Subject: Minutes for Telecon, Tuesday 17 August 2004
Minutes for SSTC Telecon, Tuesday 17 August 2004

Dial in info: +1 865 673 6950 #351-8396

Minutes taken by Steve Anderson

======================================================================
Summary
======================================================================

Votes:

- Minutes from 10 August 2004 call accepted
- Change the conformance document for IdP & SP SOAP-based SLO to MUST (4 cells), per Prateek's email
  < http://lists.oasis-open.org/archives/security-services/200408/msg00150.html >
- Chairs to solicit participants for virtual interop as soon as possible on SAML TC and SAML Dev lists
- Designate current drafts (with amendment to conformance above) as Committee Drafts
- Submit Committee Drafts to OASIS for public review
- Keep weekly schedule for now, but make calls on 24 Aug and 7 Sept focus calls

New Action Items:

- Frederick to identify MTI algorithms for signature and encryption and determine where to capture it
- Charles to post Implementation Guidelines draft by next week
- Eve to help John Hughes with Tech Overview

======================================================================
Raw Notes
======================================================================

> Agenda:
>
> 1. Roll call

- Attendance attached to bottom of these minutes
- Quorum achieved, with 34 of 41 voting members in attendance at start

> 2. Accept minutes from previous meeting, 10 August
> < http://lists.oasis-open.org/archives/security-services/200408/msg00100.html >

- [VOTE] unanimous consent, accepted

> 3. Discussion on optional SP support for SLO over SOAP

- JohnK: wants to mandate implementation of SOAP SLO for IdP & SP (not light) in both directions, to mitigate security concern
- [MOTION] Change the conformance document for IdP & SP SOAP-based SLO to MUST (4 cells), per Prateek's email
  < http://lists.oasis-open.org/archives/security-services/200408/msg00150.html >
- Prateek: thinks this is appropriate - we got here thru oversight
- Hal: would this be a requirement on an implementation on someone that isn't otherwise implementing SOAP (e.g. POST profile based)?
- Scott: we require implementing the Artifact profile
- Hal: ok
- Hal: if this is a security motivation, it's pretty weak
- JohnK: fair enough, but this question has come up, and we're at least moving the right direction
- Ari: is there any need to extend this to Federation Termination?
- Conor: there isn't as much of a security consideration in that case
- Hal: we're not actually requiring people to logout, and in fact some implementations cannot perform this without interacting with user
- Steve: this forbids an implementation that for whatever reason cannot accomplish SOAP-initiated logout from doing NIM, based on "MUST NOT" cells in SP-lite
- Scott: if implementation can do NIM, presumably they can do SOAP-initiated SLO
- [VOTE] no objections, passes
- Editors directed to make the change

> 4. Vote on CD status:
>
> Note that the files currently in the repository will be edited one
> final time to rename them and fix their "Status" paragraphs. We
> will include any additional edits agreed to during this con-call.
>
> A zip file containing all PDF's and schema files is at:
> < http://www.oasis-open.org/apps/org/workgroup/security/download.php/8736/sstc-saml-2.0-pre-cd.zip >

- Tony: we need to cover the issue of interop - what is the proposal, given that there is no interop scheduled currently?
- Rob: we've not scheduled them at this stage in past versions - it's been an out-of-band exercise previously
- Hal: would a significant number of companies be able to do an interop during the OASIS approval process?
- Maryann: how would feedback be handled?
- Hal: there's the rub
- Conor: x.1 version
- Conor: doesn't believe in holding up CD vote for interop, but would support doing one during OASIS approval process
- Scott: relates to vagueness of attestations in OASIS process
- Hal: so we should decide for ourselves what the right thing to do is
- Maryann: concerning attestations and IP, when do IP statements need to be made?
- Hal: should be doing it all along, but prior to submission to OASIS for vote, chairs should remind folks to make claims
- Jeff: IPR issues are documented in OASIS process - in submission to OASIS package, we need to include any IPR declarations
- Conor: we should move forward with CD, and start putting together interop for whoever is ready, but it won't be formal
- Jeff: OASIS process has no notion of interop, which isn't necessarily good, it's just up to us to decide
- Tony: who believes interop is right thing to do?
- Conor: no one feels it is wrong, question is what should be held up? - CD should not
- Jeff: this TC has a good history of interops, they've just been after the fact
- Hal: proposes chairs put out call for interop participants
- Rob: has done so regarding RSA Conf 2005
- Hal: suggests virtual interop sooner
- Rob: individuals can vote how they feel on the process as is
- Eve: there is a list of minor edits that are necessary to produce CD versions, which should be complete by EOD tomorrow
- Hal: rather than drop interop talk, suggests we aggressively pursue short term virtual interop, and withhold judgement on whether to hold up submission for OASIS vote
- [MOTION] Chairs to solicit participants for virtual interop as soon as possible on SAML TC and SAML Dev lists
- [VOTE] no objections, passes
- [MOTION] Designate current drafts (with amendment to conformance above) as Committee Drafts
- [VOTE] no objections, passes (with more than 2/3 majority)
- [MOTION] Submit Committee Drafts to OASIS for public review
- Paula: objects to sending these out without understanding interop implications
- Scott: believes we are sending these out _with_ interop experience
- Rob: although not with _these_ specs
- Eve: and this step encourages more interop feedback
- Scott: limiting interop experience to just this TC is too incestuous
- Hal: it would be completely reasonable to defer re-confirming CDs and submitting to OASIS for approval after completion of public review if interop is still underway
- [VOTE] 28 approval, 3 abstain, vote passes

