Subject: [security-services] Minutes for SSTC Telecon, Tuesday Nov 27
Minutes for SSTC Telecon, Tuesday Nov 27
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson
1 -- Roll Call
- Attendance attached to bottom of these minutes. Quorum achieved.
2 -- Review of agenda
- Creating agenda on the fly
- Vote on issue raised by Prateek concerning Bindings/Profile Registry
- Review action items sent out by Prateek
- Eve’s issue of ‘outreach’
3 -- Vote on creation of Bindings/Profile Registry, proposed by Prateek
- Charles: curious about mechanism, as this seems to be ongoing process
- Hal: in short term, TC will continue, in long term OASIS will provide oversight
- We’re only talking about human-readable descriptions
- Text of proposal from Prateek’s email sent 25 Nov 2001 with subject "Please read BEFORE formal vote at TC call on November 27"
  - "(1) The SSTC will maintain a web-page titled "Additional SAML Bindings and Profiles". This page will include text explaining (1) How to submit a binding or a profile for publication (2) Additional information describing the status of such submissions (such drafts do not have standard status) (3) a list of drafts received by the SSTC."
- Prateek: a short summary of what a bindings or profile should answer will be in bindings document
- Carlisle: wrt item 2, there’s no mechanism for making publications standard?
- Prateek: OASIS provides such mechanism, but publication in this registration does not equate standards status
- Prateek: open to friendly amendment
- Carlisle looking for clarification that standards status is not precluded
- RLBob: agrees, points out that other standards bodies may be used
- Hal: might want to add wording to clarify the possible existence of other registries
- Carlisle amendment: "inclusion of such documents in this area does not imply anything about their standards status"
- Prateek also amends with "(4) guidelines for structuring such drafts will also be published on this web page."
- [VOTE] passes by unanimous consent
4 -- Eve’s Issue over ‘Outreach’
- Eve sent email on this 20 Nov 2001 with subject "Issue: Outreach and rollout plans"
- Looking for consistent whitepaper generation and publicity generation
- Concerned that spec will be delivered, but no one will notice
- Eve doesn’t have bandwidth, nor does Jeff
- Hal offers to contribute, but looking for more direction
- Eve: need someone to drive issue, identify all the necessary output items, and see that they are completed
- Prateek: many represented companies have developed similar material, can they be used?
- Eve: very much would like to see that happen, and would contribute material herself
- Darren offers to assist, will call Eve directly to try to break down the more detailed to-do bits
- Hal: willing to write up some overview/FAQ material
- Prateek: willing to have a bindings -08 by 21-Dec, but guess is that conformant style & boilerplate won't be done
- [ACTION] Eve to check with BobB by 21-Dec to see if he will own overall editing
5 -- Action Items
- Prateek urges a 2-week time limit on the remaining action items
- Items from Prateek’s email sent 20 Nov 2001 with subject "Bindings action items from F2F#4" (should be "F2F#5")
  - Item 1: lines 472-473, Section 4.1.3, Bob Blakley will provide improved text to replace
    - BobB not on call
    - Not done
  - Item 2: lines 732-733, Section 4.1.6.1, Bob Morgan and Phil Baker.
    - Proposed text has been sent to list this morning
    - renamed "targetRestrictions"
    - Action Item is closed
  - Item 3: lines 788-791, Section 4.2.2, Irving to propose text to make the language more precise and clarify any connections with SAML faultcode.
    - Irving no longer on call
    - Scott: suggests any text must consider work in general SAML status codes
    - Prateek: agrees
    - Therefore, this action item is dependent upon the "status code proposal" discussion Scott has begun on list
    - Not done
  - Item 4: lines 824-829, Section 4.2.3.1.1, Irving to research and propose language to weaken requirement on signing over entire message (body and headers).
    - Not done
  - Item 5: Need for additional ConfirmationMethod identifiers (Prateek and Phil)
    - Not done
    - Prateek & Phill will send text to list by end of the week
  - Item 6: Section 3.1, SAML SOAP binding, Simon Godik to review and add text to reflect F2F#5 discussion
    - Simon has sent draft to list
    - Prateek: has Simon reviewed raw minutes from F2F#5?
    - Simon: no
    - Prateek: can you resubmit after reviewing those minutes?
    - Jeff: suggests that Prateek extract part of minutes he’s concerned with and send to Simon & the list
    - [Action Item] Prateek to send relevant portions of raw notes to the list
    - Stays open
  - Item 7: Prateek to publish bindings-07 during week of December 3.
    - Just a deadline reminder
  - Item 8: In depth reviewers for bindings-07
    - Noted
  - Item 9: Prateek to publish bindings-08 during week of December 17
    - Also just a deadline reminder
- Supplementary Items from Prateek’s email sent 27 Nov 2001 with subject "Additional bindings action items"
  - Item 1: [Bob Blakley] doc structuring issue: sections 3.1.2 thru 3.1.8 refer to a family of bindings, where 3.1.9 refers to a specific binding
    - BobB to provide text
    - Still open
  - Item 2: [Jeff Hodges] Research Cipher suites and related information
    - Jeff: thinks it is basically done
    - Prateek: next step is to incorporate into bindings draft
    - Jeff: text also to incorporate into security considerations doc
    - Jeff: direction has been to go with TLS and to find a cipher suite for AES
    - What is the state of affairs in Browsers?
    - V3 browsers not in common use at this point
    - Hal determined NS comm 4.7x supports 3des + rc4
    - Hal: Still question over patent issues with RC4
    - Jeff: effective statement is to support what is widely used in the installed base
    - Prateek: just point to the ‘strong enough’ cipher suite
    - Jeff: agreed, with addition of ‘widely used’
    - RLBob: is ‘mandatory to implement’ really necessary here, since this is not interop among ourselves, but rather interop with the browsers?
    - Prateek: can we just state some weak cipher suites that are NOT recommended?
    - Hal: but we will need to test against something
    - Jeff Bohren: do we need to consider possibility of renewed export restrictions?
    - RLBob: possibility does not appear to have any traction
    - <<extended discussion ...>>
    - discussion evolved to specifying RSA-WITH-3DES for web browser profile
    - discussion moved to SOAP binding
    - Jeff: proposes TLS-rsa-3des as MUST, TLS-RSA-AES as a SHOULD
    - RLBob: suggests that in this context, just say TLS, no SSL
    - conclusion: Prateek to take Jeff's suggested text for binding doc & recast for web browser context (ssl-rsa-3des-sha MUST) & SOAP binding context separately (tls-rsa-3des MUST, rsa-aes SHOULD, SHA each)
  - Item 3: [Simon Godik] Renumber 3.1.9 to 3.2. Explain why this section is required in a SAML spec
    - Tried, but cannot renumber
    - Simon will look into question of ‘why required’
  - Item 4: [Prateek] Add high-level diagram for web browser profile in Section 4.1.1
    - Will appear in next rev of bindings doc
  - Item 5: [Bob Blakley] lines 481-482, Provide revised text that reflects that we are generating a new 20 byte string for every new assertion and that these 20 bytes contain somewhere between 20 bytes and 8 bytes of entropy.
    - Not done
  - Item 6: [Simon Godik] lines 549 - 569, Would like additional text indicating that before Step 6 the source and destination site could have additional interactions using SAML protocol (e.g., additional queries).
    - Not done
    - Simon will provide text
- Simon: where can all action items from last F2F be viewed?
  - Jeff/Joe will publish such a list by next week
  - Prateek: two sub-lists are already being maintained, one by Phill for core-related items and one by Prateek for bindings-related items
  - Should be consolidated
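The cipher-suite conclusion recorded under supplementary Item 2 above (web browser profile: RSA with 3DES and SHA as MUST; SOAP binding: TLS RSA with 3DES as MUST, RSA with AES as SHOULD, SHA in each) expressed as a conformance check a deployer could run over a server's enabled suite list. This is an added example, not text or code from the SSTC or the bindings draft; the IANA suite names are my mapping of the minutes' shorthand, and treating export-grade suites as the "not recommended" set is my own choice for the example.

```python
from dataclasses import dataclass

# The call's conclusion, mapped by me onto IANA suite names (an assumption: the
# minutes name only algorithms, e.g. "tls-rsa-3des", not suite identifiers).
POLICY = {
    "web-browser-profile": {"MUST": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"], "SHOULD": []},
    "soap-binding": {
        "MUST": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
        # "rsa-aes SHOULD, SHA each": either AES key size satisfies the SHOULD
        "SHOULD": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"],
    },
}

@dataclass(frozen=True)
class Finding:
    level: str    # "MUST", "SHOULD" or "NOT-RECOMMENDED"
    suite: str
    detail: str

def check_suites(context: str, enabled: list) -> list:
    """One Finding per missing MUST, per unmet SHOULD (when no alternative is
    enabled) and per export-grade suite enabled (the call's "weak suites that
    are NOT recommended"; which suites count as weak is my choice here)."""
    policy = POLICY[context]
    # Accept IANA names in any case and with '-' instead of '_'
    have = {s.strip().upper().replace("-", "_") for s in enabled}
    findings = []
    for suite in policy["MUST"]:
        if suite not in have:
            findings.append(Finding("MUST", suite, "required suite not enabled"))
    if policy["SHOULD"] and not have.intersection(policy["SHOULD"]):
        findings.append(Finding("SHOULD", " or ".join(policy["SHOULD"]),
                                "no recommended AES suite enabled"))
    for suite in sorted(have):
        if "_EXPORT_" in suite:   # 40/56-bit export-grade suites
            findings.append(Finding("NOT-RECOMMENDED", suite, "export-grade suite enabled"))
    return findings

def conforms(context: str, enabled: list) -> bool:
    """True when every MUST is met and nothing not-recommended is enabled."""
    return not any(f.level != "SHOULD" for f in check_suites(context, enabled))

# Constructed sample of a server's enabled list, not taken from any real deployment
SAMPLE_ENABLED = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]

if __name__ == "__main__":
    for ctx in POLICY:
        print(ctx, [f"{f.level}:{f.suite}" for f in check_suites(ctx, SAMPLE_ENABLED)])
```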
6 -- Adjourn
Adjourned.
--------------------------------------------------------------------------
Attendance of Voting Members:
Irving Reid Baltimore
Larry Hollowood Bank of America
Ken Yagen Crosslogix
Simon Godik Crosslogix
Gil Pilz E2open
Hal Lockhart Entegrity
Carlisle Adams Entrust
Robert Griffin Entrust
Jason Rouault HP
Marc Chanliau Netegrity
Prateek Mishra Netegrity
Jeff Hodges Oblix
Charles Knouse Oblix
Steve Anderson OpenNetwork
Jeff Bohren OpenNetwork
Mark Griesi OpenNetwork
Darren Platt RSA
Jahan Moreh Sigaba
Eve Maler Sun
Aravindan Ranganathan Sun
Marlena Erdos Tivoli
Bob Morgan UWashington
Phillip Hallam-Baker Verisign
Thomas Hardjono Verisign
Attendance of Observers or Prospective Members:
Scott Cantor OSU
Membership Status Changes:
Mary Ellen Zurko IBM -- granted voting status after concall
Joe Hawkins Novell -- granted voting status after concall
Emily Xu Sun -- granted voting status after concall
--
Steve Anderson
OpenNetwork Technologies
sanderson@opennetwork.com
727-561-9500 x241