Subject: Minutes for Telecon, Tuesday 12 October 2004
Minutes for SSTC Telecon, Tuesday 12 October 2004
Dial in info: +1 865 673 6950 #351-8396
Minutes taken by Steve Anderson
======================================================================
Summary
======================================================================
Votes:
- Minutes from 21 September 2004 call accepted
- Adding Consent attribute to ResponseType be considered "non-substantive"
- Consent attribute be added to the schema ResponseType
Action Item Status Changes:
- #0198: Solicit Liberty IOP documents - done, CLOSED
New Action Items:
- Jeff to provide feedback to Prateek's Glossary tweak
- Jeff to address Quadrasis comments on glossary
- Eve to add note to website regarding profile process
- Chairs to solicit attestations of use of SAML 2.0
======================================================================
Raw Notes
======================================================================
> Agenda:
>
> 1. Roll call
- Attendance attached to bottom of these minutes
- Quorum achieved
> 2. Accept minutes from previous meeting, 21 September
> <http://lists.oasis-open.org/archives/security-services/200409/msg00088.html>
- [VOTE] unanimous consent, accepted
> 3. Dist list discussions:
>
> Eve/Anne's XACML-related:
> <http://lists.oasis-open.org/archives/security-services/200410/msg00018.html>
- Eve: a few typos, and one other item
- in these discussions, we need to be sensitive to substantive vs. non-substantive
- typos
  - line 265 in Profiles - instruct editors to fix
  - line 1970 in Profiles - instruct editors to fix
- needs discussion - use of xsi:type
  - we are making a further constraint to use xsi:type that XACML doesn't make
  - anyone wanting to speak against? - [no one]
  - so this xsi:type attribute goes on AttributeValue element
  - instruct editors to fix
- notes that they found issues on XACML side as well
> Gary E nits:
> <http://lists.oasis-open.org/archives/security-services/200410/msg00017.html>
- Scott: had chatted with Gary already about this
- instruct editors to fix
> Paul M:
> <http://lists.oasis-open.org/archives/security-services/200410/msg00011.html>
- Scott: nothing in metadata was meant to constrain what could/could not be advertised
- explanation would be useful
- instruct editors to fix
> Paul M metadata errors:
> <http://lists.oasis-open.org/archives/security-services/200410/msg00005.html>
- instruct editors to fix
- Scott: schemas are authoritative, as keeping snippets in synch is difficult
> Prateek Glossary tweak:
> <http://lists.oasis-open.org/archives/security-services/200410/msg00002.html>
- Prateek not on call
- Jeff: hasn't looked at these yet
- Scott: in (1), he is relaxing concept of federation to be based on name-value pairs
- John: this intersects with Tech Overview material - will look thru affected content
- Rob: says "pair of providers"? should be generalized
- Eve: agreed
- Paul: mentions time period? there's no SAML mechanism for such a time period
- Scott: agrees, such a time period may exist, but outside of scope
- [ACTION] Jeff to provide feedback to Prateek's Glossary tweak
> Thomas W WantAuthnRequestsSigned, etc. comments:
> <http://lists.oasis-open.org/archives/security-services/200410/msg00009.html>
- Scott: responded on list
- basically SSO is special case
- don't think we need to go down this slippery slope
- [consensus agreement]
- Eve: text proposed in <http://lists.oasis-open.org/archives/security-services/200410/msg00007.html> has clarification that we should incorporate
- instruct editors to fix
> Jeff posted new MIME registration memos
- Eve: just noting
- instruct editors to incorporate
> 4. Public comment messages:
>
> Scott follow-up:
> <http://lists.oasis-open.org/archives/security-services-comment/200409/msg00003.html>
- Scott: comment pre-dates CD2
- followed up already
- needs no further action
> Glossary comments:
> <http://lists.oasis-open.org/archives/security-services-comment/200409/msg00001.html>
- Scott: also pre-dates CD2
- doesn't think we've incorporated in latest
- Eve: thinks these are good points, and largely editorial
- [ACTION] Jeff to address Quadrasis comments on glossary
- Eve: if anything controversial comes up, we'll discuss then
> 5. Action Item review
>
> #0183: Comments solicited on John Linn response to Thomas Gross paper
> Owner: Prateek Mishra
> Status: Open
> Assigned: 23 Jul 2004
> Due: 23 Jul 2004
> Comments:
> Rob Philpott 2004-07-23 17:10 GMT
> Per 20-July con-call: Prateek (by July 23) to comment on the draft of John Linn's draft of our response to the Thomas Gross security analysis.
