[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Minutes: SSTC Conference Call (September22nd, 2009)
Anil Saldhana wrote:
> Tom Scavo wrote:
>>> Proposed Agenda SSTC Conference Call
>>> September 22nd, 2009, 12:00pm ET
>>>
>>
>> Thomas Hardjono presiding
>>
>>
>>> Dial in info: +1 408-774-4073
>>> Conference code: 4480739
>>> Password: 72657265 (SAMLSAML)
>>>
>>> 1. Roll Call & Agenda Review
>>>
>>
>> Anil Saldhana took the Roll Call.
>>
> Rollcall:-
>
> Voting Members:
> Rob Philpott EMC Corporation
> John Bradley Individual
> Scott Cantor Internet2
> Nathan Klingenstein Internet2
> Bob Morgan Internet2
> Thomas Hardjono M.I.T.
> Tom Scavo National Center for Supercomputing Applica...
> Frederick Hirsch Nokia Corporation
> Paul Madsen NTT Corporation
> Ari Kermaier Oracle Corporation
> Hal Lockhart Oracle Corporation
> Anil Saldhana Red Hat
> Kent Spaulding Skyworth TTG Holdings Limited
> Duane DeCouteau Veterans Health Administration
>
> Members:-
> Emily Xu Sun Microsystems
> Christian Guenther - NSN
> Thinh Nguyenphu - NSN
Kyle Meadors - Drummond Group
> Quorum: 14 out of 17 voting members (82%)
> Status: Richard Frank (IBM) and Srinath Godavarti (Formerly Nortel)
> lost voting status
>
>> [insert Roll Call results here]
>>
>> Aliases used below:
>>
>> TS = Scavo, Tom
>> RP = Philpott, Rob
>> BM = Morgan, Mr Bob
>> AB = Barbir, Abbie
>> HL = Lockhart, Hal
>> DD = DeCouteau, Duane
>> SC = Cantor, Scott
>> NK = Klingenstein, Mr. Nathan
>> PM = Madsen, Paul
>> FH = Hirsch, Mr. Frederick
>> AS = Saldhana, Mr. Anil
>> TH = Hardjono, Mr. Thomas
>>
>> New Action Items
>>
>> - Port the SSTC Work Summary to the wiki [HL]
>> - Create new Working Drafts of the HoK Profiles [TS]
>> - Produce CD version of Identity Assurance profile and update the
>> wiki [BM]
>> - Produce CD version of Condition for Delegation Restriction [SC]
>> - Investigate and report on CARML. [HL]
>> - Produce CS version of Text-based Challenge/Response profile [AS]
>> - Include the question whether or not to increase the frequency of
>> meetings [TH]
>>
>>
>>> 2. Need a volunteer to take minutes
>>>
>>
>> TS volunteered to take minutes
>>
>>
>>> 3. Approval of minutes from last meeting (25 August 2009):
>>>
>>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/200908/msg00083.html
>>>
>>>
>>
>> RP moves to accept the minutes, BM seconds. Motion carries unanimously.
>>
>>
>>> 4. AIs & progress update on current work-items:
>>>
>>> (a) Current electronic ballots: none
>>>
>>
>> SAML Status Presentation for the ITU-T
>>
>> AB asked HL for a SAML update to be presented to the ITU-T. (There's a
>> formal arrangement between OASIS and ITU-T such that the latter
>> normally reviews and adopts OASIS Standards.) HL prepared a
>> presentation:
>>
>> http://www.oasis-open.org/committees/download.php/34320/SAML%20Status%20for%20ITU-T.ppt
>>
>>
>> AB will actually make the presentation to ITU-T.
>>
>> As a by-product, HL produced a work summary for the SSTC:
>>
>> http://www.oasis-open.org/committees/download.php/34321/Post%20SAML%202.0%20Profiles.doc
>>
>>
>> Should this be included in the wiki? If so, at what level of visibility?
