
security-services message



Subject: conf call minutes 2004-11-09


OASIS SSTC -- Conference Call Minutes 11/9/2004
Minutes taker: Ari Kermaier

Dial in info: +1 865 673 6950 #351-8396

Attendance of Voting Members
 
  Conor P. Cahill AOL, Inc.
  John Hughes Atos Origin
  Hal Lockhart BEA
  Rick Randall Booz Allen Hamilton
  Ronald Jacobson Computer Associates
  Paul Madsen Entrust
  Dana Kaufman Forum Systems
  Irving Reid Hewlett-Packard Company
  Paula Austel IBM
  Michael McIntosh IBM
  Nick Ragouzis Individual
  Scott Cantor Internet2
  Bob Morgan Internet2
  Prateek Mishra Netegrity
  Forest Yin Netegrity
  Peter Davis Neustar
  Frederick Hirsch Nokia
  Abbie Barbir Nortel
  Scott Kiester Novell
  Cameron Morris Novell
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Ari Kermaier Oracle
  Vamsi Motukuru Oracle
  Jim Lien RSA Security
  John Linn RSA Security
  Rob Philpott RSA Security
  Dipak Chopra SAP
  Bhavna Bhatnagar Sun Microsystems
  Jeff Hodges Sun Microsystems
  Eve Maler Sun Microsystems
  Ron Monzillo Sun Microsystems
  Mike Beach The Boeing Company
  Greg Whitehead Trustgenix
 
Attendance of Prospective Members or Observers

  Rebekah Metz Booz Allen Hamilton
  Emily Xu Sun Microsystems
  Gavenraj Sodhi Computer Associates

Membership Status Changes

  Partha Panda Entrust - Requested membership on 10/27/2004
  Alistair Young UHI Millennium Institute - Requested membership on 11/3/2004
  Rebekah Metz Booz Allen Hamilton - Granted voting status after 11/9/2004 call
  Carolina Canales-Valenzuela Ericsson - Lost voting status after 11/9/2004 call
  Maryann Hondo IBM - Lost voting status after 11/9/2004 call
  Senthil Sengodan Nokia - Lost prospective status after 11/9/2004 call
  Makoto Hatakeyama NEC - Lost prospective status after 11/9/2004 call
  Yuzo Koga NTT - Lost prospective status after 11/9/2004 call
  Irving Reid Hewlett-Packard Company - LOA 11/10/2004 through 12/25/2004
 

 
1. Accept minutes from October 26 Conference Call 
      http://lists.oasis-open.org/archives/security-services/200410/msg00083.html

Prateek: Passed w/o objection.
Eve: Motion to also accept minutes from 10/12/2004. Passed w/o objection.
 
1. SSTC plans CD and OASIS submission vote on December 7
If successful, SSTC plans to submit specification set to OASIS by December 15.

Prateek: End of January when we can hope specs could move to OASIS Standard.

2.  Reminder: We need three attestations before OASIS submission on December 15.
http://lists.oasis-open.org/archives/security-services/200410/msg00026.html

Rob: Actually need attestation a few days before 12/15/2004 (but not necessarily by 12/07/2004).
Paul: Attestations have in the past identified specific spec pieces used.
Hal: We're treating spec as a unit this time.

3. Metadata thread (Rob, Scott)
http://lists.oasis-open.org/archives/security-services/200411/msg00032.html

Scott: Had phone discussion on spec ambiguity/confusion over how attribute consumer descriptor might apply to attribute queries. Not considered as possible use case, because queries can be explicit. Might be able to make cut-paste changes to spec to describe bindings of descriptors to bindings where they're intended to apply:
1 - Elimination of distinct role of attr consumer descriptor, by copying contents to SP role (and possibly reuse data structure for future needs outside of SSO SP role).
2 - Distinction between attribute authority (queries) and IdP (attribute push), so copy attribute information from attr authority descriptor to IdP descriptor to make it explicitly available for IdP in a distinct manner.
Hopefully this will not rise to level of substantive changes (no new roles or different processing rules), but rather just restructuring of schema elements.
Prateek: No formal action to take right now.

4. Possible SAML 1.1 error
http://lists.oasis-open.org/archives/security-services/200411/msg00025.html

Prateek: Maybe good starting point for maintaining SAML 1.1 errata. Any volunteers for editor?
Eve: I think it was Jahan that was agreed to be the keeper of errata in SAML 1.1 (not on call).
Prateek: We'd affirmed that we'd maintain such a document, but haven't done any work on it yet.
Rob: Play it by ear, based on adoption of 2.0, life-span of TC.
Eve: SAML 1.1 will have wide deployment before 2.0 gets good adoption.
Various: Discussion about USGov approval of 1.0 only; maybe 1.1 should supersede/withdraw 1.0 (currently doesn't); WSSTC just finishing 1.1-based profile. We need to decide how we're going to support errata for 1.x going forward.
Prateek: Need to contact Jahan and see if he's ready to start maintaining errata for 1.1, and need proposal for dealing with spec lifecycle issues.
Jeff: Look at IETF RFC 2026 for supersession pointers.
(Prateek: Will defer discussion of normative references to SSL/TLS and Liberty PAOS, etc. till later discussion of ITUT.)

