

Subject: RE: [security-services] Minutes 2010-11-16 Correction


My name is wrong in section (f)

> -----Original Message-----
> From: Nate Klingenstein [mailto:ndk@internet2.edu]
> Sent: Wednesday, November 17, 2010 11:04 AM
> To: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Minutes 2010-11-16 (no attendance)
> 
> 
> Tacking attendance on to the minutes:
> 
> Hal Lockhart
> George Fletcher
> Rob Philpott
> Gregory Neven
> Franz-Stefan Preiss
> John Bradley
> Scott Cantor
> Nathan Klingenstein
> Chad La Joie
> Bob Morgan
> Anthony Nadalin
> Frederick Hirsch
> Phil Hunt
> Ari Kermaier
> Hal Lockhart
> Emily Xu
> David Staggs
> 
> And, I forgot to thank George at the end of the call for taking these 
> minutes, so I'll take the opportunity to do so now.
> 
> Talk to you all on Nov. 30.
> 
> On 2010-11-16 18:14, George Fletcher wrote:
> > Please review and send corrections. It's very possible I got some of the
> > security/crypto semantics wrong :)
> >
> > Thanks,
> > George
> >
> > SSTC Call 16 Nov 2010
> >
> > 1. Roll Call & Agenda Review.
> >
> > 2. Need a volunteer to take minutes.
> >    -- George Fletcher
> >
> > 3. Approval of minutes from last meetings:
> >
> >    - Minutes from SSTC Call on 2 Nov 2010:
> >
> >         http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201011/msg00011.html
> >
> >     Motion: Hal moves, John seconds, motion passes to approve the minutes
> >
> >
> > 4. AIs & progress update on current work-items:
> >
> >   (a) Current electronic ballots: none currently open.
> >
> >   (b) Status/notes regarding past ballots:
> >
> >      (i)  Service Provider Request Initiation Protocol and
> >           Profile V1.0 as a Committee Specification.
> >           Status: 11 out of 16 Yes (69%).
> >
> >      (ii) SAML V2.0 Identity Assurance Profiles Version 1.0 as
> >           a Committee Specification.
> >           Status: 11 out of 15 Yes (73%).
> >
> >
> >   (c) Kerberos related items. [Josh/Thomas]
> >       - Kerberos Attribute Profile:
> >       - AI: Josh/Thomas will suggest additions to Attribute Profile.
> >       - AI: Thomas to move ahead with Web SSO and Subj Confirmation profiles.
> >
> >   (d) SAML V2.0 Identity Assurance Profiles, Version 1.0
> >       - Status: 15-day review closed on 10 Sept.
> >       - Status:  Ballot passed 4 Nov. See above.
> >
> >       Next steps: Mary to create a committee specification, Scott helping to generate
> >         the HTML.
> >         Scott: some ambiguity around specs that reference their own schema
> >         -- Mary requesting a designated cross reference
> >         -- not sure what is in the created package
> >         -- something to watch for in the future
> >         -- prefers a normative reference to the schema in the document
> >         -- not concerned with fixing it for this spec
> >         -- Mary accepted the HTML that Scott generated
> >
> >   (e) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0:
> >       - Status: Thomas to ask Mary for (i) CSD version (from draft-03) and
> >         (ii) to start new 15 day of CSD.
> >
> >       Waiting on the CSD from Mary
> >       Will ask Thomas to update the public template once the CSD is generated
> >
> >   (f) Gregory Neven (IBM): Primelife Project (presentation) - 30 mins.
> >
> >       Presentation: http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201011/msg00034.html
> >
> >       Identity Mixer and U-Prove
> >       -- some technical differences
> >          -- U-Prove -- can only show a token once (one-time-use)
> >          -- Identity Mixer -- can generate as many tokens as you want
> >
> >       Slide 8: Maybe ConditionStatement should be PredicateStatement
> >
> >       Ask: Is defining predicates over attributes a good idea?
> >
> >       Tom Lockhard will act as liaison between XACML and SS TCs

Hal Lockhart will act as liaison between XACML and SS TCs

> >
> >       John Bradley: Proposing that SAML Assertions have ranges?
> >        -- Is the SAML Assertion a signed IDMix token? or does the SAML Assertion
> >           contain signed IDMix tokens?
> >        -- Greg: Not yet defined how to put IDMix tokens into SAML Assertion
> >           -- would need a new XMLDSig mechanism
> >           -- could also support predicates over attributes in normal SAML Assertions
> >              -- just loses the anonymous token features of IDMix or U-Prove
> >
> >       What is the appeal of using SAML Assertions as a wrapper?
> >       -- already defined standard in wide use
> >       -- seems to be a natural extension
> >
> >       Most of the challenges to define the full flow are on the XACML side
> >
> >       SAML work is standardization of the additional statement type
> >       -- also needs an AssertionRequest to specify predicates over attributes
> >
> >       Do we need to support two issuers?
> >       -- issuer of the attributes
> >       -- issuer of the masked token
> >       -- Greg: in the case of IDMix technology
> >          -- the user is creating the SAML Assertion
> >       -- John: looked at this in the "infocard" TC
> >          -- called selective blinding
> >          -- generally need a smart client to take advantage of this
> >       -- may map ok to the existing SAML schema
> >
> >       Scott: Does WS-Fed support any predicates over attributes
> >       -- WS-Trust allows for ranges or member of a set
> >
> >       Scott: +1 using a different statement name
> >       -- how much of the XACML schema gets pulled in if we pull in the predicate part?
> >          -- Hal: simplest is to pull in all the XACML ConditionStatement
> >          -- Hal: it's just more work to subset the full set, but may be the better option
> >       -- Greg: if not using IDMix, an online IDP could sign any predicate so
> >          recommending not doing too much sub-setting
> >          -- Hal: concern is that deployers don't want to implement the full set
> >          -- Scott: maybe define a subset for at least conformance purposes
> >       -- Hal: One subset is the "target" functions
> >
> >       Sufficient interest (based on conversation) to standardize this in the SSTC
> >       AI: Greg to propose a working draft for the SSTC to consider
> >       -- focus on the "predicate statement", identify functions
> >       -- not a finished draft, rather initial profile
> >
> >   (g) Hal Lockhart:  Session Token Profile (new work)
> >
> >       Purpose: pass state information between
> >       -- Assertion contains AuthenticationStatement and AttributeStatement
> >       -- main state that will change frequently -- time of last activity
> >       -- Mechanism (two options)
> >          -- Assertion signed [encrypted] and passed in a cookie
> >          -- Cookie contains unguessable "reference" that resolves to the Assertion
> >
> >       Some concern about cookie size and how to store the Assertion in a cookie
> >
> >       Supporting RESTful transport for SAML protocols
> >       -- outside the scope of this profile
> >
> >       Describe the Cookie passing mechanism of a new binding (as an option)
> >
> >       Rob: Does the Assertion include an SSO Assertion?
> >       -- managing the different validity periods is important
> >
> >       A bit like creating a Session Assertion instead of an SSO Assertion
> >       -- call it SessionToken
> >
> >       Scott: may be able to reuse the URI binding (designed to be unguessable)
> >       -- need to make sure that if reusing the URI binding, the non-collision
> >          values also need to be unguessable
> >
> >       Hal: proposed reusing the Artifact Protocol
> >       -- Scott: the Artifact is a protocol message mechanism not an unguessable
> >                 URI binding
> >
> >
> >   (h) NSN Attribute Management proposal (Thinh/Phil) - any updates?
> >
> >       Phil: Draft posted before the last meeting
> >       -- no changes since the last posting
> >       -- if no questions, would like to move to CD
> >
> >       Research community is looking at this but don't have feedback quite yet
> >       -- Chad: doesn't know if they will have feedback or not
> >       -- Tom: to provide Phil information by the end of the week as to what the
> >               scope of changes might be
> >
> >       Plan to wait for CD vote till the next SSTC call (two weeks)
> >       -- allow for more comments by those interested
> >
> >       Scott: will try and do a schema pass before the next SSTC call
> >
> >
> >   (i) Channel binding proposal (Scott) - any updates?
> >
> >       Scott: no updates
> >       -- some issues
> >       -- interest in determining if it's possible to inject into web browsers
> >
> >
> >   (j) Metadata extension for Login/Discovery (Scott) - any updates?
> >
> >       Scott: addition to add general searchable keywords
> >       -- will be updating the draft
> >
> >
> >   (k) Enhanced Client or Proxy Profile (Scott) - any updates?
> >
> >       Scott: no updates
> >       -- still has to do the holder-of-key work
> >       -- resistance in the Kitten group about adopting two different SAML proposals
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS TC that
> > generates this mail.  Follow this link to all your TCs in OASIS at:
> > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> >

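The "predicate statement" idea from item (f), illustrated as an added example that is not part of the minutes, the Primelife presentation, or any SAML or XACML specification: an online IdP (the non-IDMix case Greg describes) evaluates a predicate such as "age >= 18" against the attributes it holds and signs a statement that carries only the predicate, so the relying party learns that the predicate holds without learning the attribute value. The key, the JSON layout, the attribute names and the small function set are all constructed for the demo; HMAC stands in for an XMLDSig signature.

```python
# Added example (not from the SSTC minutes or any SAML/XACML spec): an online
# IdP signs a predicate over a user's attributes instead of the attribute value.
# Key, attribute names, JSON shape and function names are constructed.
import hashlib
import hmac
import json

IDP_KEY = b"constructed-idp-signing-key"  # demo secret, stands in for XMLDSig

# A deliberately small function set, in the spirit of the "subset for
# conformance" discussed on the call (illustrative names, not XACML's).
PREDICATE_OPS = {
    "ge": lambda actual, bound: actual >= bound,
    "le": lambda actual, bound: actual <= bound,
    "eq": lambda actual, bound: actual == bound,
    "in": lambda actual, members: actual in members,
}


def evaluate_predicate(attributes, predicate):
    """Return True if the user's attributes satisfy the predicate."""
    if predicate["op"] not in PREDICATE_OPS:
        raise ValueError(f"unsupported predicate function: {predicate['op']}")
    actual = attributes.get(predicate["attribute"])
    if actual is None:
        return False  # an attribute the IdP does not hold never satisfies a predicate
    return PREDICATE_OPS[predicate["op"]](actual, predicate["value"])


def issue_predicate_statement(attributes, predicate):
    """IdP side: sign a PredicateStatement only if the predicate holds.

    The signed body carries the predicate, not the attribute value, so the
    relying party learns "age >= 18" without learning the actual age.
    """
    if not evaluate_predicate(attributes, predicate):
        return None
    body = json.dumps(
        {"statement": "PredicateStatement", "predicate": predicate}, sort_keys=True
    )
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_predicate_statement(statement):
    """Relying-party side: return the predicate if the signature verifies, else None."""
    expected = hmac.new(IDP_KEY, statement["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(statement["sig"], expected):
        return None
    return json.loads(statement["body"])["predicate"]


# Constructed attributes held by the IdP for one user.
USER_ATTRIBUTES = {"age": 34, "affiliation": "member", "country": "NL"}

if __name__ == "__main__":
    over_18 = {"attribute": "age", "op": "ge", "value": 18}
    stmt = issue_predicate_statement(USER_ATTRIBUTES, over_18)
    print("issued:", stmt["body"])
    print("verified predicate:", verify_predicate_statement(stmt))
    over_40 = {"attribute": "age", "op": "ge", "value": 40}
    print("age >= 40 issued?", issue_predicate_statement(USER_ATTRIBUTES, over_40))
```

Because the IdP evaluates the predicate online, the statement is linkable to the IdP and to the issuing session; that is exactly the anonymity property of IDMix or U-Prove tokens that the minutes note is lost in this mode.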

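The two session-token mechanisms from item (g), side by side, as an added example that is not part of the minutes or of any SAML profile: option 1 signs the assertion and carries it in the cookie, so every last-activity update means re-signing and re-issuing the cookie; option 2 keeps the assertion server-side and puts only an unguessable reference in the cookie, which also addresses the cookie-size concern raised on the call. The assertion here is a plain dict standing in for a SAML Assertion, and the key, subject and attribute values are constructed.

```python
# Added example (not from the SSTC minutes or any SAML profile): the two cookie
# mechanisms discussed under item (g). Key and sample values are constructed.
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"constructed-session-signing-key"  # demo secret only


def make_assertion(subject, authn_instant, last_activity, attributes):
    """Stand-in for an Assertion with an AuthenticationStatement, an
    AttributeStatement and the frequently changing last-activity time."""
    return {
        "subject": subject,
        "authn_instant": authn_instant,
        "last_activity": last_activity,
        "attributes": attributes,
    }


# Option 1: the signed assertion itself travels in the cookie.
def encode_signed_cookie(assertion):
    raw = json.dumps(assertion, separators=(",", ":"), sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_signed_cookie(cookie):
    """Return the assertion, or None if the cookie is malformed or the tag fails."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload).decode())


def touch_signed_cookie(cookie, now):
    """Updating last activity means re-signing and re-issuing the whole cookie."""
    assertion = decode_signed_cookie(cookie)
    if assertion is None:
        return None
    assertion["last_activity"] = now
    return encode_signed_cookie(assertion)


# Option 2: the cookie carries only an unguessable reference; the assertion
# stays server-side and is looked up (and updated) in place.
class ReferenceStore:
    REF_BYTES = 32  # 256 bits of randomness so references cannot be guessed

    def __init__(self):
        self._assertions = {}

    def issue(self, assertion):
        ref = secrets.token_urlsafe(self.REF_BYTES)
        self._assertions[ref] = assertion
        return ref

    def resolve(self, ref):
        return self._assertions.get(ref)

    def touch(self, ref, now):
        assertion = self._assertions.get(ref)
        if assertion is not None:
            assertion["last_activity"] = now
        return assertion


def cookie_sizes(assertion):
    """Characters the browser must carry under each option (the cookie-size concern)."""
    return {
        "signed_assertion": len(encode_signed_cookie(assertion)),
        "reference": len(ReferenceStore().issue(assertion)),
    }


if __name__ == "__main__":
    a = make_assertion("alice@example.org", 1289932800, 1289932800,
                       {"role": "member", "dept": "eng"})
    print(cookie_sizes(a))
```

The reference in option 2 is drawn from the OS CSPRNG with 256 bits of entropy, which is the "unguessable" property Scott insists on for any reused binding; a sequential or hashed-from-public-data reference would let a client resolve someone else's assertion. Option 1 as written only signs; the bracketed "[encrypted]" in the minutes would additionally be needed if the assertion's attributes must be hidden from the browser.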