
security-services message



Subject: draft minutes (w/o attendance) SSTC concall 20-May-2008



============================================================================
SSTC/SAML concall Tue May 20 09:10:06 PDT 2008
----------------------------------------------------------------------------
minutes by =JeffH


proposed agenda:
http://lists.oasis-open.org/archives/security-services/200805/msg00050.html


AI summary
----------

AI: BC signs up to help Eve on SSTC home page revamp
AI: PM to address this bug in Technical Overview CD-02 Section 4.6
AI: SSTC at large to be prepared to discuss/consider xspa-saml-profile-01 as a
     work item on next call



Brian Campbell wrote:
 > (Added 4.4 at the suggestion of David Staggs)
 >
 > Proposed Agenda SSTC Conference Call
 > May 20, 2008, 12:00pm ET
 >
 > Dial in info: +1 215 446 3648
 > Access code 270-9441#
 >
 > Roll Call & Agenda Review
 >
 > Need a volunteer to take minutes
 >
 >
 > 1. Approve minutes from May 6, 2008
 > http://lists.oasis-open.org/archives/security-services/200805/msg00024.html


Brian Campbell (bc): approved by unanimous consent.


 > 2. Administrative
 >
 > 2.1 SSTC Home Page
 > Eve Maler (closing out AI#327) submitted proposal
 > http://lists.oasis-open.org/archives/security-services/200805/msg00033.html

Eve (em) working on this. see msg on list..
"AI #0327: Draft proposal for SSTC home page cleanup"

  Eve doesn't want to "lose data", wishing to have folks looking over her shoulder
  and to take action items and help do editing

AI: BC signs up to help Eve - will connect offline on specifics


  Scott Cantor (sc): proposes that the wiki "saml dev" discussion forum shud be shut down and
  pointed to saml-dev@ list

  Jeff Hodges (jh) agrees, as does em


 > 2.2 Updating Specification Status after ballots
 > http://lists.oasis-open.org/archives/security-services/200805/msg00042.html

bc: references Fredericks msg on the topic, he thinks that this won't affect us
in near term.

msg thread beginning 19-May-2008 entitled
"[security-services] FW: [chairs] Updating Specification Status after ballots"

bc: so if anyone has questions, can ask Mary and/or BC; but otherwise thinks we
proceed as we are and see what happens, if anything


 > 3. Document Status
 >
 > 3.1 Subject-based Profiles for SAML V1.1 Assertions
 > (Re)Submitted to TC Admin for initial public review on May 19th

bc: just fyi, wrt these docs...

 > 3.3 Holder-of-Key Web Browser SSO Profile
 > AIs #329, 330 & 331
 >
 > 3.4 Proposal: Query Extension for SAML AuthnReq
 > AI #332
 >
 > 3.5 Proposal: Profile for Use of DisplayName
 > AI #333


bc: ..all above, just want to do bookkeeping on them, no additional discussion today?
we just need to track the AIs (will cover them again at the end of this meeting..)


 > 4 Other business

 > 4.1 Error in Technical Overview CD-02 Section 4.6
 > http://lists.oasis-open.org/archives/security-services/200805/msg00027.html

bc: Rob noticed this, treatment of signatures on the response. see msg above.

seems to be something we shud fix

pm: I'm most recent editor, will fix it.

AI: PM to address this bug in Technical Overview CD-02 Section 4.6


 > 4.2 SAML 2.0 Interoperability Testing
 > http://lists.oasis-open.org/archives/security-services/200805/msg00026.html
 > http://projectliberty.org/liberty_interoperable/events/saml_2_0_interoperability_test

Eric Tiffany (et): any questions on this? read the msgs and sign up if yer interested.



