[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Minutes 2010-11-16 Correction
Status Changes: Rob Philpott regains voting rights. On 11/30/2010 09:58 AM, Fletcher, George wrote: > Thanks for the correction Hal. Sorry about that. > > Thanks, > George > > On Nov 30, 2010, at 10:03 AM, "Hal Lockhart"<hal.lockhart@oracle.com> wrote: > >> My name is wrong in section (f) >> >>> -----Original Message----- >>> From: Nate Klingenstein [mailto:ndk@internet2.edu] >>> Sent: Wednesday, November 17, 2010 11:04 AM >>> To: security-services@lists.oasis-open.org >>> Subject: Re: [security-services] Minutes 2010-11-16 (no attendance) >>> >>> >>> Tacking attendance on to the minutes: >>> >>> Hal Lockhart >>> George Fletcher >>> Rob Philpott >>> Gregory Neven >>> Franz-Stefan Preiss >>> John Bradley >>> Scott Cantor >>> Nathan Klingenstein >>> Chad La Joie >>> Bob Morgan >>> Anthony Nadalin >>> Frederick Hirsch >>> Phil Hunt >>> Ari Kermaier >>> Hal Lockhart >>> Emily Xu >>> David Staggs >>> >>> And, I forgot to thank George at the end of the call for taking these >>> minutes, so I'll take the opportunity to do so now. >>> >>> Talk to you all on Nov. 30. >>> >>> On 2010-11-16 18:14, George Fletcher wrote: >>>> Please review and send corrections. It very possible I got >>> some of the >>>> security/crypto semantics wrong:) >>>> >>>> Thanks, >>>> George >>>> >>>> SSTC Call 16 Nov 2010 >>>> >>>> 1. Roll Call& Agenda Review. >>>> >>>> 2. Need a volunteer to take minutes. >>>> -- George Fletcher >>>> >>>> 3. Approval of minutes from last meetings: >>>> >>>> - Minutes from SSTC Call on 2 Nov 2010: >>>> >>>> >>>> >>> http://www.oasis-open.org/apps/org/workgroup/security/email/ar >>> chives/201011/msg00011.html >>>> Motion: Hal moves, John seconds, motion passes to >>> approve the minutes >>>> >>>> 4. AIs& progress update on current work-items: >>>> >>>> (a) Current electronic ballots: none currently open. >>>> >>>> (b) Status/notes regarding past ballots: >>>> >>>> (i) Service Provider Request Initiation Protocol and >>>> Profile V1.0 as a Committee Specification. >>>> Status: 11 out of 16 Yes (69%). >>>> >>>> (ii) SAML V2.0 Identity Assurance Profiles Version 1.0 as >>>> a Committee Specification. >>>> Status: 11 out of 15 Yes (73%). >>>> >>>> >>>> (c) Kerberos related items. [Josh/Thomas] >>>> - Kerberos Attribute Profile: >>>> - AI: Josh/Thomas will suggest additions to Attribute Profile. >>>> - AI: Thomas to move ahead with Web SSO and Subj Confirmation >>>> profiles. >>>> >>>> (d) SAML V2.0 Identity Assurance Profiles, Version 1.0 >>>> - Status: 15-day review closed on 10 Sept. >>>> - Status: Ballot passed 4 Nov. See above. >>>> >>>> Next steps: Mary to create a committee specification, Scott >>>> helping to generate >>>> the HTML. >>>> Scott: some ambiguity around specs that references it's own >>>> schema >>>> -- Mary requesting a designated cross reference >>>> -- not sure what is in the created package >>>> -- something to watch for in the future >>>> -- prefers a normative reference to the schema in >>> the document >>>> -- not concerned with fixing it for this spec >>>> -- Mary accepted the HTML that Scott generated >>>> >>>> (e) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0: >>>> - Status: Thomas to ask Mary for (i) CSD version >>> (from draft-03) >>>> and >>>> (ii) to Start new 15 day of CSD. >>>> >>>> Waiting on the the CSD from Mary >>>> Will ask Thomas to update the public template once the CSD is >>>> generated >>>> >>>> (f) Gregory Neven (IBM): Primelife Project (presentation) >>> - 30 mins. >>>> Presentation: >>>> >>> http://www.oasis-open.org/apps/org/workgroup/security/email/ar >>> chives/201011/msg00034.html >>>> Identity Mixer and U-Prove >>>> -- some technical differences >>>> -- U-Prove -- can only show a token once (one-time-use) >>>> -- Identity Mixer -- can generate as many tokens >>> as you want >>>> Slide 8: Maybe ConditionStatement should be PredicateStatement >>>> >>>> Ask: Is defining predicates over attributes a good idea? >>>> >>>> Tom Lockhard will act as liason between XACML and SS TCs >> Hal Lockhart will act as liason between XACML and SS TCs >> >>>> John Bradley: Proposing that SAML Assertions have ranges? >>>> -- Is the SAML Assertion a signed IDMix token? or >>> does the SAML >>>> Assertion >>>> contain signed IDMix tokens? >>>> -- Greg: Not yet defined how to put IDMix tokens into SAML >>>> Assertion >>>> -- would need a new XMLDSig mechanism >>>> -- could also support predicates over attributes >>> in normal >>>> SAML Assertions >>>> -- just loses the anonymous