Subject: Re: [security-services] Minutes: SSTC Conference Call (September22nd, 2009)
Anil Saldhana wrote:
> Tom Scavo wrote:
>>> Proposed Agenda SSTC Conference Call
>>> September 22nd, 2009, 12:00pm ET
>>>
>>
>> Thomas Hardjono presiding
>>
>>> Dial in info: +1 408-774-4073
>>> Conference code: 4480739
>>> Password: 72657265 (SAMLSAML)
>>>
>>> 1. Roll Call & Agenda Review
>>>
>>
>> Anil Saldhana took the Roll Call.
>>
> Rollcall:-
>
> Voting Members:
> Rob Philpott EMC Corporation
> John Bradley Individual
> Scott Cantor Internet2
> Nathan Klingenstein Internet2
> Bob Morgan Internet2
> Thomas Hardjono M.I.T.
> Tom Scavo National Center for Supercomputing Applica...
> Frederick Hirsch Nokia Corporation
> Paul Madsen NTT Corporation
> Ari Kermaier Oracle Corporation
> Hal Lockhart Oracle Corporation
> Anil Saldhana Red Hat
> Kent Spaulding Skyworth TTG Holdings Limited
> Duane DeCouteau Veterans Health Administration
>
> Members:-
> Emily Xu Sun Microsystems
> Christian Guenther - NSN
> Thinh Nguyenphu - NSN
> Kyle Meadors - Drummond Group
> Quorum: 14 out of 17 voting members (82%)
> Status: Richard Frank (IBM) and Srinath Godavarti (Formerly Nortel)
> lost voting status
>
>> [insert Roll Call results here]
>>
>> Aliases used below:
>>
>> TS = Scavo, Tom
>> RP = Philpott, Rob
>> BM = Morgan, Mr Bob
>> AB = Barbir, Abbie
>> HL = Lockhart, Hal
>> DD = DeCouteau, Duane
>> SC = Cantor, Scott
>> NK = Klingenstein, Mr. Nathan
>> PM = Madsen, Paul
>> FH = Hirsch, Mr. Frederick
>> AS = Saldhana, Mr. Anil
>> TH = Hardjono, Mr. Thomas
>>
>> New Action Items
>>
>> - Port the SSTC Work Summary to the wiki [HL]
>> - Create new Working Drafts of the HoK Profiles [TS]
>> - Produce CD version of Identity Assurance profile and update the
>> wiki [BM]
>> - Produce CD version of Condition for Delegation Restriction [SC]
>> - Investigate and report on CARML. [HL]
>> - Produce CS version of Text-based Challenge/Response profile [AS]
>> - Include the question whether or not to increase the frequency of
>> meetings [TH]
>>
>>> 2. Need a volunteer to take minutes
>>>
>>
>> TS volunteered to take minutes
>>
>>> 3. Approval of minutes from last meeting (25 August 2009):
>>>
>>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/200908/msg00083.html
>>>
>>
>> RP moves to accept the minutes, BM seconds. Motion carries unanimously.
>>
>>> 4. AIs & progress update on current work-items:
>>>
>>> (a) Current electronic ballots: none
>>>
>>
>> SAML Status Presentation for the ITU-T
>>
>> AB asked HL for a SAML update to be presented to the ITU-T. (There's a
>> formal arrangement between OASIS and ITU-T such that the latter
>> normally reviews and adopts OASIS Standards.) HL prepared a
>> presentation:
>>
>> http://www.oasis-open.org/committees/download.php/34320/SAML%20Status%20for%20ITU-T.ppt
>>
>> AB will actually make the presentation to ITU-T.
>>
>> As a by-product, HL produced a work summary for the SSTC:
>>
>> http://www.oasis-open.org/committees/download.php/34321/Post%20SAML%202.0%20Profiles.doc
>>
>> Should this be included in the wiki? If so, at what level of visibility?
