[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Minutes 2010-11-16 Correction
My name is wrong in section (f) > -----Original Message----- > From: Nate Klingenstein [mailto:ndk@internet2.edu] > Sent: Wednesday, November 17, 2010 11:04 AM > To: security-services@lists.oasis-open.org > Subject: Re: [security-services] Minutes 2010-11-16 (no attendance) > > > Tacking attendance on to the minutes: > > Hal Lockhart > George Fletcher > Rob Philpott > Gregory Neven > Franz-Stefan Preiss > John Bradley > Scott Cantor > Nathan Klingenstein > Chad La Joie > Bob Morgan > Anthony Nadalin > Frederick Hirsch > Phil Hunt > Ari Kermaier > Hal Lockhart > Emily Xu > David Staggs > > And, I forgot to thank George at the end of the call for taking these > minutes, so I'll take the opportunity to do so now. > > Talk to you all on Nov. 30. > > On 2010-11-16 18:14, George Fletcher wrote: > > Please review and send corrections. It very possible I got > some of the > > security/crypto semantics wrong:) > > > > Thanks, > > George > > > > SSTC Call 16 Nov 2010 > > > > 1. Roll Call & Agenda Review. > > > > 2. Need a volunteer to take minutes. > > -- George Fletcher > > > > 3. Approval of minutes from last meetings: > > > > - Minutes from SSTC Call on 2 Nov 2010: > > > > > > > http://www.oasis-open.org/apps/org/workgroup/security/email/ar > chives/201011/msg00011.html > > > > Motion: Hal moves, John seconds, motion passes to > approve the minutes > > > > > > 4. AIs & progress update on current work-items: > > > > (a) Current electronic ballots: none currently open. > > > > (b) Status/notes regarding past ballots: > > > > (i) Service Provider Request Initiation Protocol and > > Profile V1.0 as a Committee Specification. > > Status: 11 out of 16 Yes (69%). > > > > (ii) SAML V2.0 Identity Assurance Profiles Version 1.0 as > > a Committee Specification. > > Status: 11 out of 15 Yes (73%). > > > > > > (c) Kerberos related items. [Josh/Thomas] > > - Kerberos Attribute Profile: > > - AI: Josh/Thomas will suggest additions to Attribute Profile. > > - AI: Thomas to move ahead with Web SSO and Subj Confirmation > > profiles. > > > > (d) SAML V2.0 Identity Assurance Profiles, Version 1.0 > > - Status: 15-day review closed on 10 Sept. > > - Status: Ballot passed 4 Nov. See above. > > > > Next steps: Mary to create a committee specification, Scott > > helping to generate > > the HTML. > > Scott: some ambiguity around specs that references it's own > > schema > > -- Mary requesting a designated cross reference > > -- not sure what is in the created package > > -- something to watch for in the future > > -- prefers a normative reference to the schema in > the document > > -- not concerned with fixing it for this spec > > -- Mary accepted the HTML that Scott generated > > > > (e) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0: > > - Status: Thomas to ask Mary for (i) CSD version > (from draft-03) > > and > > (ii) to Start new 15 day of CSD. > > > > Waiting on the the CSD from Mary > > Will ask Thomas to update the public template once the CSD is > > generated > > > > (f) Gregory Neven (IBM): Primelife Project (presentation) > - 30 mins. > > > > Presentation: > > > http://www.oasis-open.org/apps/org/workgroup/security/email/ar > chives/201011/msg00034.html > > > > Identity Mixer and U-Prove > > -- some technical differences > > -- U-Prove -- can only show a token once (one-time-use) > > -- Identity Mixer -- can generate as many tokens > as you want > > > > Slide 8: Maybe ConditionStatement should be PredicateStatement > > > > Ask: Is defining predicates over attributes a good idea? > > > > Tom Lockhard will act as liason between XACML and SS TCs Hal Lockhart will act as liason between XACML and SS TCs > > > > John Bradley: Proposing that SAML Assertions have ranges? > > -- Is the SAML Assertion a signed IDMix token? or > does the SAML > > Assertion > > contain signed IDMix tokens? > > -- Greg: Not yet defined how to put IDMix tokens into SAML > > Assertion > > -- would need a new XMLDSig mechanism > > -- could also support predicates over attributes > in normal > > SAML Assertions > > -- just loses the anonymous token featurs of IDMix or > > U-Prove > > > > What is the appeal of using SAML Assertions as a wrapper? > > -- already defined standard in wide use > > -- seems to be a natural extension > > > > Most of the challenges to define the full flow are on > the XACML > > side > > > > SAML