Subject: [security-services] Minutes for Telecon, Tuesday 4 February 2002


Minutes for SSTC Telecon, Tuesday 4 February 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

  Votes:
  
    - Minutes from 21 January 2003 call accepted
  
  Previous Action Items Still Open:
  
    - AI-6.  Jeff to determine if conformance language around the
      notions of profiles vs. extensions is really an issue
    - AI-15. Editor (Eve) to update documents with Eve's fragment ID
      recommendations
    - AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
      issues
    - AI-20. Eve to update specs to 1.0
    - AI-28. RobP to have RSAS convey a new "statement of licensing 
      intent" to the SSTC that documents the additional two
      claimed applicable patents in addition to the prior two.
    - AI-31. Jeff to send email to list on his interpretation of IPR
      issues surrounding using Liberty material
    - AI-32. Rob will draft a usecase for an Attribute Authority, to
      be examined by the TC for profiling
    - AI-33. Eve to update the charter based on discussion
    - AI-35. Rob to propose changes to the current spec regarding 
      versioning
    - AI-36. Prateek to draft the 1.1 doc set list  

  New Action Items:
  
    - AI-37. Scott to email list with intent and proposal to modify
      core around signature recommendations
    - AI-38. Jahan, Scott & Prateek to draft changes to profiles for new
      destination site first flows
    - AI-39. Prateek to propose WSDL along with metadata
    - AI-40. Jeff to find 2.0 work items list

======================================================================
                             Raw Notes
======================================================================

> 
> Agenda:
> 
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

> 
> 2. Accept minutes from previous meeting, 21 Jan
>    < http://lists.oasis-open.org/archives/security-services/
>      200301/msg00013.html >
>

- [VOTE] unanimous consent, accepted

>
> 3. Review (and approve?) V1.1 work items
>
>    < http://lists.oasis-open.org/archives/security-services/
>      200208/msg00010.html >
>
>    Acceptance Criteria:
>        - Bugs that are backwards-compatible (targeted to 1.1) 
>        - Functionality that's backwards-compatible/orthogonal and
>          high-priority 
>        - The list as a whole can be completed in 3-6 months 
>        - Any decision that needs to be made in the short term 
>
>    The below items are in no particular order [A.* numbering taken
>    from original list]:
>
>        [A.1] Metadata for formalizing operational agreements
>              between sites.
>              1. See AI-27 below.
>              01 draft and response to reviewers comments published in
>              < http://lists.oasis-open.org/archives/security-services/
>                200301/msg00020.html >
>              < http://lists.oasis-open.org/archives/security-services/
>                200301/msg00021.html >
>              < http://lists.oasis-open.org/archives/security-services/
>                200302/msg00002.html >

- Action for Prateek
- several detailed contents received
- last evening, published version 01, along with schema
- still making progress

>        [A.2] WS-Security profile ([3], possibly to go to WSS TC)
>              1. Closed.
>        [A-3] Figure out versioning of modularly published profile
>              and binding specs
>              1. See AI-19, which was previously closed.

- Rob will make proposal

>        [A-4] Sharpen conformance language around the notions of
>              profiles vs. extensions
>              1. See AI-6 below

- Action for Jeff
- Jeff still working on it

>        [A-5] Express that an assertion should not be cached
>              1. Hal Lockhart's proposal:
>                 < http://lists.oasis-open.org/archives/
>                   security-services/200211/msg00011.html >

- proposal has been made

>        [A-6] Fix fragment identifier gaffe [4]
>              1. Approved proposal on this.
>              2. Needs to be incorp'd in specs. 
>              3. See AI-15.

