security-services message
Subject: Minutes for Telecon, Tuesday 17 August 2004


Minutes for SSTC Telecon, Tuesday 17 August 2004
Dial in info: +1 865 673 6950 #351-8396
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

  Votes:
  
    - Minutes from 10 August 2004 call accepted
    - Change the conformance document for IdP & SP SOAP-based SLO
      to MUST (4 cells), per Prateek's email
      < http://lists.oasis-open.org/archives/security-services/
        200408/msg00150.html >
    - Chairs to solicit participants for virtual interop as soon as
      possible on SAML TC and SAML Dev lists
    - Designate current drafts (with amendment to conformance above)
      as Committee Drafts
    - Submit Committee Drafts to OASIS for public review
    - Keep weekly schedule for now, but make calls on 24 Aug and
      7 Sept focus calls
    
  New Action Items:
  
    - Frederick to identify MTI algorithms for signature and
      encryption and determine where to capture it
    - Charles to post Implementation Guidelines draft by next week
    - Eve to help John Hughes with Tech Overview
    
======================================================================
                             Raw Notes
======================================================================

> 
> Agenda:
> 
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved, with 34 of 41 voting members in attendance at start

> 
> 2. Accept minutes from previous meeting, 10 August
>    < http://lists.oasis-open.org/archives/security-services/
>      200408/msg00100.html >
>

- [VOTE] unanimous consent, accepted

> 
> 3. Discussion on optional SP support for SLO over SOAP
>

- JohnK: wants to mandate implementation of SOAP SLO for IdP & SP (not
  light) in both directions, to mitigate security concern
- [MOTION] Change the conformance document for IdP & SP SOAP-based SLO
  to MUST (4 cells), per Prateek's email
  < http://lists.oasis-open.org/archives/security-services/
    200408/msg00150.html >
    - Prateek: thinks this is appropriate
    - we got here thru oversight
    - Hal: would this be a requirement on an implementation on someone
      that isn't otherwise implementing SOAP (e.g. POST profile based)?
    - Scott: we require implementing the Artifact profile
    - Hal: ok
    - Hal: if this is a security motivation, it's pretty weak
    - JohnK: fair enough, but this question has come up, and we're at
      least moving the right direction
    - Ari: is there any need to extend this to Federation Termination?
    - Conor: there isn't as much of a security consideration in that case
    - Hal: we're not actually requiring people to logout, and in fact 
      some implementations cannot perform this without interacting with
      user
    - Steve: this forbids an implementation that for whatever reason
      cannot accomplish SOAP-initiated logout from doing NIM, based on
      "MUST NOT" cells in SP-lite
    - Scott: if implementation can do NIM, presumably they can do
      SOAP-initiated SLO
    - [VOTE] no objections, passes
    - Editors directed to make the change

> 
> 4. Vote on CD status: 
>
>    Note that the files currently in the repository will be edited one
>    final time to rename them and fix their "Status" paragraphs.  We
>    will include any additional edits agreed to during this con-call.
>
>    A zip file containing all PDF's and schema files is at: 
>    < http://www.oasis-open.org/apps/org/workgroup/security/
>      download.php/8736/sstc-saml-2.0-pre-cd.zip >
>