work is standardization of the additional statement type > > -- also needs an AssertionRequest to specify predicates over > > attributes > > > > Do we need to support two issuers? > > -- issuer of the attributes > > -- issuer of the masked token > > -- Greg: in the case of IDMix technology > > -- the user is creating the SAML Assertion > > -- John: looked at this in the "infocard" TC > > -- called selective blinding > > -- generally need a smart client to take advantage of this > > -- may map ok to the existing SAML schema > > > > Scott: Does WS-Fed support any predicates over attributes > > -- WS-Trust allows for ranges or member of a set > > > > Scott: +1 using a different statement name > > -- how much of the XACML schema gets pulled in if we > pull in the > > predicate part? > > -- Hal: simplist is to pull in all the XACML > ConditionStatement > > -- Hal: it's just more work to subset the full > set, but may > > be the better option > > -- Greg: if not using IDMix, an online IDP could sign any > > predicate so > > recommending not doing too much sub-setting > > -- Hal: concern is that deployers don't want to > implement the > > full set > > -- Scott: maybe define a subset for at least conformance > > purposes > > -- Hal: One subset is the "target" functions > > > > Sufficient interest (based on conversation) to > standardize this > > in the SSTC > > AI: Greg to propose a working draft for the SSTC to consider > > -- focus on the "predicate statement", identify functions > > -- not a finished draft, rather initial profile > > > > (g) Hal Lockhart: Session Token Profile (new work) > > > > Purpose: pass state information between > > -- Assertion contain AuthenticationStatement and > AttributeStatement > > -- main state that will change frequently -- time of > last activity > > -- Mechanism (two options) > > -- Assertion signed [encrypted] and passed in a cookie > > -- Cookie contains unguessable "reference" that > resolves to > > the Assertion > > > > Some concern about cookie size and how store the > Assertion in a > > cookie > > > > Supporting RESTful transport for SAML protocols > > -- outside the scope of this profile > > > > Describe the Cookie passing mechanism of a new binding (as an > > option) > > > > Rob: Does the Assertion include an SSO Assertion? > > -- managing the different validatiy periods is important > > > > A bit like creating a Session Assertion instead of an > SSO Assertion > > -- call it SessionToken > > > > Scott: may be able to reuse the URI binding (designed to be > > unguessable) > > -- need to make sure that if reusing the URI binding, the > > non-collision > > values also need to be unguessable > > > > Hal: proposed reusing the Artifact Protocol > > -- Scott: the Artifact is a protocol message mechanism not an > > unguessable > > URI binding > > > > > > (h) NSN Attribute Management proposal (Thinh/Phil) - any updates? > > > > Phil: Draft posted before the last meeting > > -- no changes since the last posting > > -- if no questions, would like to move to CD > > > > Research community is looking at this but don't have feedback > > quite yet > > -- Chad: doesn't know if they will have feedback or not > > -- Tom: to provide Phil information by the end of the > week as to > > what the > > scope of changes might be > > > > Plan to wait for CD vote till the next SSTC call (two weeks) > > -- allow for more comments by those interested > > > > Scott: will try and do a schema pass before the next SSTC call > > > > > > (i) Channel binding proposal (Scott) - any updates? > > > > Scott: no updates > > -- some issues > > -- interest in determining if it's possible to inject > into web > > browsers > > > > > > (j) Metadata extension for Login/Discovery (Scott) - any updates? > > > > Scott: addition to add general searchable keywords > > -- will be updating the draft > > > > > > (k) Enhanced Client or Proxy Profile (Scott) - any updates? > > > > Scott: no updates > > -- still has to do the holder-of-key work > > -- resistence in the Kitten group about adopting two > different > > SAML proposals > > > > > > > --------------------------------------------------------------------- > > To unsubscribe from this mail list, you must leave the OASIS TC that > > generates this mail. Follow this link to all your TCs in OASIS at: > > > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr > oups.php > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]