Subject: [security-services] B2B/A2A/EAI Profile using SAML
>    [A.3] Figure out versioning of modularly published profile and
>          binding specs
>
>       - TBD.
>>
>>       - this one has to do with how do we define and version SAML as
>>         a whole?
>>
>>       - don't need to answer the below scenarios on this call, but
>>         need someone to sign up to consider the question and write a
>>         proposal
>>
>>       - presently we refer to the "SAML v1.0 specification set", and
>>         have "version" elements in assertions, request msg, and
>>         response msg.
>>
>>      what should we do if we eg rev the bindings and profiles spec
>>      in the future, w/o making changes to -core ? 
>>
>>      what should we do if we write a separate b2b profile spec --
>>        what's the version of that spec once approved as an OASIS std,
>>        say?

>- Jeff: need someone to sign up to analyze this

Some questions about the above:

1) Can we develop a B2B/A2A/EAI Profile using SAML?

2) Can this work begin, or do we need to first decide how such
profile specs can be versioned as part of the overall post-1.0
plans? E.g., each profile could possibly be associated with
a specific SAML version (or possibly a set of versions) and
at the same time have its own profile version (if needed).

3) I think it is also possible that I can take a crack at writing
the B2B/A2A/EAI profile initially as a Technical note until we
decide what versioning model we use for SAML work following
v. 1.0. If anyone is interested in this effort, please let
me know.

thanks,
Zahid


-----Original Message-----
From: Steve Anderson [mailto:sanderson@opennetwork.com]
Sent: Tuesday, October 15, 2002 10:29 AM
To: oasis sstc (E-mail)
Subject: [security-services]


Minutes for SSTC Telecon, Tuesday 15 October 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

  Votes:
 
    - Minutes from 1 October 2002 call accepted
 
  New Action Items:
 
    - Eve, Rob and Jeff to draft amended SSTC charter
    - Eve to send mail msg that wraps up resolution on fragment
      identifiers
    - Prateek to draft analysis of use of XML Encryption in SAML
    - Hal to write up proposal on expressing that assertions are not
      to be cached

  Previous Action Items Still Open:
 
    - Carlisle Adams to take the "Standardize Issuer Name Format"
      back to the XACML for more clear requirements and/or
      proposal
    - Jeff to determine if conformance language around the notions
      of profiles vs. extensions is really an issue
    - Prateek & Jeff to look at Liberty provider metadata's
      applicability for SAML specs
    - Jeff to solicit comment on draft-sstc-xmlsig-guidelines-0{2|3}
      from Liberty arena
    - Scott to rev the draft-sstc-xmlsig-guidelines-02 doc to -03

======================================================================
                             Raw Notes
======================================================================

>
> Agenda:
>
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

>
> 2. Accept minutes from previous meeting
>    < http://lists.oasis-open.org/archives/security-services/
>      200210/msg00015.html >
>

- [VOTE] unanimous consent, accepted

>
> 3. Review of open Action Items (AIs)...
>
>    AI-2. Carlisle Adams to take the "Standardize Issuer Name Format"
>          back to the XACML for more clear requirements and/or
>          proposal.
>

- Carlisle not on call
- still open

>
>    AI-3. Eve to ask other TCs about how they did their charter
>          modifications.
>

- Eve: has checked with some others
- no real mystery to it
- propose new text, and OASIS rules just need majority vote
- should not be drastically changing scope
- pass on to Karl, and he will pass on to OASIS
- do we want to add any statement of IPR to our charter?
- volunteers to draft text of new charter?
- Joe: it would seem appropriate to wait until SAML 1.0 is approved at
  end of month
- Hal: remind me why are we changing charter?
    - Eve: We had decided originally to finish SAML 1.0, then reassess
      what we want to take on for scope
    - Joe: changing and republishing charter is a good way to generate
      new membership interest
- Joe: would be good to have a small group work on draft
- Phill: discussion of different ideas on how to maintain SAML spec
  (for minor changes, such as reactions to other new specs) without a
  full-blown TC
- Jeff: believes what is on the table for next SAML work is sufficient
  for keeping TC alive and active
- Hal: looking over current charter and not much needs to change wrt
  current set of new SAML work
- Volunteers for charter mod task force
    - Eve
    - Rob
    - Jeff
    - [ACTION]
- Eve will try to send out a strawman draft in a couple weeks

