[01:51:50] --- Jeffrey Altman has become available
[01:52:27] * Jeffrey Altman has changed the subject to: IETF63 GSS-API Next Generation WG
[01:59:20] --- raeburn@jis.mit.edu has become available
[02:04:21] --- raeburn@jis.mit.edu has left
[02:07:56] --- Ken Raeburn has become available
[02:32:40] --- Ken Raeburn has left: Disconnected
[02:32:53] --- Jeffrey Altman has left
[02:45:51] --- Jeffrey Altman has become available
[02:48:42] --- Jeffrey Altman has left
[02:52:38] --- Ken Raeburn has become available
[03:03:18] --- warlord has become available
[03:07:30] --- tlyu has become available
[03:09:11] <Ken Raeburn> Meeting starts...
[03:10:04] <Ken Raeburn> Need two scribes, minutes and jabber.
[03:10:14] <Ken Raeburn> Two for jabber, jhutz says.
[03:10:30] --- pguenther has become available
[03:10:33] <Ken Raeburn> Is anyone willing to take jabber notes?
[03:10:45] --- sommerfeld has become available
[03:10:55] <Ken Raeburn> Or Jeff can just pick someone.
[03:11:02] --- lha has become available
[03:11:08] --- Jeffrey Altman has become available
[03:11:19] * pguenther scribes
[03:11:26] --- shima has become available
[03:12:05] <pguenther> remote may listen to audio stream at http://videolab.uoregon.edu/events/ietf/ietf63.html
[03:12:29] --- hartmans has become available
[03:12:50] <pguenther> document status:
[03:13:09] <hartmans> Test
[03:13:13] <pguenther> (agenda bash)
[03:13:24] <pguenther> ack
[03:13:58] --- nico has become available
[03:14:04] <nico> hi
[03:14:05] <Ken Raeburn> agenda proposed: doc status, tech discussion, updated milestones
[03:14:09] --- jhutz has become available
[03:14:32] <Ken Raeburn> Jeff wants pictures of the WG session, if convenient for anyone.
[03:14:42] <jhutz> who here is not in the room?
[03:15:00] <nico> phillip?
[03:15:12] <Ken Raeburn> GSSAPI PRF API extension: draft -05 submitted, should fix issues from previous last call, new WGLC expected next week
[03:15:25] <nico> I don't see phillip in the room
[03:15:38] <Ken Raeburn> Krb5 PRF did pass WGLC, but IETF LC held for generic one
[03:15:55] <pguenther> nico: I'm physically here
[03:16:01] <nico> ah, sorry
[03:16:16] <nico> yes, I see you now :)
[03:16:28] <Ken Raeburn> Corrections & updates to GSSAPI Java bindings: Draft had just a list of proposed changes to RFC 2853 to make it match shipping code. No known 2853 implementations.
[03:16:34] <hartmans> I don't recall an IETF LC
[03:17:01] <nico> for which?
[03:17:10] <Ken Raeburn> Java Community Process produced current API. IETF<->JCP interaction issues have been discussed.
[03:17:29] <Ken Raeburn> Sam: Right, Jeff said we were holding off on the IETF LC until the generic doc is ready too.
[03:18:00] <Ken Raeburn> (java) New draft will be submitted soon.
[03:18:33] --- jsalowey has become available
[03:18:37] <Ken Raeburn> C# bindings: Before last meeting, we thought one doc would describe Java and C#. Then a couple weeks discussion said it wasn't a good idea. C# bindings still based on 2853 with
[03:18:47] <Ken Raeburn> syntax mods. New draft should be available in next week or two.
[03:19:26] <Ken Raeburn> Desired enhancements to naming submitted. WGLC will start Monday. Discussion on section 7...
[03:20:29] <Ken Raeburn> Jeff thinks it's too short. Purpose of doc is to desrcibe problem to be solved. Volunteered to draft text to better describe the problem.
[03:21:03] <Ken Raeburn> Of people who read the doc, only Sam thinks current text is sufficient, and only "sort of".