- Tony: we need to cover the issue of interop
- what is the proposal, given that there is no interop scheduled
  currently?
- Rob: we've not scheduled them at this stage in past versions
- it's been an out-of-band exercise previously
- Hal: would a significant number of companies be able to do an interop
  during the OASIS approval process?
- Maryann: how would feedback be handled?
- Hal: there's the rub
- Conor: x.1 version
- Conor: doesn't believe in holding up CD vote for interop, but would
  support doing one during OASIS approval process
- Scott: relates to vagueness of attestations in OASIS process
- Hal: so we should decide for ourselves what the right thing to do is
- Maryann: concerning attestations and IP, when do IP statements need to
  be made?
    - Hal: should be doing it all along, but prior to submission to OASIS
      for vote, chairs should remind folks to make claims
    - Jeff: IPR issues are documented in OASIS process
    - in submission to OASIS package, we need to include any IPR 
      declarations
- Conor: we should move forward with CD, and start putting together
  interop for whoever is ready, but it won't be formal
- Jeff: OASIS process has no notion of interop, which isn't necessarily
  good, it's just up to us to decide
- Tony: who believes interop is right thing to do?
- Conor: no one feels it is wrong, question is what should be held up?
- CD should not
- Jeff: this TC has a good history of interops, they've just been after
  the fact
- Hal: proposes chairs put out call for interop participants
- Rob: has done so regarding RSA Conf 2005
- Hal: suggests virtual interop sooner
- Rob: individuals can vote how they feel on the process as is
- Eve: there is a list of minor edits that are necessary to produce CD
  versions, which should be complete by EOD tomorrow
- Hal: rather than drop interop talk, suggests we aggressively pursue
  short term virtual interop, and withhold judgement on whether to 
  hold up submission for OASIS vote
- [MOTION] Chairs to solicit participants for virtual interop as soon as
  possible on SAML TC and SAML Dev lists
    - [VOTE] no objections, passes
- [MOTION] Designate current drafts (with amendment to conformance above)
  as Committee Drafts
    - [VOTE] no objections, passes (with more than 2/3 majority)
- [MOTION] Submit Committee Drafts to OASIS for public review
    - Paula: objects to sending these out without understanding interop
      implications
    - Scott: believes we are sending these out _with_ interop experience
    - Rob: although not with _these_ specs
    - Eve: and this step encourages more interop feedback
    - Scott: limiting interop experience to just this TC is too incestuous
    - Hal: it would be completely reasonable to defer re-confirming CDs
      and submitting to OASIS for approval after completion of public
      review if interop is still underway
    - [VOTE] 28 approval, 3 abstain, vote passes

>
> 5. Recent discussion threads:
>
>    a) Contributor lists 
>

- Rob made proposal, got mostly positive responses
  < http://www.oasis-open.org/archives/security-services/
    200408/msg00142.html >
- Maryann made counterproposal
  < http://www.oasis-open.org/archives/security-services/
    200408/msg00145.html >
- Maryann: thinks it's simpler
- Hal: isn't the current approach the way we've done it in the past?
- yes
- Rob: we're changing the contributor list to consist of those that 
  contributed to _this_ version
- Maryann: contributions that were accepted only? what about rejected
  contributions?  (e.g. Michael McIntosh)
- Rob: believes both
- Eve: we've followed self-nomination process, which generally gets
  approved
- Rob: will look thru mail archive for other contributions
- Maryann: is the TC response to IBM security analysis part of CD
  package?
    - no, separate doc
    - FYI there is an open AI on this
- Scott: does the list vary doc to doc?
- suggests making them the same
- Eve: would be simpler
- Rob: we did them separately in the past, but there were much fewer docs
- Eve: could just put acknowledgements on entry point doc
- Frederick: paper isn't a concern
- [no strong sentiment on uniform list, so will be specific lists]

>
>    b) Additional text for MTI modes in dsig/encryption. Started with: 
>       < http://lists.oasis-open.org/archives/security-services/
>         200408/msg00102.html >
>

- Prateek: also could capture aspects such as including cert or cert
  chain with dsig
- Scott: thinks it's more important to address algorithms first
- Rob: concerned about normative nature of this at current stage
- could put in recommendations to implementers, and in normative text in
  2.1
- [ACTION] Frederick to identify MTI algorithms for signature and
  encryption and determine where to capture it
- Prateek: Scott has listed some

>
>    c) Text for OneTimeUse replay detection.  Started with: 
>       < http://lists.oasis-open.org/archives/security-services/
>         200408/msg00101.html >
>

- Scott: we decided to propose some weak wording in core, and leave it up
  to profiles to make use of it
- Rob: this change was made in last draft
- discussion closed

>
>    d) Do we need some interop testing? Before CD? Before
>       standardization? Keep this out of the SSTC's process?  Started
>       with:
>       < http://lists.oasis-open.org/archives/security-services/
>         200408/msg00117.html >
>

