OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Minutes for SSTC Conference Call, April 12, 2005, v2 (added attendance)


Minutes  for SSTC Conference Call, April 12 , v2
Minute Taker - Frederick Hirsch
V2 - added attendance information at end
 
26 of 38 voting members present, quorum established, 2/3 present. 

1.       Approval of minutes from 29-Mar SSTC con-call

     (a)
http://lists.oasis-open.org/archives/security-services/200503/msg00109.h
tml 

Approved without objection 

2.  On-going CD vote for Metadata Extensions Draft (PLEASE VOTE!)

    Vote closes Wednesday, April 13, 9AM Eastern.

 http://www.oasis-open.org/apps/org/workgroup/security/ballot.php?id=730


Please vote today. No other comment.

3. Is CD status appropriate for informational documents?

OASIS Response:
http://lists.oasis-open.org/archives/security-services/200503/msg00113.h
tml 

OASIS response indicates it is appropriate if TC so decides.

Prateek - plan to bring response paper back for vote at next full
meeting. 

4. Other informational notices

A. Request for SAML 2.0 speaker
http://lists.oasis-open.org/archives/security-services/200504/msg00062.h
tml 

Jahan - it is likely that Jahan will give presentation in May. They may
be looking for a tutorial in September.

     B. SAML 2.0 slide-set uploaded (dates from Decemeber 2005, add to
document repository)
http://lists.oasis-open.org/archives/security-services/200504/msg00069.h
tml 

 Prateek has posted some slides to repository.

5  CD vote on Executive Overview Draft

 
http://www.oasis-open.org/apps/org/workgroup/security/download.php/12103
/sstc-saml-exec-overview-2.0-draft-08-diff.pdf 

Vote to move to CD status on this 

Frederick - moved

Eve - seconded

Tony - has been cd draft in the past, not sure this is something for an
"executive", what is the target audience?

Paul - was meant to be summary for executive. What is your specific
concern?

Tony - a technical executive could understand it, but I know some that
would not understand it

Gordon - excellent high-level overview, but it is technical

Eve - appropriate for technical managers managing implementers

Paul - not meant to be marketing

Gordon - for technical managers 

Eve  - executive overview means summary

Jeff agrees.

Scott - thought it was a CIO document, technical document

Eve - CIO's should understand it.

No other comments.

Vote passed without objection. Executive overview draft moved to CD
status, since 2/3 voting members present.

6.   Reminder: Andy Moir is looking for feedback on V1.1 spec
conformance certification program.  Review period has now closed (April
11).

http://lists.oasis-open.org/archives/security-services/200503/msg00054.h
tml

Comments: 
A.
http://lists.oasis-open.org/archives/security-services/200504/msg00079.h
tml

B.
http://lists.oasis-open.org/archives/security-services/200504/msg00083.h
tml 

Andy  has received additional private comments, will put together
response to all comments while protecting privacy of private
respondents. Will send email to SSTC list today or tomorrow.

Tony - how is final decision be made?

Andy - will send response for feedback, then to Patrick Gannon and OASIS
board.

Tony - this directly effects the TC, so is the TC out of any vote
process here?

Andy - This is a referral arrangement, not a direct OASIS program, hence
not controlled and operated by OASIS and TC. Program already exists
outside of TC today.

Tony - would like to see this addressed in comments. Not sure of value
if not something everyone can use.

Andy - Understood

Greg Whitehead - Reiterates concern of any vendor running a program for
other vendors in the industry - a competitive concern

Eve - has similar concern

Andy asks for specifics

Eve - If one vendor is elevated among others as gatekeeper, means
company might have to bring early versions of product to a competitor,
not something a vendor might want to do

Greg - can make long list of specific concerns, but there is a major
concern related to a conflict of interest - a company selling a product
and also gating how other companies can bring products forward - even if
everything done well

Heather Hinton - PingId could get stamp of approval, simply by being
chosen 

Prateek has additional comments

Darrin - When the group is formed to govern this service, these concerns
were raised and addressed, so how concerns are dealt with should be in
Andy's response.

No other discussion

7. SAML 2.0 Technical Overview (new draft uploaded April 11)

http://www.oasis-open.org/apps/org/workgroup/security/download.php/12203
/sstc-saml-tech-overview-2.0-draft-04-diff.pdf

Comments:
http://lists.oasis-open.org/archives/security-services/200504/msg00076.h
tml 

Eve - needs a lot of work, suggests Prateek add his material and planned
changes.

Prateek plans to generate next version.

Prateek - Please review, will save time answering questions later.

8. Attribute sharing profile for X.509-based Authn (new draft uploaded
April 5)

http://www.oasis-open.org/apps/org/workgroup/security/download.php/12155
/sstc-saml-x509-authn-based-attribute-protocol-profile-2.0-draft-03.pdf

Comments:
A.
http://lists.oasis-open.org/archives/security-services/200504/msg00042.h
tml 

Rick is not on the call, but a new version has been published as well as
comments noted. 

Tom - submitted editorial comments to Rick who plans to update the
document.

9. Errata Document (new draft uploaded April 11)

http://www.oasis-open.org/apps/org/workgroup/security/download.php/12210
/sstc-saml-errata-2.0-draft-04.pdf

This draft (04)
has proposed text for all PEs except PE 10. New errata was discussed on
focus call of April 5.

http://lists.oasis-open.org/archives/security-services/200504/msg00038.h
tml

Note: PE5 is still open and subject of extensive thread discussed below.


Jahan - two minor corrections have been made this morning but not posted
. Haven't added material from focus call last week, will add to next
version. 

Scott's proposals for PE resolutions were sent before last week's focus
call.

PE1 - relay state for HTTP redirects - Scott posted proposal 2 weeks
ago, reviewed in focus call.

Scott's proposal accepted without objection.

PE2 - language clarification 

Scott's proposal accepted without objection.

PE3 - missing piece, doesn't break anything

Scott - need to add to extension proposal for this, so suggest this be
moved to issue list for future extensions or revisions

No object to moving to issues list.

Prateek - is there an issues section?

Jahan - no, who keeps the issues list?

Rob asks whether Eve was the last owner of the issues list.

Eve - all 2.0 issues were closed, one issues was deferred.

Agreement to start new post-2.0 issues list, including this PE and the
deferred item from the current issues list.

Jahan offers to own new post-2.0 issues list.

PE4 Language proposal from Scott

Scott's proposal accepted without objection.

PE5 - text proposed, then a correction to change persistent to
transient, be aware of this.

Scott - suggest we have more discusson on general AllowCreate question
to be resolved, Scott's proposal was early. Need specific proposals from
others related to this concern.

Discussion will be required on list.

Open issue.

PE6 Language proposal from Scott

Greg - ok if there is a use for it.

Scott's proposal accepted without objection.

PE7 combine with PE9 

Prateek - This was discussed briefly on focus call

Scott - interop participants should review 

Open issue, pending review by all.

AI - Rob to review PE7

PE 8 Proposal from Thomas

Prateek - scope?

Scott - limited to termination

No implicit logout in MNI.

Prateek, just terminate or include update

Thomas - Just terminate

Proposal accepted without objection.

PE9 - merged with PE7

PE10, Open, Jahan to propose text.

Jahan - Where to put PEs when closed, since it will disturb E section.
Propose not changing any numbers, PEs stay the same, once everything
closed, then re-number and re-order. Plan to post new version by
tomorrow.

10.  Open AIs

#0221: Request copy of Thomas Grosz paper for inclusion in SSTC archives

Owner: Maryann Hondo	
Status: Open	
Assigned: 2005-04-12	
Due: --- 
 
Prateek asks on status. Maryann wrote letter to IEEE, waiting for reply
- issue is IEEE copyright. Paper is available on net, but goal is to
have copy.
Open. 
	
