security-services message

Subject: Minutes from SSTC Conference Call, March 2, 2004


Attendance:
-----------
Meeting has quorum; 28 of 35 voting members present.

Attendance of Voting Members

  Hal Lockhart BEA
  Gavenraj Sodhi Computer Associates
  John Hughes Entegrity Solutions
  Miguel Pallares Ericsson
  Irving Reid HP
  Paula Austel IBM
  Maryann Hondo IBM
  Michael McIntosh IBM
  Anthony Nadalin IBM
  Scott Cantor Individual
  Greg Whitehead Individual
  Prateek Mishra Netegrity
  Conor Cahill Netscape/AOL
  Peter Davis Neustar
  Frederick Hirsch Nokia
  John Kemp Nokia
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Darren Platt Ping Identity
  Jim Lien RSA Security
  John Linn RSA Security
  Jahan Moreh Sigaba
  Bhavna Bhatnagar Sun
  Jeff Hodges Sun
  Eve Maler Sun
  Ron Monzillo Sun
  Emily Xu Sun
  Mike Beach The Boeing Company


Attendance of Prospective Members or Observers

  Dipak Chopra SAP
  Nicholas Sauriol Nortel
  Tim Moses Entrust


Membership Status Changes

  Nicholas Sauriol Nortel - Requested membership 2/18/2004
  Gershom Rogers Cisco - Requested membership 2/27/2004
  Jiafu Yu Sterling Commerce - Requested membership 2/28/2004
  Dipak Chopra SAP - Granted voting status after 3/2/2004 call
  Maneesh Sahu Individual - Lost prospective membership after 3/2/2004 call
  Senthil Sengodan Nokia - Lost prospective membership after 3/2/2004 call




1. Motions and Actions


Motion 1:
Exactly one subject per assertion (no matter how many statements), with
subject confirmation data attached to that subject (thus, confirmation is
also global to the assertion). Assertions can have a sequence of
SubjectConfirmation elements, with the explicit semantics that the subject
can be confirmed by any one of the methods (ie, "or" semantics).

Scott moves, Eve seconds.

No further discussion. Unanimous consent.


Motion 2:
Remove the words "held by the subject" from line 809 in draft 06-diff. Ron
moves, Eve seconds. Unanimous consent.



Action 1: Eve will implement motion 1 in an upcoming revision of core.

Action 2: Eve will implement motion 2 in an upcoming revision of core.

Action 3: Eve will create an issue around the format and semantics of
KeyInfo and other ConfirmationData within SubjectConfirmation.
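The two motions above fix a rule that a relying party has to apply at validation time: there is one Subject for the whole assertion, the SubjectConfirmation elements under it are tried with "or" semantics, and for holder-of-key the key identifies whoever confirms the subject, not necessarily the subject. The following is an added example of that validation logic, not text or code from the minutes or from the TC. It uses the element names and method URIs of the final SAML 2.0 core; placing ds:KeyInfo inside SubjectConfirmationData is the final specification's answer to the question raised in Action 3, not something this draft had settled. The assertion, the presenter certificate and the recipient/request identifiers are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces and confirmation-method URIs as they appear in the final SAML 2.0 core.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-in for the presenter's DER certificate (not a real certificate).
PRESENTER_CERT_DER = b"constructed-presenter-certificate-der-bytes"
PRESENTER_CERT_B64 = base64.b64encode(PRESENTER_CERT_DER).decode()

# Constructed assertion: one Subject carrying two SubjectConfirmation elements.
# The bearer confirmation is bound to a recipient, a request and a five-minute window;
# the holder-of-key confirmation names the presenter's certificate, which need not
# belong to the subject (the point of Motion 2).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_a1"
    IssueInstant="2004-03-02T18:02:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2004-03-02T18:07:00Z" InResponseTo="_req7"/>
    </saml:SubjectConfirmation>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_B64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2004-03-02T18:01:00Z"/>
</saml:Assertion>""".replace("CERT_B64", PRESENTER_CERT_B64)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_fingerprint(b64_text):
    """SHA-256 over the DER bytes, the form in which the presenter's TLS cert is compared."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()


def confirm_bearer(data, ctx):
    """Bearer: possession of the assertion is the proof, so the data must bind it to this
    recipient, to our request (when InResponseTo is present) and to a short validity window."""
    if data is None or data.get("Recipient") != ctx["recipient"]:
        return False
    if data.get("InResponseTo") not in (None, ctx.get("request_id")):
        return False
    deadline = data.get("NotOnOrAfter")
    return deadline is not None and ctx["now"] < parse_time(deadline)


def confirm_holder_of_key(data, ctx):
    """Holder-of-key: the presenter must have proved possession (e.g. via TLS client auth)
    of a key named in KeyInfo. The key identifies the confirmer, not necessarily the subject."""
    if data is None or ctx.get("presenter_cert_fingerprint") is None:
        return False
    return any(cert_fingerprint(c.text) == ctx["presenter_cert_fingerprint"]
               for c in data.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))


CONFIRMERS = {BEARER: confirm_bearer, HOLDER_OF_KEY: confirm_holder_of_key}


def confirm_subject(assertion_xml, ctx):
    """Apply Motion 1: exactly one Subject anywhere in the assertion, and the subject is
    confirmed if ANY listed SubjectConfirmation succeeds ("or" semantics).
    Returns (confirmed, [(method, result), ...])."""
    root = ET.fromstring(assertion_xml)
    subjects = list(root.iter("{%s}Subject" % NS["saml"]))  # also catches per-statement Subjects
    if len(subjects) != 1:
        raise ValueError("expected exactly one Subject, found %d" % len(subjects))
    results = []
    for sc in subjects[0].findall("saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        data = sc.find("saml:SubjectConfirmationData", NS)
        results.append((method, CONFIRMERS.get(method, lambda d, c: False)(data, ctx)))
    return any(ok for _, ok in results), results


def two_subject_variant():
    """Constructed SAML 1.x-style assertion with a second Subject inside a statement;
    under Motion 1 this must be rejected."""
    extra = ('<saml:AttributeStatement><saml:Subject><saml:NameID>bob@example.org'
             '</saml:NameID></saml:Subject></saml:AttributeStatement></saml:Assertion>')
    return SAMPLE_ASSERTION.replace("</saml:Assertion>", extra)


def demo():
    base = {"recipient": "https://sp.example.org/acs", "request_id": "_req7"}
    # A: inside the bearer window, no client certificate presented.
    ctx_a = dict(base, now=parse_time("2004-03-02T18:05:00Z"), presenter_cert_fingerprint=None)
    # B: bearer window expired, but the presenter proved possession of the HoK certificate.
    ctx_b = dict(base, now=parse_time("2004-03-02T18:30:00Z"),
                 presenter_cert_fingerprint=hashlib.sha256(PRESENTER_CERT_DER).hexdigest())
    # C: expired and no key proof: every method fails, so the subject is not confirmed.
    ctx_c = dict(base, now=parse_time("2004-03-02T18:30:00Z"), presenter_cert_fingerprint=None)
    return {name: confirm_subject(SAMPLE_ASSERTION, ctx)
            for name, ctx in (("A", ctx_a), ("B", ctx_b), ("C", ctx_c))}


if __name__ == "__main__":
    for name, (confirmed, results) in demo().items():
        print(name, confirmed, results)
    try:
        confirm_subject(two_subject_variant(), {})
    except ValueError as err:
        print("rejected:", err)
```

Scenario B is the one the "or" semantics exist for: the bearer confirmation has expired, yet the assertion is still usable by a presenter who can prove possession of the named key. The block deliberately walks the whole tree for Subject elements rather than looking only under the root, so an assertion that smuggles a second subject into a statement (the SAML 1.x shape the motion retires) is refused instead of silently evaluated against the first one. In production, verify the assertion signature and Conditions before inspecting the Subject, and parse with defusedxml rather than the stdlib parser used here for self-containment.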





2. Accept minutes from previous conference call

http://lists.oasis-open.org/archives/security-services/200402/msg00146.html

Minutes are accepted.


3. March 30 F2F Planning

Next F2F Mar 30 - April 1 
(Mike McIntosh to confirm hotel details etc.)

- Need to know how many people will show up to book the meeting room. Mike
will publish hotel and directions.

March 16 is the absolute cutoff date for proposed specification text (no
"new" text or documents after that date).

- No comments.

4. Work Item Review

The following work items do not have solution proposals at this time and
are at risk:

W-5b: SOAP Client Profile (Mike McIntosh, Tony Nadalin)

- Mike says that, given the lack of support, he would prefer to defer the
issue.

W-9: XML Encryption (Hal Lockhart)

- Hal is not present. Prateek will ask him by e-mail.

W-15: Delegation and Intermediaries (Bob Morgan, Scott Cantor, Ron Monzillo)

- There is a proposal but not exact text. Bob says that most of what he has
produced in other aspects was to make this work item progress.

W-25: Kerberos Support (John Hughes, Tim Alsop)

- John says they are refining some text for inclusion in the current
documentation set. To be ready by the end of next week.

W-21a: Document describing instances of "baselines attribute namespaces"
(John Hughes, Prateek Mishra)

- John and Prateek will produce something by end of this week.

5. Recent document postings:

- Authors are asked for an introduction about what is going on.

sstc-saml-schema-metadata-2.0.xsd

http://www.oasis-open.org/apps/org/workgroup/security/download.php/5725/sstc-saml-schema-metadata-2.0.xsd

- Jahan expects to have a draft with the textual description ready for
review by the 16th.
- Jahan, answering Prateek: this closes the work item adding the ID-FF v1.2
metadata.

bindings document

http://www.oasis-open.org/apps/org/workgroup/security/download.php/5727/sstc-saml-bindings-2.0-draft-06-diff.pdf

- Added a method of URL encoding that we will need to discuss.
- Added a new binding (HTTP Redirect/POST).
- Not sure where the metadata will be referenced, bindings or profiles.
Some text currently refers to metadata in bindings, but that might not be
its final location.

profiles document

http://www.oasis-open.org/apps/org/workgroup/security/download.php/5511/sstc-saml-profiles-2.0-draft-01.pdf

- Added Enhanced Client Profile, based on PAOS.
- Noted that this is not reconciled with latest core draft.

core draft

http://www.oasis-open.org/apps/org/workgroup/security/download.php/5600/sstc-saml-core-2.0-draft-06-diff.pdf

- Added ProxyRestrictionCondition to ConditionsType. Eve asked to add an
issue to the issues list regarding this condition. [sorry I missed the
reasoning and exact motivation]
- The AuthorizationDecisionStatement feature has been frozen.
- Added <AssertionURIReference>.
- Eve asks to add an issue to the issues list on revisiting some long names
like those including "authentication".
- Description of the Authentication Request Protocol. The description of the
NameIDPolicy element (3.4.1.1) is intended to be a compromise between its
usage in ID-FF and the SAML use cases.
- Eve asks to dig into the Subject and Subject confirmation issue now, as it
is relevant for the progress of the draft core.

Raw notes, beginning 13:02 EST:

Discussion of single-subject, single-confirmation:

Eve: does anyone want to fight for statements with different subjects within
an assertion? Ron Monzillo: How about assertions with zero subjects?
Prateek: question was posted on saml-dev to see if anyone is using
multi-subject assertions - no response so far (assorted discussion)
Eve: Consensus on having exactly one subject.

Eve: Next, what about confirmation? Per assertion? Per statement?
Scott: Common case is one trivial confirmation per assertion; can we still
allow for richer confirmations without complicating the single case?
Ron: So how do we handle assertions where different relying parties can
perform different confirmations? Multiple assertions? 
(much discussion of confirmation-related use cases and assertion structures)
Irving: The Conditions extension point could solve some of these problems
better (or a profile can define an extended SubjectConfirmation to handle a
special case)
Ron: how about multiple confirmers for a single assertion (or statement)
Scott/Eve: existing SC can have one or more methods, and the current spec is
wrong because it does not define what that means.

Eve/Scott: what are we converging on?
1) Multiple confirmation elements (method+data), with "or" semantics
2) Single subject and confirmation set at assertion level

Eve proposes a motion:

Exactly one subject per assertion (no matter how many statements), with
subject confirmation data attached to that subject (thus, confirmation is
also global to the assertion). Assertions can have a sequence of
SubjectConfirmation elements, with the explicit semantics that the subject
can be confirmed by any one of the methods (ie, "or" semantics).

Scott moves, Eve seconds.

No further discussion. Unanimous consent.

Scott considers a motion that we add an optional choice of NameIdentifiers to
SubjectConfirmation, to identify the party expected to confirm using that
SubjectConfirmation. Discusses with Ron and Irving a bit, and withdraws the
proposal.

Ron/Scott/Eve/Irving/Prateek: what about the KeyInfo within
SubjectConfirmation? Is it a special case of ConfirmationData, or could
somebody want both? Eve will create a new issue.

Eve/Ron/Scott/Prateek: Ron's proposal to modify the text around
holder-of-key SC to remove the implication that the holder of the key *is*
the subject.

Ron moves: Remove the words "held by the subject" from line 809 in draft
06-diff. Eve seconds. Unanimous consent.

Action: Eve will make the change.

Eve: What else needs to be discussed?

??: Session management implemented based on less controversial proposal out
of last F2F.

Scott: discussion of recent changes to
sstc-saml-bindings-2.0-draft-06-diff.pdf

Moved some discussion sections of the document to factor out common
requirements and improve flow and understandability.

Removed discussion of confirmation methods, and added discussion of how to
declare binding support in metadata

Modified the discussion of SOAP headers to make sure we don't forbid headers
required by other mechanisms such as WS-Security.

Scott: People should read the "redirect binding" document.



Late Arrivals speak up.

Meeting adjourns; editors stay on to discuss document status.



