[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Minutes 2010-11-16 Correction
Thanks for the correction Hal. Sorry about that. Thanks, George On Nov 30, 2010, at 10:03 AM, "Hal Lockhart" <hal.lockhart@oracle.com> wrote: > My name is wrong in section (f) > >> -----Original Message----- >> From: Nate Klingenstein [mailto:ndk@internet2.edu] >> Sent: Wednesday, November 17, 2010 11:04 AM >> To: security-services@lists.oasis-open.org >> Subject: Re: [security-services] Minutes 2010-11-16 (no attendance) >> >> >> Tacking attendance on to the minutes: >> >> Hal Lockhart >> George Fletcher >> Rob Philpott >> Gregory Neven >> Franz-Stefan Preiss >> John Bradley >> Scott Cantor >> Nathan Klingenstein >> Chad La Joie >> Bob Morgan >> Anthony Nadalin >> Frederick Hirsch >> Phil Hunt >> Ari Kermaier >> Hal Lockhart >> Emily Xu >> David Staggs >> >> And, I forgot to thank George at the end of the call for taking these >> minutes, so I'll take the opportunity to do so now. >> >> Talk to you all on Nov. 30. >> >> On 2010-11-16 18:14, George Fletcher wrote: >>> Please review and send corrections. It very possible I got >> some of the >>> security/crypto semantics wrong:) >>> >>> Thanks, >>> George >>> >>> SSTC Call 16 Nov 2010 >>> >>> 1. Roll Call & Agenda Review. >>> >>> 2. Need a volunteer to take minutes. >>> -- George Fletcher >>> >>> 3. Approval of minutes from last meetings: >>> >>> - Minutes from SSTC Call on 2 Nov 2010: >>> >>> >>> >> http://www.oasis-open.org/apps/org/workgroup/security/email/ar >> chives/201011/msg00011.html >>> >>> Motion: Hal moves, John seconds, motion passes to >> approve the minutes >>> >>> >>> 4. AIs & progress update on current work-items: >>> >>> (a) Current electronic ballots: none currently open. >>> >>> (b) Status/notes regarding past ballots: >>> >>> (i) Service Provider Request Initiation Protocol and >>> Profile V1.0 as a Committee Specification. >>> Status: 11 out of 16 Yes (69%). >>> >>> (ii) SAML V2.0 Identity Assurance Profiles Version 1.0 as >>> a Committee Specification. >>> Status: 11 out of 15 Yes (73%). >>> >>> >>> (c) Kerberos related items. [Josh/Thomas] >>> - Kerberos Attribute Profile: >>> - AI: Josh/Thomas will suggest additions to Attribute Profile. >>> - AI: Thomas to move ahead with Web SSO and Subj Confirmation >>> profiles. >>> >>> (d) SAML V2.0 Identity Assurance Profiles, Version 1.0 >>> - Status: 15-day review closed on 10 Sept. >>> - Status: Ballot passed 4 Nov. See above. >>> >>> Next steps: Mary to create a committee specification, Scott >>> helping to generate >>> the HTML. >>> Scott: some ambiguity around specs that references it's own >>> schema >>> -- Mary requesting a designated cross reference >>> -- not sure what is in the created package >>> -- something to watch for in the future >>> -- prefers a normative reference to the schema in >> the document >>> -- not concerned with fixing it for this spec >>> -- Mary accepted the HTML that Scott generated >>> >>> (e) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0: >>> - Status: Thomas to ask Mary for (i) CSD version >> (from draft-03) >>> and >>> (ii) to Start new 15 day of CSD. >>> >>> Waiting on the the CSD from Mary >>> Will ask Thomas to update the public template once the CSD is >>> generated >>> >>> (f) Gregory Neven (IBM): Primelife Project (presentation) >> - 30 mins. >>> >>> Presentation: >>> >> http://www.oasis-open.org/apps/org/workgroup/security/email/ar >> chives/201011/msg00034.html >>> >>> Identity Mixer and U-Prove >>> -- some technical differences >>> -- U-Prove -- can only show a token once (one-time-use) >>> -- Identity Mixer -- can generate as many tokens >> as you want >>> >>> Slide 8: Maybe ConditionStatement should be PredicateStatement >>> >>> Ask: Is defining predicates over attributes a good idea? >>> >>> Tom Lockhard will act as liason between XACML and SS TCs > > Hal Lockhart will act as liason between XACML and SS TCs > >>> >>> John Bradley: Proposing that SAML Assertions have ranges? >>> -- Is the SAML Assertion a signed IDMix token? or >> does the SAML >>> Assertion >>> contain signed IDMix tokens? >>> -- Greg: Not yet defined how to put IDMix tokens into SAML >>> Assertion >>> -- would need a new XMLDSig mechanism >>> -- could also support predicates over attributes >> in normal >>> SAML Assertions >>> -- just loses the anonymous token featurs of IDMix or >>> U-Prove >>> >>> What is the appeal of using SAML Assertions as a wrapper? >>> -- already defined standard in wide use >>> -- seems to be a natural extension >>> >>> Most of the challenges to define the full flow are on >> the XACML >>> side >>> >>> SAML