[03:22:26] <Ken Raeburn> Sam thinks it's enough to tell whether something is in or out of scope, but a better description is fine if it doesn't slow things down.
[03:22:58] <pguenther> sam: draft should scope the problem sufficient to decide whether other docs are in scope or actually solve part of problem
[03:23:11] <Ken Raeburn> Jeff will submit text to WG and see.
[03:23:57] <Ken Raeburn> Nico's GSS Naming Extensions draft, no feedback since May submission. Tries to fix some of the problems in Sam's draft. Few people here have read it.
[03:24:20] <Ken Raeburn> Needs review, so please read it.
[03:25:04] <Ken Raeburn> GSSAPI v2 clarifications. No draft submitted, milestone missed. Had a volunteer for -00 draft last meeting, since withdrawn, no work done.
[03:25:20] <Ken Raeburn> Have editor volunteer, but not author.
[03:26:09] <Ken Raeburn> Want to use time this meeting as working session to go through archives, extract text, at least generate outline.
[03:26:20] <Ken Raeburn> Q on WG status?
[03:26:33] <Ken Raeburn> Tech discussion. Nico, GSSAPI naming extensions.
[03:27:07] <Ken Raeburn> (Nobody's read it. Have Nico do a dramatic reading? Interpretive dance?)
[03:27:55] <Ken Raeburn> draft-ietf-kitten-gssapi-naming-exts-00.txt
[03:28:17] <Ken Raeburn> Nico reads off the list of sections...
[03:29:39] <Ken Raeburn> Sec 5 deals with name attributes and using PKIX attributes, Kerberos authorization data, etc, through this API. Not meant to stay here so much as scare people into reviewing it and put into separate drafts.
[03:31:10] <Ken Raeburn> Some trouble getting the display readable, Jeff's using Windows, but luckily Larry is here to help. :-)
[03:31:39] <Jeffrey Altman> is anyone on Jabber that is not physically present in the room?
[03:32:25] <Ken Raeburn> Want to model anything interesting besides display name as attributes. APIs for setting and querying attributes of names.
[03:33:11] <Ken Raeburn> Includes criticality of attributes.
[03:36:40] --- nico has left: Disconnected
[03:41:56] <Ken Raeburn> Some discussion of PKIX aspects; Nico wants help in this area, not being an expect.
[03:43:34] --- ja has become available
[03:43:35] <Ken Raeburn> (Got a volunteer, but I didn't catch the name.)
[03:43:57] <Ken Raeburn> lha: Need to think about proxy certificates.
[03:44:32] <Ken Raeburn> sam: This has gone further than I was expecting. Makes nervous, though might not really be a problem. We've bitten off a big chunk...
[03:44:41] <Ken Raeburn> nico: Yep.
[03:45:08] --- jsalowey has left: Disconnected
[03:45:35] <Ken Raeburn> sam: Do we need criticality? Probably. But GSS doesn't have any of that right now.
[03:47:36] <Ken Raeburn> tom: We're introducing (discovering?) a great deal of complexity in naming. Even if needed for security, how do you build a UI to cope with it?
[03:48:12] <pguenther> bill: PKUs as names comes from thought that Kerberos uses naming conventions to restrict use of identities
[03:52:08] <Ken Raeburn> nico: A lot of this is about authorization, because display-name-based authorization is bad.
[03:55:03] --- rlbob has become available
[03:55:28] <pguenther> sam: becareful about data structure design: opaque tagged blobs are easy from one angle, but impossible to ask random particular questions about
[03:56:12] --- alexeymelnikov has become available
[03:56:23] <pguenther> "Is <blob> a subset/dominator/related/whatever of <blob2>" "I'm sorry dave, you can't ask that"
[03:56:25] <jhutz> hello bob, alexey
[03:57:13] <alexeymelnikov> I needed to leave the room to get normal network connection. Maybe something funny with my laptop...