>>
>>
>>> (b) Status of past (closed) ballots:
>>>
>>> XSPA - spec has been submitted to OASIS for approval as Full
>>> Standard.
>>>
>>
>> DD reports that the profile has been submitted to OASIS tc-admin for
>> OASIS Standard ballot. The familiarization period is anticipated to
>> begin on Oct 1, 2009.
>>
>> DD also reports that both wikis have been updated.
>>
>>
>>> SAML V2.0 Attribute Extensions Version 1.0
>>> SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
>>> SAML V2.0 Metadata Interoperability Profile Version 1.0
>>>
>>
>> Minor errata were incurred as these documents transitioned from CD to
>> CS. SC has no plans to bring these documents back to the Working Draft
>> stage to correct these non-substantive errata.
>>
>> SC posted relevant attestations to the mailing list:
>>
>> http://lists.oasis-open.org/archives/security-services/200909/msg00035.html
>>
>>
>> If there any other implementations of these (or any other CS) specs,
>> please submit a formal attestation so these documents can move
>> forward.
>>
>>
>>> SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as
>>> a CS
>>> SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>>>
>>
>> Similar to the previous three documents, TS reports that these two
>> documents also incurred errata as they were transitioned from CD to
>> CS. This includes a normative reference from the Holder-of-Key Web
>> Browser SSO Profile (CS) to the Holder-of-Key Assertion Profile (CD).
>> The only way to correct this (and other) errata is to bring these
>> documents back to Working Draft. NK agrees we should do this.
>>
>> Editors take note: In the future, OASIS tc-admin will transition
>> documents from CD to CS. This means that all modifications to the CS
>> version (apart from dates and version numbers) must be anticipated in
>> advance.
>>
>>
>>> (c) 15-Day review of sstc-saml-approved-errata-2.0-draft-49 (action
>>> for Hal)
>>>
>>
>> This document was previously ost, then found. An announcement is
>> imminent.
>>
>>
>>> (d) Progress on getting Jira instance for SSTC (Scott).
>>>
>>
>> No update.
>>
>>
>>> (e) Dwayne to add a page for the XSPA page in the SAML wiki.
>>> http://www.oasis-open.org/apps/org/workgroup/security/ballots.php
>>>
>>
>> DD reports this is done:
>>
>> http://wiki.oasis-open.org/security/XSPASAML2Profile
>>
>>
>>> (f) Kerberos related items (Josh):
>>> - Kerberos Attribute profile (draft-02):
>>>
>>> http://www.oasis-open.org/apps/org/workgroup/security/download.php/34160/sstc-saml-attribute-kerberos-02.odt
>>>
>>>
>>> - Kerberos Subject Confirmation Method (draft-00):
>>>
>>> http://www.oasis-open.org/apps/org/workgroup/security/download.php/34161/sstc-saml-kerberos-subject-confirmation-method%2000.odt
>>>
>>>
>>
>> SC wonders if this new Confirmation Method (CM) is potentially
>> controversial. (The spec proposes a new CM rather than using the
>> existing holder-of-key CM.) It is likely WSS implementations may
>> break. Also we seem to be setting a precedent, which is not bad per
>> se, but we need to consider this proposal carefully.
>>
>> For background information on issue, please consult the following
>> threads of discussion:
>>
>> http://lists.oasis-open.org/archives/security-services/200906/msg00027.html
>>
>> http://lists.oasis-open.org/archives/security-services/200907/msg00017.html
>>
>> http://lists.oasis-open.org/archives/security-services/200908/msg00016.html
>>
>>
>> Further comments to the list, please.
>>
>>
>>> (g) Expressing Identity Assurance profile for SAML2.0 (LOA) (Bob
>>> Morgan)
>>>
>>> http://www.oasis-open.org/committees/download.php/34277/sstc-saml-assurance-profile-draft-01.pdf
>>>
>>>
>>
>> BM uploaded a new version of this document (above). Some sections were
>> moved, an example was added, and other tweaks were made. No normative
>> changes were made, however. BM believes this document is ready for CD.