>
>    AI-5. Rob and Irving to look over Eve's submission on fragment
>          identifiers
>

- Jeff: from stuff on list, appears done
- Eve had raised an additional proposal, which hadn't
    - add a SHOULD (rather than a MUST) around use of absolute URIs
    - [ACTION] Eve will send mail msg that wraps up resolution, for
      a vote next call

>
>    AI-6. Jeff to determine if conformance language around the notions
>          of profiles vs. extensions is really an issue
>
>          [in progress (will try to do this week)]
>

- nothing to add

>
>    AI-7. Prateek & Jeff to look at Liberty provider metadata's
>          applicability for SAML specs
>
>          [in progress (will try to do before next meeting)]
>

- Prateek: commits to sending out thoughts this week

>
>    AI-8. Jeff to solicit comment on
>          draft-sstc-xmlsig-guidelines-0{2|3} from Liberty arena.
>
>          [in progress]
>

- Jeff: got some comments back, believes they are positive
- was hoping we'd have the -03, but will send the -02

>
>    AI-9. Scott to rev the draft-sstc-xmlsig-guidelines-02 doc to -03.
>
>          [will do by next meeting 29-Oct]
>

- nothing to add

>
> 4. Desire for encryption
>

- Hal: Prateek posted msg last week, and only got one response
- Question is how urgently do people think we need XML Enc?
- someone pointed out that burden of key mgmt may be prohibitive, or
  that SSL is sufficient
- Prateek: hasn't responded yet
- takes POST profile for instance, where data is sensitive and people
  may want to protect it with encr
- Hal: no reason you can't use SSL for some level of protection
- Prateek: oddly, some had suggested that there was data that needed to
  be hidden from even the user
    - Jahan: in that case, believes POST is not appropriate
    - some discussion of this use case
- Hal: doesn't think adding this would be that difficult, but would be
  a waste of time if no one will use it
- Phill: is there more to be done than returning a SAML assertion in an
  encrypted node?
    - may need to profile XML Enc
    - no one is clear without examining it
    - Jeff: would be worth someone writing up a position paper or
      analysis of it
    - Volunteers?
        - [ACTION] Prateek offers to take a crack
        - Phill will review and assist

>
> 5. SAML v1.0 OASIS-wide vote
>
>    tally can be monitored here..
>    < http://lists.oasis-open.org/archives/tc-voting/ >
>
>    cyclone:     yea
>    asn-1.com:   abstain
>    rsa:         yea
>    bea:         yea
>    sun:         yea
>    entegrity:   yea
>    b of a:      yea
>    ca:          yea
>    ean-int.org: abstain
>    hp:          yea
>    entrust:     yea
>    sap:         yea
>    overxeer:    yea
>    quadrasis:   yea
>    usdoj.gov:   yea
>    mtgmc:       yea
>
>    still need ~11 "yea" votes for SAML, if there's 250 oasis members
>    (need 10% at least to vote "yea")
>
>    So there's sstc participants who've yet to vote, please encourage
>    your OASIS corp rep to do so!
>