- covered already

> 
> 6. Open AI's
>
>    Report created 16 August 2004 05:46pm EDT      
>           
>    #0183: Comments solicited on John Linn response to Thomas Gross
>           paper
>    Owner: Prateek Mishra  
>    Status: Open   
>    Assigned: 23 Jul 2004  
>    Due: 23 Jul 2004       
>    Comments:
>    Rob Philpott 2004-07-23 17:10 GMT
>    Per 20-July con-call: Prateek (by July 23) to comment on the draft
>        of John Linn's draft of our response to the Thomas Gross security
>        analysis. 
>

- Prateek: still open

> 
>    #0179: Does conformance meet pki-cross-domain-profile-draft-01.doc
>           requirements?       
>    Owner: Rick Randall    
>    Status: Open   
>    Assigned: 12 Jul 2004  
>    Due: ---       
>    Comments:
>    Prateek Mishra 2004-07-12 21:47 GMT
>    Check conformance document to see if it captures the desired
>        functionality described in this document.
>

- Rick not on call

> 
>    #0144: Explain optional subject decision       
>    Owner: Eve Maler       
>    Status: Open   
>    Assigned: 29 Apr 2004  
>    Due: ---       
>    Comments:
>    Prateek Mishra 2004-04-29 21:51 GMT
>    *** AI: Eve: Optional subject implemented in core spec prose. Schema
>        shows that subject is optional.
>    
>    o Eve: Has wanted to create a rationale for some of the decisions made on spec. Decision on subject less statements is a good example of what needs to be documented. Making an explicit design decision that is not really explicit on. By choosing to add prose to core spec we're making a stealth abstract profile (generic design decision) that applies to all explicit profiles.
>    
>    o Scott: data model (design) decision to require subjects in all SAML statements.
>    
>    Rob Philpott 2004-07-20 02:05 GMT
>    13-Jul con-call minutes note that the issue should be closed. and that Eve "may work on commentary".
>    
>    Rob Philpott 2004-07-23 17:02 GMT
>    20July con-call:
>    Eve: The thought here was that we may have an optional post-V2.1 deliverable that explains the "XML rationales" for various things.
>    
>    JohnK: But there are selected places in the actual specs where it would be helpful; he has suggested these. Eve: Let's treat these comments one by one, then.
>    
>    Rob Philpott 2004-08-03 05:35 GMT
>    27-Jul: Per SSTC call: Still open. Deferred to post SAML 2.0   
>

- Rob: deferred to post 2.0

> 
>    #0166: Investigate use of Wiki from the web site
>    Owner: Scott Cantor    
>    Status: Open   
>    Assigned: 22 Jun 2004  
>    Due: ---       
>    Comments:
>    Rob Philpott 2004-06-22 16:40 GMT
>    Scott will investigate the establishment of a wiki for SSTC use to be linked from the SSTC web site.
>    
>    Rob Philpott 2004-08-03 21:49 GMT
>    6-Jul: Per AI update from Scott:
>    Not high priority, but I think Internet2 can host this at some point with
>    the OpenSAML site.     
>

- Scott: still open

> 
>    #0163: Need process for submission of profiles/authn context classes, etc.     
>    Owner: Rob Philpott    
>    Status: Open   
>    Assigned: 22 Jun 2004  
>    Due: ---       
>    Comments:
>    Rob Philpott 2004-06-22 16:29 GMT
>    On the web site, we need to state what the process is for submitting and dealing with additional authn context classes, new profile documents, etc.
>    
>    Rob Philpott 2004-06-23 16:03 GMT
>    Note that this is different from AI 164 for Scott and John K to propose text within the spec documents that points to the web site.
>

- Rob: still open

> 
>    #0180: Need to update SAML server trust document       
>    Owner: Jeff Hodges     
>    Status: Open   
>    Assigned: 12 Jul 2004  
>    Due: ---       
>    Comments:
>    Rob Philpott 2004-07-20 01:59 GMT
>    Original AI was for Eve to follow up with Jeff to determine whether he would be updating this doc. That was done.
>    
>    Discussion of this AI on 13-Jul indicates that the update will be a post 2.0 deliverable. Reassigned AI to Jeff for now.       
>

