[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Minutes for Telecon, Tuesday 22 July 2003
Minutes for SSTC Telecon, Tuesday 22 July 2003
Dial in info: +1 865 673 3239 #238-3466
Minutes taken by Steve Anderson
======================================================================
Summary
======================================================================
Votes:
- Minutes from 1 July 2003 call accepted
Previous Action Items Still Open:
- 0038 Continue developing Metadata specs
- 0013 Request use of WS-Trust for CC proposal
New Action Items:
- Eve to send out location info for F2F
- Eve & Prateek to begin Liberty analysis
- Chairs to post notice to interested public on SAML Dev for
solicitation of comments on 2.0
- Jeff to draft goal statement for v2.0
- Eve to send Ron Monzillo question on profiles for multi-
participant transactional workflows
======================================================================
Raw Notes
======================================================================
>
> Agenda:
>
> 1. Roll call
>
- Attendance attached to bottom of these minutes
- Quorum achieved
>
> 2. Accept minutes from previous meeting, 1 July
> < http://lists.oasis-open.org/archives/security-services/
> 200307/msg00002.html >
>
- [VOTE] unanimous consent, accepted
>
> 3. Any remaining SAML 1.1 submission issues?
>
- Rob: we submitted paperwork on 15th, along with attestations
- Karl came back with some requested changes, some regarding
contributors list
- made some editorial changes and resubmitted
- they only accepted 3 of the attestations, since Internet2 isn't a
member organization
- if there are any others that can or want to make an attestation,
there is probably a little more time to get that in
- Eve: suggests that people to verify their info in Kavi, because
inconsistencies there caused some difficulty in this process
>
> 4. Finalize dates and location for September F2F
>
> < http://www.oasis-open.org/apps/org/workgroup/
> security/ballots.php >
>
- Prateek: we have a tie for week of Mon 8 Sept between beginning of
week vs. end of week
- Rob: confirming we are hold this on East coast
- given that, we could defer to folks traveling farthest
- seems that Monday noon start isn't that helpful
- Eve: proposes Mon 10-5, Tue 9-5, and Wed 9-noon (Sept 8-10)
- got consensus
- Eve: can host it, offering room and A/V (no catering)
- dial-in can be provided
- no external network access likely
- Eve: most will want to go thru Logan, but alternative is Manchester,
NH Airport, which is about an hour away
- [ACTION] Eve to send out location info for F2F
>
> 5. SAML 2.0 Next Steps
>
> (a) Call for Editors
>
> Frederick Hirsch (Nokia) and Eve Maler (SUN) have graciously
> volunteered to act as Editors. It is likely we will require
> additional editors for the many SAML 2.0 drafts. Please contact
> Rob Philpott or Prateek Mishra if you are interested in this time
> consuming, difficult but very important role.
>
- Prateek: soliciting volunteers for editor role
>
> (b) SAML 2.0 Scope definition
>
> Recall that we have requested permission to create derivative
> works from Liberty Alliance 1.1.
>
> < http://lists.oasis-open.org/archives/security-services/
> 200304/msg00072.html >
>
> What are our next steps in this space?
>
> Would it not be better to begin work from LA 1.2?
>
> Further, at various points lists of SAML 2.0 topics have been
> published:
>
> < http://lists.oasis-open.org/archives/security-services/
> 200307/msg00004.html >
>
> What are our next steps in this space?
>
- Prateek: How do we approach v2.0?
- Eve: we were specifically granted use of Liberty v1.1, right?
- Prateek/Jeff: confirmed
- Jeff: we can begin work on 1.1
- there is a minor change from 1.1 to 1.2
- there are several TC members that are part of the Liberty work
- would be a mistake to wait for 1.2
- Prateek: so how do we proceed?
- Jeff: suggests we take the SAML 2.0 wish list that has been
around for a while, and compare it to Liberty 1.1
- Eve: we need an 'elevator statement' for the goals of v2.0
- one could be re-synch'ing SAML with current practices and real
world usage scenarios
- Prateek: how do we go about that? open up for comments from
TC members?
- open up to external orgs, e.g. GRID
- Jeff: sounds reasonable
- Eve: could specifically ask for people who have been developing
profiles
- Jeff: we shouldn't wait for detailed analysis from external orgs
(e.g. GRID), but we can do our own analysis of their public docs
and ask for their comments
- Prateek: wants to assign names to these items
- Eve: Can work on Liberty analysis, but needs help from someone
more familiar with Liberty
- Prateek: isn't that familiar, but willing to help
- Jeff: minimal availability until after August
- Eve: maybe she & Prateek can start it and get review from Jeff
- Scott: can probably lend some assistance as well
- [ACTION] Eve & Prateek to begin Liberty analysis
- [ACTION] Chairs to post notice to interested public on SAML Dev
for solicitation of comments on 2.0
- Eve: talking about 'elevator pitch'
- the fact that we're moving past 1.0 and 1.x shows longevity
- Scott: would add 'alignment with emerging standards' as part of
the pitch for 2.0
- Hal: we have a list of deferrals for 2.0
- [ACTION] Jeff to draft goal statement for v2.0
- Frederick: would like to walk through list
< http://www.oasis-open.org/archives/security-services/
200302/msg00053.html >
- Prateek: were there particular questions?
- Frederick: yes, e.g. don't understand "simple sessions"
- Prateek: that's adding signout type things
- Hal: in contrast to global timeout and other non-simple
session concepts
- Jeff: sent msg to list pointing to prior discussions on v2.0
< http://www.oasis-open.org/archives/security-services/
200307/msg00045.html >
- the msgs pointed to seem a little light
- Eve: there was a desire for an HTTP binding, but there may not
be one now
- perusing thru list
- a few Liberty-related items at beginning
- Assertion encryption
- XML Encr wasn't finished by our 1.0 timeframe, but now is
- Jeff: we should gather use cases
- Hal: why not just allow any part of the assertion to be
encrypted?
