[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Draft Minutes for SSTC F2F, Thursday 1 April 2004
Enclosed are draft minutes for the SSTC Face-Face meeting, Thursday 1 April 2004.

regards, Frederick

Frederick Hirsch
Nokia

<<sstc-04-04-01-f2f-minutes.txt>> <<sstc-f2f-sso-table.pdf>>
Minutes SSTC F2F, Day 3: Thursday 1-April (8:30-11:30)

Minute-Taker: Frederick Hirsch

8:30-9:15:   Kerberos Proposal Resolution
             draft-sstc-solution-profile-kerberos-04
9:15-9:30:   Review/approve SAML V1.1 technical Overview as a Committee Draft
             sstc-saml-tech-overview-1[1].1-draft-03
9:30-10:30:  Review issues list (incl prioritized small issues)
             sstc-saml-2[1].0-issues-draft-07
10:30-10:45  Break
10:45-11:30: Review/establish schedule for remaining work and next F2F
11:30:       Adjourn

-------------------------------------------------------------------------------

Deferred:

- ITU-T Status (Hal Lockhart)
- Baseline Attribute Status and Next Steps
  sstc-hughes-mishra-baseline-attributes-01 (yet to appear :-)
- Review AI list and extract dates from owners/close items
- Establish which work items are "complete" and those that need work

------------------------------------------------------------------------------

Action Items

AI - Scott - Determine how Kerberos principals can be represented as NameIdentifiers.
AI - Prateek - forward Technical Overview 1.1 to external parties that had comments on draft
Chairs - publish message to list asking for review of technical overview 1.1 and indicate that vote to bring to committee draft will be at SSTC meeting in two weeks from this week.
AI - Jeff H - to propose glossary definition for binding and profile, issue TECH-4
AI - Scott - "Binding conditions" proposal
AI - Prateek - to review core for locations where privacy considerations are implicit
AI - Eve - implement decision on core 18 after checking with Ron
AI - Hal - to send focus call information to XACML list regarding SSTC focus call
AI - Rob - put Kavi polls for location and dates for next F2F
AI - Prateek - to put out notice to saml-dev, id-ff vendors and others for saml2 related implementation experience, now, give early notice regarding later attestations.
AI - JeffH - send notice to Liberty members requesting interest in creating SSTC implementations from parties that have met Liberty 1.1 conformance tests
AI - Eve - publish tentative schedule on home page
AI - Eve - to publish core-09 by Tuesday
AI - Frederick - to send his updates on bindings and profile to Scott who will then incorporate additional edits.
AI - John H - draft of technical 1 pager with final deadline end of April

------------------------------------------------------------------------------

8:30-9:15: Kerberos Proposal Resolution
draft-sstc-solution-profile-kerberos-04

Tim Alsop presented a whiteboard overview.

picture:

  [Active Directory]

  [workstation with credential store]--[web server with credential store]

Two primary use cases discussed,
(1) browser and web server with web server determining identity of user using kerberos
(2) work station creating SAML assertion using kerberos on work station. Not necessarily specifically a browser environment.

Note that "Windows integrated authentication", or SP-Nego (SP Negotiate), is not a standard, but a specification that was submitted as an IETF draft, since expired, but implemented. Mozilla and Apache web server plugins exist.

impersonation - authenticate user at work station using Kerberos, cache credentials at web server, then web server can authenticate elsewhere on network using those credentials. This allows end-end authentication in a network.

Greg W - authentication step discussed yesterday, step 4, doesn't require a detailed SSTC specification, since many authentication methods are possible

John H - this could go into the technical overview document to explain how kerberos may be used for authentication

John Hughes presented more detailed scenario.

Requirement - pull or push saml assertion to service outside the kerberos domain that produces the original saml assertion.

1. Authenticate to KDC at active directory
2. generate assertion using authenticated principal, proprietary implementation, within kerberos domain want to go to remote domain,
3. AuthnRequest to SAML component within source kerberos domain with secure connection
4. Get samlp:Response with Artifact or Assertion

Scott - How to use Kerberos with SOAP is undefined, not standard
Frederick - WSS Kerberos Token Profile would be helpful in this area
Scott - could define DCE RPC interface to be SAML protocol, but not done
Tim - trying various approaches, have not worked out solution at this point
Scott - do not use Artifact unless needed.
John H - indicated that there may be a unique issue to this profile regarding how to push assertions, with a potential solution of using a browser applet to send the assertion from the browser, as opposed to using the HTML form post technique, for example.