>>
>>> (b) Status of past (closed) ballots:
>>>
>>> XSPA - spec has been submitted to OASIS for approval as Full
>>> Standard.
>>>
>>
>> DD reports that the profile has been submitted to OASIS tc-admin for
>> OASIS Standard ballot. The familiarization period is anticipated to
>> begin on Oct 1, 2009.
>>
>> DD also reports that both wikis have been updated.
>>
>>> SAML V2.0 Attribute Extensions Version 1.0
>>> SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
>>> SAML V2.0 Metadata Interoperability Profile Version 1.0
>>>
>>
>> Minor errata were incurred as these documents transitioned from CD to
>> CS. SC has no plans to bring these documents back to the Working Draft
>> stage to correct these non-substantive errata.
>>
>> SC posted relevant attestations to the mailing list:
>>
>> http://lists.oasis-open.org/archives/security-services/200909/msg00035.html
>>
>> If there are any other implementations of these (or any other CS) specs,
>> please submit a formal attestation so these documents can move
>> forward.
>>
>>> SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as
>>> a CS
>>> SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>>>
>>
>> Similar to the previous three documents, TS reports that these two
>> documents also incurred errata as they were transitioned from CD to
>> CS. This includes a normative reference from the Holder-of-Key Web
>> Browser SSO Profile (CS) to the Holder-of-Key Assertion Profile (CD).
>> The only way to correct this (and other) errata is to bring these
>> documents back to Working Draft. NK agrees we should do this.
>>
>> Editors take note: In the future, OASIS tc-admin will transition
>> documents from CD to CS. This means that all modifications to the CS
>> version (apart from dates and version numbers) must be anticipated in
>> advance.
>>
>>> (c) 15-Day review of sstc-saml-approved-errata-2.0-draft-49 (action
>>> for Hal)
>>>
>>
>> This document was previously lost, then found. An announcement is
>> imminent.
>>
>>> (d) Progress on getting Jira instance for SSTC (Scott).
>>>
>>
>> No update.
>>
>>> (e) Dwayne to add a page for the XSPA page in the SAML wiki.
>>> http://www.oasis-open.org/apps/org/workgroup/security/ballots.php
>>>
>>
>> DD reports this is done:
>>
>> http://wiki.oasis-open.org/security/XSPASAML2Profile
>>
>>> (f) Kerberos related items (Josh):
>>> - Kerberos Attribute profile (draft-02):
>>>
>>> http://www.oasis-open.org/apps/org/workgroup/security/download.php/34160/sstc-saml-attribute-kerberos-02.odt
>>>
>>> - Kerberos Subject Confirmation Method (draft-00):
>>>
>>> http://www.oasis-open.org/apps/org/workgroup/security/download.php/34161/sstc-saml-kerberos-subject-confirmation-method%2000.odt
>>>
>>
>> SC wonders if this new Confirmation Method (CM) is potentially
>> controversial. (The spec proposes a new CM rather than using the
>> existing holder-of-key CM.) It is likely WSS implementations may
>> break. Also we seem to be setting a precedent, which is not bad per
>> se, but we need to consider this proposal carefully.
>>
>> For background information on this issue, please consult the following
>> threads of discussion:
>>
>> http://lists.oasis-open.org/archives/security-services/200906/msg00027.html
>>
>> http://lists.oasis-open.org/archives/security-services/200907/msg00017.html
>>
>> http://lists.oasis-open.org/archives/security-services/200908/msg00016.html
>>
>> Further comments to the list, please.
>>
>>> (g) Expressing Identity Assurance profile for SAML2.0 (LOA) (Bob
>>> Morgan)
>>>
>>> http://www.oasis-open.org/committees/download.php/34277/sstc-saml-assurance-profile-draft-01.pdf
>>>
>>
>> BM uploaded a new version of this document (above). Some sections were
>> moved, an example was added, and other tweaks were made. No normative
>> changes were made, however. BM believes this document is ready for CD.
