Subject: Re: [security-services] Re: Proposed Agenda for SSTC Call (10 August 2010)
I was on this call, but joined late - can you please add me to the list of attendees?

Thanks

regards, Frederick

Frederick Hirsch
Nokia

On Aug 11, 2010, at 3:29 PM, ext Anil Saldhana wrote:

>
> On 08/10/2010 11:42 AM, Nate Klingenstein wrote:
>>
>>> 1. Roll Call & Agenda Review.
>> Quorum was achieved.
>
> Voting Members:
> John Bradley  Individual
> Scott Cantor  Internet2
> Nathan Klingenstein  Internet2
> Thomas Hardjono  M.I.T.
> Anthony Nadalin  Microsoft Corporation
> Phil Hunt  Oracle Corporation
> Hal Lockhart  Oracle Corporation
> Anil Saldhana  Red Hat
> David Staggs  Veterans Health Administration
>
> Members:
> Ari Kermaier  Oracle Corporation
> Paul Madsen  NTT Corporation
> George Fletcher  AOL
>
> Quorum: 9 out of 13 voting members (69%)
> Status: Ari and George Fletcher regain voting status.
>
>>> 2. Need a volunteer to take minutes.
>> Nate volunteered.
>>> 3. Approval of minutes from last meetings:
>>> Minutes from SSTC Call on 27 July 2010:
>>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201008/msg00009.html
>>>
>> The approval of the minutes was delayed until the following call due
>> to errata in the attendee list.
>>> 4. AIs & progress update on current work-items:
>>>
>>> (a) Current electronic ballots: HOK Web Browser SSO. Please vote.
>> The ballot has closed with 10 of 12 votes in favor and none against.
>> The approval of the Holder-of-Key Web Browser SSO Profile as Committee
>> Specification was successful.
>>> (d) SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>>> - Status: CS-01 version of this doc is on Wiki.
>>> - Status: Thomas to ask Mary.
>> Thomas has not done this yet, so the action item remains outstanding.
>>> (e) Kerberos related items. [Josh/Thomas]
>>> - Kerberos Attribute Profile:
>>> - Status: Public review period closed on 15 June 2010.
>>> - Status: CMU Use-case discussions (sent to
>>> security-comments list).
>>> - AI: Josh/Thomas will suggest additions to Attribute Profile.
>> Thomas, Josh, Scott, and Jeff from CMU have been discussing over email
>> how to amend the attribute profile. CMU would like to be able to send
>> a decrypted KRB_CRED blob from a KDC in an assertion and deliver it
>> from an IdP to an SP. The API exists, but RFC 4120 may prohibit this
>> implicitly because KRB_CREDs should not be sent around in plaintext.
>>
>> The other trouble may lie in the cipher suite used. The IdP and SP do
>> have a public keypair that can be used to negotiate an encryption
>> method, but in XML encryption, the actual data would be encrypted with
>> the key using XML encryption, but in this case the data would be
>> encrypted as specified by Kerberos (ASN.1?) and the algorithm types
>> and other pieces of information may not align with the cipher suites
>> as named by Kerberos. The mapping of algorithms from XML encryption
>> to Kerberos cipher suites is likely to be pretty obvious and easy to
>> profile, and Scott isn't suggesting some sort of new protocol be
>> invented.
>>
>> Because confidentiality and security are handled by the SAML layer,
>> it's not entirely important to have the encryption at the Kerberos
>> level, but they would like to be compliant with the RFC. Scott would
>> also like to allow for an encrypted use case anyway, so he would like
>> to include something, but he doesn't exactly know what to do for
>> that. Further input from CMU is being awaited.
>>
>> Thomas and Josh will provide an update and expanded edition of the
>> Attribute Profile and circulate it to Scott and CMU to determine
>> whether it's acceptable. The cipher suite and encryption issues may
>> be beyond the scope of the Attribute Profile itself.
>>
>>> (f) SAML V2.0 Identity Assurance Profiles, Version 1.0
>>> - Status: Public review period closed on 13 June 2010.
>>> - Status: Awaiting comments/resolutions.
>>
>> Scott believes that necessary revisions have been made and would like
>> to have this voted to 15 day public review.
>> The feedback has been responded to, so we should be ready to move to CD.
>>
