Subject: Minutes, SSTC Concall, September 25, 2007
On 9/25/07, Hal Lockhart <hlockhar@bea.com> wrote:

> Proposed Agenda SSTC Concall, September 25, 2007
>
> Dial in info: +1 865 673 6950
> Access code: 270-9441#
>
> Roll Call & Agenda Review

Attendance data provided by Steve Anderson, BMC Software

Attendance of Voting Members
Steve Anderson          BMC Software
Brian Campbell          Ping Identity
Scott Cantor            Internet2
Jeff Hodges             NeuStar
Ari Kermaier            Oracle
Hal Lockhart            BEA Systems, Inc
Paul Madsen             NTT Corporation
Eve Maler               Sun Microsystems
Anthony Nadalin         IBM
Rob Philpott            EMC Corporation
Anil Saldhana           Red Hat
Tom Scavo               National Center for Supercomputing Applications
Kent Spaulding          Tripod Technology Group
David Staggs            Veteran's Health Admin
Eric Tiffany            IEEE Industry Standards
Emily Xu                Sun Microsystems

Attendance of Non-Voting Members
Peter Davis             NeuStar

Attendance of Observers
Giles Hogben            ENISA

Membership Status Changes
Charles Knouse          HP - Granted membership 9/6/2007
Jeff Hodges             NeuStar - Granted voting status after 9/11/2007 call
Ari Kermaier            Oracle - Granted voting status after 9/11/2007 call
Prateek Mishra          Oracle - Lost voting status after 9/11/2007 call
Peter Davis             NeuStar - Lost voting status after 9/11/2007 call
George Fletcher         AOL - Lost voting status after 9/11/2007 call
Abbie Barbir            Nortel - Lost voting status after 9/25/2007 call
Carolina Canales-Valenzuela  Ericsson - Lost voting status after 9/25/2007 call

> Need a volunteer to take minutes

Tom Scavo volunteered to take minutes.

> 1. Approve minutes from September 11
> http://lists.oasis-open.org/archives/security-services/200709/msg00020.html

Minutes unanimously approved with the modification noted in the above message.

> 2. Administrative
> 2.1 ESOE Beta 1 -- Enterprise Sign On Engine
> http://lists.oasis-open.org/archives/security-services/200709/msg00025.html

The above announcement is FYI. Note that ESOE is not an Internet2 project:
http://lists.oasis-open.org/archives/security-services/200709/msg00031.html

> 3. Document Status
>
> 3.1 Docs on their way to OS
> Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x
> & Metadata Extension for SAML V2.0 and V1.x Query Requesters
>
> Will go for OASIS vote in October

There will be a 15-day review period after which voting by institutional representatives will commence.

Brian: How does one determine who is the institutional representative?
Hal: I don't know if there's an easy way to determine this, so contact me offline and I will find out for you.

> 3.2 Docs pending public review
>
> Pending 15 Day Review
> *SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems (CD 04)
> *SAMLv2.0 HTTP POST "SimpleSign" Binding (CD 02)
>
> The following are needed.
>
> 1. The dates of the original 60-day review, including a link to the announcement
>
> 2. The comment resolution log of any reported issues
>
> 3. A change-marked copy of the spec noting the differences from the version submitted for the 60-day public review.

These items will be discussed in the mailing list. Should we instead request a 60-day review of these two documents? (This, too, will be discussed in the mailing list.)

AIs: Tom and Scott own these two documents (resp.).

> Pending 60 Day Review
> *SAML V2.0 Deployment Profiles for X.509 Subjects (CD 02)
> *Identity Provider Discovery Service Protocol and Profile (CD 02)
>
> Need work on conformance sections:
>
> SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems - contains no conformance section
>
> SAMLv2.0 HTTP POST "SimpleSign" Binding - contains an inadequate conformance section:
> "A specification that is approved by the TC at the Public Review Draft, Committee Specification or OASIS Standard level must include a separate section, listing a set of numbered conformance clauses, to which any implementation of the specification must adhere in order to claim conformance to the specification (or any optional portion thereof)."

Note that the above two items refer to the previous documents awaiting 15-day public review, not the documents awaiting 60-day public review (as mistakenly noted above). These additional items will be discussed in the mailing list.

> 3.3 SAML v2.0 Errata
> http://lists.oasis-open.org/archives/security-services/200708/msg00030.html (AI#305)

Eve has determined the latest rev to the "working errata" document is 40:
http://www.oasis-open.org/archives/security-services/200709/msg00018.html

> Abbie was to discuss work with Eve.

Eve talked to Abbie about adding outstanding errata to the working errata doc. Abbie has agreed to do this. Eve will work with Abbie to make this happen.

Eve requests that we consider the "approved errata" document at this time. No comments were received during the public review period. We are at the point where the SSTC can vote to move the approved errata doc to the next level.

Eve makes the following motion: The SSTC requests a ballot to approve moving the errata document to its final state (known as Approved Errata). Jeff H seconds this motion. No further discussion. Motion unanimously approved.

> 4 Discussions
>
> 4.1 SAML metadata lifecycle issues
>
> Anyone prepared to discuss this?

AI: Scott will propose some errata related to metadata. These errata are separate from the previously discussed metadata lifecycle issues, so the two items (errata and metadata lifecycle issues) can proceed independently of one another.

> 4.2 Proposal for extensions to Authentication Context
>
> Giles to attend the call for discussion

No SSTC member present voiced an objection to allowing Giles to participate in today's call.

> Hal posted some previous off-list discussion
> http://www.oasis-open.org/archives/security-services/200709/msg00026.html
> http://www.oasis-open.org/archives/security-services/200709/msg00027.html
> http://www.oasis-open.org/archives/security-services/200709/msg00028.html
> http://www.oasis-open.org/archives/security-services/200709/msg00029.html

Last time we discussed the issue of AuthnContext (AC), Giles presented a number of use cases. This time around he proposes adding a number of extensions to AC:
http://wiki.enisa.europa.eu/index.php?title=Authentication_Interoperability

Briefly (see the above wiki link for more detail), there are five AC extensions being proposed:

1. Privacy features of credentials (e.g., pseudonyms)
2. Issuance and registration mechanisms (e.g., documentation lists)
3. Assurance levels (LoA)
4. User friendly abstractions
5. Reputation of the subject (e.g., number of signings on a PGP key)

Discussion highlights:

Hal: AC is intended to be used as run-time information in support of SSO. In practice, it should not be necessary to propagate all the details of the authentication process, just those bits of information immediately useful to the relying party. In other words, we should try to keep the AC as lightweight as possible.

Ari: For instance, in the case of password-protected transport, it should not be necessary to communicate key length.

Eric: GSA E-authentication uses attributes, not AC, to communicate LoA. An open question is: How to translate LoA attributes to AC?

Giles: There are numerous LoA models (worldwide) that need to be considered.

Paul: AC schemas need to be defined, and semantics need to be well understood and documented.

Eve: An AC URI might indicate what schema and/or specification is being asserted.

Giles: What about dynamic AC?

Eve: There isn't much support for dynamic AC in the current AC model.

Jeff: Assurance levels need to be baked, not parsed at runtime.

Hal: We should try to keep the SP's job simple, otherwise SPs will choose to do their own authentication.

Hal: The previous distinction regarding AC and attributes is important. Attributes are a property of the subject. AC is a property of the authentication process (independent of the subject).

Eve: Reputation of the issuer (as opposed to reputation of the subject) may be important as well.

Giles' personal goal (over the next couple of months): Map the EU LoA model to SAML AC.

> 5 Other business

No new business.

> 6 Action Items (Report created 25 September 2007 12:38am EDT)
>
> #0283: Change final arrows to solid in Tech Overview diagrams throughout.
> Owner: Paul Madsen
> Status: Open
> Assigned: 2007-03-27
> Due: ---

Paul reports that the arrows have been fixed and a ZIP file has been uploaded to Kavi. Paul will upload a new version of the Tech Overview asap. This AI will remain open.

> #0304: Incorporate appropriate use of LDAP language tags in new LDAP attr profile
> Owner: Scott Cantor
> Status: Open
> Assigned: 2007-08-23
> Due: ---

This AI will remain open.

> #0305: Prepare final version(s) of the SAML v2.0 Errata document
> Owner: Abbie Barbir
> Status: Open
> Assigned: 2007-08-23
> Due: ---

This AI will remain open.

> #0308: Recommend wording on potential erratum on metadata and DNSSEC
> Owner: Peter Davis
> Status: Open
> Assigned: 2007-09-18
> Due: ---

This AI will remain open.

> #0309: Locate the link to the current "working errata" document and follow up with Abbie Barbir (who we think volunteered) about getting the new crop of errata recorded.
> Owner: Eve Maler
> Status: Open
> Assigned: 2007-09-18
> Due: ---

This item was discussed earlier on the call. This AI will remain open.

Next regular meeting is scheduled for Tue, Oct 9, 2007