[security-services] Consolidated action item list and agenda for Dec 4focus meeting

["PATO,JOE (HP-PaloAlto,ex1)" <joe_pato@hp.com>]

Title:

I pulled together the action items from the face-to-face and some of the discussion on the list. I suspect I missed a few, so please update the list at the teleconference tomorrow.

 

Jeff will be chairing the meeting - I am triple booked at noon.

 

- joe

 

Agenda:

 

1. Review status of milestones

2. Review status of action items - and move to resolution

3. Additional items?

    Outreach status

4. Adjourn

 

 

Issues and action items arising from F2F#5 - does not include editorial issues which are found in the minutes of the meeting

 

Milestones to accomplish: 

Publication and Review:

 

[M1 - Prateek] - publish bindings-07 during week of Dec 3.

 

[M2 - Tim, Simon, Irving] - detailed reviews: Tim - section 4.1; Simon - section 3.1; Irving - section 4.2

 

[M3 - Prateek] - publish bindings-08 during week of  Dec 17.

 

  

Open Action Items:

 

[A2: Prateek] - Section 3.1.9.2, need to capture SSL version, cipher suites, etc

Status: thread on direction: < http://lists.oasis-open.org/archives/security-services/200111/msg00025.html >

 

[A3: Prateek] - Section 3.1.5, need to further define error cases

 

[A4: Prateek] - Section 4.1.1, create a diagram for this section

 

[A5: BobB] - Section 4.1.3 472-473, text to clarify construction of ID (w.r.t. uniqueness)

 

[A6: Prateek] - Line 565, capture the threat (leading to requiring a <saml:audience>, then decide to leave it, change it, or strike it

 

[A7: Simon] - text for "things you might do in step 6"

 

[A9: Irving] - line 788-791, provide clarifying language for application level error handling. Tied to Scott's status code proposal

< http://lists.oasis-open.org/archives/security-services/200111/msg00049.html >

 

[A11: Irving] - line 824-829, Irving to research and propose language to weaken requirement on signing over entire message (body and headers). The proposal is to require signing over assertion headers and body only. Other components are to be signed by agreement between sender and receiver (out of scope for us).

 

[A12: Irving] - line 847-848, change "subject" to "sender"

 

[A13: Prateek] - add text on threat model and security counter measures

 

[A14: Phill] - will post to list to try to recover original intent for AssertionSpecifier as subject

 

[A15: Chris] - Write up advice on how to use current approach to generic slots for attributes

 

[A16: RLBob] - adding context to attribute query; provide text for core document including recommendations for minimum behavior.

 

[A17: Charles] - to complete proposal for adding failure "reason" for SAML response.

Status: < http://lists.oasis-open.org/archives/security-services/200111/msg00037.html >

 

[A18: Phill] - completion of error code specification for core

 

[A19: Chris] - eliminate <assertion> and rename <MultipleAssertion> Assertion. Draft text to deal with multiple assertions that are contradictory or cannot be reconciled.

 

[A20: Prateek] - Need for additional ConfirmationMethod identifiers (Prateek and Phil)

Bindings-06 uses two identifiers not found in core: HolderOfKey and SenderVouches. It is important to understand that no change in schema is being proposed, only new text and constants for Section 5 of core. Prateek to send Phil necessary text.

 

[A21: Simon] - Section 3.1, SAML SOAP binding. Simon to review and add text to reflect F2F#4 discussion.

 

[A22: Irving] - core line 752, return code for completeness specifier:

< http://lists.oasis-open.org/archives/security-services/200111/msg00031.html >

 

[A23: Chris] - explain use of xsi:type attribute to introduce element of basic XML schema type to avoid the need to introduce new schemas for the sole purpose of specifying a string attribute value.

 

[A24: Phill] - Bring together Tim's etc. text for the Authentication mechanism section.

            [In progress]

 

[A25: Phill & Eve]  - Eve's reorganization of preamble

 

[A26: Phill] - text on the <RespondWith> option voted for at F2F#5

 

 

Closed Issues:

 

[A1: RLBob] - section 2.4, Bindings/profile registry; Prateek will work with Eve to see if OASIS could serve

< http://lists.oasis-open.org/archives/security-services/200111/msg00044.html >

[Resolution - approved by vote at SSTC telecon Nov. 27]

 

[A8: RLBob] - Section 4.1.6.1 732-733, provide text for new "for your eyes only" condition element

The FORM Post architecture should not rely on the <Audience> element for target information. A <ForYourEyesOnly> tag is to be included

within core. Bob will provide needed text to Phil.

[Resolution: renamed targetRestrictions, text submitted to Phill, item closed] 

 

[A10: N/A]

 

 

Joe Pato                                HP Labs Cambridge
Principal Scientist                     1 Main Street, 10th Floor
Trust, Security & Privacy               Cambridge, MA   02142
Trusted E-Services Lab - HP Labs        Phone: (617) 679-9376
<http://www.hpl.hp.com>                 Fax 1: (617) 679-9330
<http://www.hp.com/security>            Fax 2: (781) 674-0142