5. Paul Madsen draft-02 of exec overview 
 http://lists.oasis-open.org/archives/security-services/200411/msg00002.html 
Paul: Looking for comments on level of detail, etc. but hasn't received any yet.

7. Greg W re: SAML 1.x Metadata
        http://lists.oasis-open.org/archives/security-services/200411/msg00012.html 
NOTE: draft is now available from http://www.oasis-open.org/apps/org/workgroup/security/download.php/9967/draft-saml1x-metadata-01.pdf

Greg: Straightforward profile, overall. Possible controversies: Usage of URIs to define versions in metadata and identify SAML 2.0 profiles. Issuer string should be used as ID.
Scott: Can spin new version based on above-discussed schema changes.
Eve: Maybe mention in technical overview so people have a pointer to proposal.
Prateek: May be valuable to advance proposal to Committee Draft.
Scott: Need to think about how to identify spec versions in metadata other than just by namespace URI (problems for 1.0/1.1 and 2.0/2.1).
Prateek: Call for comments by next quorate meeting, and soon after progress it CD.
Scott: Not till after 2.0 metadata is baked/CD.
Prateek: So comments by 12/21/2004 meeting.

8.  Next steps with SAML 2.0 Technical Overview
           
          I cannot find the location of the most current draft; the only version I could find is:
          http://www.oasis-open.org/apps/org/workgroup/security/download.php/4150/sstc-saml-tech-overview-2.0-draft-00.pdf
           

John Hughes: A more up-to-date version than 01 is available on his laptop. About 80%-90% done, but 4 areas of work: 1 - Put in some SAML 2.0 XML samples (once we've got schema final). 2 - Describe relationship to other frameworks (Eve to do). 3 - Kerberos (maybe drop it for lack of input). 4 - Federation examples (John to do).
Eve: Proposed timeframe for when specs released to OASIS standard.
Prateek: Has some more content to contribute.


1. Open AIs (relevant to SAML 2.0)


#0203: Analyze/correct usage of SAML entity terminology
Owner: Eve Maler
Status: Open
Assigned: 31 Oct 2004
Due: ---
Comments:
Eve Maler 2004-10-31 19:56 GMT
Rob Philpott sent a comment about the potentially confusing usage of the terms "principal", "subject", "user", and "identity" in the specs (see comment #6):

http://lists.oasis-open.org/archives/security-services/200410/msg00058.html

At the 26 Oct 2004 quorate call, Eve agreed to analyze the usage of these terms, make sure we're using terms correctly, and find the right place to put commentary around this.

Eve Maler 2004-10-31 19:58 GMT
Oops: Eve agreed to examine "entity" usage specifically; it was Scott who agreed to clean up the principal/subject/user distinction.

Discussion:
Eve: Basically completed. Found 1 instance of "assertion consumer" changed to "relying party". Everything else is pretty consistently "asserting party" and "relying party".
Jeff: Added "confirming entity" to glossary today.
Eve: Dramatic reading of added text.
Scott: Suggest making reference to Authentication Request section.
Eve: AI remains open, want to repeat exercise for other specs. Hoping to finish tonight and upload.


#0199: Glossary updates
Owner: Jeff Hodges
Status: Open
Assigned: 25 Oct 2004
Due: ---
Comments:
Prateek Mishra 2004-10-25 20:14 GMT
http://lists.oasis-open.org/archives/security-services/200410/msg00025.html 

- Jeff to provide feedback to Prateek's Glossary tweak 

- Jeff to address Quadrasis comments on glossary

Discussion:
Still open - Jeff will complete today.


 
#0163: Need process for submission of profiles/authn context classes, etc.
Owner: Eve Maler
Status: Open
Assigned: 22 Jun 2004
Due: ---
Comments:
Rob Philpott 2004-06-22 16:29 GMT
On the web site, we need to state what the process is for submitting and dealing with additional authn context classes, new profile documents, etc.

Rob Philpott 2004-06-23 16:03 GMT
Note that this is different from AI 164 for Scott and John K to propose text within the spec documents that points to the web site.

Eve Maler 2004-10-12 16:27 GMT
Add a lightweight registration/"linking-to" notice on the website.

Discussion:
Language done, but waiting for approval from OASIS.


#0160: Separate Privacy concerns language from Element/Attribute descriptions
Owner: Prateek Mishra
Status: Open
Assigned: 30 Apr 2004
Due: ---
Comments:

Discussion:
Remains open (completed review, just need to publish notes).


 
 
#0123: Obtain MIME type registration for HTTP lookup of SAML
Owner: Jeff Hodges
Status: Open
Assigned: 13 Feb 2004
Due: ---

Discussion:
Waiting for final text to incorporate into appendices. (Update references, mostly.) Also, might have to remove separate section for bibliography. Also, should insert as appendices rather than document sections.



Adjourned 1:16pm EST.