AI - Scott - Determine how Kerberos principals can be represented as NameIdentifiers. 1510 possibility.

Issue of how to support kerberos interaction discussed, possibility of using SAML browser methods but might require knowledge of user agent capabilities, otherwise could use SOAP technique.
Scott - using SOAP makes it easier to address markets.
Tim - Could also put kerberos ticket inside assertion, possible Kerberos confirmation method.
Tim - Kerberos ticket lifetime can be passed in AuthnRequest, to address lifetime issues.
Scott - Schema includes Conditions to allow this
Prateek - Part of Kerberos work will be in SAML 2.0, part will be outside SAML 2.0 but enabled by it.

----------------------------------------------------------------------

John Hughes - draft 04 of technical overview published this morning

9:15-9:30: Review/approve SAML V1.1 technical Overview as a Committee Draft
sstc-saml-tech-overview-1[1].1-draft-03

Changes
- comments from Frederick incorporated
- corrections to one of the diagrams
- restructured: discussion of source site first, destination site first moved since not necessarily part of standard

Conor - prefer push, pull
Jeff H - SAML 2.0 should carefully define terms so we use SP or IDP, similar source and destination
John H - 1.1 technical overview used older terms
John H - want to bring document to closure
Eve - committee draft is appropriate
Prateek - will forward to external parties that had comments on draft

Decision: will vote to publish as a committee draft at SSTC meeting in two weeks. Chair action item to send message to list regarding upcoming vote.

----------------------------------------------------------------------

Eve leads Issues list discussion

9:30-10:30: Review issues list (incl prioritized small issues)
sstc-saml-2[1].0-issues-draft-07

Draft 08 has not yet been published on site, discussed draft 08

Closed
Core 06 - Closed - Assertion level subject - prose based optional subject
Core 15 - closed - health warning on xsi:type extensions

prioritize high A to lower C, A for today

Open
Core-7 - Soap 1.1 vs 1.2 - priority C
  Scott - use of SOAP internal to SAML, more of an issue with WSS SAML Token Profile, not in this group
Core 8 - open but resolved, so priority C. Scott has details
Core 9 - Eve, Scott priority C, "anyAttribute evil" response to Ann in this category
Core 11 - validity period - still open, Scott has short solution proposal, priority A
Core 12 - add "for issuer" to item, C
Core 13 - pending - resolve by removing restriction
core 14 - Ron issue - need input from Ron - B
core 16 - new issue, Authentication vs Authn, decision would be helpful for cleanness and elegance. B
core 17 - bag of conditions - B
core 18 - could make decision today, A
Bindings 3 - discuss later - related to conformance, e.g. mandatory to implement. B
Tech 1 - terminology as Jeff mentioned, would like to clean up drafts earlier B
Tech 2 - at last F2F there was consensus that there are no use cases, A
Tech 3 - impersonation - text changes were done for KeyInfo, changes needed for holder of key, Scott - may be out of scope.
Tech 4 - glossary additions - need to define binding, profile, Jeff H AI to define binding and profiles, "atomic unit of interoperability" proposed
Prateek - would like to change definition of federation, email thread.
Federation Definition - B

----------------------------------------------------------------------

Issues added during F2F

Domain Model, "SAML Authority" == "IDP", same as Tech 1
Consent vs Reason - B
Element vs Attribute Review - AuthenticationMethod, SessionIndex are examples, C
QName prefixes in Status - interop issue, new issue to add to issues list, "Replace QNames for Status with URIs", B
Scott's "Binding conditions", Scott to draft proposal
Encryption key (1 or more) distribution and recipient A
Privacy considerations? Jeff H - We need to highlight privacy considerations related to core, could be notes in core, could be section. Prateek - will generate list of potential changes from core
Rename Authentication context statement A
AuthnMethod? decided, Scott and John K have action associated with that.
Schema extensibility - already issue Core-9
anyAttribute - evil? - already issue Core-9