>> http://wiki.oasis-open.org/security/SAML2IDAssuranceProfile
>>
>> Paul moved that we approve WD-02 to CD status and move it to a 15 day
>> public review. Nate seconds the motion, and there were no
>> objections. Paul will do the CD edit and update the Wiki, and Thomas
>> will submit the public review package.
>>
>>> (g) NSN Attribute Management proposal (Thinh/Phil) - any updates?
>>
>> Phil has no updates from his perspective on the proposal, but
>> continues to encourage people to read the document. He is also happy
>> to address any background questions from individuals new to the
>> proposal. His next goal is to finish the profiles.
>>
>> This is the fourth approach, now using notification messages, which he
>> likes because it doesn't oblige SAML endpoints to do things. He wants
>> affirmation that others agree that the current proposal, relying on
>> notification messages, is the proper approach.
>>
>> http://www.oasis-open.org/committees/document.php?document_id=38737&wg_abbrev=security
>>
>> Chuck Mortimore from Salesforce found it useful to perform this
>> notification in the SAML context, but believes that change propagation
>> might be performed using another protocol. Part of the
>> proposal (section 2.4) involves the negotiation of the protocol that
>> would then be used. For now, Phil will just profile the use of SAML
>> for the change propagation, but he will allow others to profile
>> additional protocols, such as STS, SPML, OpenID, PoCo, etc.
>>
>> NSN has identified another use case that Phil would like to sort out.
>> He thinks a normal AuthnRequest might be able to address the use case,
>> but NSN disagrees. Section 2.7 includes a comment discussing this use
>> case.
>>
>>> (h) SSO initiation CD (Scott) - any updates?
>> Scott would like to take this document, along with the Algorithm
>> Support CD, to 60 day public review, because he doesn't believe there
>> are many other documents that will imminently need review as well. He
>> made the motion and John Bradley seconded, to no objections. Thomas
>> will handle the submission process.
>>
>> http://wiki.oasis-open.org/security/RequestInitProtProf
>> http://wiki.oasis-open.org/security/SAML2MetadataAlgSupport
>>
>>> (i) SOA-TEL Token Correlation Profile (Federico/TI) - any updates?
>> Federico was not on the call.
>>> 5. New work items:
>>> - Project Moonshot (potential new work item)
>>
>> The Moonshot BoF was held at the recent IETF meeting and a new mailing
>> list has been established. We anticipate that Josh will join an SSTC
>> call in the near future to provide more introductory information, and
>> draft documents are likely to follow.
>>
>> A parallel item at the IETF, a pair of SAML SASL mechanisms being
>> looked at in the Kitten working group, has led to discussion about how
>> or whether to bring each forward. One proposed by Cisco requires a
>> web browser and one proposed by Scott uses a side channel. There are
>> also proposals for OAuth and OpenID. The Kitten working group will
>> need to resolve this pile of proposals and figure out what to carry
>> forward to the IETF. Scott also wants to look at how to add
>> holder-of-key crypto to his proposal.
>>
>>> 6. Related work items:
>>> - SAML 2.0 Bearer Assertion Profile for OAuth 2.0 (IETF) - Brian
>>> Campbell.
>> This is another proposal that is unrelated to the SASL work that may
>> be of interest to individuals who want to transport SAML tokens over
>> OAuth. Scott and Brian have disagreements and we would like to
>> solicit input from other implementers who may have interest whether
>> the draft is overly restrictive or a good simplification.
>>> - IIW-East conference (in DC in September).
>>
>> Details have been uploaded and registration started this week.
>>
>>> 7. Propose an SSTC Face-to-Face meeting for September 2010:
>>> - Awaiting room confirmation.
>>
>> Thomas will contact Jane, and then provide a poll using the OASIS
>> ballot mechanism to see who is available to attend the OASIS
>> conference itself, as well as to see who is interested in an SSTC
>> face-to-face, possibly on given dates.
>>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>