> 5. Recent discussion threads:
>
> a) Contributor lists

- Rob made proposal, got mostly positive responses
  < http://www.oasis-open.org/archives/security-services/200408/msg00142.html >
- Maryann made counterproposal
  < http://www.oasis-open.org/archives/security-services/200408/msg00145.html >
- Maryann: thinks it's simpler
- Hal: isn't the current approach the way we've done it in the past? - yes
- Rob: we're changing the contributor list to consist of those that contributed to _this_ version
- Maryann: contributions that were accepted only? what about rejected contributions? (e.g. Michael McIntosh)
- Rob: believes both
- Eve: we've followed self-nomination process, which generally gets approved
- Rob: will look thru mail archive for other contributions
- Maryann: is the TC response to IBM security analysis part of CD package? - no, separate doc - FYI there is an open AI on this
- Scott: does the list vary doc to doc? - suggests making them the same
- Eve: would be simpler
- Rob: we did them separately in the past, but there were much fewer docs
- Eve: could just put acknowledgements on entry point doc
- Frederick: paper isn't a concern
- [no strong sentiment on uniform list, so will be specific lists]

> b) Additional text for MTI modes in dsig/encryption. Started with:
> < http://lists.oasis-open.org/archives/security-services/200408/msg00102.html >

- Prateek: also could capture aspects such as including cert or cert chain with dsig
- Scott: thinks it's more important to address algorithms first
- Rob: concerned about normative nature of this at current stage - could put in recommendations to implementers, and in normative text in 2.1
- [ACTION] Frederick to identify MTI algorithms for signature and encryption and determine where to capture it
- Prateek: Scott has listed some

> c) Text for OneTimeUse replay detection. Started with:
> < http://lists.oasis-open.org/archives/security-services/200408/msg00101.html >

- Scott: we decided to propose some weak wording in core, and leave it up to profiles to make use of it
- Rob: this change was made in last draft
- discussion closed

> d) Do we need some interop testing? Before CD? Before
> standardization? Keep this out of the SSTC's process? Started
> with:
> < http://lists.oasis-open.org/archives/security-services/200408/msg00117.html >

- covered already

> 6. Open AI's
>
> Report created 16 August 2004 05:46pm EDT
>
> #0183: Comments solicited on John Linn response to Thomas Gross
> paper
> Owner: Prateek Mishra
> Status: Open
> Assigned: 23 Jul 2004
> Due: 23 Jul 2004
> Comments:
> Rob Philpott 2004-07-23 17:10 GMT
> Per 20-July con-call: Prateek (by July 23) to comment on the draft
> of John Linn's draft of our response to the Thomas Gross security
> analysis.

- Prateek: still open

> #0179: Does conformance meet pki-cross-domain-profile-draft-01.doc
> requirements?
> Owner: Rick Randall
> Status: Open
> Assigned: 12 Jul 2004
> Due: ---
> Comments:
> Prateek Mishra 2004-07-12 21:47 GMT
> Check conformance document to see if it captures the desired
> functionality described in this document.

- Rick not on call

> #0144: Explain optional subject decision
> Owner: Eve Maler
> Status: Open
> Assigned: 29 Apr 2004
> Due: ---
> Comments:
> Prateek Mishra 2004-04-29 21:51 GMT
> *** AI: Eve: Optional subject implemented in core spec prose. Schema
> shows that subject is optional.
>
> o Eve: Has wanted to create a rationale for some of the decisions made on spec. Decision on subject-less statements is a good example of what needs to be documented. Making an explicit design decision that is not really explicit on. By choosing to add prose to core spec we're making a stealth abstract profile (generic design decision) that applies to all explicit profiles.
>
> o Scott: data model (design) decision to require subjects in all SAML statements.
>
> Rob Philpott 2004-07-20 02:05 GMT
> 13-Jul con-call minutes note that the issue should be closed, and that Eve "may work on commentary".
>
> Rob Philpott 2004-07-23 17:02 GMT
> 20-July con-call:
> Eve: The thought here was that we may have an optional post-V2.1 deliverable that explains the "XML rationales" for various things.
>
> JohnK: But there are selected places in the actual specs where it would be helpful; he has suggested these.
> Eve: Let's treat these comments one by one, then.
>
> Rob Philpott 2004-08-03 05:35 GMT
> 27-Jul: Per SSTC call: Still open. Deferred to post SAML 2.0

- Rob: deferred to post 2.0

> #0166: Investigate use of Wiki from the web site
> Owner: Scott Cantor
> Status: Open
> Assigned: 22 Jun 2004
> Due: ---
> Comments:
> Rob Philpott 2004-06-22 16:40 GMT
> Scott will investigate the establishment of a wiki for SSTC use to be linked from the SSTC web site.
>
> Rob Philpott 2004-08-03 21:49 GMT
> 6-Jul: Per AI update from Scott:
> Not high priority, but I think Internet2 can host this at some point with
> the OpenSAML site.

- Scott: still open

> #0163: Need process for submission of profiles/authn context classes, etc.
> Owner: Rob Philpott
> Status: Open
> Assigned: 22 Jun 2004
> Due: ---
> Comments:
> Rob Philpott 2004-06-22 16:29 GMT
> On the web site, we need to state what the process is for submitting and dealing with additional authn context classes, new profile documents, etc.
>
> Rob Philpott 2004-06-23 16:03 GMT
> Note that this is different from AI 164 for Scott and John K to propose text within the spec documents that points to the web site.

- Rob: still open

> #0180: Need to update SAML server trust document
> Owner: Jeff Hodges
> Status: Open
> Assigned: 12 Jul 2004
> Due: ---
> Comments:
> Rob Philpott 2004-07-20 01:59 GMT
> Original AI was for Eve to follow up with Jeff to determine whether he would be updating this doc. That was done.
>
> Discussion of this AI on 13-Jul indicates that the update will be a post 2.0 deliverable. Reassigned AI to Jeff for now.

- Post 2.0 deliverable

> #0123: Obtain MIME type registration for HTTP lookup of SAML
> Owner: Jeff Hodges
> Status: Open
> Assigned: 13 Feb 2004
> Due: ---
> Comments:
> Rob Philpott 2004-06-23 15:29 GMT
> Attached is the initial rev of an I-D seeking to register the MIME media type
> "application/saml+xml". Please review.
>
> I've pinged the I-D editor to request a filename for the doc, I'll submit it to
> both the I-D editor and the SSTC doc repository once that's finalized (std
> procedure for I-Ds).
>
> In concocting this draft, I've noted that MIME media type registrations aren't
> necessarily the simple little registration exercise I'd thought they were. They
> (the ietf-types@iana.org denizens) may desire more content, e.g. sec
> considerations, in this doc. We'll see. Nominally, I think it's "good enough"
> as is, especially since the SAML spec sets have thorough sec considerations
> sections and I've referenced said spec sets carefully. Anyway, we'll see.
>
> Also, I based this on a draft registration for application/rdf+xml. In that
> draft, Aaron Swartz claimed an optional parameter of "charset", and indicated
> that the considerations thereof are the same as for "application/xml" (as
> documented in http://www.ietf.org/rfc/rfc3023.txt). Additionally, he did the
> same thing for the "encoding considerations", i.e. said they were the same as
> for "application/xml". So, without excruciating research, I did the same thing
> in this draft. fwiw/fyi.
>
> anyway, lemme know whatcha think.
>
> thanks,
>
> JeffH
>
> Rob Philpott 2004-08-03 05:33 GMT
> 27-Jul: * Scott - we need to do one for metadata as well. Roll the metadata one into AI #123.

- Jeff: did some investigating, and we need to discuss - talked to Ned Freed, who owns process - we're trying to register this under "IETF Tree", so it needs to go to IESG - Ned thinks this can be done in the next few weeks - regarding PAOS, it can be registered under "Vendor Tree", which just goes thru Ned, and we can just alter the MIME type in our spec - we've also talked about 2 registrations: metadata and assertion - there are different opinions about registering under IETF vs. Vendor - what do people want to do with IETF vs. Vendor tree?
- Scott: ok with pursuing IETF tree
- Jeff: will proceed as planned, will allocate MIME media types in IETF tree
- Irving: concerned about being too specific in our MIME types
- Scott: doesn't think it's a big deal
- [more discussion, but result is that this is ok]

> #0158: Propose changes to definition of Federation in glossary
> Owner: Prateek Mishra
> Status: Open
> Assigned: 30 Apr 2004
> Due: ---
> Comments:
> Rob Philpott 2004-07-23 17:05 GMT
> 20-July: Still open. Prateek will send thoughts to the list.

- Prateek: will close this week

> #0176: Provide sequence diagrams for profiles
> Owner: Jeff Hodges
> Status: Open
> Assigned: 23 Jun 2004
> Due: ---
> Comments:
> Rob Philpott 2004-06-23 20:14 GMT
> as discussed at F2F #5.
>
> Diagram for BAP sent to list.
>
> Rob Philpott 2004-07-23 17:03 GMT
> 20-July: Jeff - Will finish this week.

- CLOSED

> #0184: Send SSTC response to Thomas Gross paper to the author
> Owner: Prateek Mishra
> Status: Open
> Assigned: 23 Jul 2004
> Due: ---
> Comments:
> Rob Philpott 2004-07-23 17:11 GMT
> Per 20-July con-call: AI: ultimately to provide a formal response to Thomas Gross.

- will be done after Prateek's comments

> #0160: Separate Privacy concerns language from Element/Attribute descriptions
> Owner: Prateek Mishra
> Status: Open
> Assigned: 30 Apr 2004
> Due: ---
> Comments:
> Prateek Mishra 2004-04-30 18:14 GMT
> Jeff H - We need to highlight privacy considerations related to core, could be notes in core, could be section.
> *** AI: Prateek - will generate list of potential changes from core
>
> Rob Philpott 2004-07-23 17:05 GMT
> 20-July: Still open. Eve: Note that the explanation of constraints on session indexes now includes a rationale along these lines.

- Prateek: will close this week

> 7. Any other business

- Eve: our issues list - the entire list of technical issues that are still open is small and they can probably just be closed
  - CORE-23: closed
  - BIND-3: we did lots of work in conformance doc in this regard - JohnK: our operational modes address his "profiles" comment - CLOSED
  - BIND-4: CLOSED - need to duplicate for CORE, and mark DEFERRED
  - TECH-4: Jeff: thinks glossary needs another thorough pass - good enough for now - Eve: did 'artifact' get added? - Jeff: apparently not - CLOSED in favor of AI
    - [ACTION] Jeff to add 'artifact' to glossary
  - TECH-5: CLOSED
  - TECH-6: CLOSED, relates to Prateek's AI
  - TECH-7: Eve: thinks we should make an effort to add more examples - will stay OPEN
- not sure if we'll stay on weekly call schedules, but on focus calls we can assign AIs
- Eve: outreach docs - Charles has apparently done some work on Implementation Guidelines - Eve would like to publish them even in early draft form
- Charles: might be difficult right now
- Eve: would like outreach docs done by the time we go to OASIS Std
- [ACTION] Charles to post Implementation Guidelines draft by next week
- Eve: for Tech Overview, John Hughes is changing jobs
- [ACTION] Eve to help John Hughes with Tech Overview
- Eve: suggests making Migration document an agenda item
- Rob: can this be part of Implementation Guide? - seems fair
- Rob: would like to keep number of docs minimized
- Exec Overview, Paul is working on
- Website, Eve is working on
- FAQ, maybe we can discuss this on a future call as well
- Rob: do we want to move back to biweekly calls?
- [discussion]
- [MOTION] Keep weekly schedule for now, but make calls on 24 Aug and 7 Sept focus calls
- [VOTE] no objections, passes

> 8. Adjourn

- Adjourned

----------------------------------------------------------------------

Attendance of Voting Members:

Conor P. Cahill       AOL, Inc.
Hal Lockhart          BEA
Ronald Jacobson       Computer Associates
Gavenraj Sodhi        Computer Associates
Tim Alsop             CyberSafe
Paul Madsen           Entrust
Dana Kaufman          Forum Systems
Irving Reid           Hewlett-Packard Company
Paula Austel          IBM
Maryann Hondo         IBM
Anthony Nadalin       IBM
Nick Ragouzis         Individual
Scott Cantor          Internet2
Prateek Mishra        Netegrity
Forest Yin            Netegrity
Peter Davis           Neustar
Frederick Hirsch      Nokia
John Kemp             Nokia
Senthil Sengodan      Nokia
Charles Knouse        Oblix
Steve Anderson        OpenNetwork
Ari Kermaier          Oracle
Vamsi Motukuru        Oracle
Darren Platt          Ping Identity
Jim Lien              RSA Security
John Linn             RSA Security
Rob Philpott          RSA Security
Dipak Chopra          SAP
Jahan Moreh           Sigaba
Bhavna Bhatnagar      Sun Microsystems
Jeff Hodges           Sun Microsystems
Eve Maler             Sun Microsystems
Emily Xu              Sun Microsystems
Mike Beach            The Boeing Company
Greg Whitehead        Trustgenix

Attendance of Observers or Prospective Members:

Cameron Morris        Novell
Abbie Barbir          Nortel
Tim Moses             Entrust

Membership Status Changes:

Abbie Barbir          Nortel - Requested membership 8/16/2004
Cameron Morris        Novell - Granted voting status after call
Scott Kiester         Novell - Granted voting status after call

--
Steve Anderson
OpenNetwork