- Post 2.0 deliverable

> 
>    #0123: Obtain MIME type registration for HTTP lookup of SAML   
>    Owner: Jeff Hodges     
>    Status: Open   
>    Assigned: 13 Feb 2004  
>    Due: ---       
>    Comments:
>    Rob Philpott 2004-06-23 15:29 GMT
>    Attached is the initial rev of an I-D seeking to register the MIME media type
>    "application/saml+xml". Please review.
>    
>    I've pinged the I-D editor to request a filename for the doc, I'll submit it to
>    both the I-D editor and the SSTC doc repository once that's finalized (std
>    procedure for I-Ds).
>    
>    In concocting this draft, I've noted that MIME media type registrations aren't
>    necessarily the simple little registration exercise I'd thought they were. They
>    (the ietf-types@iana.org denizens) may desire more content, e.g. sec
>    considerations, in this doc. We'll see. Nominally, I think it's "good enough"
>    as is, especially since the SAML spec sets have thorough sec considerations
>    sections and I've referenced said spec sets carefully. Anyway, we'll see.
>    
>    Also, I based this on a draft registration for application/rdf+xml. In that
>    draft, Aaron Schwartz claimed an optional parameter of "charset", and indicated
>    that the considerations thereof are the same as for "application/xml" (as
>    documented in http://www.ietf.org/rfc/rfc3023.txt). Additionally, he did the
>    same thing for the "encoding considerations", i.e. said they were the same as
>    for "application/xml". So, without excruciating research, I did the same thing
>    in this draft. fwiw/fyi.
>    
>    anyway, lemme know whatcha think.
>    
>    thanks,
>    
>    JeffH
>    
>    Rob Philpott 2004-08-03 05:33 GMT
>    27-Jul: * Scott - we need to do one for metadata as well. Roll the metadata one into AI #123.  
>

- Jeff: did some investigating, and we need to discuss
- talked to Ned Freed, who owns process
- we're trying to register this under "IETF Tree", so it needs to go to
  IESG
- Ned thinks this can be done in the next few weeks
- regarding PAOS, it can be registered under "Vendor Tree", which just goes
  thru Ned, and we can just alter the MIME type in our spec
- we've also talked about 2 registrations: metadata and assertion
- there are different opinions about registering under IETF vs. Vendor
- what do people want to do with IETF vs. Vendor tree?
    - Scott: ok with pursuing IETF tree
- Jeff: will proceed as planned, will allocate MIME media types in IETF
  tree
- Irving: concerned about being too specific in our MIME types
- Scott: doesn't think it's a big deal
- [more discussion, but result is that this is ok]

> 
>    #0158: Propose changes to definition of Federation in glossary 
>    Owner: Prateek Mishra  
>    Status: Open   
>    Assigned: 30 Apr 2004  
>    Due: ---       
>    Comments:
>    Rob Philpott 2004-07-23 17:05 GMT
>    20-July: Still open. Prateek will send thoughts to the list.   
>

- Prateek: will close this week

> 
>    #0176: Provide sequence diagrams for profiles  
>    Owner: Jeff Hodges     
>    Status: Open   
>    Assigned: 23 Jun 2004  
>    Due: ---       
>    Comments:
>    Rob Philpott 2004-06-23 20:14 GMT
>    as discussed at F2F #5.
>    
>    Diagram for BAP sent to list.
>    
>    Rob Philpott 2004-07-23 17:03 GMT
>    20-July: Jeff - Will finish this week. 
>

- CLOSED

> 
>    #0184: Send SSTC response to Thomas Gross paper to the author
>    Owner: Prateek Mishra  
>    Status: Open   
>    Assigned: 23 Jul 2004  
>    Due: ---       
>    Comments:
>    Rob Philpott 2004-07-23 17:11 GMT
>    Per 20-July con-call: AI: ultimately to provide a formal response to Thomas Gross.     
>

