
security-services message



Subject: Re: [security-services] Draft Minutes for June 30 2009 SSTC Call


Frederick Hirsch wrote:
> Draft Minutes, Frederick Hirsch
> SSTC Conference Call
> June 30, 2009, 12:00pm ET
>
> 1. Roll Call & Agenda Review
>
Voting Members
==============
Rob Philpott    EMC Corporation
Scott Cantor   Internet2
Nathan Klingenstein  Internet2
Bob Morgan  Internet2
Thomas Hardjono  M.I.T.
Tom Scavo  NCSA
Frederick Hirsch  Nokia Corporation
Paul Madsen  NTT Corporation
Ari Kermaier  Oracle Corporation
Hal Lockhart  Oracle Corporation
Anil Saldhana  Red Hat
Kent Spaulding  Skyworth TTG Holdings Limited
Eve Maler  Sun Microsystems
Emily Xu  Sun Microsystems
Duane DeCouteau  Veterans Health Administration
David Staggs  Veterans Health Administration

Members
=======
Kyle Meadors Drummond Group
George Fletcher AOL
Richard Franck  IBM
Joshua Howlett  Individual

Quorum Achieved: 16 out of 20 voting members

Status Change:  Kyle Gains Voting Rights.

>  
>
> 2. Need a volunteer to take minutes
>
> Frederick Hirsch volunteered to take minutes.
>
> 3. Approval of minutes from last meeting (2 June 2009)
>
> Motion: Approve minutes from 2 June 2009
> Moved by Eve, seconded by Nate.
> Motion passed - Minutes approved without objection.
>
> 4. AIs & progress on current work-items:
>
> (a) Request TC Admin to launch an electronic ballot.
>
> All documents are now in CD format. In progress, open action for 
> chairs.  Hal Lockhart took action item on this.
>
> (b) 15-Day review of revised XSPA profile.
>
> David Staggs will put comments into spreadsheet for committee, for 
> discussion on next teleconference.
>
> (c) 15-Day review of sstc-saml-approved-errata-2.0-draft-49.
>
> Hal Lockhart will take action to start formal review.
> Scott Cantor has action to produce redline drafts, but this is not in 
> critical path for starting public review. He noted the document for 
> review is ready.
>
> (d) Progress on getting Jira instance for SSTC (Scott).
>
> Scott Cantor will contact Mary McRae again; this item was deferred 
> earlier.
>
> (e) Duane to add a page for the XSPA page in the SAML wiki.
>
> This remains open.
>
> (f) SAML V2.0 Holder-of-Key Assertion Request Profiles.
>
> Tom Scavo noted draft uploaded to Kavi. Some comments received on SAML 
> dev list. Considering comment regarding need for TLS.
> Planning to produce a third draft.
>
> (g) SAML LOA Assurance profile.
>
> Bob Morgan is working on this document with regards to authentication 
> context, how to express certified assurance levels to metadata. Still 
> working on this, planning to provide before the next teleconference.
>
> (i) Discuss comments received on HoK Profile (Tom/Nate):
>
> http://lists.oasis-open.org/archives/security-services/200906/msg00009.html 
>
>
> http://lists.oasis-open.org/archives/security-services/200906/msg00019.html 
>
>
> http://lists.oasis-open.org/archives/security-services/200906/msg00023.html 
>
>
> a) SAML V2.0 Holder-of-Key Web Browser SSO Profile
>
> Tom Scavo noted thread initiated by Mark Stern during public review, 
> leading to a number of significant comments, also comment by Scott 
> Cantor, producing four comments. He has documented these comments in 
> the wiki ( 
> http://wiki.oasis-open.org/security/PublicComments20090326-20090525 )
>
> Reverted the document back to draft, draft 12. Lines 416-421 in diff 
> show the most important changes in response to the comments, 
> emphasizing dependency on assertion profile to address man in middle 
> concerns. Relaxing TLS requirement not easy to do so did not address 
> comment #2, all others have been addressed.
>
> Scott Cantor noted that if hard to do then could leave it as is, 
> noting it is a web browser profile, so therefore it is reasonable to 
> keep. Bob Morgan agreed.
>
> Hal Lockhart asked if commenter had a suggestion for alternative 