- Prateek is not on call
- Eve: this would be good to discuss on focus call
> #0144: Explain optional subject decision
> Owner: Eve Maler
> Status: Open
> Assigned: 29 Apr 2004
> Due: ---
> Comments:
> Prateek Mishra 2004-04-29 21:51 GMT
> *** AI: Eve: Optional subject implemented in core spec prose. Schema shows that subject is optional.
>
> o Eve: Has wanted to create a rationale for some of the decisions made on spec. Decision on subject-less statements is a good example of what needs to be documented. Making an explicit design decision that is not really explicit on. By choosing to add prose to core spec we're making a stealth abstract profile (generic design decision) that applies to all explicit profiles.
>
> o Scott: data model (design) decision to require subjects in all SAML statements.
>
> Rob Philpott 2004-07-20 02:05 GMT
> 13-Jul con-call minutes note that the issue should be closed and that Eve "may work on commentary".
>
> Rob Philpott 2004-07-23 17:02 GMT
> 20-July con-call:
> Eve: The thought here was that we may have an optional post-V2.1 deliverable that explains the "XML rationales" for various things.
>
> JohnK: But there are selected places in the actual specs where it would be helpful; he has suggested these. Eve: Let's treat these comments one by one, then.
>
> Rob Philpott 2004-08-03 05:35 GMT
> 27-Jul: Per SSTC call: Still open. Deferred to post SAML 2.0
- Eve: this is deferred until post-2.0
> #0166: Investigate use of Wiki from the web site
> Owner: Scott Cantor
> Status: Open
> Assigned: 22 Jun 2004
> Due: ---
> Comments:
> Rob Philpott 2004-06-22 16:40 GMT
> Scott will investigate the establishment of a wiki for SSTC use to be linked from the SSTC web site.
>
> Rob Philpott 2004-08-03 21:49 GMT
> 6-Jul: Per AI update from Scott:
> Not high priority, but I think Internet2 can host this at some point with the OpenSAML site.
- Scott: making slow progress
- there is tentative commitment for this by Internet2
> #0163: Need process for submission of profiles/authn context classes, etc.
> Owner: Rob Philpott
> Status: Open
> Assigned: 22 Jun 2004
> Due: ---
> Comments:
> Rob Philpott 2004-06-22 16:29 GMT
> On the web site, we need to state what the process is for submitting and dealing with additional authn context classes, new profile documents, etc.
>
> Rob Philpott 2004-06-23 16:03 GMT
> Note that this is different from AI 164 for Scott and John K to propose text within the spec documents that points to the web site.
- Eve: is this just a matter of putting a note on website? - can do this herself
- Rob: do we need to come to agreement on what the process should be?
- Eve: if people let us know that they have profiles, we can let the world know with link from our web page - implies no warranties
- Rob: as long as we're not uploading, and just linking, so we should be OK, wrt IPR
- Jeff: agrees
- [ACTION] Eve to add note to website regarding profile process
> #0197: Need to update Bindings examples
> Owner: Scott Cantor
> Status: Open
> Assigned: 22 Sep 2004
> Due: ---
> Comments:
> Rob Philpott 2004-09-22 05:08 GMT
> Per email to list:
> http://lists.oasis-open.org/archives/security-services/200409/msg00060.html
>
> Need to update Bindings examples.