- will be done after Prateek's comments

> 
>    #0160: Separate Privacy concerns language from Element/Attribute descriptions  
>    Owner: Prateek Mishra  
>    Status: Open   
>    Assigned: 30 Apr 2004  
>    Due: ---       
>    Comments:
>    Prateek Mishra 2004-04-30 18:14 GMT
>    Jeff H - We need to highlight privacy considerations related to core, could be notes in core, could be section.
>    *** AI: Prateek - will generate list potential changes from core
>    
>    Rob Philpott 2004-07-23 17:05 GMT
>    20-July: Still open. Eve: Note that the explanation of constraints on session indexes now includes a rationale along these lines.      
>

- Prateek: will close this week

> 
> 7. Any other business
>

- Eve: our issues list
    - the entire list of technical issues that are still open is small
      and they can probably just be closed
    - CORE-23: closed
    - BIND-3:
        - we did lots of work in conformance doc in this regard
        - JohnK: our operational modes address his "profiles" comment
        - CLOSED
    - BIND-4:
        - CLOSED
        - need to duplicate for CORE, and mark DEFERRED
    - TECH-4
        - Jeff: thinks glossary needs another thorough pass
        - good enough for now
        - Eve: did 'artifact' get added?
        - Jeff: apparently not
        - CLOSED in favor of AI
        - [ACTION] Jeff to add 'artifact' to glossary
    - TECH-5: CLOSED
    - TECH-6: CLOSED, relates to Prateek's AI
    - TECH-7: 
        - Eve: thinks we should make an effort to add more examples
        - will stay OPEN
        - not sure if we'll stay on weekly call schedules, but on focus
          calls we can assign AIs
- Eve: outreach docs
    - Charles has apparently done some work on Implementation Guidelines
    - Eve would like to publish them even in early draft form
    - Charles: might be difficult right now
    - Eve: would like outreach docs done by the time we go to OASIS Std
    - [ACTION] Charles to post Implementation Guidelines draft by next 
      week
    - Eve: for Tech Overview, John Hughes is changing jobs
    - [ACTION] Eve to help John Hughes with Tech Overview
    - Eve: suggests making Migration document an agenda item
    - Rob: can this be part of Implementation Guide?
    - seems fair
    - Rob: would like to keep number of docs minimized
    - Exec Overview, Paul is working on
    - Website, Eve is working on
    - FAQ, maybe we can discuss this on a future call as well
- Rob: do we want to move back to biweekly calls?
    - [discussion]
    - [MOTION] Keep weekly schedule for now, but make calls on 24 Aug and
      7 Sept focus calls
    - [VOTE] no objections, passes

> 
> 8. Adjourn
>

- Adjourned
----------------------------------------------------------------------

Attendance of Voting Members:

  Conor P. Cahill AOL, Inc.
  Hal Lockhart BEA
  Ronald Jacobson Computer Associates
  Gavenraj Sodhi Computer Associates
  Tim Alsop CyberSafe
  Paul Madsen Entrust
  Dana Kaufman Forum Systems
  Irving Reid Hewlett-Packard Company
  Paula Austel IBM
  Maryann Hondo IBM
  Anthony Nadalin IBM
  Nick Ragouzis Individual
  Scott Cantor Internet2
  Prateek Mishra Netegrity
  Forest Yin Netegrity
  Peter Davis Neustar
  Frederick Hirsch Nokia
  John Kemp Nokia
  Senthil Sengodan Nokia
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Ari Kermaier Oracle
  Vamsi Motukuru Oracle
  Darren Platt Ping Identity
  Jim Lien RSA Security
  John Linn RSA Security
  Rob Philpott RSA Security
  Dipak Chopra SAP
  Jahan Moreh Sigaba
  Bhavna Bhatnagar Sun Microsystems
  Jeff Hodges Sun Microsystems
  Eve Maler Sun Microsystems
  Emily Xu Sun Microsystems
  Mike Beach The Boeing Company
  Greg Whitehead Trustgenix


Attendance of Observers or Prospective Members:

  Cameron Morris Novell
  Abbie Barbir Nortel
  Tim Moses Entrust


Membership Status Changes:

  Abbie Barbir Nortel - Requested membership 8/16/2004
  Cameron Morris Novell - Granted voting status after call
  Scott Kiester Novell - Granted voting status after call

--
Steve Anderson
OpenNetwork