OASIS Mailing List Archives

security-services message



Subject: Minutes for 21-Jun SSTC con-call


Actions or votes have a * next to them.


1.  Approve minutes from 7-Jun-2005 con-call:
 a. Minutes of SSTC Conference Call, 07-June-2005

>*no objections, accepted.

2. Pending CD edit status?
 a. metadata-ext [Eve: AI 213]
 b. X.509 Authn-based attribute protocol profile
 c. Thomas Grosz response paper

>*Action: Rob to check with Eve on status of documents

3. John H: Groups - sstc-saml-tech-overview-2.0-draft-06.pdf uploaded
 a. Technical Overview - comments request
 
> John H: Received several comments, need to review.
> Nick R: 4 images that the left right order needs to be swapped.  ECP Diagrams, show more endpoints.  
> Thomas: Do not associate logout with federation, move to SSO configuration or another section.  Previous version labeled SSO Federation, current version should have that label.
> John H: Please get comments to me quickly


>*Action: John H to get feedback from Nick R and Thomas.  Post any outstanding issues to list. John H to get new version out for next meeting (2 weeks).  Need help with SAML 1.1 to 2.0 sections.  Needs input from Eve on SAML 1.1 to SAML 2.0

4. Jahan: Errata.
 a. PE14 (Overlaps with PE5) - We agreed to vote on PE14 on this call

>Motion to Eliminate PE5 in favor of PE14.
>*Moved: Scott, no objections, accepted.

>PE7 Still open - Rob to review
>PE10 Still Open - Jahan

>PE14 - Needs to vote (text to be accepted).

>Scott: - not perfect but vast improvement
>*Moved: Greg, no objections, accepted.

>PE16
>Prateek: There is a gap here.  Is the ECP going to generate the cookie or consume?  Based on Nick and John Kemp's response.  Consensus was, ECP would consume.  We need a sentence to explain this.
>Connor: Want to make sure the ECP passes on the cookie.
>Prateek: Separate issue, sometimes the ECP will behave like an SP
>Connor: Not sure it will.  SP does a redirect and then back to get the cookie.  SP doesn't do discovery it asks ECP to do it.
>Nick: Liberty says it may use cookie to discover this.  Devices find they don't already know
>Connor: Not opposed to wording - If ECP can figure out where common domain is, it can use that.
>Greg: No reason to preclude anything.

>Prateek: Change the conformance matrix to include an option entry for identity discovery profile 
>Prateek: ECP acts as an SP as discussed in the profile
>Prateek: 2nd, it doesn't pick anything

>ECP chooses whatever is available to it to use

>Scott: Line 725 - Language ill-chosen

>Strike Line 725 
>Mention this topic in guidelines

>Prateek proposes: Close this item without making change to conformance matrix

>Prateek: Open new errata to strike line 725

>Jahan motions to close this item without making change to conformance matrix
>Nick: Difference between allowing someone to do this and interoperability testing.  ECP can do a lot of things
>Connor: No requirement for ECP to use cookie
>Nick: Ability to use cookie discover info is useful.  Many ways ECP can do this, one of them is feature in matrix.  Putting this as optional makes it possible to test this
>Connor: ECP is not in the domain so profile needs to be changed
>Nick: Nothing to prohibit the ECP from doing this
>Prateek: These are implementation guidelines
>Connor: Cookie always in client or in ECP, not up on host, stored on client.  If ECP knows about cookie it can catch it on the fly.  Question is how does it know that.
>Nick: Multiple users from multiple security context.  ECP doesn't know this until client declares this.
>Connor: Your ECP needs to have the concept of a session
>Nick: It can use ECP or discovery.  One of these is listed in the matrix.  One is list that the ECP might want conformance certified on.
>Connor: Specs don't address using it fully on an ECP.  Only way to do it is if Common Domain should be in meta data.  Isn't in meta data because both systems would need servers that can access entities in that domain.
>Nick: ECP will decide what common domain is applicable based on user agent.  Taking context of request and figure out what domain it is placed in.
>Nick: In the list because IDP discovery feature, give the opportunity if they can demonstrate to give them interoperability.  

>Nick: We should not remove this item and leave it.
>Connor: I think it is confusing.
>Prateek: As conformance editor I found it confusing.

>*Motion to close errata with no change to conformance matrix
>*Moved: Jahan, no objections, accepted.