- Scott: should be able to get to this in next couple of weeks
- Eve: non-normative, so OK
> #0180: Need to update SAML server trust document
> Owner: Jeff Hodges
> Status: Open
> Assigned: 12 Jul 2004
> Due: ---
> Comments:
> Rob Philpott 2004-07-20 01:59 GMT
> Original AI was for Eve to follow up with Jeff to determine whether he would be updating this doc. That was done.
>
> Discussion of this AI on 13-Jul indicates that the update will be a post 2.0 deliverable. Reassigned AI to Jeff for now.
- Eve: post-2.0 item
> #0123: Obtain MIME type registration for HTTP lookup of SAML
> Owner: Jeff Hodges
> Status: Open
> Assigned: 13 Feb 2004
> Due: ---
> Comments:
> Rob Philpott 2004-06-23 15:29 GMT
> Attached is the initial rev of an I-D seeking to register the MIME media type "application/saml+xml". Please review.
>
> I've pinged the I-D editor to request a filename for the doc, I'll submit it to both the I-D editor and the SSTC doc repository once that's finalized (std procedure for I-Ds).
>
> In concocting this draft, I've noted that MIME media type registrations aren't necessarily the simple little registration exercise I'd thought they were. They (the ietf-types@iana.org denizens) may desire more content, e.g. sec considerations, in this doc. We'll see. Nominally, I think it's "good enough" as is, especially since the SAML spec sets have thorough sec considerations sections and I've referenced said spec sets carefully. Anyway, we'll see.
>
> Also, I based this on a draft registration for application/rdf+xml. In that draft, Aaron Schwartz claimed an optional parameter of "charset", and indicated that the considerations thereof are the same as for "application/xml" (as documented in http://www.ietf.org/rfc/rfc3023.txt). Additionally, he did the same thing for the "encoding considerations", i.e. said they were the same as for "application/xml". So, without excruciating research, I did the same thing in this draft. fwiw/fyi.
>
> anyway, lemme know whatcha think.
>
> thanks,
>
> JeffH
>
> Rob Philpott 2004-08-03 05:33 GMT
> 27-Jul: * Scott – we need to do one for metadata as well. Roll the metadata one into AI #123.
>
> Rob Philpott 2004-09-22 04:59 GMT
> 14-Sep: JeffH: comments received from reviewers re magic numbers and XML awareness of MIME processor. Should be ready to go to IESG.
>
> 21-Sep: Jeff posted assertion and metadata-specific documents to the list. These are to be added to the relevant documents as an appendix before public review.
- Rob: Jeff had done this, but asked to leave open until finalized
- Jeff: submitted to IESG, still in that process
> #0184: Send SSTC response to Thomas Gross paper to the author
> Owner: Prateek Mishra
> Status: Open
> Assigned: 23 Jul 2004
> Due: ---
> Comments:
> Rob Philpott 2004-07-23 17:11 GMT
> Per 20-July con-call: AI: ultimately to provide a formal response to Thomas Gross.
- gated by #0183
- Prateek not on call
> #0160: Separate Privacy concerns language from Element/Attribute descriptions
> Owner: Prateek Mishra
> Status: Open
> Assigned: 30 Apr 2004
> Due: ---
> Comments:
> Prateek Mishra 2004-04-30 18:14 GMT
> Jeff H - We need to highlight privacy considerations related to core, could be notes in core, could be section.
> *** AI: Prateek - will generate list potential changes from core
>
> Rob Philpott 2004-07-23 17:05 GMT
> 20-July: Still open. Eve: Note that the explanation of constraints on session indexes now includes a rationale along these lines.