>> So moved (by BM). PM seconded. No objections. Motion caries
>> unanimously.
>>
>>
>>> (h) Delegation Condition Extension Profile (Scott)
>>>
>>
>> SC uploaded a new version of this document:
>>
>> http://www.oasis-open.org/committees/download.php/34357/sstc-saml-delegation-cd-02.pdf
>>
>>
>> SC created a new introduction and included some new diagrams that
>> describe multiple actors. The goal was to motivate the use cases. SC
>> would like to get this document back out to public review. No
>> substantive changes were made, however. SC moves to take the document
>> to CD. BM seconds. No objections. Motion carries.
>>
>> Next step is to request a CS ballot. Is the schema correct? Yes, all
>> schema fragments are valid. Are normative refs synchronized? There are
>> no xrefs, so this shouldn't be a problem. SC moves the SSTC request a
>> CS ballot. BM seconds. No objections. Motion carries.
>>
>> PS. Don't forget to include the voting member list in the CD,
>> otherwise there won't be an opportunity to do this as the document is
>> automatically transitioned to CS.
>>
>>
>>> 5. New work items:
>>>
>>> (i) SAML Attribute Management protocol proposal (Thinh Nguyenphu/NSN)
>>>
>>> http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt
>>>
>>>
>>
>> Thinh Nguyenphu gave the above presentation. He reviewed the use cases
>> (slide 2) and proposed a new SAML Attribute Management Protocol (slide
>> 4).
>>
>> HL: In what sense is the account at the SP transient? Answer:
>> Basically, we have a stateless SP so we would like to save attributes
>> back to the IdP.
>>
>> HL: Do the two use cases look the same to the IdP? Answer: Yes
>>
>> SC: As a point of clarification, the SSTC won't modify the SAML
>> Standards.
>>
>> HL: Some comments were posted online:
>>
>> http://lists.oasis-open.org/archives/security-services/200909/msg00016.html
>>
>>
>> HL: Recommends CARML (Liberty) for these use cases. Perhaps CARML
>> should be contributed to the SAML TC?
>>
>> BM: All of CARML or just the relevant portions? (This of course would
>> be up to the SSTC.)
>>
>> SC: ID-WSF solves these use cases as well.
>>
>> SC: Are there IPR issues associated with these use cases?
>>
>> FH: Can you solve this problem without the complexity of full ID-WSF?
>>
>> General consensus of the SSTC is that update capability is useful, but
>> this isn't necessarily the job of this TC. We should leverage other
>> solutions (CARML, SPML, etc.) if indeed they are relevant.
>>
>>
>>> (ii) SAML Name Identifier protocol proposal (Thinh Nguyenphu/NSN)
>>>
>>> http://www.oasis-open.org/committees/download.php/34221/SAML%20Name%20Identifier%20Protocol.ppt
>>>
>>>
>>
>> Christian Günther from Munich, Germany gave the above presentation
>>
>> SC: Why not just use federated login and persistent identifiers?
>>
>> RP: We have customers who have requested bulk import of identifiers
>> from IdP to SP (and in one case, from SP to IdP).
>>
>> SC: (re second bullet on slide 3) Not clear why you need anything more
>> than Web Browser SSO. Why does the SP send an identifier in this case?
>>
>> At this point, we're taking it to the list for further discussion.
>>
>>
>>> 6. Assorted threads on saml-dev/comment list
>>> - Oasis Identity Management 2009 (29-30 Sept, NIST, Gaithersburg, MD)
>>> http://events.oasis-open.org/home/forum/2009/registration
>>>
>>
>> This is actually an OASIS event and OASIS members are encouraged to
>> attend.
>>
>> New business:
>>
>> Scott uploaded a new errata draft:
>>
>> http://www.oasis-open.org/committees/download.php/34096/sstc-saml-errata-2.0-draft-50.pdf
>>
>>
>> Next call four weeks from today: Tuesday, October 20, 2009
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]