Re: [security-services] Minutes 2010-11-16 Correction

[Anil Saldhana <Anil.Saldhana@redhat.com>]

Status Changes:  Rob Philpott regains voting rights.

On 11/30/2010 09:58 AM, Fletcher, George wrote:
> Thanks for the correction Hal.  Sorry about that.
>
> Thanks,
> George
>
> On Nov 30, 2010, at 10:03 AM, "Hal Lockhart"<hal.lockhart@oracle.com>  wrote:
>
>> My name is wrong in section (f)
>>
>>> -----Original Message-----
>>> From: Nate Klingenstein [mailto:ndk@internet2.edu]
>>> Sent: Wednesday, November 17, 2010 11:04 AM
>>> To: security-services@lists.oasis-open.org
>>> Subject: Re: [security-services] Minutes 2010-11-16 (no attendance)
>>>
>>>
>>> Tacking attendance on to the minutes:
>>>
>>> Hal Lockhart
>>> George Fletcher
>>> Rob Philpott
>>> Gregory Neven
>>> Franz-Stefan Preiss
>>> John Bradley
>>> Scott Cantor
>>> Nathan Klingenstein
>>> Chad La Joie
>>> Bob Morgan
>>> Anthony Nadalin
>>> Frederick Hirsch
>>> Phil Hunt
>>> Ari Kermaier
>>> Hal Lockhart
>>> Emily Xu
>>> David Staggs
>>>
>>> And, I forgot to thank George at the end of the call for taking these
>>> minutes, so I'll take the opportunity to do so now.
>>>
>>> Talk to you all on Nov. 30.
>>>
>>> On 2010-11-16 18:14, George Fletcher wrote:
>>>> Please review and send corrections. It very possible I got
>>> some of the
>>>> security/crypto semantics wrong:)
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>> SSTC Call 16 Nov 2010
>>>>
>>>> 1. Roll Call&  Agenda Review.
>>>>
>>>> 2. Need a volunteer to take minutes.
>>>>    -- George Fletcher
>>>>
>>>> 3. Approval of minutes from last meetings:
>>>>
>>>>    - Minutes from SSTC Call on 2 Nov 2010:
>>>>
>>>>
>>>>
>>> http://www.oasis-open.org/apps/org/workgroup/security/email/ar
>>> chives/201011/msg00011.html
>>>>     Motion: Hal moves, John seconds, motion passes to
>>> approve the minutes
>>>>
>>>> 4. AIs&  progress update on current work-items:
>>>>
>>>>   (a) Current electronic ballots: none currently open.
>>>>
>>>>   (b) Status/notes regarding past ballots:
>>>>
>>>>      (i)  Service Provider Request Initiation Protocol and
>>>>           Profile V1.0 as a Committee Specification.
>>>>           Status: 11 out of 16 Yes (69%).
>>>>
>>>>      (ii) SAML V2.0 Identity Assurance Profiles Version 1.0 as
>>>>           a Committee Specification.
>>>>           Status: 11 out of 15 Yes (73%).
>>>>
>>>>
>>>>   (c) Kerberos related items. [Josh/Thomas]
>>>>       - Kerberos Attribute Profile:
>>>>       - AI: Josh/Thomas will suggest additions to Attribute Profile.
>>>>       - AI: Thomas to move ahead with Web SSO and Subj Confirmation
>>>> profiles.
>>>>
>>>>   (d) SAML V2.0 Identity Assurance Profiles, Version 1.0
>>>>       - Status: 15-day review closed on 10 Sept.
>>>>       - Status:  Ballot passed 4 Nov. See above.
>>>>
>>>>       Next steps: Mary to create a committee specification, Scott
>>>> helping to generate
>>>>         the HTML.
>>>>         Scott: some ambiguity around specs that references it's own
>>>> schema
>>>>         -- Mary requesting a designated cross reference
>>>>         -- not sure what is in the created package
>>>>         -- something to watch for in the future
>>>>         -- prefers a normative reference to the schema in
>>> the document
>>>>         -- not concerned with fixing it for this spec
>>>>         -- Mary accepted the HTML that Scott generated
>>>>
>>>>   (e) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0:
>>>>       - Status: Thomas to ask Mary for (i) CSD version
>>> (from draft-03)
>>>> and
>>>>         (ii) to Start new 15 day of CSD.
>>>>
>>>>       Waiting on the the CSD from Mary
>>>>       Will ask Thomas to update the public template once the CSD is
>>>> generated
>>>>
>>>>   (f) Gregory Neven (IBM): Primelife Project (presentation)
>>> - 30 mins.
>>>>       Presentation:
>>>>
>>> http://www.oasis-open.org/apps/org/workgroup/security/email/ar
>>> chives/201011/msg00034.html
>>>>       Identity Mixer and U-Prove
>>>>       -- some technical differences
>>>>          -- U-Prove -- can only show a token once (one-time-use)
>>>>          -- Identity Mixer -- can generate as many tokens
>>> as you want
>>>>       Slide 8: Maybe ConditionStatement should be PredicateStatement
>>>>
>>>>       Ask: Is defining predicates over attributes a good idea?
>>>>
>>>>       Tom Lockhard will act as liason between XACML and SS TCs
>> Hal Lockhart will act as liason between XACML and SS TCs
>>
>>>>       John Bradley: Proposing that SAML Assertions have ranges?
>>>>        -- Is the SAML Assertion a signed IDMix token? or
>>> does the SAML
>>>> Assertion
>>>>           contain signed IDMix tokens?
>>>>        -- Greg: Not yet defined how to put IDMix tokens into SAML
>>>> Assertion
>>>>           -- would need a new XMLDSig mechanism
>>>>           -- could also support predicates over attributes
>>> in normal
>>>> SAML Assertions
>>>>              -- just loses the anonymous token featurs of IDMix or
>>>> U-Prove