-----------------------------------------------------------------------

Issue List Detailed Discussion

A items

Core-11

Scott described issue.
Conor - encryption does not impact validity, just used for confidentiality only while passing third party
Scott - not with name identifier mapping, can be passed around, if not in assertion can be used.
Hal - needs to be in an assertion. Why not have assertion with just name identifier in it, make statement optional
Proposal - subject-less assertion with no statements. :)
Can change federation time frame by changing name in protocol
Prateek - potential issue, how to define the lifetime of a federation, possibly the federation identifier
Greg - two lifetimes: 1-time, only for this session, or otherwise indefinite time
Scott - Exchanging encrypted references to principals - could hand out permanent identifier that should not have one.
Conor - NameIdentifier response includes assertion, encrypt name identifier - either name identifier or assertion containing name identifier
Prateek - All federated identifier establishment contain time period
Tony - hard to manage if mandated
Conor - don't want to mandate use of assertion, want to simplify at SPs
Eve suggests focus group call on the topic.
Conor - could change name of Reauthenticate On or After to Renew On or After...
Hal - relying party decision, offering guidance

New issue: lifetime for federated identifiers
Eve updated issues list.

----

core 18

KeyInfo or SubjectConfirmationData
Scott - should be choice
Prateek - some wanted both
Scott - could put KeyInfo inside SubjectConfirmationData
Eve - would require explanation
Prateek - biometric in SubjectConfirmationData, key in KeyInfo
Eve - decision to make choice group
Mike - what is difference in meaning for KeyInfo at top versus KeyInfo inside SubjectConfirmationData
Eve - no, just syntactic. Discussion ensues, decision to remove KeyInfo
Prateek - eliminating holder of key, Ron will have comments

Decision - remove KeyInfo, allow within SubjectConfirmationData
AI - Eve to implement decision on core 18 after checking with Ron

----

Bind-3

Scott draws table, see PDF sstc-f2f-sso-table.pdf. "Proposed" refers to Scott's refactoring presented yesterday.

Concern about number of table entries, complexity. Need for different entries to meet different requirements discussed.
Conor - FORM POST needed for SPs that do not use SOAP call.
Scott - feels different about Artifact vs POST
Hal - proposes implementation guidelines on when to use each cell, depending on requirements.
JeffH - wide range of deployment scenarios.
Scott - metadata Endpoint = binding, location; location element name corresponds to message in table, binding refers to binding column
Prateek - As editor of conformance draft will start working on draft. Would like to see Federation identifier establishment and management factored out separately from single sign on functionality. Will raise issue of whether both will be required for conformance to SAML 2 - issue for later discussion.
Scott - really wants to see destination site first supported
Hal - suggests packages
JeffH - what does SAML 2 mean?

----------------------------------------------------------------------------------

Hal gives summary of XACML meeting regarding SSTC. Next step: propose agenda item on next SSTC focus call on relevant topics related to type information. XACML members interested in topic to attend SSTC focus call. Plan for next Tuesday.

Prateek requests email from XACML on mail list before meeting.

Discussion deferred until Tuesday.

----------------------------------------------------------------------------------

10:45-11:30: Review/establish schedule for remaining work and next F2F

Discussed possible additional F2F, end of May / beginning of June. Rob to arrange call.

Eve - Plan committee draft vote by end of June to start 30 day public review. Might get enough comments to require a second committee draft.
Eve - should get additional review earlier, drafts are public.
Scott - once a round of changes are in we can have drafts for early review

Candidate committee draft for final comments within TC, last call, end April 30. Include OASIS news notice.
F2F mid-May to mid-June
CD + 30 day public review, end-June
Collect attestations: now to Aug 15 (AI Prateek to contact ID-FF vendors)
OS Balloting request Aug 15

Conor - suggests contacting Liberty vendors that have certified 1.1 Liberty conformance.

Eve - last call must include delta document, 1 page technical overview,

Burton Catalyst is mid-July, July 21-23, possible outreach

Eve - motion to thank Tony and IBM for hosting, much appreciated hospitality. Motion passed without objection.

----------------------------------------------------------------------------------

John Kemp - examine authentication context method - deferred

Action items added to list above.

Meeting Adjourned.