token featurs of IDMix or >>>> U-Prove >>>> >>>> What is the appeal of using SAML Assertions as a wrapper? >>>> -- already defined standard in wide use >>>> -- seems to be a natural extension >>>> >>>> Most of the challenges to define the full flow are on >>> the XACML >>>> side >>>> >>>> SAML work is standardization of the additional statement type >>>> -- also needs an AssertionRequest to specify predicates over >>>> attributes >>>> >>>> Do we need to support two issuers? >>>> -- issuer of the attributes >>>> -- issuer of the masked token >>>> -- Greg: in the case of IDMix technology >>>> -- the user is creating the SAML Assertion >>>> -- John: looked at this in the "infocard" TC >>>> -- called selective blinding >>>> -- generally need a smart client to take advantage of this >>>> -- may map ok to the existing SAML schema >>>> >>>> Scott: Does WS-Fed support any predicates over attributes >>>> -- WS-Trust allows for ranges or member of a set >>>> >>>> Scott: +1 using a different statement name >>>> -- how much of the XACML schema gets pulled in if we >>> pull in the >>>> predicate part? >>>> -- Hal: simplist is to pull in all the XACML >>> ConditionStatement >>>> -- Hal: it's just more work to subset the full >>> set, but may >>>> be the better option >>>> -- Greg: if not using IDMix, an online IDP could sign any >>>> predicate so >>>> recommending not doing too much sub-setting >>>> -- Hal: concern is that deployers don't want to >>> implement the >>>> full set >>>> -- Scott: maybe define a subset for at least conformance >>>> purposes >>>> -- Hal: One subset is the "target" functions >>>> >>>> Sufficient interest (based on conversation) to >>> standardize this >>>> in the SSTC >>>> AI: Greg to propose a working draft for the SSTC to consider >>>> -- focus on the "predicate statement", identify functions >>>> -- not a finished draft, rather initial profile >>>> >>>> (g) Hal Lockhart: Session Token Profile (new work) >>>> >>>> Purpose: pass state information between >>>> -- Assertion contain AuthenticationStatement and >>> AttributeStatement >>>> -- main state that will change frequently -- time of >>> last activity >>>> -- Mechanism (two options) >>>> -- Assertion signed [encrypted] and passed in a cookie >>>> -- Cookie contains unguessable "reference" that >>> resolves to >>>> the Assertion >>>> >>>> Some concern about cookie size and how store the >>> Assertion in a >>>> cookie >>>> >>>> Supporting RESTful transport for SAML protocols >>>> -- outside the scope of this profile >>>> >>>> Describe the Cookie passing mechanism of a new binding (as an >>>> option) >>>> >>>> Rob: Does the Assertion include an SSO Assertion? >>>> -- managing the different validatiy periods is important >>>> >>>> A bit like creating a Session Assertion instead of an >>> SSO Assertion >>>> -- call it SessionToken >>>> >>>> Scott: may be able to reuse the URI binding (designed to be >>>> unguessable) >>>> -- need to make sure that if reusing the URI binding, the >>>> non-collision >>>> values also need to be unguessable >>>> >>>> Hal: proposed reusing the Artifact Protocol >>>> -- Scott: the Artifact is a protocol message mechanism not an >>>> unguessable >>>> URI binding >>>> >>>> >>>> (h) NSN Attribute Management proposal (Thinh/Phil) - any updates? >>>> >>>> Phil: Draft posted before the last meeting >>>> -- no changes since the last posting >>>> -- if no questions, would like to move to CD >>>> >>>> Research community is looking at this but don't have feedback >>>> quite yet >>>> -- Chad: doesn't know if they will have feedback or not >>>> -- Tom: to provide Phil information by the end of the >>> week as to >>>> what the >>>> scope of changes might be >>>> >>>> Plan to wait for CD vote till the next SSTC call (two weeks) >>>> -- allow for more comments by those interested >>>> >>>> Scott: will try and do a schema pass before the next SSTC call >>>> >>>> >>>> (i) Channel binding proposal (Scott) - any updates? >>>> >>>> Scott: no updates >>>> -- some issues >>>> -- interest in determining if it's possible to inject >>> into web >>>> browsers >>>> >>>> >>>> (j) Metadata extension for Login/Discovery (Scott) - any updates? >>>> >>>> Scott: addition to add general searchable keywords >>>> -- will be updating the draft >>>> >>>> >>>> (k) Enhanced Client or Proxy Profile (Scott) - any updates? >>>> >>>> Scott: no updates >>>> -- still has to do the holder-of-key work >>>> -- resistence in the Kitten group about adopting two >>> different >>>> SAML proposals >>>> >>>>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]