 > 4.3 X509SubjectAltName or full cert as in nameid?
 > http://lists.oasis-open.org/archives/security-services-comment/200805/msg00002.html

bc: discussion btwn David Kemp & Tom Scavo wrt SubjectAltNames as a 
NameIdentifier, or perhaps entire cert

Tom Scavo (ts): so david is basically wondering about the attr sharing profile 
which is at CS stage, he's suggesting that perhaps somethg other than (just) 
x.509 SubjectName might be used as NameIdentifier.

ts: suggested that if he has something specific in mind, he should make his 
suggestions more explicit. ts doesn't plan on doing anything unless others also 
believe should be done.

sc: agrees with TS that just using SubAltName might not be enough granularity

[disc of all the name types in SubAltName...  general agreement that suggestion 
isn't specific enough...]

bc: so pending any further discussion at this time, wait for him to reply..
where do we have NameIDFormats that apply to SubjectAltName?...

Hal Lockhart (hl): in section 8.3 in -core- we have these name types...

[general agreement that they might map, but not directly nor congruently, but 
something cud be done...]



 > 4.4 Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of
 > SAML & XSPA TC
 > http://lists.oasis-open.org/archives/security-services/200805/msg00048.html
[note draft spec attached to above message: xspa-saml-profile-01]

david staggs (ds): HITSP (health info tech stds panel) -- trying to create a 
"transaction package" for health info package(s) -- hoping SAML TC can help do 
this correctly, want to create a profile for American health info council use 
case -- attached a draft of such a profile to that message, hope the TC can 
pick up as a work item and do it correctly

   xspa-saml-profile-01  "Cross-Enterprise Security and Privacy Authorization (XSPA)
   Profile of Security Assertion Markup Language (SAML)"

bc: what do you want us to do? advise or progress the doc?

ds: the latter, would be a good idea to do this in the SSTC

em: criterion for doing this in sstc is eg  wide applicability of such a profile
   if widely applicable maybe we shud do it here...

ds: likely users/deployers will be government-wide most likely, so pretty wide 
applicability

em: so we should hear more about it

ds: HITSP needs to identify/reference "Standards", rather than cook up own 
profile a la GSA did with eGov effort, so really needs this to run thru a group 
like SSTC

rob philpott (rp): we've done such w/x.508 attr profile, but this draft spec 
looks more govt-specific -- there's a lot of health-care specific stuff in this 
draft spec -- so perhaps another health-specific group should progress this,

ds: IHG has looked at this, but they are out of bandwidth, and we think oasis 
might be a good one too, so up to sstc to figure out whether sstc wants to just 
comment or progress it or whatever...also this new TC that's being created (by 
TS), it might take it on...

   XSPA - Cross Security Privacy Authz TC
    looking for conveners (talked to e.g. EM)  mostly of interest to those 
serving health care.

[discussion/queries wrt the HITSP IPR policies and ramifications thereof]

em: was this sent to sstc as submission or ?

ds: this is a proposed work item...

em: so there are default IPR mode wrt sstc...

hl: but that applies to only sstc output...and with stuff sent to the (list) 
archives means that there's some default IPR licensing on that stuff upon 
submission

ds: getting back to the spec...

hl: suggests defer it to next call, can review before then and then consider 
the request on next call...

bc: concurs...

AI: SSTC at large to be prepared to discuss/consider xspa-saml-profile-01 as a
     work item on next call


 > 5 Action Items (Report created 19 May 2008 04:36pm EDT)

 > #0333: Publish a new revision of Profile for Use of DisplayName in OASIS
 > template
 > Owner: Sampo Kellomäki
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---

remains open



 > #0332: Revise Query Extension for SAML AuthnReq
 > Owner: Sampo Kellomäki
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---

remains open




 > #0331: Revise Holder-of-Key Web Browser SSO Profile to make X.509 mandatory
 > to implement
 > Owner: Nathan Klingenstein
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---

remains open




 > #0330: Revise Holder-of-Key Web Browser SSO Profile to make clear what 'TLS'
 > means, i.e. SSL 3, TLS 1, or TLS 1.1
 > Owner: Nathan Klingenstein
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---


remains open



 > #0329: Revise Holder-of-Key Web Browser SSO Profile WRT Authn Statements
 > Owner: Nathan Klingenstein
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---

remains open



 > #0328: Revise SimpleSign
 > Owner: Jeff Hodges
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---


remains open


Additional business?
---------------------------------

em: any thoughts from IIW that are saml-relevant?

[no answer]

**meeting adjourned**




============================================================================

