one
model.
Chris: To summarize, we don't want to impose a specific auth model
on all web services. They should be free to choose whatever they
see as appropriate.
Joe: Yes. ..
Mark: So does the Ref arch have to pick a model?
Joe: No the idea is not to pick. The idea is to allow
co-existence.
Henrik: I am confused about why we have to pick something that
sounds like design choices.
Mark Jones: 6.4, 6.5 all say must include confidentiality, data
integrity but we don't put a caveat with allowance for co-existence
of dissimilar confidentiality models. Why put text on this
particular one?
Joe: When I wrote this I have the examples of some organizations
operating this in a certain way in mind. I can entertain deleting
w/o over diluting it.
Mark B: That sounds like a good idea to me. However w/ co-existence
of dissimilar models have an arch impact. If so, does it
even belong?
Mark Jones: Then the ? is shouldn't it qualify all of these.
Doug: Or should it be a separate CSF that is sort of orthogonal
to these covering the different areas of security.
Mike: Precluding is different from co-existence. Co-existence can
mean you can have more than one operating at the same time.
Daniel: I felt that the idea of not-precluding means we are
not precluding alternate way of doing things. We did the same /
Platforms and programming models
Doug: You are mixing two different things. W/ Platforms and
programming models we are making sure we don't require that a web
service is implemented on a particular platform or in a particular
way. Auth models are externally observable. Simultaneous
co-existence would raise the bar for web services in general.
Chris: Why don't we just drop the with allowance for ..security
fwk must include auth model. Can we agree to that?
Joe: Yes.
Chris: Anybody disagree? Hearing none we will drop that and can we
agree to remove the draft status on it with the change. Hearing
none we will make that change. Daniel, can you take the action?
Daniel: I will take this as a standing action item to update these
as they come in.
Chris: Next Req 6.6. Couple of people saying this should not be
a req, non-repudiation is a business function? Does this need further
discussion?
Mark B: Non-Repudiation is a legal thing not a technical
entity.
Suresh: Non-Repudiation is not legally binding. You can have
Non-Repudiation that is not legally binding in any
business.
Daniel: I am not worried about legal. In our document from a
technical perspective we need to make sure it is possible to
do.
Mark B: As long as it is clear we are not requiring any country to
have their laws in certain ways.
Chris: What if we change the text to say security fwk must enable
non-rep.
Joe: Some people may not want to do non-rep.
Zulah: I am one of the No voters on this. My concern is wording and
lack of clear definition of non-rep. Need in Glossary.
Chris: If we give action to Glossary editor will it work.
Zulah: Still cannot agree to the text as it is now.
David: How about 'Security fwk must permit non-rep bet txing
parties'.
Joe: Sometime back Suresh suggested RFC 2828 terms in glossary.
Suresh: David suggested "permit". That is a better direction.
Sandeep: I have an issue with must part of it.
Allen Brown: I have extracted a number of security terms you will
see them in glossary next week.
Chris: David's wording of 'Security fwk must permit non-rep bet
txing parties'. Can we go with it?
Mark Hapner: NR in WS glosses over NR Message level, Re level NR
vs Bus Txn level NR.
Joe: We should by RFC 282 defn (that will go in the glossary).
Abbie/Katia: We will make stmt on it and we will the Security group
define the details of it.
Mark Jones: This needs to be consistent with what Allen puts in
glossary.
Chris: Let's table this until this goes in glossary.
CSF-20:
Zulah: I have a concern w/ the term "Reference Architecture".
Chris: There is a defn in a Glossary.
Zulah: I have no concern then.
Doug: There was a Concern from Microsoft.
Allen Brown: My concern was that we have done that without ref to
our sister WG that is in this business.
Chris: P3P?
Allen: We should explicitly ack P3P.
?: They are acked in 20.1 right below.
Allen: P3P is used as a gen term or as a WG.
Chris: Table this. Hugo & I will come up with a proposal for
change.
a) D-AG001: the Chair has proposed alternate wording[6] that may
serve to close the consensus gap on this item. Can the WG agree to
the adoption of the proposed substitution text?
Daniel: Your proposed rewording w/o interoperability and a means
to determine the conformance
Chris: I am getting rid of "platform" not interoperability.
Daniel: I am ok w/ rem of platform but, I have issue w/ enable
rather than require.
Chris: We can not prevent people from doing non-interoperably. We
can only enable.
Henrik: I have concern w/ redefining all the blocks to be
interoperable.
Doug: We r defining ref arch, there will be a num of strds and
tech below that. How can you test for conf to ref arch?
Jeff: How can you perf interop testing to ref arch?
Chris: It does not say anything about testing.
Jeff: It says conformance.
Chris: It does not say conformance either.
Doug: My obj was to Daniel's proposed wording.
Chris: Any obj to new wording (w/o platform). No objections. OK to
go ahead.
b) D-AC001.3 and D-AC001.3.1: there seems to be a sense that these
items are out of context under D-AC001 and that they are already
covered elsewhere. The Chair has proposed[10] that these items be
removed. Does the WG concur?
Chris: Any obj to this proposal.
Joe: Read the proposals pls.
Chris: reads.
Daniel: If we change the wording of base CSF to your
suggestion we are just enabling interoperability there is no
need to do either of them. We might as well strike them from the
doc.
Chris: Ok. Any obj? Hearing none that's what we will do.
c) D-AC004: there has been some discussion on the mailing list
regarding this CSF. Although it carried a super-majority in the
strawpoll, the goal champion has drafted a proposed revision[12].