- [protracted discussion, not going to solve today]
- B2B, A2A, back-office profiles
- didn't have time for them previously
- these will need champions
- Profile for mid-tier usage a la Hitachi
- will also need a champion
- Quadrasis may have interest
- Profiles for multilevel access controls
- sketchy recollections of this
- seems to speak to ability to effect access control on
attributes in assertions
- we'd need some concrete suggestions for this
- Profiles for multi-participant transactional workflows
- Irving: guessing that this is for attaching assertions to
workflows
- characteristic of web browser profile is that assertions have
confirmation methods that render the assertions useless in
any other step of a workflow process (which is intentional)
- Prateek: Irving for champion here?
- Irving: wouldn't be right person
- [ACTION] Eve to send Ron Monzillo question on profiles for
multi-participant transactional workflows
- Scott: may also be a possible champion
- basically doesn't think our assertions should be short-lived
- SIDE NOTE: Eve spoke with someone who wrote a security analysis
of web browser profile
- will be published soon, but author didn't want to compromise
the publication by providing the writeup directly
- Rob: is this good new or bad?
- Eve: good, he said it was one of the most well specified,
high quality specifications produced lately
- he had a just a few suggestions
- Eve: will contact him and urge him to submit something to us
- can do the same with the publication
- SAML credentials collector and credentials assertions
- Tim: can possibly take this on
- Tim: Jeff is also interested, so he may help
- SASL support in authentication methods
- Scott: not the same as this, but Liberty's authN context is
something we need here
- Baseline attribute namespaces
- this is standardizing some attribute namespaces
- Irving: could have a DSML profile for a person's attributes
- Eve: this is related to some misunderstandings in an article
on the IBM DeveloperWorks site
- "Debunking SAML Myths and Misunderstandings"
< http://www-106.ibm.com/developerworks/xml/
library/x-samlmyth.html >
- has a mixture of correct & incorrect material
- Chairs could respond with letter to editorial with
gentle corrections
- Scott: can champion this
- Scott: RLBob may be interested in this too
- Hierarchical delegation of privileges among federated attribute
authorities
- not sure what this means
- this may just go in a set of needed delegation use cases
- Standardized trust between SAML-enabled servers
- Jahan: this may be formal means of what we've been doing
manually
- Scott: don't want to muddy our work with metadata with trust
- there should be a clear distinction
- Jahan: can try to carry this
- Persistent caching (mirroring?) of assertions at multiple sites
- Jahan: one time use characteristic now vs. possible
multiple use characteristics?
- not clear
- Scott: WS-Security's security token references are related
- doesn't see why we have SAML protocol to obtain assertions,
and we also have these STRs
- Privacy and Anonymity items
- will be related to Liberty
- Scott: anonymity will be in Liberty 1.2
- SAML feature discovery through WSDL, UDDI, etc
- appears to be metadata
- Eve: thought this was partly just publishing a real WSDL
- Scott: not sure UDDI would fit into that
- Prateek: we can throw this into metadata bucket
- Kerberos support
- JohnHughes: will champion this, and will see if this makes
sense
- Pass-through authentication
- Prateek: is this subsumed by credential collector?
- seems to be
- will fold into that
- Rich/dynamic sessions (more than Liberty)
- Prateek: we should fold this and the simple session stuff
into an overall session topic
- X.500 attribute support
- Scott: related to prior discussion on standardized attrs
- Delegation use cases
- Liberty provides sort of "one hop" impersonation, but
wouldn't call it delegation
- Frederick: doesn't understand this relative to WS-Security
- need to consult with Ron Monzillo on this as well
- Use of intermediaries
- Scott: relates to delegation issue
- Prateek: should they be folded together?
- seems like it
- Dependency audit ("validity depends on")
- Prateek: will champion this
- Negative assertions
- Eve: should call for use cases for this
- More complex queries, e.g. all attributes in namespace X
- Prateek: this is another extension to SAML protocol
- Standardizing policy around which attributes get supplied
- related to previous
- also related to profile for multilevel access control
- can fold all these together
- Eve: notes that we should start a 2.0 issues list
- there were some items we promised to address in v2.0 that have
workarounds in v1.1
- Rob: need to call for volunteer to be editor
- Frederick: can do it if no one else is doing it
>
> 6. Open Action Items
>
> 0038 Continue developing Metadata specs
> Prateek Mishra
>
- not discussed
>
> 0013 Request use of WS-Trust for CC proposal
> Maryann Hondo
>
- not discussed
>
> 7. Any other business
>
- none
>
> 8. Adjourn
>
- Adjourned
----------------------------------------------------------------------
Attendance of Voting Members:
Irving Reid Baltimore
Hal Lockhart BEA
Ronald Jacobson Computer Associates
John Hughes Entegrity Solutions
Scott Cantor Individual
Bob Morgan Individual
Prateek Mishra Netegrity
Frederick Hirsch Nokia
Senthil Sengodan Nokia
Charles Knouse Oblix
Steve Anderson OpenNetwork
Simon Godik OverXeer
Rob Philpott RSA Security
Edward Coyne SAIC
Dipak Chopra SAP
Jahan Moreh Sigaba
Bhavna Bhatnagar Sun
Jeff Hodges Sun
Eve Maler Sun
Emily Xu Sun
Attendance of Observers or Prospective Members:
Tim Moses Entrust
Membership Status Changes:
Mark O'Neill Vordel - Granted voting status after call
--
Steve
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]