- nothing to add

>
> 6. where are we at with a SAML v1.1?
>
>    todo list from item [A] of..
>
>    [security-services] Proposed, categorized To-Do list for SAML 1.x
>    and 2.0 (SAMLng/SAML.next)
>    < http://lists.oasis-open.org/archives/security-services
>      /200208/msg00010.html >
>
>    [A] Feasible Near-term high-priority items, and bug fixes
>
>       - Bugs that are backwards-compatible (targeted to 1.1)
>       - Functionality that's backwards-compatible/orthogonal and
>         high-priority
>       - The list as a whole can be completed in 3-6 months
>       - Any decision that needs to be made in the short term
>       - the below items are in no particular order (ie unprioritized)
>
>    [A.1] Formalizing operational agreements between sites (see
>          Liberty provider metadata schema (section 4 of [1]) and
>          the saml-dev work [2], for examples; this is guidance/
>          facilitation work rather than protocol work)
>
>       - above will be initiated w/ AI-7
>
>       - who will take those results and fold-in what was learned from
>         the SAML interop event?
>
>
>    [A.2] WS-Security profile ([3], possibly to go to WSS TC)
>
>       - done.
>
>
>    [A.3] Figure out versioning of modularly published profile and
>          binding specs
>
>       - TBD.
>
>       - this one has to do with how do we define and version SAML as
>         a whole?
>
>       - don't need to answer the below scenarios on this call, but
>         need someone to sign up to consider the question and write a
>         proposal
>
>       - presently we refer to the "SAML v1.0 specification set", and
>         have "version" elements in assertions, request msg, and
>         response msg.
>
>      what should we do if we eg rev the bindings and profiles spec
>      in the future, w/o making changes to -core ? 
>
>      what should we do if we write a separate b2b profile spec --
>        what's the version of that spec once approved as an OASIS std,
>        say?

- Jeff: need someone to sign up to analyze this
>
>    [A.4] Sharpen conformance language around the notions of profiles
>          vs. extensions
>
>       - this is AI-6, in progress
>
>    [A.5] Express that an assertion should not be cached
>
>       - need volunteer to consider this and see if mods to spec are
>         needed, and propose said mods if so.
>

- Jeff: need a volunteer to consider/analyze this (which may be short)
- believes Hal has expressed interest in the past
- Hal: made a proposal last year, but got no interest, so withdrew it
- Jeff: it is DS3-01 in issues list (issues-12), and was deferred
- [ACTION] Hal: will write up another (simple) proposal

>
>    [A.6] Fix fragment identifier gaffe [4]
>
>       - mods "on the table, essentially ready to go (modulo Eve's
>         last question)"
>

- nominally done
- Eve sending out email

>
>    [A.7] Standardize issuer name formats (request came from XACML)
>
>       - this is AI-2
>
>    [A.8] Fix xmldsig issues (might turn out to be a [B] item) [5]
>
>       - for 1.1, this will be addressed by Scott's dsig doc (yes?)
>

- Hal: people have asked about SAML defining some standard attributes,
  and wants to see reaction of the TC
    - Eve: could be established by a separate profile, for a given
      community
    - seems to be no support for it in near-term

>
> 7. Discussion of xmldsig guidelines
>
>    - scott will have a -03 rev out by next meeting
>    - further discussion from thread on list?
>

- deferring until Scott is present

>
> 8. Discussion of credentials collection (?)
>

- Carlisle and Mike Just are not on call
- Hal: Mike Just is no longer with Entrust, so Carlisle is expected to
  carry this proposal
- concerned that there are those that have interest, but are not
  speaking up
    - Hal has offered a write up that comes down to a choice between
      two directions
    - there has been no response to influence which path to take

>
> 9. any other business?
>

- Eve: several SSTC member companies haven't voted yet, so get your
  voting reps to cast their vote
- Phill: have we gotten any 'NO' votes?
    - no, just 2 'ABSTAIN' votes
    - see in minutes above
- There was a request for clarification on IPR
    - Rob: RSA's legal team is nearly ready to respond, hopefully this
      week

>
> 10. Adjourn
>

- Adjourned


-----------------------------------------------------------------------

Attendance of Voting Members:

  Ronald Jacobson Computer Associates
  Hal Lockhart Entegrity
  Joe Pato HP
  Maryann Hondo IBM
  Prateek Mishra Netegrity
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Rob Philpott RSA Security
  Jahan Moreh Sigaba
  Bhavna Bhatnagar Sun
  Jeff Hodges Sun
  Eve Maler Sun
  Emily Xu Sun
  Phillip Hallam-Baker Verisign
  Simon Godik (individual)
  Bob Morgan (individual)


Attendance of Observers or Prospective Members:

  (none)


Membership Status Changes:

  Scott Cantor -- granted voting status before call


--
Steve

