security-services message



Subject: Minutes from 16 Dec 2008 SSTC telecon


Oasis SSTC Meeting   - December 16, 2008

Chaired by Hal Lockhart

>>
>> Roll Call & Agenda Review
Voting Members
================
John Bradley   Individual
Jeff Hodges    Individual
Scott Cantor   Internet2
Nathan Klingenstein    Internet2
Bob Morgan     Internet2
Eric Tiffany    Liberty Alliance Project
Tom Scavo       NCSA
Frederick Hirsch   Nokia Corporation
Hal Lockhart    Oracle Corporation
Brian Campbell   Ping Identity Corporation
Anil Saldhana    Red Hat
Kent Spaulding   Skyworth TTG Holdings Limited
Eve Maler    Sun Microsystems
Emily Xu     Sun Microsystems
Duane DeCouteau   Veterans Health Administration
David Staggs    Veterans Health Administration

Members
========
Peter Davis    NeuStar, Inc.
Paul Madsen    NTT Corporation
Ari Kermaier   Oracle Corporation
Rob Philpott   EMC Corporation

Quorum: 16 out of 19 Voting Members (84%)
Membership Status Change: Peter Davis and Rob Philpott have both 
regained voting status

>
> Logistics note: Hal is canceling the 30 December 2008 call.  Our next 
> call will be 13 January 2009.
>
>> Need a volunteer to take minutes
>
> Eve volunteered.
>
>> 1. Minutes
>>
>> 1.1 Minutes from SSTC/SAML conference call November 18, 2008
>> http://lists.oasis-open.org/archives/security-services/200812/msg00010.html 
>>
>
> APPROVED by unanimous consent.
>
>> 1.2 Minutes from SSTC/SAML conference call December 2, 2008
>> http://lists.oasis-open.org/archives/security-services/200812/msg00017.html 
>>
>
> APPROVED by unanimous consent.
>
>> 2. Announcements
>>
>> 2.1 Draft SP 800-63 Revision 1: E-Authentication Guideline is 
>> available for a second public comment period (Assertions are in for 
>> Level 4)
>> http://lists.oasis-open.org/archives/security-services/200812/msg00036.html 
>>
>
> Eric Tiffany noted this news recently.  Our attempt to "raise NIST's 
> consciousness" has resulted in this new guideline, which is good 
> news.  Please do review it to ensure it's accurate.
>
>> 2.2 xspa-saml-profile-cd-01 for public review
>> Bounced back by TC Admin for changes to meet OASIS Requirements
>
> Mary McRae asked us to fix a few formatting issues to bring it into 
> alignment with OASIS requirements.  It's in process.
>
>> 3. Document Status
>>
>> 2.1 sstc-saml-attribute-ext-cd-01.pdf uploaded
>> http://lists.oasis-open.org/archives/security-services/200812/msg00019.html 
>>
>
> Scott Cantor has posted the CD version (voted to this status last 
> time).  We anticipate packaging up a number of items for public 
> review, including this.
>
>> 2.2 HoK Assertion Profile (draft-07)
>> http://lists.oasis-open.org/archives/security-services/200812/msg00030.html 
>>
>>
>> 2.3 HoK Assertion Request Profiles (draft-01)
>> http://lists.oasis-open.org/archives/security-services/200812/msg00031.html 
>>
>
> Tom, holder of the pen on these to date, notes:
>
> Draft 07 of the HoK assertion profile had some changes to the 
> NotBefore and NotOnOrAfter bits, as requested in some (unsolicited!) 
> public comments that came in.  He believes it's ready to move to CD, 
> but it can also sit and wait for the HOK browser SSO profile (Nate's 
> profile).  Hal will plan for a CD vote after the holidays, with a 
> packaging of related specs for public review when they're all ready 
> for that.
>
> The HoK assertion request profile is still new so it's a bit rough, 
> and the requirements are very conservative.  Please take a look.
>
>> 2.4 sstc-saml-holder-of-key-browser-sso-draft-10.pdf 
>> (sstc-saml-holder-of-key-browser-sso-draft-10.pdf) uploaded
>> http://lists.oasis-open.org/archives/security-services/200812/msg00033.html 
>>
>
> Nate, holder of the pen on this to date, notes:
>
> This draft clarifies which assertions should be bundled with the 
> response.  Tom will pick this up going forward, with some changes he's 
> got planned.  Tom can have draft 11 ready by the 13 Jan 2009 meeting, 
> including all changes/cleanup already planned and also changes 
> suggested by the comments that have come in.
>
>> 3.  Discussion Threads
>>
>> 3.1 PE78: Reassignment of persistent identifiers
>> http://lists.oasis-open.org/archives/security-services/200812/msg00012.html 
>>
>
