[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] Minutes for Telecon, Tuesday 1 October 2002
Minutes from prior meeting...
[security-services] Minutes for Telecon, Tuesday 17 September 2002
http://lists.oasis-open.org/archives/security-services/200209/msg00018.html
Minutes from 1-Oct based on agenda..
http://lists.oasis-open.org/archives/security-services/200210/msg00006.html
------------------------------------>
1. Roll call
reached quorum
2. agenda bashing
add action item #7 (see below)
Mike Just is on another call.
2.1 minutes approval
minutes from prior meeting (see above) approved by unanimous consent w/addition
of action item #7 (see below).
3. outcome of submission of draft-sstc-ws-sec-profile-03 to WSSTC
SSTC submission of WS-Security profile is complete.
draft-sstc-ws-sec-profile-04 with appropriate author list
was submitted to the WSS TC. Appropriate declaration from authors is
available from SSTC archives.
Formal minutes of WSS from September 24 not yet published so we need
to verify successful submission.
4. discussion of draft-sstc-xmlsig-guidelines-02
Scott presents contents of draft-sstc-xmlsig-guidelines-02. Main
issue is around the recent development of exclusive canonicalization and
its use in SAML. Important to note that exclusive canonicalization is
relevant to both the transformation and canonicalization.
AI: Jeff to send this doc over to Liberty arena for feedback -- #8
transform issue:
Summary (by Prateek)..
A second area of concern is interoperability and transforms. The problem
here is that the XML-DSIG specification does not mandate support for
transforms (uses SHOULDs not MUSTs). So there is a difficulty in the
interoperability area.
Issues: (a) What to do in the short-term before SAML 1.1?
(b) What recommendations to make for SAML 1.1?
(a) One proposal would be to restrict attention to interoperability on the
POST profile, and, provide some reasonable guidelines for generic use
(not worry about interoperability in general).
(b) Need to figure out XMLish and other concerns around the use of ID in
SAML assertions. This should be part of SAML 1.1.
---------------
Raw Notes (JeffH's)..
scott: w3c dsig spec doesn't have MTIs in it, so we need to profile it to
narrow the space down to something implementable. easiest thing to do wrt to
referencing the target xml frag is to have the target's schema support id attrs
on it's elements.
there are interop implications to using a shortcut to doing the xforms
for now folks can be conformant... (didn't capture it)
do need to define a best practice for saml 1.0 xform-wise
only way to be secure (right now)
do xform
take result bytes
input them to one's app
most xml (parsing) libs these days are DOM-based
so one ends up parsing one's xml stuff twice
so until saml spec is updated, what xforms do we promulgate to promote
interop?
one approach: get post profile to interop for now
empty uri ref will work w/emp sig xform
this will work for that one profile
these issues then are an issue for other profiles that ref SAML, such as WSS
work.
scott impl'd his SAML lib to try to support signing indep of the particular
profile.
an action item later on will be to address the id attr in terms of the SAML
schema
do we want to use the saml id:attr? or use the xsd:id attr?
there are issues with either choice
right thing to do one way or another is to get an id attr in the saml schema.
-----------------
AI: scott will take another pass on the sstc-xmlsig-guidelines doc (a -03) in
the next week or so. -- #9
5. discussion of credentials collection
Discussion on Mike Just's "SAML Credentials Collection" paper. Mike Just
is absent from the call, with Carlisle Adams subbing for him. Hal expresses
concern about the use-case discussed in the current draft (September 13, 2002).
Main issue is how this accounts for the use case where several web servers
"front" for an authentication authority. The web servers need to interact with
the authentication authority, possibly via a multiple sequence of steps.
nominal questions on the doc..
[Irving, Jeff, Hal] Relationship to WS-Security?
[Prateek, Carlisle] Is the interaction between System Entity and CC in scope?
Or is it just the relationship bewteen the CC and the AA?
seeAlso: recent discussion on the list
Carlisle will communicate this feedback to Mike Just. Expectation is that Mike
will rev the doc.
6. adjourn
Action items
------------->
AI1. Scott Cantor to take the XML DSIG discussions from the thread
and turn it to a "best practices" document
done.
AI2. Carlisle Adams to take the "Standardize Issuer Format" back
to the XACML for more clear requirements and/or proposal.
still open.
AI3. Eve to ask other TCs about how they did their charter
modifications.
still open
AI4. Prateek to check with OASIS folks on submitting
draft-sstc-ws-sec-profile-03
done.
AI5. Rob and Irving to look over Eve's submission on fragment
identifiers
still open.
AI6. Jeff to determine if conformance language around the notions of
profiles vs. extensions is really an issue
still open.
AI7. Prateek & Jeff to look at Liberty provider metadata's applicability
for SAML specs
still open.
AI8. Jeff to solicit comment on draft-sstc-xmlsig-guidelines-0{2|3} from
Liberty arena.
New.
AI9. Scott to rev the draft-sstc-xmlsig-guidelines-02 doc to -03.
New.
---------------
attendees
-----------------
Allen Rogers Authentica
Irving Reid Baltimore
Ronald Jacobson Computer Associates
Mingde Xu CrossLogix
Hal Lockhart Entegrity
Carlisle Adams Entrust
Robert Griffin Entrust
Don Flinn Hitachi
Prateek Mishra Netegrity
Charles Knouse Oblix
Rob Philpott RSA Security
Jahan Moreh Sigaba
Jeff Hodges Sun
Emily Xu Sun
Simon Godik (individual)
Bob Morgan (individual)
---
end
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC