[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Minutes for SSTC conf call, 2004-05-25
Attendance of Voting Members
Conor P. Cahill AOL, Inc.
Hal Lockhart BEA
Tim Alsop CyberSafe
John Hughes Entegrity Solutions
Paul Madsen Entrust
Miguel Pallares Ericsson
Dana Kaufman Forum Systems
Irving Reid Hewlett-Packard Company
Paula Austel IBM
Michael McIntosh IBM
Scott Cantor Individual
Bob Morgan Individual
Prateek Mishra Netegrity
Peter Davis Neustar
Frederick Hirsch Nokia
John Kemp Nokia
Nicholas Sauriol Nortel
Jim Lien RSA Security
Rob Philpott RSA Security
Dipak Chopra SAP
Jahan Moreh Sigaba
Bhavna Bhatnagar Sun Microsystems
Jeff Hodges Sun Microsystems
Eve Maler Sun Microsystems
Ron Monzillo Sun Microsystems
Mike Beach The Boeing Company
Greg Whitehead Trustgenix
Attendance of Prospective Members or Observers
Ronald Jacobson Computer Associates
Membership Status Changes
John Cook ComBrio -- requested membership 2004-05-15
Summary:
Discussion of remaining issues in Core document, primarly
"ReauthenticateOnOrAfter". New text will be proposed, further discussion
on focus call.
Minutes
-------
1. minutes of 2004-05-11 meeting accepted
2. Toronto F2F planning
location will be downtown location, 901 King
no visitor parking, but some lots near meeting site
public transit runs right by
nearest "decent" hotels are 15-20 minute walk
Holiday Inn on King St West is default hotel
Irving will send a note confirming all this
3. editors report on latest doc revs
Eve: Scott is now official owner/editor of Core draft
she will remaining as coordinator/reviewer
Scott:
note that most core changes were from -11 to -12
changes from -12 to -13 were minor
-13 reflects all the name abbreviations
-12 substantive changes: (Scott)
text about "entity ID" or "provider ID" format in section 8.3.7
referenced from encrypted nameID text in section 2.3.3
section 2.4.3.2 confirmationMethod is now attribute, not element
some conditions now state "do not have more than one per assertion"
added choice of encrypted assertion in any place where assertion was
authenticationMethod still in for now, may come out
added reauthenticateOnOrAfter, unabbreviated
language still needed about interpretation of this
much discussion of "reauthenticate" issues
"statement no longer represents authn state of principal"
can behavior of relying party be normatively specified?
maybe sense should be flipped: "don't use statement after ..."
much discussion of lifetime semantics ...
just use overall statement notOnOrAfter time?
statement-specific lifetime? use "session" word?
make it "revalidateOnOrAfter" instead of "reauthenticate"?
some agreement about basing it on "session" behavior
and saying issuer has session responsibility for that time
statement already has session index attr
but what about other uses besides sessions?
maybe those need their own attributes/conditions?
do we know enough about these other uses to generalize to them?
is there still agreement that multiple statements in one assertion
and the same statements in multiple assertions are equivalent
yes, though some practical effects may be different
eg may not get all assertions, easier to forward separately etc
RonM: how does this relate to confirmation method?
which is now moved up to assertion level, right?
is having this be at a different level than session a problem?
Scott will make proposal in next core rev using "session" concept
Scott: on to more -12 changes
note authncontext "declaration" name change (line 923)
change in 2.5.3.1.1 about type declaration on attribute values
"resource" attribute removed (line 1519)
processing rules changes (line 1538)
change "federated" identifier to "persistent"
how long does it "persist"?
it persists until changed ... but many deployers confused
Prateek will propose language explaining this
processing rules for proxying clarified (3.4.1.7)
example uses of encryption needed ...
Scott: core draft is more or less "feature complete", just undergoing
cleanup
Scott: may need to add "bearer condition" schema to core
bindings/profiles, Frederick
bindings-11, profiles-08 are latest
bindings:
language added to explain what SOAP means
there's a use of "CANNOT", this isn't 2119-standard language
some question about whether "MUST NOT" is appropriate for this item
WSS is recommended for integrity/confidentiality
how does this recommendation relate to HTTP protections?
or: what is the nature of this recommendation?
may imply relying on WS-I profile for conformance
profiles:
name abbreviations put in ...
Scott: bearer confirmation data attributes now in profile doc
any objections to updating core with this schema?
this would permit proper type to be defined
RonM: couldn't these attrs apply to other confirmation methods?
Scott: probably, but haven't been defined that way
but would they have consistent meaning across all methods?
RonM: question in WSS about whether validity time needs definition
in WSS token profile
but wouldn't overall assertion validity work for holder-of-key?
probably ...
Prateek: object to mandatory dual binding methods in bindings doc
can discuss more on focus call
Scott: turned mandatory language in ID-FF profiles into binding lang
much better to be clear about requirement than vague
but may want to change it to conformance-spec requirement ...
much discussion of what goes in protocol spec
vs what goes in conformance spec
use of conformance is fine, but need metadata support for saying what is
actually deployed
4. Other
Rob: everyone please go through issues list and see what's assigned to
them, and do it
Scott: working with Jahan on actual metadata document
JohnK: authn context document still needs work, will do
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]