- has been closed for a while
- text has been proposed

>        [A-7] Standardize issuer name formats
>              1. See AI-25 below.
>              2. Original request came from XACML: 
>                 < http://lists.oasis-open.org/archives/
>                   security-services/200211/msg00012.html >

- Action for Eve
- Hal: Eve did comment on it
    - intention was to defer it to 2.0, because changes would not be 
      backward-compatible
    - XACML group discussed it, and they are content to wait for SAML 2.0

>        [A-8] Fix xmldsig issues
>              1. For 1.1, Scott's dsig doc to become a non-normative
>                 component of the spec set.
>                 < http://lists.oasis-open.org/archives/
>                   security-services/200212/msg00007.html >
>              2. Also see AI-18.
>

- Scott: is there any plan to change the language in the core doc to make
  it backward-compatible?
    - most of his changes were to binding doc
    - Jeff: thought we were going to do this
    - Scott: didn't propose any text for core doc, and there was a
      suggestion to change core doc to recommend exclusive c14n, rather
      than inclusive
    - Jeff: thinks tightening up language in core doc is appropriate
    - Jeff: signature document recommends to do it different than the
      binding docs now recommend
    - Prateek: of the three concrete manifestations of SAML (2 profiles,
      1 binding), only the POST profile requires use of signatures, and
      the problem has been addressed in that doc
    - (discussion on appropriateness of modifying core in this area)
    - [ACTION] Scott to email list with intent and proposal to modify
      core around signature recommendations
    
>        Additional Proposed V1.1 Work Items:
>
>        [A-9] Fix items from the Errata List (see AI-29)
>
>              Jahan has published new version capturing errors to date
>              < http://lists.oasis-open.org/archives/security-services/
>                200302/msg00000.html> 

- Jahan: emailed list yesterday
- proposes knocking out at least 'easy' ones on next call
- proposes an agenda item for this for next call

>        Additional web browser flows as suggested by interop and Shib 
>        experiences
>
>              Scott has published use-cases describing the proposed new
>              flows extending the SAML 1.0 web browser profiles
>
>              < http://lists.oasis-open.org/archives/security-services/
>                200302/msg00003.html>

- Scott published last night
- (discussion of doc)
- Prateek: next step is for group to digest these flows
- Scott: then it's a question of scoping
- Prateek: goal is to conclude this discussion by next call
- Hal: what is intended outcome? modifications to profiles for 1.1?
    - Scott: thinks so
    - Hal: you can accelerate process by proposing changes to profiles
      for this purpose
    - Jeff: we've had a canonical list of 1.1 items, and we need to be
      clear about adding something to this list
    - have to consider impacts to timeline
    - previous discussion was to deliver 1.1 at end of Q1 / beginning Q2
      of this year
    - Scott: then I would probably vote to defer
    - Hal: since 2.0 probably will be another 6 months away, the question
      is how urgent the desire is for this
    - Scott: could go ahead
    - Prateek: based on interop demo, where this flow had to be invented,
      thinks there is value in this, even for 1.1
    - Jahan: agrees
- [ACTION] Jahan, Scott & Prateek to draft changes to profiles for new
  destination site first flows
    
>        Review SAML error model; message from Carlisle
>
>              < http://lists.oasis-open.org/archives/security-services/
>                200302/msg00001.html >

- Prateek: thinks there was fairly extensive discussion in 1.0
- Scott: discussion at top level subsumed any possible discussion at
  lower level
- Carlisle: when was that?
- Scott: it was fairly late
- Seems that the questions in this email could be dealt with in substatus
- Jeff: looking through archives, and discussion was Q1-Q2 2002
- Prateek: seems that discussion did encompass how to indicate this sort
  of information
- Scott: interop issue is what is being raised
- you find it difficult to react appropriately to the different kinds of
  errors
- Carlisle: that is exactly it
- Hal: believes there was one issue in the issues list
- Carlisle: is there any interest in addressing this more carefully in
  1.1 / 2.0?
- Rob: thinks this needs careful consideration, so as not to give away
  too much info in an error condition, and weaken the security aspects
- Hal: thinks we should spend time between now & next call considering
  whether this is needed in 1.1 or 2.0
- Jeff: would be helpful to hear from implementors
- Scott: need to be careful not to get into errors above the SAML layer
- however, the new flows discussed above may involve carrying status 
  info in a SAML message
- Carlisle: was not involved in interop demo last year, but anyone who
  was please send thoughts on this
- Hal: echoes Rob's concern, pointing to previous SSL hack involving
  different responses in different situations
- Jeff: instinct is that proper consideration requires deferring to 2.0
- doesn't mean we should shoot down any discussion
- Prateek: will leave as consideration for 1.1, and will get final vote
  for inclusion later
    