>PE17 
>Thomas -Scott's e-mail has new text.
>*Action: Hold on for next draft

5. Merritt: SAML Adoption Enhancement subcommittee
 a. Merritt provided first draft to chairs for review.

>Prateek:  Merritt's proposal to create sub-committee.
>Rob: Wait for Merritt to get voting rights in TC.
>Hal: Someone can offer to act as chair
>*Action: Table for next meeting

6. Other list discussions and postings:
 a. Greg: Third-party AuthnRequest use case

>Scott: Easy way to handle this is to add an extension and profile it.  Text I proposed is not very nice.
>Rob: Errata is one thing, changing spec is more of a process  
>Scott: Not in favor of errata text he is proposing
>Rob: Any suggestions on how to proceed?  Maybe we should keep it in the errata document so we have it for next rev of spec.
>Scott: Believes Greg thinks it is pretty bad
>Rob: Propose we do a new profile document for this

>*Action item: Nick work with Scott and Greg to author new profile document.

 b. Prateek M: ECP operational mode and the identity provider discovery profile
 c. Jeff H: fyi: upcoming SAMLv2 Conformance Event
 d. Nick R: SAML over SOAP in a Multipart/Related MIME part of SwA?

>Covered in discussion on list

 e. Nick R: PE2 and <ArtifactResolutionService>

>Scott proposed new text with clarifications.
>*Action: Nick R to send Scott text.

 f. Nick R: Potential Errata, HTTPS in URI Binding

>*Action:  Remove line 1349 text. Nick R to coordinate with Jahan

 g. Nick R: Adding Metadata to SAMLConf? A strawman

>Scott: In Toronto, people claimed it is not testable so not in conformance document.
>Nick R: If we adopt this, Liberty would have to re-examine metadata requirements
>Nick R: Proposal is to add it to conformance document.  Company doing conformance testing will have to come up with a way to test it.
>Rob: This is a significant change to specification; we would need a new rev. of standard.
>Nick R: Leave it all optional and refer to parts of metadata specification now.  
>Scott: If we can articulate it in a concrete form then we can add it to conformance.

>*Action: Nick R to make a proposal to add an errata for this

 h. Ron M: [Fwd: [wss] Groups - SAML Token profile V1.1 - Working Draft 3 (withchanges) (WSS-SAML-TOKEN-PROFILE-1.1-wd-03.pdf) uploaded]

> Rob: Please review this document and send comments to WSS TC

 i. Tom W: Authentication Response IssuerName vs. Assertion IssuerName
 j. Tom W: Affiliation ID
 k. Tom W: ECP SSO Profile and Metadata

>Scott: Need clarification in the metadata section
>*Action: Scott to take up with Jahan for an errata.


Attendance of Voting Members
  Conor P. Cahill AOL, Inc.
  Hal Lockhart BEA Systems, Inc
  Steve Anderson BMC Software
  Rick Randall Booz Allen Hamilton
  Thomas Wisniewski Entrust
  Carolina Canales-Valenzuela Ericsson
  Dana Kaufman Forum Systems
  Irving Reid Hewlett-Packard Company
  Guy Denton IBM
  Heather Hinton IBM
  Anthony Nadalin IBM
  John Hughes Individual
  Nick Ragouzis Individual
  Scott Cantor Internet2
  Bob Morgan Internet2
  Frederick Hirsch Nokia
  Cameron Morris Novell
  Ari Kermaier Oracle
  Vamsi Motukuru Oracle
  Brian Campbell Ping Identity
  Darren Platt Ping Identity
  Alberto Squassabia Ping Identity
  Prateek Mishra Principal Identity
  Jim Lien RSA Security
  Rob Philpott RSA Security
  Jahan Moreh Sigaba
  Greg Whitehead Trustgenix

Attendance of Non-Voting Members
  Gilbert Pilz BEA Systems, Inc.

Attendance of Voting Members - Probation
  Abbie Barbir Nortel
  David Staggs Veteran's Health Admin

Attendance of Applicants
  Merritt Maxim CA

Attendance of Observers
  Martin Soukup Nortel

Membership Status Changes
  Guy Denton IBM - Restored voting status due to 7 June dial-in issues
  Claude Louis-Charles BAE Systems - Requested membership 6/15/2005
  Eve Maler Sun Microsystems - Requested Voting status 6/17/2005
  Peter Michalek Individual - Lost Voting status after 6/21/2005 call
  Peter Davis NeuStar - Lost Voting status after 6/21/2005 call
  Paul Madsen NTT USA - Lost Voting status after 6/21/2005 call
  John Linn RSA Security - Lost Voting status after 6/21/2005 call
  Merritt Maxim CA - Requested membership 6/21/2005