> Tom, who started the thread, summarizes: The bottom line is that if 
> the SSTC believes that non-reassignability was intended in the 
> original spec, then we're free to add this clarification as an 
> erratum.  Otherwise we need to consider spinning off a new 
> identifier.  Scott feels the original intent was close to this, and 
> the opposite proposition is nonsensical, so an erratum would be 
> reasonable.  Hal is concerned that the proposition isn't testable.
>
> Option 2, "A given value, once associated with a principal, MUST NOT 
> be assigned to a different principal at any time in the future.", 
> isn't testable but it's the intended sense of the committee.
>
> Scott moves, and JeffH seconds, TO accept option 2 on PE78.  PASSED by 
> unanimous consent.
>
> Scott suggests that we dispose of PE75, PE76, and PE77 on the next call.
>
>> 3.2 2.3 SAMLv2.0 HTTP POST "SimpleSign" Binding
>> http://lists.oasis-open.org/archives/security-services/200812/msg00005.html 
>>
>> Ready for Public Review?
>
> And if it's ready, how do we want to bundle specs?  Eve suggests 
> putting it out to public review separately from others, to ensure it 
> gets sufficient attention from communities that are starting to use it 
> in interesting ways.  JeffH agrees.  That means XSPA would be on its 
> own too.  It turns out they can't be packaged together anyway, so 
> never mind. :-)
>
> We had thought a 15-day review on SimpleSign would be sufficient, but 
> with the holidays, either starting a 30-day review now or deferring 
> the start to after the holidays would be best.  Tom sent a diff to 
> JeffH, and he will add it to the document repository.
>
> Eve moves (and JeffH seconds) that we move SimpleSign to a public 
> review, of at least 15 days in length, ending no sooner than January 
> 9.  Motion PASSED by unanimous consent.  (The point of the motion is 
> to ensure that Mary can tackle the request soonish, ideally this 
> week.)  Hal will work with Mary on the request.
>
>> 4. Other business
>
> 4.1
>
> Scott notes that the other profile he submitted last week (for tagging 
> metadata: the Metadata Extension for Entity Attributes Profile) had 
> some comments from Brian.  We should tackle that next time.  He's 
> looking for comments on the list prior to then.
>
> 4.2
>
> Eve asks about the InfoCard Profile work.  Scott says it's tabled 
> until the IMI group figures out its schedules; it's likely to pick up 
> that work, though John B. notes that there isn't much appetite for 
> taking on additional work until the initial ISIP wave of work is 
> done.  Hal wonders if the scenario documents used in the RSA '08 
> Concordia workshop would make good work items for the SSTC, or at 
> least get them submitted so they're more "official".  Eve thinks they 
> might indeed be useful as guidelines.  The scenario Scott had written 
> is fully encapsulated in the InfoCard token profile he's already 
> written, he feels.
>
> Eve will bring this up as a discussion topic in the Concordia call 
> later today.
>
> 4.3
>
> Eric notes that Liberty is changing its staffing, and he'll no longer 
> be on staff in the new year.  Joni Brennan is taking over his staff 
> responsibilities at least in the interim.  The Level of Assurance 
> profile document that he wrote a while back is due for a revision; 
> he'll make a small edit but he hopes others will pick up that work 
> item and he'll reach out to them.
>
>> 5. Action Items (Report created 15 December 2008 09:15pm EST)
>>
>> #0332: Revise Query Extension for SAML AuthnReq
>> Owner: Sampo Kellomäki
>> Status: Open
>> Assigned: 2008-05-19
>> Due: ---
>>
>> #0333: Publish a new revision of Profile for Use of DisplayName in 
>> OASIS template
>> Owner: Sampo Kellomäki
>> Status: Open
>> Assigned: 2008-05-19
>> Due: ---
>
>
> These are still open.
>
>
> Eve Maler                                         +1 425 947 4522
> Principal Engineer                            eve.maler @ sun.com
> Business Alliances group                    Sun Microsystems, Inc.

-- 
--------------------------------------
Anil Saldhana
Leader, JBoss Security & Identity Management
Red Hat Inc
URL: http://jboss.org/jbosssecurity
BLOG: http://anil-identity.blogspot.com
---------------------------------------