> approach, answer was to allow alternate secure channels.
>
> Tom Scavo noted draft 12 is not substantive change, since changes were 
> only clarifications, since TLS change not made.
>
> b) Holder of Key Assertion profile had comments
>
> http://wiki.oasis-open.org/security/PublicComments20090326-20090525
>
> Some were requests for clarification. Question of SAML NameID was not 
> clear, so added paragraph in lines 258-260 draft 10 diff to clarify by 
> referencing constrained delegation profile. Draft 10 had minor changes 
> and has been uploaded to Kavi.
>
> Hal Lockhart suggested committee respond to commenters with 
> resolutions of actions (link to wiki) indicating no action on 
> suggested TLS change.
>
> Hal Lockhart noted that if the changes are non-substantive no 
> additional public review needed.
>
> Tom Scavo noted that the latest drafts include all changes.
>
> Motion: Draft 12 of Holder-of-Key Web Browser SSO Profile and Draft 
> 10 of HOK assertion profile be moved to Committee Draft
> Moved by Tom Scavo, Second by Bob Morgan
> Motion passed - No objection to unanimous consent
>
> Action: to Tom Scavo to produce CDs of Holder-of-Key Web Browser SSO 
> Profile and Holder of Key Assertion Profile
>
> Motion: Hold electronic ballot of Holder-of-Key Web Browser SSO 
> Profile and Holder of Key Assertion Profile
> Moved by Scott Cantor
> Second by Bob Morgan
> Motion passed - No objection to unanimous consent.
>
> 5. New work items:
>
> (i) Kerberos HOK profile (Josh/Thomas):
>
> http://www.oasisopen.org/apps/org/workgroup/security/email/archives/200906/msg00027.html 
>
>
> Josh Howlett gave some background on Kerberos Holder of key and 
> attribute query profiles, noted that shared proposals by email. Also 
> noted that shared high level architecture document on list (PDF).
>
> Three protocols proposed for (i) encapsulating Kerberos service 
> ticket, (ii) how to use attribute query to ask for attribute, and 
> (iii) use holder of key assertion protocol to obtain confirmation 
> using Kerberos. Plan to define fourth protocol for composition of 
> these for SSO.
>
> Request for comment, some questions are also noted in the documents 
> themselves.
>
> Scott Cantor suggested combining two profiles into one single 
> attribute profile. Scott Cantor has additional comment on the XML, 
> such as requests for multiple attributes (e.g. tickets). He will send 
> message to list with details.
>
> Josh Howlett plans to have update before the next teleconference. He 
> asks committee that if Kerberos HoK Assertion Profile is based on 
> X.509 HoK profile would it be confusing due to duplicate material.  
> Tom Scavo asked if X.509 and Kerberos profiles could be unified, in a 
> clear manner. He also noted that this would need to happen if Web 
> Browser SSO Profile is not unnecessarily delayed. Tom, Josh and Nate 
> agreed it would be good to unify the documents into a single document. 
> The committee noted this would be a substantive change, requiring a 
> new CD.
>
> Hal Lockhart suggested editors work offline to produce a combined 
> document.  The editors noted this will probably not be ready for the 
> next call.
>
> Hal Lockhart will delay request for Committee Specification ballot 
> for Holder of Key Assertion Profile and not have one if decision is 
> reached on email list to have combined document (to avoid confusion).
>
> ii) Attribute Query profile (Josh/Thomas):
>
> http://www.oasisopen.org/apps/org/workgroup/security/email/archives/200906/msg00027.html 
>
>
> Josh Howlett asked question of whether to support requests for 
> multiple service tickets at one time. Not clear if use cases exist.
>
> iii) Encapsulating service ticket document
>
> Josh Howlett noted this is a very simple profile that defines 
> attribute - will wait for comments from Scott Cantor.
>
> Meeting adjourned.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia


