OASIS Security TC Face to Face
2 March 2001

Minutes recorded by Joe Pato

Agenda

Following is the proposed agenda for the meeting:

Time         Activity
8:30-9:00    Meet and greet; continental breakfast
9:00         Administrative
               • Call to order
               • Roll call
               • Approve minutes of previous meeting
               • Approve agenda
9:30-10:00   Editor's report (Bob Blakley)
               • Outline for SAML spec
               • Consideration/acceptance of any cross-subgroup sections
10:00-10:30  security-use subgroup report (Darren Platt)
               • Presentation of security-use subgroup recommendations
10:30-10:45  Break
10:45-12:30  security-use, cont'd
               • Consideration/acceptance of recommendations
12:30-1:15   Lunch
1:15-2:45    security-use, cont'd
               • Conclude consideration/acceptance of recommendations
2:45-3:00    Break
3:00-3:30    Administrative, part 2:
               • F2F schedule
3:30-5:00    Other subgroup reports
               • security-core (Phil Hallam-Baker)
               • security-protocol (Tim Moses)
               • security-bindings (Prateek Mishra)
               • security-consider (Jeremy Epstein)
               • security-conform (Krishna Sankar substitute)
5:00         Adjourn

Minutes

Call to order

Quorum 33, 35 in attendance

Attendance:

Voting Members
  • Bill Perry, Aventail
  • Stephen Farrell, Baltimore
  • Alex Ceponkus, Bowstreet
  • Zahid Ahmed, Commerce One
  • Brian Eisenburg, DataChannel
  • Hal Lockhart, Entegrity
  • Fred Moses, Entitlement
  • Alex Berson, Entrust
  • Tim Moses, Entrust
  • Jason Rouault, Hewlett-Packard
  • Joe Pato, Hewlett-Packard
  • Nigel Edwards, Hewlett-Packard
  • Maryann Hondo, IBM
  • David Orchard, Jamcracker
  • Gilbert Pilz, Jamcracker
  • Marc Chanliau, Netegrity
  • Prateek Mishra, Netegrity
  • Adam Prishtina, Netscape
  • David McNeely, Netscape
  • Charles Knouse, Oblix
  • Duane Hamilton, OpenNetwork
  • Michael Lyoins, OpenNetwork
  • Steve Anderson, OpenNetwork
  • Evan Prodromou, Outlook
  • Chris Ferris, Sun
  • David Hofert, Sun
  • Eve Maler, Sun
  • Ron Monzillo, Sun
  • Bob Blakley, Tivoli
  • Marlena Erdos, Tivoli
  • Bob Morgan, U Washington
  • Philip Baker, Verisign
  • Thane Plambeck, Verisign
  • Warwick Ford, Verisign
  • Jeremy Epstein, webMethods

Observers
  • Steve Carmody, Brown U
  • Paul Madsen, Entrust
  • Alan Brown, MS
  • Marc Griesi, OpenNetwork
  • Aravindan Ranganathan, Sun
  • Yassir Elly, Sun
  • Dan Guainan, Verisign
  • Hans Granqvist

Motion to approve the minutes – unanimous consent

Operation plan for today’s meeting – we will hold to the published time slots. If a topic is not completed at the end of the time slot, we will move on and publish the materials annotated as not yet approved.

Agenda is approved.

09:30 – Editor’s Report – Bob Blakley

Bob reviews the outline of the document.

Expected changes: elimination of per-section introductions; consolidation of references into a common section.

Debate on outline:

Stephen Farrell: questions if we want to have a single “brick” document for printed format – benefits to break it up are that it becomes smaller; as sections are completed, it becomes easier to close discussion on topics by having them in ratified documents.

Question about architectural model – is it about the substance of the specification or the structure of the document?

Bob & Tim Moses – this is the substance of the specification.

Amendment to move architectural model before core assertions.

Use case requirements group has been discussing developing a model. Eve observes that there have been a number of occasions where the absence of a specific architectural model.

Hal Lockhart – what we are proposing to do is to identify a pre-existing use case model to provide a basis for the discussion of requirements, not an architectural model that would speak to the design of the specification.

Phillip – really we are talking about four architectural models.

No objections – by acclamation.

Move the conformance section to the end of the document – after security and privacy considerations.

Friendly amendment: split conformance into substantive normative text in a section at the end, retaining the guidance on how to read conformance information. This will be an aggregation (profiles) of information that will be interspersed throughout the text.

Passed with a single objection.

Move to split out the Use Cases and Requirements and Issues to a separate document.

Request to retain at least a summary of use cases and requirements.

In favor 22, Opposed 11

Motion to accept the outline as amended.

Passed – no objections.


10:00 Security use subgroup report (Darren Platt)

Consensus: 75% of group
Eligibility: 2 out of 3 meetings

Strawman represents issues where the sub-group has reached consensus; the issues list covers those areas that have not yet been settled within the subgroup.

Motion to accept the strawman – requirements and use cases (lines 12-335)

Amendment: Line 103 to be deleted
Amendment: Blakley: replace 103 with: Specification of a challenge response protocol is outside the scope of SAML
Friendly and accepted; withdrawn

Opposed: 5. Motion passes

Amendment: Add following text to non-goals – former line 103: [NO-Authn] Authentication methods or frameworks are outside the scope of SAML.

Amendment: User Authentication
Not accepted

Protracted discussion using Hal Lockhart’s diagram.

Motion to refer to committee: passed, 1 objection

Amendment: line 109: SAML does not define a data format for expressing authorization policies
Motion passes – 3 dissents

Amendment: line 90: change “messages” to “assertions”
Failed

Amendment: line 97: SAML should define standard methods of defining new bindings
Failed

Amendment: Line 73: change “and protocol” to “and protocol bindings”
Failed

Amendment: Line 107: motion to delete entire bullet
Passes – 1 objection

Motion to suspend the rules to allow Dave to talk for 10 minutes:
Use case and requirements team is volunteering to develop a set of “architectural / domain” models to ground discussions.

Amendment: Line 99: insert “protocols” -> “… cryptographic technologies, protocols or models”
Failed

Amendment: Create a new use case for user session management and remove the scenario within single sign-on
Passes

Motion to refer to use case and requirements committee
Amendment to incorporate all amendments applied during today’s session
Passes

Amendment to complete use cases in a depth-first rather than breadth-first manner (starting with use cases 2 & 3)
Failed

Passes (Unanimous)


Administration

Face-to-face dates

April 18/19, or 11/12 NYC
May 30/31

Locations to be offered via e-mail

Action: Eve – conduct e-vite poll

Next telecon will be held on 6 March as previously planned.
Action: Eve – will send out agenda by Monday noon.

Architecture Work

Motion: Call for model proposals to be sent to the main list with responses due the end of week 3/9
Passed (Unanimous)

Motion: to refer the Glossary back to the sub-group to prune it down and pull out or highlight the relevant terms in a separate section
Passed

Action: Eve – call for comments to be sent to e-mail list

Core Assertions Report

Material presented was Phill’s representation of various one-on-one interactions, but not yet a sub-group report, since use cases were not available early enough for the sub-group to consider them as a group.

Protocols Report

Motion: The TC instructs the Protocols subcommittee to continue to adapt the text of the Protocols section to be consistent with the outputs of the Use Case, Assertions and Bindings subcommittees, and to provide the current text to the lead editor upon request, for inclusion in subsequent versions of the consolidated document.

Passed Unanimously

Bindings Report

Motion to Adjourn (04:30)
Passed