________________________________

	
#0220: Respond to Rick R on subject confirmation issue on the X509
Attribute Sharing Profile	
Owner: Scott Cantor	
Status: Open	
Assigned: 2005-03-30	
Due: --- 
Open 
	
________________________________

	
#0219: Propose specific errata text for E4	
Owner: Scott Cantor	
Status: Open	
Assigned: 2005-03-30	
Due: --- 
Closed 
	
________________________________

	
#0218: Propose specific errata text for E3	
Owner: Thomas Wisniewski	
Status: Open	
Assigned: 2005-03-30	
Due: ---	
 Closed
 
________________________________

	
#0217: Explore with OASIS how best to do publication of redlined specs
based on errata.	
Owner: Eve Maler	
Status: Open	
Assigned: 2005-03-30	
Due: --- 
Eve sent mail message to Mary McCrae on 30 March, will re-send.
Open 
	
________________________________

	
#0216: Formulate some suggested redline text for E7 for review.	
Owner: Jahan Moreh	
Status: Open	
Assigned: 2005-03-30	
Due: --- 
 Open
	
________________________________

	
#0213: Prepare final CD draft of metadata-1x document and submit it to
OASIS	
Owner: Eve Maler	
Status: Open	
Assigned: 2005-03-29	
Due: --- 
 Open
Eve offers to also take care of executive overview.
	
________________________________

	
#0210: Links to new IPR policy to be sent to SSTC	
Owner: Rob Philpott	
Status: Open	
Assigned: 2005-03-15	
Due: --- 
Open 
	
________________________________

	
#0208: Run additional tests to check issues with deflate encoding and
rfc1951 (java libraries)	
Owner: Scott Cantor	
Status: Open	
Assigned: 2005-03-01	
Due: --- 
Open 
	
________________________________

	
#0180: Need to update SAML server trust document	
Owner: Jeff Hodges	
Status: Open	
Assigned: 2004-07-12	
Due: --- 
Open 
 
new AI - Prateek - Revise tech overview, v produce ersion 05 draft
 
Eve/Scott  proposes links to external material explaining SAML,
including Wiki.
	

11. Discussion threads

A. XPath attribute profile 

Prateek - What should TC be made aware of? Status? 

Cameron - plans to update document, simpler version, enumerate supported
XPaths. Would like to pursue CD status eventually?

Prateek - please upload PDF version as well

    i. request for pdf version of file
http://lists.oasis-open.org/archives/security-services/200504/msg00072.h
tml

   ii. Use-Cases posted to list
http://lists.oasis-open.org/archives/security-services/200504/msg00044.h
tml

   iii. XPath Attribute Profile: XPath as an Identifier
http://lists.oasis-open.org/archives/security-services/200504/msg00049.h
tml

   iv. XPath Attribute Profile: XPath URI as a URN
<http://lists.oasis-open.org/archives/security-services/200504/msg00050.
html>  
http://lists.oasis-open.org/archives/security-services/200504/msg00050.h
tml

B. PE5 - NameIDPolicy  (Should this be re-named?) 

i. Proposal From Scott Cantor
 
http://lists.oasis-open.org/archives/security-services/200504/msg00048.h
tml


      ii. Discussion
http://lists.oasis-open.org/archives/security-services/200504/msg00075.h
tml

http://lists.oasis-open.org/archives/security-services/200504/msg00077.h
tml

 
http://lists.oasis-open.org/archives/security-services/200504/msg00080.h
tml




Prateek - need to rename.

Brian - this portion of the specification may be more general than
intended, but other portions of the spec are also very general. A
profile may be needed here, rather than modifying core.

General discussion regarding correct approach, specification/conformance
changes, whether missing a profile or whether this is part of SSO
profile.

Prateek - suggests smaller group work on this issue.

Scott - need to allow pre-provisioned name identifiers.

