Subject: Re: [security-services] OASIS SSTC conference call minutes 01/27/2009


Scott's second AI is for the 'SessionNotOnOrAfter' attribute

paul

Paul Madsen wrote:
OASIS SSTC conference call minutes
2009-01-27
Scribe:  Paul Madsen

--AI--: Scott to create CD version of 'SAML V2.0 Metadata Extension for Entity Attributes Draft 2'

--AI--: Scott to propose wording for NotOnOrAfter attribute errata for core, send to list


Roll Call & Agenda Review

Attendees

pending

1. Minutes

1.1 Minutes from SSTC/SAML conference call January 13, 2009
http://lists.oasis-open.org/archives/security-services/200901/msg00029.html

additions:
http://lists.oasis-open.org/archives/security-services/200901/msg00030.html

No objection to unanimous consent

Approved minutes are archive message http://lists.oasis-open.org/archives/security-services/200901/msg00036.html

2. Announcements

2.1 Public Federal Register announcement of SAML standard in HC
http://lists.oasis-open.org/archives/security-services/200901/msg00027.html

DS: big step, announcement that the Sec of Human Health has accepted the HITSP recommendation, including TP20

Triggers legal obligations for federal agencies to use SAML. Next version will require use of additional OASIS standards,

HITSP leadership has voted to approve XSPA profile of SAML, will be pushed out as requirement

XSPA profile will be demoed at HIMSS

David calls for participation from other TCs, e.g. WS-Trust and XACML

HIMSS happens in 60 days

3. Document Status

3.1 SAML V2.0 HoK Assertion Profile (draft-09) 
http://lists.oasis-open.org/archives/security-services/200812/msg00026.html

TS: I sent a summary email on Jan 20 to list. Interested should refer to that

There was a SAML dev thread initiated by NZ Gov's Brett Beaument

HoK Draft 9 is response to those comments.

SC: is this draft 9 or 7? The link in the document in the agenda says 'draft 7'...?

TS: thanks. Link that Hal put in the agenda is wrong

Correct link is

http://lists.oasis-open.org/archives/security-services/200901/msg00026.html

3.2 SAML Errata Working Document for SAML V2.0 - Working Draft 47
http://lists.oasis-open.org/archives/security-services/200901/msg00033.html

SC: updated to move everything disposed of to closed list. Some discussion on last call that we might want to start a public errata review

HL: lets save that for 4.3

4. Discussion

4.1 Move SAML V2.0 Metadata Extension for Entity Attributes Draft 2 to CD?
http://lists.oasis-open.org/archives/security-services/200901/msg00022.html

SC: Brian had substantive comments earlier.

BC: this is back to the attributes/full assertions..?

SC: which option were you arguing for?

BC: no preference, just not both. Goal is simpler implementation, but never works out

SC: we are trying to make deployments easier, not implementation

BC: I withdraw my objection


SC: my feeling is to get it out there,

SC: motion to move 'SAML V2.0 Metadata Extension for Entity Attributes Draft 2' to CD

BC: second

Vote approved by unanimous consent

--AI--: Scott to create CD version of 'SAML V2.0 Metadata Extension for Entity Attributes Draft 2'

4.2 Potential Errata: Core description of SessionNotOnOrAfter insufficient? 
http://lists.oasis-open.org/archives/security-services/200901/msg00034.html

RP: potential errata around interpretation of core spec on SessionNotOnOrAfter attribute.

Suggest adding clarification as to how SessionNotOnOrAfter attribute should/must be interpreted by RPs.

3 approaches to RP processing rules

1) Core defines and profiles can't override
2) Core defines and profiles override
3) Core defers to profiles

SC: agree that original language is lacking. Think that this attribute is pretty profile specific, shouldn't
have processing rules in core. Therefore likes Option 3.

RP: suggest adding text to core along the lines of 'interpretation of this attribute is profile specific'

SC: I can add to next errata draft.

AK: wondering if this is actually profile specific, rather than policy specific at RP. RP can decide itself
whether to rely on authentication once IDP session expired. We shouldn't have normative language restricting the RP's choice.

RP: Web SSO profile does apply normative language. Need text in core pointing to such rules.

--AI--: Scott to propose/add wording for next errata, send to list

AK: what about session index? related?

SC: session index and SessionNotOnOrAfter are linked, the SessionNotOnOrAfter attribute will be easier to deal with if vague
in core. Profiles define behaviour. Might imply an errata for the Web SSO profile around this.

4.3 Other Potential Errata and Errata Planning

SC: not aware of any other errata in the pipeline.

HL: so, next steps? We can do a new errata. Can't be sure we won't see some new errata tomorrow but that's always the case

SC: I have a long standing action item on one, but not sure when I will tackle it. The metadata profile I was working on
might produce an errata. Regardless, I suggest we get another errata draft out now without the above, and review the possibility of adding it in at the next call.

5. Other business

HL:  no AOB

6. Action Items (Report created 26 January 2009 08:59pm EST)

 
#0332: Revise Query Extension for SAML AuthnReq
Owner: Sampo Kellomäki
Status: Open
Assigned: 2008-05-19
Due: ---

closed

#0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
Owner: Sampo Kellomäki
Status: Open
Assigned: 2008-05-19
Due: ---

closed

Adjourned


Hal
--
Paul Madsen
e:paulmadsen @ ntt-at.com
p:613-482-0432
m:613-282-8647
web:connectid.blogspot.com
ConnectID
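The item 4.2 discussion above turns on where the processing rule for SessionNotOnOrAfter lives: the RP reads the attribute from the AuthnStatement, but whether it must end its own session at that instant is left to the profile or to RP policy rather than to core. The following is an added example (not code from the SSTC, from any SAML specification, or from any SAML implementation) showing an RP that parses SessionIndex and SessionNotOnOrAfter from a constructed assertion and then applies a locally chosen policy: either honor the IdP's session bound or treat it as advisory and keep the RP's own lifetime. The policy names, the clock-skew allowance, the 8-hour local lifetime and the sample assertion are all assumptions made for this illustration.

```python
"""RP-side handling of SessionNotOnOrAfter from a SAML 2.0 AuthnStatement.

Added example, not code from the SSTC or from any SAML implementation.
The policy names (HONOR / ADVISORY), clock-skew value, local lifetime and
the sample assertion below are constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: one AuthnStatement carrying both attributes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2009-01-27T20:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2009-01-27T20:00:00Z"
      SessionIndex="_s1"
      SessionNotOnOrAfter="2009-01-27T21:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class AuthnSession:
    session_index: str | None
    authn_instant: datetime
    session_not_on_or_after: datetime | None


def parse_xsd_datetime(value: str) -> datetime:
    # SAML timestamps are xsd:dateTime in UTC, written with a trailing 'Z'.
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC timestamp ending in Z: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def parse_authn_statement(assertion_xml: str) -> AuthnSession:
    """Extract the session-related attributes from the first AuthnStatement."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML_NS}}}AuthnStatement")
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    snooa = stmt.get("SessionNotOnOrAfter")
    return AuthnSession(
        session_index=stmt.get("SessionIndex"),
        authn_instant=parse_xsd_datetime(stmt.get("AuthnInstant")),
        session_not_on_or_after=parse_xsd_datetime(snooa) if snooa else None,
    )


# Hypothetical policy knobs chosen by the RP deployment. The minutes record
# the attribute's meaning as profile/policy specific, so the decision sits
# here, outside the parser, where a deployment can change it.
HONOR = "honor"        # RP session ends no later than the IdP session bound
ADVISORY = "advisory"  # RP records the value but keeps its own lifetime


def rp_session_expiry(session: AuthnSession, policy: str,
                      local_max_lifetime: timedelta = timedelta(hours=8)) -> datetime:
    """Instant at which the RP's own session for this login is no longer valid."""
    local_expiry = session.authn_instant + local_max_lifetime
    if policy == HONOR and session.session_not_on_or_after is not None:
        return min(local_expiry, session.session_not_on_or_after)
    return local_expiry


def session_is_valid(session: AuthnSession, now: datetime, policy: str,
                     clock_skew: timedelta = timedelta(minutes=3)) -> bool:
    """NotOnOrAfter semantics: the bound instant itself is already invalid.

    A small skew allowance is applied because IdP and RP clocks drift; the
    3-minute default is an assumption, not a value from any profile.
    """
    return now < rp_session_expiry(session, policy) + clock_skew


if __name__ == "__main__":
    s = parse_authn_statement(SAMPLE_ASSERTION)
    check_at = parse_xsd_datetime("2009-01-27T21:30:00Z")
    print("SessionIndex:", s.session_index)
    print("honor policy valid at 21:30Z:", session_is_valid(s, check_at, HONOR))
    print("advisory policy valid at 21:30Z:", session_is_valid(s, check_at, ADVISORY))
```

With the HONOR policy the RP session ends at 21:00Z even though its local lifetime would run to 04:00Z; with ADVISORY the IdP bound is parsed and available for logging or SessionIndex-based logout correlation but does not shorten the RP session. Which of the two a deployment picks is exactly the question the minutes leave to profiles and RP policy rather than to core.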