>
>        Prateek to draft the 1.1 doc set list (related to AI-36)
>

- Scott: would like to make small addition to this list, for WSDL
  extension to metadata
- [ACTION] Prateek to propose WSDL along with metadata
- Hal: if anyone has a WSDL expert in their organization, have them
  review this
- this is why we didn't make this normative in 1.0

>        Are there additional work items? We plan to VOTE and CLOSE the 
>        SAML v1.1 list on February 17, 2003.

- 

>
> 4. Action Item review
>
>    AI-6. Jeff to determine if conformance language around the
>          notions of profiles vs. extensions is really an issue
>

- still open

>
>    AI-12. Prateek to draft analysis of use of XML Encryption in SAML
>

- no champion, deferred to SAML 2.0
- Hal: thought we were always talking about this in the 2.0 timeframe

>
>    AI-15. Editor (Eve) to update documents with Eve's fragment ID
>           recommendations
>

- Prateek: is this not [A-6]?
- Rob: thinks we just need Eve on call to close this
- Jeff: thinks this is the step of incorporating the proposal into the
  docs
- still open

>
>    AI-18. Irving to consult w/ Merlin Hughes on current XMLDSig
>           issues
>

- still open

>
>    AI-20. Eve to update specs to 1.0
>

- still open

>
>    AI-25. Eve to respond to Hal's IssuerName proposal with an
>           attribute-based & an element-based solution
>

- deferred to 2.0

>
>    AI-26. Carlisle to update Mike Just's credentials collection
>           proposal
>

- Carlisle is owner but deferred to SAML 2.0

> 
>    AI-27. Prateek to rev draft-sstc-meta-data-00 and add in schema. 
>

- done

>
>    AI-28. RobP to have RSAS convey a new "statement of licensing 
>           intent" to the SSTC that documents the additional two
>           claimed applicable patents in addition to the prior two. 
>

- Rob: still waiting for legal
- hopes to have done by next call
- still open

>    AI-30. Scott to produce use case document for destination site
>           first flow using Web Browser Profiles (Target late 
>           January)
>

- done

>
>    AI-31. Jeff to send email to list on his interpretation of IPR
>           issues surrounding using Liberty material
>

- still open

>
>    AI-32. Rob will draft a usecase for an Attribute Authority, to
>           be examined by the TC for profiling 
>

- still open

>
>    AI-33. Eve to update the charter based on discussion 
>

- still open

>
>    AI-35. Rob to propose changes to the current spec regarding 
>           versioning
>

- still open

>
>    AI-36. Prateek to draft the 1.1 doc set list  
>

- (discussed above, at end of list of 1.1 work items)
- still open
- Rob: is there a 2.0 list, to keep track of that as well?
- Jeff: there is, re-sent it to list around Christmas
- [ACTION] Jeff to find 2.0 work items list

> 
> 5. Any other business
>

- none

> 
> 6. Adjourn
>

- Adjourned


----------------------------------------------------------------------

Attendance of Voting Members:

  Allen Rogers Authentica
  Irving Reid Baltimore
  Hal Lockhart BEA
  Ronald Jacobson Computer Associates
  Carlisle Adams Entrust
  Prateek Mishra Netegrity
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Rob Philpott RSA Security
  Jahan Moreh Sigaba
  Bhavna Bhatnagar Sun
  Jeff Hodges Sun
  Emily Xu Sun
  Phillip Hallam-Baker Verisign
  Scott Cantor (individual)
  Simon Godik (individual)
  Bob Morgan (individual)


Attendance of Observers or Prospective Members:

  Robert Griffin Entrust
  John Hughes Entegrity Solutions
  

Membership Status Changes:

  Bill Haase Tivoli - granted voting status after call

--
Steve


