[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Proposed Agenda for Nov 4 SSTC Conference Call - V 2
[Minute taker's note: I was drawn into the ensuing conversation, so some details of the discussion may be missing from these notes. Please feel free to contribute any details I may have missed.]

On Tue, Nov 4, 2008 at 9:41 AM, Hal Lockhart <hal.lockhart@oracle.com> wrote:

> Proposed Agenda SSTC Conference Call
> November 4, 2008, 12:00pm ET
>
> Dial in info: +1 215 446 3648
> Access code 270-9441#
>
> Roll Call & Agenda Review

Roll call (by Anil Saldhana)

Voting Members
==============
George Fletcher      AOL
John Bradley         Individual
Scott Cantor         Internet2
Bob Morgan           Internet2
Eric Tiffany         Liberty Alliance Project
Tom Scavo            NCSA
Frederick Hirsch     Nokia Corporation
Ari Kermaier         Oracle Corporation
Hal Lockhart         Oracle Corporation
Anil Saldhana        Red Hat
Eve Maler            Sun Microsystems
Emily Xu             Sun Microsystems
Duane DeCouteau      Veterans Health Administration
David Staggs         Veterans Health Administration

Members
=======
Nathan Klingenstein  Internet2

Quorum Achieved: 14 out of 22 voting members
Status: Nathan (Gained Voting); Peter Davis, Paul Madsen, Brett Burley (Lost Voting)

> Need a volunteer to take minutes

Tom Scavo volunteered to take minutes.

> 1. Minutes from SSTC/SAML concall October 21, 2008
> http://lists.oasis-open.org/archives/security-services/200810/msg00048.html

October 21, 2008 minutes approved unanimously.

> 2. Document Status
>
> 2.1 SAML V2.0 Attribute Extensions Draft 1 uploaded
> http://lists.oasis-open.org/archives/security-services/200810/msg00061.html

This document is an indirect result of Microsoft's recent announcement to support the SAML protocol in future products. Microsoft has a requirement for extended XML attributes in the SAML Attribute element. Currently Microsoft is using a proprietary namespace to define these XML attributes. Scott suggests we bring these new attribute definitions under the OASIS namespace. One such XML attribute holds the unique identifier of the IdP. Using this new XML attribute, the source of the claim (which is what Microsoft calls an attribute) carries through to proxy IdPs, for example.

This document will carry whatever extended XML attributes prove to be useful, by Microsoft and others. It will be an ongoing, living document. Extended XML attributes will be added to this document over time, not unlike the SAML errata document.

Hal asks if there are any comments regarding the chosen namespace or the extended attributes themselves. There are no comments, so the conclusion is that the SSTC will accept the document as is. Committee members are encouraged to review the document and provide feedback on the mailing list.

> 2.2 SAML V2.0 Holder-of-Key Web Browser SSO Profile
> http://lists.oasis-open.org/archives/security-services/200811/msg00001.html

Nate has posted a new revision of this document that incorporates recent comments made on the mailing list. The most significant change in the current revision is the renaming of an XML attribute (hoksso:ProtocolBinding) used in metadata to signal support of this profile.

There was lengthy discussion regarding the use and interpretation of <saml:SubjectConfirmation> in an AuthnRequest. In particular, it was pointed out that the strongly matching requirement discussed in Core is applicable in this case (and that a reference to same would be appropriate). Also, the SP's signature over an AuthnRequest containing a <saml:SubjectConfirmation> element is probably not necessary. Nate has taken these comments under advisement.

There was also some discussion regarding the WantsAssertionSigned attribute in metadata. Initially, Tom recommended that this attribute be profiled in this document, but arguments by Nate and Scott have convinced him (Tom) that this is misguided. Therefore Tom retracts his suggestion regarding WantsAssertionSigned.

Hal wonders if there is general agreement with respect to the outstanding issues. Nate thinks there is. Additional comments and concerns should be directed to the mailing list. Nate offers Tom the opportunity to guest edit the next revision of this document.

> 2.3 Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of SAML uploaded
> http://lists.oasis-open.org/archives/security-services/200811/msg00004.html

Duane reports that a recent revision of this document incorporates Scott's comments from September. Generally speaking, this document is focused on developing a minimum vocabulary describing access control between health care enterprises. Thus the document is heavy on language involving SAML attributes. A vocabulary that is standard to the health-care industry is used. Duane believes the current revision is in pretty good shape. He also notes that the document content has been discussed within the HITSP group. David reiterates Duane's assessment that the document is ready to go.

David makes a motion that the current document revision be accepted as a Committee Draft. The motion is seconded by Duane. As a point of discussion, Scott notes that the prefix used for defining attribute names presumes the existence of a corresponding OASIS TC. David notes that there is indeed a TC by that name, and in fact we are invited to participate. So the concern about the prefix name is in fact a non-issue. Motion carries by unanimous consent.

The document editors are reminded that the CD version of this document must be submitted in multiple formats, including ODT, PDF, and HTML.

> 3. Discussion Threads
>
> 3.1 Status of Simple Sign Profile
> http://lists.oasis-open.org/archives/security-services/200810/msg00024.html

Jeff is not on the call, but Scott believes this document should in fact be a Working Draft. Assuming that the document is meant to be a Working Draft (despite its name), Scott makes a motion to approve the document as a Committee Draft. If the document is approved as a CD, the document editors will of course take the document to CD format. The motion is approved by the SSTC unanimously. Hal will contact Jeff and ask him to produce the CD version of this document.

> 3.2 Broken Links
> http://lists.oasis-open.org/archives/security-services/200810/msg00025.html

It was concluded that certain links to CS documents are broken because the documents the links refer to do not exist. Hal will ask Mary about the missing CS documents.

> 3.3 Discussion on whether to specify use of DER to encode certificates
> http://lists.oasis-open.org/archives/security-services/200810/msg00049.html

Hal summarizes the debate as follows:

1) On the one hand, everybody uses DER encoding, the RFC requires it (to compute a signature), and therefore the Holder-of-Key Assertion Profile should require DER as well.

2) On the other hand, any decent library should be able to inspect the certificate, determine the encoding used, and act accordingly, so there's no point in specifying a particular encoding.

This issue has been simultaneously presented to the XML Signature WG. Members of the XML Signature WG are investigating this issue. Tom questions whether or not the encoding used can be (easily) determined on-the-fly. Is this true? One approach is to make DER a recommended encoding in SAML Core (via errata). Hal suggests this issue be deferred until the next call.

> 3.4 Discussion on Metadata Interoperability Profile
> http://lists.oasis-open.org/archives/security-services/200810/msg00051.html

Scott reports that he has not yet responded to a previous set of comments regarding the current revision of this document. That said, he does not believe this profile is a deployment profile. He agrees, however, that the title may suggest that any metadata use outside of this profile is by definition not interoperable. Thus suggestions for a better title are welcome.

> 3.5 More good OAuth reference material
> http://lists.oasis-open.org/archives/security-services/200810/msg00055.html

Links to OAuth-related material (some authored by Jeff Hodges) are noted.

> 3.6 InterOp Demo Proposal | HIMSS 2009 -- REVISED PROPOSAL
> http://lists.oasis-open.org/archives/security-services/200810/msg00059.html

Please take note of this revised proposal, especially the lower cost required for participation.

> 4. Other business
>
>
> 5. Action Items
>
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Sampo is not on the call. AI is still open.

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Sampo is not on the call. AI is still open.

> #0342: revise and re-publish XSPA SAML Profile doc
> Owner: David Staggs
> Status: Open
> Assigned: 2008-10-13
> Due: ---

Closed.

> Hal

Next call is in two weeks (18 Nov 2008).
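On the question left open under item 3.3 (whether a consumer can tell on the fly which encoding a certificate arrived in), the following is an added illustration and is not part of the minutes or of any SSTC or OASIS document. It sniffs a blob as PEM, DER, or BER-but-not-DER using only the standard library, by walking the ASN.1 TLV structure and flagging the constructs DER forbids: indefinite lengths, non-minimal length octets, constructed BIT STRING/OCTET STRING, and BOOLEAN values other than 0x00/0xFF. The sample inputs are constructed toy SEQUENCE values standing in for a Certificate (which is likewise a top-level SEQUENCE); they are not real certificates. The relevance to the "RFC requires it" side of the debate is that RFC 5280 defines signatureValue as a signature over the DER encoding of tbsCertificate, so a relying party that receives BER must re-encode before it can verify anything.

```python
"""Sniff certificate bytes as PEM, DER, or BER (added example; stdlib only).

Constructed toy inputs at the bottom stand in for real certificates.
"""
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _read_length(buf: bytes, pos: int):
    """Decode the length at buf[pos] -> (length, next_pos, der_ok).

    length is None for the BER indefinite form (0x80).  der_ok is False when
    the octets are not the minimal encoding DER requires (long form for a
    value below 128, or a leading zero octet).
    """
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos, True
    if first == 0x80:
        return None, pos, False
    n = first & 0x7F
    if n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated length")
    raw = buf[pos:pos + n]
    length = int.from_bytes(raw, "big")
    return length, pos + n, (raw[0] != 0 and length >= 0x80)


def _walk(buf: bytes, pos: int):
    """Parse one TLV at buf[pos]; return (end_pos, der_ok) for it and its children."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not expected in certificates")
    universal = (tag & 0xC0) == 0
    constructed = bool(tag & 0x20)
    number = tag & 0x1F
    length, pos, der_ok = _read_length(buf, pos + 1)

    if length is None:
        # Indefinite length: BER only; contents run until end-of-contents 00 00.
        if not constructed:
            raise ValueError("indefinite length on a primitive")
        while True:
            if pos + 2 > len(buf):
                raise ValueError("missing end-of-contents")
            if buf[pos] == 0 and buf[pos + 1] == 0:
                return pos + 2, False
            pos, _ = _walk(buf, pos)

    end = pos + length
    if end > len(buf):
        raise ValueError("truncated contents")
    if constructed:
        # DER forbids the constructed form of BIT STRING (3) and OCTET STRING (4).
        if universal and number in (3, 4):
            der_ok = False
        while pos < end:
            pos, child_ok = _walk(buf, pos)
            der_ok = der_ok and child_ok
        if pos != end:
            raise ValueError("child overran its parent")
    elif universal and number == 1 and length == 1 and buf[pos] not in (0x00, 0xFF):
        der_ok = False  # DER requires BOOLEAN TRUE to be exactly 0xFF
    return end, der_ok


def sniff_encoding(data: bytes) -> str:
    """Classify certificate bytes as 'PEM/<inner>', 'DER', 'BER' or 'unknown'."""
    m = PEM_RE.search(data)
    if m:
        try:
            inner = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)))
        except (binascii.Error, ValueError):
            return "unknown"
        return "PEM/" + sniff_encoding(inner)
    if not data or data[0] != 0x30:  # Certificate ::= SEQUENCE { ... }
        return "unknown"
    try:
        end, der_ok = _walk(data, 0)
    except ValueError:
        return "unknown"
    if end != len(data):             # trailing bytes: not a lone certificate
        return "unknown"
    return "DER" if der_ok else "BER"


# Constructed toy inputs: SEQUENCE { INTEGER 5, OCTET STRING "hello" } in
# one DER encoding and three BER encodings of the same value.
DER_SAMPLE = bytes.fromhex("30 0A 02 01 05 04 05 68 65 6C 6C 6F")
BER_INDEFINITE = bytes.fromhex("30 80 02 01 05 04 05 68 65 6C 6C 6F 00 00")
BER_LONG_FORM = bytes.fromhex("30 81 0A 02 01 05 04 05 68 65 6C 6C 6F")
BER_SPLIT_STRING = bytes.fromhex("30 0E 02 01 05 24 09 04 02 68 65 04 03 6C 6C 6F")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(DER_SAMPLE)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("DER", DER_SAMPLE), ("BER indefinite", BER_INDEFINITE),
                       ("BER long-form length", BER_LONG_FORM),
                       ("BER constructed OCTET STRING", BER_SPLIT_STRING),
                       ("PEM", PEM_SAMPLE)]:
        print(f"{name:30} -> {sniff_encoding(blob)}")
```

The detection itself is cheap (one linear pass over the bytes), which answers the feasibility question; what it does not remove is the cost on the "act accordingly" side: a BER-encoded certificate still has to be re-encoded to DER before its signature can be checked, so mandating DER at the profile level moves that work from every consumer to the producer.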