[03:58:44] <pguenther> nico: opaque blobs may be right when inquiry is via separate/additional API. e..g: trusted path can be opaque with policy-checking API
[03:59:43] --- cnewman has become available
[04:00:33] <pguenther> need to export various things to native form to actually use
[04:01:53] <pguenther> sam: interoperable subsets? this is 90% of the complexity of PKIX
[04:02:15] <pguenther> ...and we don't have the fallback to X.500 that PKIX does
[04:03:22] --- alexeymelnikov has left: Replaced by new connection
[04:04:30] <Ken Raeburn> GSS_Inquire_name_attribute scares Sam. He wants it to go away.
[04:04:59] <pguenther> sam: can it actually be defined and used portably
[04:04:59] <Ken Raeburn> Nico wants it to have even more outputs, like whether the name is appropriate to use in an ACL.
[04:06:06] <pguenther> sam: "safe but useless is non-interoperable!"
[04:07:25] <Ken Raeburn> Jeff: It's 11:30. 10 more minutes, then move on.
[04:07:42] <Ken Raeburn> Nico: Think we've gone through the controversial bits.
[04:08:07] <Ken Raeburn> lzhu: Many attributes have multiple values, API appears to retrieve a single value.
[04:08:13] <pguenther> nico: it addresses both uses: 1) application can know about particular attributes and use them directly; 2) it can kick others up to the user and ask them what to do
[04:12:41] <Ken Raeburn> Denis Pinkas: Wrote a draft long ago for extracting name and group membership, for CAT. Will send to WG.
[04:12:54] <Ken Raeburn> Jeff finds it listed via web.
[04:13:13] <Jeffrey Altman> Trying to find draft-ietf-cat-xgssapi-acc-cntrl-03.txt via google
[04:14:05] <Jeffrey Altman> http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-ietf-cat-xgssapi-acc-cntrl-03.txt
[04:14:29] <Ken Raeburn> Nico and Larry: More on uniqueness of attribute values...
[04:15:11] <shima> Presentation material: http://www.ietf.org/proceedings/98dec/slides/cat-linn-98dec/sld001.htm
[04:17:31] <Ken Raeburn> jaltman: Time's up. Let's get final questions, then move it to list.
[04:18:12] <Jeffrey Altman> There is a need to be able to handle positive and negative acls. We need a mechanism at the GSS layer to indicate whether the set of groups specified are in fact complete.
[04:18:38] <Ken Raeburn> rlbob: Working in SAML space, assertions, etc. Not aware of other work on security context management.
[04:22:02] --- alexeymelnikov has become available
[04:23:58] --- nico has become available
[04:25:21] <Ken Raeburn> Much discussion on the question, "are all of the entity's attributes listed?"
[04:25:32] <Ken Raeburn> Much, much, much...
[04:26:11] --- leifj has become available
[04:27:04] <nico> heh
[04:30:06] <leifj> I think tom is right
[04:30:13] <Ken Raeburn> End of discussion, due to time limits.
[04:30:39] <Ken Raeburn> AD request: Discuss taking RFC 2743, 2744 to Draft Standard.
[04:30:53] <Ken Raeburn> Outstanding issues:
[04:31:35] <Ken Raeburn> Need to republish? (Interoperable implementations for all items?) What do we do for interop tests for an API?
[04:32:19] <Ken Raeburn> Martin's done some certification tests, but results are confidential. He's willing to talk to implementors, if/when we have a plan.
[04:34:37] --- nico has left
[04:34:41] --- nico has become available
[04:35:06] <Ken Raeburn> Sam: IESG seems to be very (too?) liberal on needing two implementations implementing all "MUST" items. And our language may make it trickier.
[04:35:37] <Ken Raeburn> Sam: Take whatever steps you can to reduce testing matrix.
[04:38:14] --- nico has left
[04:38:17] --- nico has become available
[04:40:31] <Ken Raeburn> Sam: Draft Std scheme may be under revision. Discussion of testing matrix.
[04:43:54] <Ken Raeburn> Discussion of character set specification in C bindings.
[04:46:10] <leifj> url for the product mentioned just now?