- Prateek not on call
> #0198: Solicit Liberty IOP documents
> Owner: Rob Philpott
> Status: Open
> Assigned: 22 Sep 2004
> Due: ---
> Comments:
> Rob Philpott 2004-09-22 05:11 GMT
> Hal moves that chairs liaise with Liberty and get permission to use IOP documents and make derivative works
>
> See
> http://www.oasis-open.org/archives/security-services/200409/msg00050.html
- Rob: done - CLOSED
- status is that there are ongoing discussions with Liberty
> 6. Any other business
- Scott: Thomas proposed an addition to metadata that we can consider <http://www.oasis-open.org/archives/security-services/200410/msg00015.html>
  - proposal is to add metadata support for IdP Discovery
- Scott: feels that optional additions to metadata don't accomplish much
  - and if such a change is deemed "substantive" and would initiate another OASIS review cycle, would be against it
- [discussion of "substantive"]
- Scott: not sure if Thomas' solution is the right solution or if there is a solution -- hasn't implemented himself
- Eve: are people ok adding an optional aspect like this without review?
- Paul: (thinking thru) starting at SP, you don't know what IdP to look in metadata for this reference
- Paul will talk further with Thomas
- Paul: noted that Consent attribute is not permitted on Response <http://www.oasis-open.org/archives/security-services/200409/msg00105.html>
  - seems to be an oversight (rather than editorial), but not "substantive"
- [MOTION] Consent attribute be added to the schema ResponseType
- [TABLED]
- [MOTION] Adding Consent attribute to ResponseType be considered "non-substantive"
- Eve: it was on ResponseType in the submission received from Liberty, and its semantics are clear, so should be considered "non-substantive"
- [VOTE] no objections
- [RESUME PREVIOUS MOTION]
- [VOTE] no objections
- Jeff: he and Gary noticed something this morning
  - if you're conveying AssertionIDRef and AssertionURIRef, particularly in Advice, there's no way to add context for relying party to determine how it should be used
  - relying party has to go deref all of them
- Eve: are you suggesting we employ the "any" wildcard?
- Jeff: not sure
- Scott: believes that with URIRef, IDRef becomes useless
- Jeff: ok, but this observation still stands - really is an optimization
- Scott: we still have an "any" in Advice, right?
- Jeff: true
- Scott: could define an element in a profile for this use
- Jeff: will think more on this
- Rob: reminder, next week is focus call, and next quorum call is 26 Oct
  - public review will be ending at end of the month
  - first quorum meeting after that is 9 Nov, when we'll be voting to re-approve specs, get IP declarations, get attestations, etc.
  - actually, need to start getting attestations now
- [ACTION] Chairs to solicit attestations of use of SAML 2.0
> 7. Adjourn
- Adjourned
----------------------------------------------------------------------
Attendance of Voting Members:
Conor P. Cahill        AOL, Inc.
John Hughes            Atos Origin
Hal Lockhart           BEA
Ronald Jacobson        Computer Associates
Tim Alsop              CyberSafe
Paul Madsen            Entrust
Dana Kaufman           Forum Systems
Irving Reid            Hewlett-Packard Company
Anthony Nadalin        IBM
Scott Cantor           Internet2
Bob Morgan             Internet2
Forest Yin             Netegrity
Peter Davis            Neustar
Frederick Hirsch       Nokia
John Kemp              Nokia
Scott Kiester          Novell
Cameron Morris         Novell
Charles Knouse         Oblix
Steve Anderson         OpenNetwork
Darren Platt           Ping Identity
John Linn              RSA Security
Rob Philpott           RSA Security
Jahan Moreh            Sigaba
Bhavna Bhatnagar       Sun Microsystems
Jeff Hodges            Sun Microsystems
Eve Maler              Sun Microsystems
Mike Beach             The Boeing Company
Attendance of Observers or Prospective Members:
Rebekah Metz           Booz Allen Hamilton
Membership Status Changes:
Rebekah Metz           Booz Allen Hamilton - Requested membership on 9/28/2004
Senthil Sengodan       Nokia - Lost voting status after 10/12/2004 call
Emily Xu               Sun Microsystems - Lost voting status after 10/12/2004 call
-- Steve Anderson OpenNetwork