Does the WG accept the proposal as written?
Daniel: Seems way too specific to me. We should simply say
multiple devices multi platforms w/o going to specifics.
Chris: It does not say that.
Joe: It says mobile
Daniel: It says mobile & wireless.
?: Those have specific characteristics that make WS
challenging.
Roger: Prevly w/o some stmt like that it wasn't clear what was
being referred to.
Daniel: It seems to preclude other devices.
Sharad: It does include all devices.
Mike: Platform indep is already cov somewhere else. Dev indep is
sub-set of that. This goal should focus on prog model. Should be
orthogonal to dev ind/plat ind.
Lots of static...
Resolution?
d) D-AC004.1: there seems to be strong sentiment that this
particular CSF does not apply, as it refers to development tools.
The Chair has proposed[8] that this item be eliminated.
Chris: Sharad work w/ Mike on resolving this.
<lots of noise ... cont'd>
e) D-AR004.1: the Chair has proposed alternate wording[9] that may
help to close the consensus gap on this item. Can the WG agree to
the adoption of the proposed substitution text?
Chris: Any obj? Hearing none. Agreed to. Editors will remove
this.
?????Which item???
Chris: We will determine if there's support for adding these items
to the Requirements doc not as "final" but as draft items, and
using them as basis for further discussion:
Chris: Amended wording "provide consistent def of WS arch". Any obj
to revised wording. None. Approved.
Mike: I don't have prob w/ wording but seems misplaced. Why is it
under CSF AC004?
Chris: Approve the wording and make editorial note to move it some
place else appropriate.
Daniel: OK
f) Removal of bulleted text under D-AR006.11 [7]
Chris: Any obj on this. None. Take as Yes. Remove the item?
g) Addition of D-AR006.12 Auditing as requirement [13]
Chris: Any obj to adding this new security requirement? Hearing
None. Approved.
h) Addition of D-AR006.13 -- guidelines for ws sec admin[14]
Chris: Any obj to this? Going in a draft.
None. Approved to be added.
i) Mark B's proposal for a priori requirement[15]
Chris: Mark can you summarize the requirement.
Mark B: The idea is that we attempt to define common set of
methods to interact w/ any WS.
Joe: Is it like POSIX?
Mark B: No it is not. Lots of people get WSDL over HTTP. Something
like that..
Chris: Is there a link to a previously proposed test. If not
Daniel will add it. Can we add it as a draft req?
Hearing none, approved.
Present
AT&T | Mark Jones
AT&T | Ayse Dilber
Boeing Company | Gerald Edgar
Carnegie Mellon University | Katia Sycara
ChevronTexaco | Roger Cutler
Cisco Systems Inc | Sandeep Kumar
Computer Associates | Igor Sedukhin
CrossWeave, Inc. | Timothy Jones
DaimlerChrysler Research | Hans-Peter Steiert
EDS | Mike Ballantyne
EDS | Waqar Sadiq
Ericsson | Nilo Mitra
Exodus/Digital Island | Joseph Hui
Hewlett-Packard Company | Yin-Leng Husband
Hewlett-Packard Company | Zulah Eckert
Intel Corporation | Sharad Garg
Intel Corporation | Joel Munter
MartSoft Corp. | Jin Yu
Microsoft Corporation | Allen Brown
Microsoft Corporation | Henrik Nielsen
MITRE Corporation | James Davenport
MITRE Corporation | Paul Denning
Nokia | Michael Mahan
Nortel Networks | Abbie Barbir
Oracle Corporation | Jeff Mischkinsky
Planetfred, Inc. | Mark Baker
Rogue Wave Software | David Noor
SAP | Sinisa Zimek
SeeBeyond Technology Corp | Alan Davies
Software AG | Michael Champion
Sterling Commerce(SBC) | Suresh Damodaran
Sun Microsystems, Inc. | Chris Ferris
Sun Microsystems, Inc. | Doug Bunting
Sun Microsystems, Inc. | Mark Hapner
The Thomson Corporation | Hao He
W. W. Grainger, Inc. | Tom Carroll
W. W. Grainger, Inc. | Daniel Austin
W3C | David Booth
webMethods, Inc. | Prasad Yendluri

Regrets
BEA Systems | David Orchard
Contivo | Dave Hollander
DISA | Marcel Jemio
Documentum | Don Robertson
IONA | Steve Vinoski
Ipedo | Srinivas Pandrangi
Macromedia | Glen Daniels
Sybase, Inc. | Himagiri Mukkamala
Systinet | Anne Thomas Manes
TIBCO Software, Inc. | Scott Vorthmann
T-Nova Deutsche Telekom | Jens Meinkoehn
W3C | Hugo Haas
XQRL Inc. | Tom Bradford

Absent
Apple | Mike Brumbelow
Artesia Technologies | Dipto Chakravarty
Cisco Systems Inc | Krishna Sankar
DaimlerChrysler Research | Mario Jeckle
France Telecom | Shishir Garg
IBM | Heather Kreger
IBM | Jim Knutson
Intalio Inc | Bob Lojek
IONA | Eric Newcomer
Ipedo | Alex Cheng
Macromedia | Tom Jordahl
MartSoft Corp. | Jun Chen
Rogue Wave Software | Patrick Thompson
Software AG | Nigel Hutchison
VeriSign, Inc. | Michael Mealling
Waveset Technologies | Darran Rolls
XQRL Inc. | Daniela Florescu