>>>>
>>>>       What is the appeal of using SAML Assertions as a wrapper?
>>>>       -- already defined standard in wide use
>>>>       -- seems to be a natural extension
>>>>
>>>>       Most of the challenges to define the full flow are on
>>> the XACML
>>>> side
>>>>
>>>>       SAML work is standardization of the additional statement type
>>>>       -- also needs an AssertionRequest to specify predicates over
>>>> attributes
>>>>
>>>>       Do we need to support two issuers?
>>>>       -- issuer of the attributes
>>>>       -- issuer of the masked token
>>>>       -- Greg: in the case of IDMix technology
>>>>          -- the user is creating the SAML Assertion
>>>>       -- John: looked at this in the "infocard" TC
>>>>          -- called selective blinding
>>>>          -- generally need a smart client to take advantage of this
>>>>       -- may map ok to the existing SAML schema
>>>>
>>>>       Scott: Does WS-Fed support any predicates over attributes
>>>>       -- WS-Trust allows for ranges or member of a set
>>>>
>>>>       Scott: +1 using a different statement name
>>>>       -- how much of the XACML schema gets pulled in if we
>>> pull in the
>>>> predicate part?
>>>>          -- Hal: simplist is to pull in all the XACML
>>> ConditionStatement
>>>>          -- Hal: it's just more work to subset the full
>>> set, but may
>>>> be the better option
>>>>       -- Greg: if not using IDMix, an online IDP could sign any
>>>> predicate so
>>>>          recommending not doing too much sub-setting
>>>>          -- Hal: concern is that deployers don't want to
>>> implement the
>>>> full set
>>>>          -- Scott: maybe define a subset for at least conformance
>>>> purposes
>>>>       -- Hal: One subset is the "target" functions
>>>>
>>>>       Sufficient interest (based on conversation) to
>>> standardize this
>>>> in the SSTC
>>>>       AI: Greg to propose a working draft for the SSTC to consider
>>>>       -- focus on the "predicate statement", identify functions
>>>>       -- not a finished draft, rather initial profile
>>>>
>>>>   (g) Hal Lockhart:  Session Token Profile (new work)
>>>>
>>>>       Purpose: pass state information between
>>>>       -- Assertion contain AuthenticationStatement and
>>> AttributeStatement
>>>>       -- main state that will change frequently -- time of
>>> last activity
>>>>       -- Mechanism (two options)
>>>>          -- Assertion signed [encrypted] and passed in a cookie
>>>>          -- Cookie contains unguessable "reference" that
>>> resolves to
>>>> the Assertion
>>>>
>>>>       Some concern about cookie size and how store the
>>> Assertion in a
>>>> cookie
>>>>
>>>>       Supporting RESTful transport for SAML protocols
>>>>       -- outside the scope of this profile
>>>>
>>>>       Describe the Cookie passing mechanism of a new binding (as an
>>>> option)
>>>>
>>>>       Rob: Does the Assertion include an SSO Assertion?
>>>>       -- managing the different validatiy periods is important
>>>>
>>>>       A bit like creating a Session Assertion instead of an
>>> SSO Assertion
>>>>       -- call it SessionToken
>>>>
>>>>       Scott: may be able to reuse the URI binding (designed to be
>>>> unguessable)
>>>>       -- need to make sure that if reusing the URI binding, the
>>>> non-collision
>>>>          values also need to be unguessable
>>>>
>>>>       Hal: proposed reusing the Artifact Protocol
>>>>       -- Scott: the Artifact is a protocol message mechanism not an
>>>> unguessable
>>>>                 URI binding
>>>>
>>>>
>>>>   (h) NSN Attribute Management proposal (Thinh/Phil) - any updates?
>>>>
>>>>       Phil: Draft posted before the last meeting
>>>>       -- no changes since the last posting
>>>>       -- if no questions, would like to move to CD
>>>>
>>>>       Research community is looking at this but don't have feedback
>>>> quite yet
>>>>       -- Chad: doesn't know if they will have feedback or not
>>>>       -- Tom: to provide Phil information by the end of the
>>> week as to
>>>> what the
>>>>               scope of changes might be
>>>>
>>>>       Plan to wait for CD vote till the next SSTC call (two weeks)
>>>>       -- allow for more comments by those interested
>>>>
>>>>       Scott: will try and do a schema pass before the next SSTC call
>>>>
>>>>
>>>>   (i) Channel binding proposal (Scott) - any updates?
>>>>
>>>>       Scott: no updates
>>>>       -- some issues
>>>>       -- interest in determining if it's possible to inject
>>> into web
>>>> browsers
>>>>
>>>>
>>>>   (j) Metadata extension for Login/Discovery (Scott) - any updates?
>>>>
>>>>       Scott: addition to add general searchable keywords
>>>>       -- will be updating the draft
>>>>
>>>>
>>>>   (k) Enhanced Client or Proxy Profile (Scott) - any updates?
>>>>
>>>>       Scott: no updates
>>>>       -- still has to do the holder-of-key work
>>>>       -- resistence in the Kitten group about adopting two
>>> different
>>>> SAML proposals
>>>>
>>>>