[04:46:26] <hartmans> http://www.sap.com/
[04:46:30] <leifj> ah
[04:46:33] <leifj> th
[04:47:22] <Ken Raeburn> jhutz: Will newtrk expand process to address APIs specifically? Probably not, and that's probably okay.
[04:47:47] <Ken Raeburn> 20 minutes left...
[04:48:00] <Ken Raeburn> Volunteers to work on interop matrix?
[04:48:52] <Ken Raeburn> Jeff will, but wants someone else too. Want it by mid-September. Nico may be able to get some help at Sun.
[04:50:58] <Ken Raeburn> Next topic...
[04:51:35] <Ken Raeburn> Clarifications to GSSAPIv2 -- won't have time now to get into details. Missed the milestone item for this doc.
[04:52:12] <Ken Raeburn> Character set issues, thread safety, channel bindings, C language issues, guidelines.
[04:52:20] <Ken Raeburn> Do informational doc.
[04:56:11] <Ken Raeburn> Uri: Possibly the guidelines should be informational RFCs or BCPs, the rest should probably be part of standards-track spec.
[04:57:55] <Ken Raeburn> Much discussion on CAT and Kerberos WG lists before Kitten formed, should have text in archives. Wanted to go over them today, won't have time. Jaltman will request help from people.
[04:58:54] <Ken Raeburn> Nico: Can we reschedule milestone for 2 years from now? :-)
[04:59:27] <Ken Raeburn> jhutz: Looked reasonable at the time, when we had a volunteer, but then we lost the volunteer and no work had been done, so we lost a lot of time.
[05:00:24] <hartmans> I think I agree with nico.
[05:01:12] --- pguenther has left
[05:01:26] <nico> which part? (answer that later, when you're done speaking)
[05:01:28] <Ken Raeburn> Issue will go to list, and Jeff will contact individuals.
[05:02:01] <Ken Raeburn> SecMech BOF tomorrow morning.
[05:02:28] <Ken Raeburn> Want to be able to write a doc which defines an EAP mech *and* GSS mech.
[05:03:10] <Ken Raeburn> (Sam speaking.) Thinks work is critical, otherwise we get divergence in mechs, and frameworks chosen because of available mechs.
[05:03:35] <Ken Raeburn> Concerned the effort could fail for lack of people to do the work on drafts.
[05:04:13] <Ken Raeburn> (Jeff) Lots of time at IETF 62 Kitten was spent discussing it.
[05:04:21] --- hartmans has left
[05:04:29] <Ken Raeburn> Kerberos meeting this afternoon, after lunch.
[05:04:30] --- warlord has left
[05:05:10] <Ken Raeburn> wrapping up. bye...
[05:05:17] --- Ken Raeburn has left: Disconnected
[05:05:27] --- leifj has left
[05:05:27] --- nico has left
[05:05:39] --- lha has left
[05:05:43] --- ja has left
[05:06:14] --- tlyu has left
[05:06:46] --- rlbob has left
[05:07:01] --- Jeffrey Altman has left
[05:07:01] --- jhutz has left: Disconnected
[05:15:38] --- alexeymelnikov has left: Disconnected
[05:23:53] --- shima has left
[05:24:33] --- Melinda has become available
[05:25:15] --- Melinda has left
[05:25:24] --- cnewman has left: Disconnected
[06:17:21] --- sommerfeld has left
[06:22:27] --- Ken Raeburn has become available
[06:22:34] --- Ken Raeburn has left
[06:37:49] --- Jeffrey Altman has become available
[06:59:58] --- shima has become available
[08:42:51] --- Jeffrey Altman has left
[09:02:55] --- shima has left
[09:02:55] --- shima has become available
[09:27:02] --- warlord has become available
[09:32:38] --- shima has left
[09:43:36] --- warlord has left
[09:45:33] --- Jeffrey Altman has become available
[09:57:33] --- Jeffrey Altman has left
[10:51:10] --- wyllys has become available
[10:53:42] --- wyllys has left
[14:44:59] --- wyllys has become available
[14:45:13] --- wyllys has left