Subject: Minutes from SSTC Conference Call, March 2, 2004
Attendance
----------
Meeting has quorum; 28 of 35 voting members present.

Attendance of Voting Members
- Hal Lockhart, BEA
- Gavenraj Sodhi, Computer Associates
- John Hughes, Entegrity Solutions
- Miguel Pallares, Ericsson
- Irving Reid, HP
- Paula Austel, IBM
- Maryann Hondo, IBM
- Michael McIntosh, IBM
- Anthony Nadalin, IBM
- Scott Cantor, Individual
- Greg Whitehead, Individual
- Prateek Mishra, Netegrity
- Conor Cahill, Netscape/AOL
- Peter Davis, Neustar
- Frederick Hirsch, Nokia
- John Kemp, Nokia
- Charles Knouse, Oblix
- Steve Anderson, OpenNetwork
- Darren Platt, Ping Identity
- Jim Lien, RSA Security
- John Linn, RSA Security
- Jahan Moreh, Sigaba
- Bhavna Bhatnagar, Sun
- Jeff Hodges, Sun
- Eve Maler, Sun
- Ron Monzillo, Sun
- Emily Xu, Sun
- Mike Beach, The Boeing Company

Attendance of Prospective Members or Observers
- Dipak Chopra, SAP
- Nicholas Sauriol, Nortel
- Tim Moses, Entrust

Membership Status Changes
- Nicholas Sauriol, Nortel - Requested membership 2/18/2004
- Gershom Rogers, Cisco - Requested membership 2/27/2004
- Jiafu Yu, Sterling Commerce - Requested membership 2/28/2004
- Dipak Chopra, SAP - Granted voting status after 3/2/2004 call
- Maneesh Sahu, Individual - Lost prospective membership after 3/2/2004 call
- Senthil Sengodan, Nokia - Lost prospective membership after 3/2/2004 call

1. Motions and Actions

Motion 1: Exactly one subject per assertion (no matter how many statements), with subject confirmation data attached to that subject (thus, confirmation is also global to the assertion). Assertions can have a sequence of SubjectConfirmation elements, with the explicit semantics that the subject can be confirmed by any one of the methods (i.e., "or" semantics).
Scott moves, Eve seconds. No further discussion. Unanimous consent.

Motion 2: Remove the words "held by the subject" from line 809 in draft 06-diff.
Ron moves, Eve seconds. Unanimous consent.

Action 1: Eve will implement motion 1 in an upcoming revision of core.
Action 2: Eve will implement motion 2 in an upcoming revision of core.
Action 3: Eve will create an issue around the format and semantics of KeyInfo and other ConfirmationData within SubjectConfirmation.

2. Accept minutes from previous conference call

http://lists.oasis-open.org/archives/security-services/200402/msg00146.html
Minutes are accepted.

3. March 30 F2F Planning

- Next F2F Mar 30 - April 1 (Mike McIntosh to confirm hotel details etc.)
- Need to know how many people will show up in order to book the meeting room. Mike will publish hotel and directions.
- March 16 is the absolute cutoff date for proposed specification text (no "new" text or documents after that date). No comments.

4. Work Item Review

The following work items do not have solution proposals at this time and are at risk:
- W-5b: SOAP Client Profile (Mike McIntosh, Tony Nadalin) - Mike says that, given the lack of support, he would prefer to defer the issue.
- W-9: XML Encryption (Hal Lockhart) - Hal is not present. Prateek will ask him by e-mail.
- W-15: Delegation and Intermediaries (Bob Morgan, Scott Cantor, Ron Monzillo) - There is a proposal but no exact text. Bob says that most of what he has produced in other areas was intended to make this work item progress.
- W-25: Kerberos Support (John Hughes, Tim Alsop) - John says they are refining some text for inclusion in the current documentation set. To be ready by the end of next week.
- W-21a: Document describing instances of "baseline attribute namespaces" (John Hughes, Prateek Mishra) - John and Prateek will produce something by the end of this week.

5. Recent document postings

Authors are asked for an introduction about what is going on.

sstc-saml-schema-metadata-2.0.xsd
http://www.oasis-open.org/apps/org/workgroup/security/download.php/5725/sstc-saml-schema-metadata-2.0.xsd
- Johan expects to have a draft with the textual description ready for review by the 16th.
- Johan, answering Prateek: this closes the work item adding the ID-FF v1.2 metadata.
bindings document
http://www.oasis-open.org/apps/org/workgroup/security/download.php/5727/sstc-saml-bindings-2.0-draft-06-diff.pdf
- Added a method of URL encoding that we will need to discuss.
- Added a new binding (HTTP Redirect/POST).
- Not sure where the metadata will be referenced, bindings or profiles. Some text currently refers to metadata in bindings, but that might not be its final location.

profiles document
http://www.oasis-open.org/apps/org/workgroup/security/download.php/5511/sstc-saml-profiles-2.0-draft-01.pdf
- Added Enhanced Client Profile, based on PAOS.
- Noted that this is not reconciled with the latest core draft.

core draft
http://www.oasis-open.org/apps/org/workgroup/security/download.php/5600/sstc-saml-core-2.0-draft-06-diff.pdf
- Added ProxyRestrictionCondition to ConditionsType. Eve asked to add an issue to the issues list regarding this condition. [sorry I missed the reasoning and exact motivation]
- The AuthorizationDecisionStatement feature has been frozen.
- Added <AssertionURIReference>.
- Eve asks to add an issue to the issues list on revisiting some long names, like those including "authentication".
- Description of the Authentication Request Protocol. The description of the NameIDPolicy element (3.4.1.1) is intended as a compromise between its usage in ID-FF and the SAML use cases.
- Eve asks to dig into the Subject and SubjectConfirmation issue now, as it is relevant for the progress of the core draft.

Raw notes, beginning 13:02 EST
------------------------------
Discussion of single-subject, single-confirmation:

Eve: Does anyone want to fight for statements with different subjects within an assertion?
Ron Monzillo: How about assertions with zero subjects?
Prateek: The question was posted on saml-dev to see if anyone is using multi-subject assertions; no response so far.
(assorted discussion)
Eve: Consensus on having exactly one subject.
Eve: Next, what about confirmation? Per assertion? Per statement?
Scott: Common case is one trivial confirmation per assertion; can we still allow for richer confirmations without complicating the single case?
Ron: So how do we handle assertions where different relying parties can perform different confirmations? Multiple assertions?
(much discussion of confirmation-related use cases and assertion structures)
Irving: The Conditions extension point could solve some of these problems better (or a profile can define an extended SubjectConfirmation to handle a special case).
Ron: How about multiple confirmers for a single assertion (or statement)?
Scott/Eve: The existing SC can have one or more methods, and the current spec is wrong because it does not define what that means.
Eve/Scott: What are we converging on?
  1) Multiple confirmation elements (method+data), with "or" semantics
  2) Single subject and confirmation set at assertion level

Eve proposes a motion: Exactly one subject per assertion (no matter how many statements), with subject confirmation data attached to that subject (thus, confirmation is also global to the assertion). Assertions can have a sequence of SubjectConfirmation elements, with the explicit semantics that the subject can be confirmed by any one of the methods (i.e., "or" semantics).
Scott moves, Eve seconds. No further discussion. Unanimous consent.

Scott considers a motion that we add an optional choice of NameIdentifiers to SubjectConfirmation, to identify the party expected to confirm using that SubjectConfirmation. Discusses with Ron and Irving a bit, and withdraws the proposal.

Ron/Scott/Eve/Irving/Prateek: What about the KeyInfo within SubjectConfirmation? Is it a special case of ConfirmationData, or could somebody want both? Eve will create a new issue.

Eve/Ron/Scott/Prateek: Ron's proposal to modify the text around holder-of-key SC to remove the implication that the holder of the key *is* the subject.
Ron moves: Remove the words "held by the subject" from line 809 in draft 06-diff. Eve seconds.
Unanimous consent.
Action: Eve will make the change.

Eve: What else needs to be discussed?
??: Session management implemented based on the less controversial proposal out of the last F2F.
Scott: Discussion of recent changes to sstc-saml-bindings-2.0-draft-06-diff.pdf:
- Moved some discussion sections of the document to factor out common requirements and improve flow and understandability.
- Removed discussion of confirmation methods, and added discussion of how to declare binding support in metadata.
- Modified the discussion of SOAP headers to make sure we don't forbid headers required by other mechanisms such as WS-Security.
Scott: People should read the "redirect binding" document.

Late arrivals speak up.

Meeting adjourns; editors stay on to discuss document status.
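Motion 1 and the raw-notes discussion above settle two structural rules for an assertion: exactly one Subject, and a sequence of SubjectConfirmation elements of which any one may confirm the subject ("or" semantics); Motion 2 adds that the holder of a key in a holder-of-key confirmation is not assumed to be the subject. The following is an added illustration and not text or code from the SSTC or from any SAML specification: a small relying-party-side evaluator in Python that parses a constructed assertion and applies those rules. The namespace, element names and the bearer and holder-of-key method URIs follow the final SAML 2.0 core schema rather than draft 06; the `Presentation` record and the key-name matching are assumptions standing in for whatever proof of key possession a real deployment checks.

```python
"""Relying-party evaluation of SubjectConfirmation with "or" semantics.

Added example: enforces "exactly one Subject per assertion" and accepts the
assertion if ANY of its SubjectConfirmation elements can be satisfied.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Namespace and method URIs as in the final SAML 2.0 core schema (assumption:
# draft 06 discussed in the minutes may have used different names).
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample: one Subject carrying two confirmations (holder-of-key
# with a KeyInfo inside SubjectConfirmationData, and bearer). Statements omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-1" Version="2.0">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:KeyName>alice-key-1</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2004-03-02T18:10:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <!-- statements omitted: the subject and its confirmations are assertion-wide -->
</saml:Assertion>"""

# Constructed counter-example that violates the single-subject rule.
MULTI_SUBJECT_ASSERTION = SAMPLE_ASSERTION.replace(
    "</saml:Subject>", "</saml:Subject><saml:Subject/>")


@dataclass
class Confirmation:
    method: str
    recipient: Optional[str] = None
    not_on_or_after: Optional[str] = None
    key_names: List[str] = field(default_factory=list)


@dataclass
class Presentation:
    """What the relying party observed when the assertion arrived (assumed model)."""
    endpoint: str                  # URL the assertion was delivered to
    now: str                       # UTC timestamp, same ISO 8601 'Z' format as the assertion
    proven_key_names: Set[str] = field(default_factory=set)  # keys the presenter proved holding


def parse_subject(xml_text: str) -> Tuple[Optional[str], List[Confirmation]]:
    """Return (NameID, confirmations); reject anything but exactly one Subject."""
    root = ET.fromstring(xml_text)
    subjects = root.findall("saml:Subject", NS)
    if len(subjects) != 1:
        raise ValueError(f"expected exactly one Subject, found {len(subjects)}")
    subject = subjects[0]
    name_id = subject.findtext("saml:NameID", default=None, namespaces=NS)
    confirmations = []
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        conf = Confirmation(method=sc.get("Method", ""))
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is not None:
            conf.recipient = data.get("Recipient")
            conf.not_on_or_after = data.get("NotOnOrAfter")
            conf.key_names = [k.text or "" for k in data.findall("ds:KeyInfo/ds:KeyName", NS)]
        confirmations.append(conf)
    return name_id, confirmations


def confirmation_satisfied(conf: Confirmation, pres: Presentation) -> bool:
    """One SubjectConfirmation element checked on its own terms."""
    if conf.method == BEARER:
        # Bearer: must land at the named recipient and before expiry. Lexical
        # comparison is valid only because both timestamps share one format.
        return (conf.recipient == pres.endpoint
                and conf.not_on_or_after is not None
                and pres.now < conf.not_on_or_after)
    if conf.method == HOLDER_OF_KEY:
        # The presenter must prove possession of a listed key. Whoever holds
        # the key is not thereby assumed to be the subject (Motion 2).
        return any(k in pres.proven_key_names for k in conf.key_names)
    return False  # unknown methods never confirm


def confirm_subject(xml_text: str, pres: Presentation) -> Optional[Tuple[str, str]]:
    """"Or" semantics: the first satisfiable confirmation confirms the subject."""
    name_id, confirmations = parse_subject(xml_text)
    for conf in confirmations:
        if confirmation_satisfied(conf, pres):
            return name_id, conf.method
    return None


if __name__ == "__main__":
    bearer_only = Presentation("https://sp.example.org/acs", "2004-03-02T18:05:00Z")
    print(confirm_subject(SAMPLE_ASSERTION, bearer_only))
```

The evaluator stops at the first confirmation that holds, which is exactly the "any one of the methods" reading of the motion; a relying party that can satisfy none of them (wrong endpoint, expired bearer window, no key possession proven) gets no subject back, and an assertion with zero or several Subject elements is rejected before any confirmation is examined.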