work is standardization of the additional statement type >>> -- also needs an AssertionRequest to specify predicates over >>> attributes >>> >>> Do we need to support two issuers? >>> -- issuer of the attributes >>> -- issuer of the masked token >>> -- Greg: in the case of IDMix technology >>> -- the user is creating the SAML Assertion >>> -- John: looked at this in the "infocard" TC >>> -- called selective blinding >>> -- generally need a smart client to take advantage of this >>> -- may map ok to the existing SAML schema >>> >>> Scott: Does WS-Fed support any predicates over attributes >>> -- WS-Trust allows for ranges or member of a set >>> >>> Scott: +1 using a different statement name >>> -- how much of the XACML schema gets pulled in if we >> pull in the >>> predicate part? >>> -- Hal: simplist is to pull in all the XACML >> ConditionStatement >>> -- Hal: it's just more work to subset the full >> set, but may >>> be the better option >>> -- Greg: if not using IDMix, an online IDP could sign any >>> predicate so >>> recommending not doing too much sub-setting >>> -- Hal: concern is that deployers don't want to >> implement the >>> full set >>> -- Scott: maybe define a subset for at least conformance >>> purposes >>> -- Hal: One subset is the "target" functions >>> >>> Sufficient interest (based on conversation) to >> standardize this >>> in the SSTC >>> AI: Greg to propose a working draft for the SSTC to consider >>> -- focus on the "predicate statement", identify functions >>> -- not a finished draft, rather initial profile >>> >>> (g) Hal Lockhart: Session Token Profile (new work) >>> >>> Purpose: pass state information between >>> -- Assertion contain AuthenticationStatement and >> AttributeStatement >>> -- main state that will change frequently -- time of >> last activity >>> -- Mechanism (two options) >>> -- Assertion signed [encrypted] and passed in a cookie >>> -- Cookie contains unguessable "reference" that >> resolves to >>> the Assertion >>> >>> Some concern about cookie size and how store the >> Assertion in a >>> cookie >>> >>> Supporting RESTful transport for SAML protocols >>> -- outside the scope of this profile >>> >>> Describe the Cookie passing mechanism of a new binding (as an >>> option) >>> >>> Rob: Does the Assertion include an SSO Assertion? >>> -- managing the different validatiy periods is important >>> >>> A bit like creating a Session Assertion instead of an >> SSO Assertion >>> -- call it SessionToken >>> >>> Scott: may be able to reuse the URI binding (designed to be >>> unguessable) >>> -- need to make sure that if reusing the URI binding, the >>> non-collision >>> values also need to be unguessable >>> >>> Hal: proposed reusing the Artifact Protocol >>> -- Scott: the Artifact is a protocol message mechanism not an >>> unguessable >>> URI binding >>> >>> >>> (h) NSN Attribute Management proposal (Thinh/Phil) - any updates? >>> >>> Phil: Draft posted before the last meeting >>> -- no changes since the last posting >>> -- if no questions, would like to move to CD >>> >>> Research community is looking at this but don't have feedback >>> quite yet >>> -- Chad: doesn't know if they will have feedback or not >>> -- Tom: to provide Phil information by the end of the >> week as to >>> what the >>> scope of changes might be >>> >>> Plan to wait for CD vote till the next SSTC call (two weeks) >>> -- allow for more comments by those interested >>> >>> Scott: will try and do a schema pass before the next SSTC call >>> >>> >>> (i) Channel binding proposal (Scott) - any updates? >>> >>> Scott: no updates >>> -- some issues >>> -- interest in determining if it's possible to inject >> into web >>> browsers >>> >>> >>> (j) Metadata extension for Login/Discovery (Scott) - any updates? >>> >>> Scott: addition to add general searchable keywords >>> -- will be updating the draft >>> >>> >>> (k) Enhanced Client or Proxy Profile (Scott) - any updates? >>> >>> Scott: no updates >>> -- still has to do the holder-of-key work >>> -- resistence in the Kitten group about adopting two >> different >>> SAML proposals >>> >>> >>> >> --------------------------------------------------------------------- >>> To unsubscribe from this mail list, you must leave the OASIS TC that >>> generates this mail. Follow this link to all your TCs in OASIS at: >>> >> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe from this mail list, you must leave the OASIS TC that >> generates this mail. Follow this link to all your TCs in OASIS at: >> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr >> oups.php >> >> > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]