Greg - perhaps "unless name identifiers managed out of band, then ..."

Scott - proposed text along these lines. SP can't assume what IDP will
do, given flag.

Greg - out of band, means both sides agree.

Prateek - federation agreement is at another level

Rob - this can be interop issue

Scott - need to hear example of this

Brian - IDP has stricter reading of AllowCreate, will not issue
identifiers unless True, other implementations will not use flag, then
default is false, deadlock since IDP waiting to create identifier but
not allowed to

Scott concurs, hence wanted default to be True, but Liberty requirements
were different.

Brian - false value raises issues.

Scott, can you propose improved wording? Not clear whether this is IDP
discretionary

Treat as advisory data from SP, decision at IDP, an audit viewpoint

Brian - Relationship to Consent attribute is not clear

Scott - added wording regarding this

Brian - needs to understand consensus of group

Prateek agrees with audit viewpoint, will review Scott's wording. 

Scott suggests additional improvements to proposed wording would help.
Looking for agreement that flag is intended as input to IDP processing,
rather than indicating normative behavour

Rob - local policy discretion is applied to everything we do

Brian - what is value without processing rules

Greg what if, "IDP implementations that strongly protect user privacy
may refuse to return an identifier if AllowCreate is not set to true",
this allows SP to decide whether reason to set AllowCreate to false
(protect SP in privacy circumstances) otherwise always set to true....
This would be appropriate for cases where privacy matters (e.g. Liberty)
and ability for SP to express policy to IDP (enabling audit of SP
behavour)

Rob in case false is set, IDP can only use pre-decided name identifiers

Greg - Liberty  use case, circle of trust using cookie introductoin
mechanism, (1) SP knows location of IDP even though haven't visited, no
state or cookies, then application wants to personalize page, see if
authenticated at IDP, set AllowCreate to false, don't want to establish
federated relationship, would rather have explicit federation request if
not in place already. Don't want federations to occur silently, enabling
unclear tracking

Discussion converging toward audit approach.

Greg - Different policies at IDP might result into different behaviours
based on AllowCreate, this can give SP guidance on use of flag.

Brian - some SPs will always use false

Greg - offers to get Liberty feedback next week at Liberty F2F

Scott will take another pass at wording, reflecting this discussion

Greg - could propose extension to metadata to define how this is used

Continued discussion on whether there is agreement on taking audit/hint
approach, or another profile approach. Questions about how these
profiles would compose.

AI Scott to provide revised proposal text.

Meeting Ajourned.

-------------------------

Attendance of Voting Members

Steve Anderson BMC
Thomas Wisniewski Entrust
Irving Reid Hewlett-Packard Company
Guy Denton IBM
Heather Hinton IBM
Anthony Nadalin IBM
Scott Cantor Internet2
Bob Morgan Internet2
Wendy Gray JPMorganChase
Peter Davis NeuStar
Jeff Hodges NeuStar
Frederick Hirsch Nokia
Senthil Sengodan Nokia
Abbie Barbir Nortel
Cameron Morris Novell
Paul Madsen NTT USA
Ari Kermaier Oracle
Vamsi Motukuru Oracle
Darren Platt Ping Identity
Prateek Mishra Principal Identity
Jim Lien RSA Security
Rob Philpott RSA Security
Jahan Moreh Sigaba
Eve Maler Sun Microsystems
Emily Xu Sun Microsystems
Mike Beach The Boeing Company
Greg Whitehead Trustgenix

Attendance of Prospective Members or Observers

Martin Soukup Nortel
Alberto Squassabia Ping Identity
Brian Campbell Ping Identity
Andy Moir OASIS
Sharon Boeyen Entrust

Membership Status Changes

Atul Tulshibagwale Trustgenix - Requested membership 4/11/2005
Brian Campbell Ping Identity - Requested membership 4/11/2005
Ronald Jacobson Computer Associates - Lost voting status after 4/12/2005
call
------


 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]