>> So moved (by BM). PM seconded. No objections. Motion carries
>> unanimously.
>>
>>> (h) Delegation Condition Extension Profile (Scott)
>>>
>>
>> SC uploaded a new version of this document:
>>
>> http://www.oasis-open.org/committees/download.php/34357/sstc-saml-delegation-cd-02.pdf
>>
>> SC created a new introduction and included some new diagrams that
>> describe multiple actors. The goal was to motivate the use cases. SC
>> would like to get this document back out to public review. No
>> substantive changes were made, however. SC moves to take the document
>> to CD. BM seconds. No objections. Motion carries.
>>
>> Next step is to request a CS ballot. Is the schema correct? Yes, all
>> schema fragments are valid. Are normative refs synchronized? There are
>> no xrefs, so this shouldn't be a problem. SC moves the SSTC request a
>> CS ballot. BM seconds. No objections. Motion carries.
>>
>> PS. Don't forget to include the voting member list in the CD,
>> otherwise there won't be an opportunity to do this as the document is
>> automatically transitioned to CS.
>>
>>> 5. New work items:
>>>
>>> (i) SAML Attribute Management protocol proposal (Thinh Nguyenphu/NSN)
>>>
>>> http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt
>>>
>>
>> Thinh Nguyenphu gave the above presentation. He reviewed the use cases
>> (slide 2) and proposed a new SAML Attribute Management Protocol (slide
>> 4).
>>
>> HL: In what sense is the account at the SP transient? Answer:
>> Basically, we have a stateless SP so we would like to save attributes
>> back to the IdP.
>>
>> HL: Do the two use cases look the same to the IdP? Answer: Yes
>>
>> SC: As a point of clarification, the SSTC won't modify the SAML
>> Standards.
>>
>> HL: Some comments were posted online:
>>
>> http://lists.oasis-open.org/archives/security-services/200909/msg00016.html
>>
>> HL: Recommends CARML (Liberty) for these use cases. Perhaps CARML
>> should be contributed to the SAML TC?
>>
>> BM: All of CARML or just the relevant portions? (This of course would
>> be up to the SSTC.)
>>
>> SC: ID-WSF solves these use cases as well.
>>
>> SC: Are there IPR issues associated with these use cases?
>>
>> FH: Can you solve this problem without the complexity of full ID-WSF?
>>
>> General consensus of the SSTC is that update capability is useful, but
>> this isn't necessarily the job of this TC. We should leverage other
>> solutions (CARML, SPML, etc.) if indeed they are relevant.
>>
>>> (ii) SAML Name Identifier protocol proposal (Thinh Nguyenphu/NSN)
>>>
>>> http://www.oasis-open.org/committees/download.php/34221/SAML%20Name%20Identifier%20Protocol.ppt
>>>
>>
>> Christian Günther from Munich, Germany gave the above presentation
>>
>> SC: Why not just use federated login and persistent identifiers?
>>
>> RP: We have customers who have requested bulk import of identifiers
>> from IdP to SP (and in one case, from SP to IdP).
>>
>> SC: (re second bullet on slide 3) Not clear why you need anything more
>> than Web Browser SSO. Why does the SP send an identifier in this case?
>>
>> At this point, we're taking it to the list for further discussion.
>>
>>> 6. Assorted threads on saml-dev/comment list
>>> - Oasis Identity Management 2009 (29-30 Sept, NIST, Gaithersburg, MD)
>>> http://events.oasis-open.org/home/forum/2009/registration
>>>
>>
>> This is actually an OASIS event and OASIS members are encouraged to
>> attend.
>>
>> New business:
>>
>> Scott uploaded a new errata draft:
>>
>> http://www.oasis-open.org/committees/download.php/34096/sstc-saml-errata-2.0-draft-50.pdf
>>
>> Next call four weeks from today: Tuesday, October 20, 2009