OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] Proposed Minutes for SSTC Call (26 July 2011)


On 07/26/2011 12:19 PM, Nate Klingenstein wrote:

1. Roll Call & Agenda Review.

Voting Members:
----------------------    
Franz-Stefan Preiss     IBM    
Scott Cantor     Internet2    
Nathan Klingenstein     Internet2    
Chad La Joie     Internet2    
Thomas Hardjono     M.I.T.    
Frederick Hirsch     Nokia Corporation  
Anil Saldhana     Red Hat    

Members:
Gregory Neven     IBM
Hal Lockhart     Oracle
Ari Kermaier     Oracle    

Quorum: 7 out of 7 voting members (100%)

Status Changes:  According to Oasis TC Policy, non-quorated meetings are counted towards your voting eligibility.
http://www.oasis-open.org/policies-guidelines/tc-process#meetings
"Meetings without Quorum shall still count towards attendance for purposes of Members gaining, maintaining, or losing voting rights."


Quorum was achieved with all voting members in attendance.

2. Need a volunteer to take minutes.

Nate volunteered to take the minutes.

3. Approval of minutes from last meetings:

(i) Minutes from SSTC Call on 14 June 2011:
http://lists.oasis-open.org/archives/security-services/201106/msg00015.html

Scott moved to approve the minutes and Nate seconded.  No objections were raised.


As quorum was not achieved on these calls, there are no minutes to approve.  These notes were, however, adopted by the SSTC.

 (c) Session Token Profile (Hal)
     - Status: CSD02 - PR02
     - Status: PR started 11 July 2011 and ends Tuesday, 26 July 2011.

http://lists.oasis-open.org/archives/security-services/201107/msg00008.html

The public review closed on the day of the call.  Only one comment was received, but he feels he cannot ignore it.  It's technically not in scope, but there is a new RFC for HTTP cookies.  It looks like a big improvement to him, but a change is that the HttpOnly attribute has been standardized.  There will probably be another revision that changes all normative references from the old RFC to the new RFC and the comment about HttpOnly being non-standard will be removed.

After that, another CSD will be created and another 15 day review period will be triggered.

 (d) Attribute Predicate Profile (Gregory/Franz-Stefan)
     - Status: WD01 uploaded May 16.
     - AI:  Uploaded WD03.
     - Any updates?

No major updates have been made to the attribute predicate profile.  WD03 was uploaded a month ago and no comments have been received from the SSTC on the calls or on the list.

Franz-Stefan moved to proceed WD03 of the attribute predicate profile to CSD01, and he also wants to request a 30 day public review.  Nate seconded, and there were no objections.


 (e) Kerberos profiles: [Josh/Thomas]
     - Status: CS Ballots created for the 3 Kerberos docs
     - Status: Will resubmit ballot in August (after vacation season).

Josh and Thomas would like to resubmit these profiles for approval after the prior ballots failed to gain enough votes to get approval.  New ballots need to be created for each of the documents.

Hal moved to ask TC-Admin to do a new CS ballot for all three following Kerberos documents.  Scott seconded.


 (f) Change Notify Protocol Version 1.0 (Thinh/Phil)
     - Status: Request submitted for 15-day CSD Public Review.
     - Status 15 day CSD PR request still in TC-Admin Queue (#534).

http://tools.oasis-open.org/issues/browse/TCADMIN-534

Neither Thinh nor Phil was available for the call.  However, this request is still sitting in the TC-Admin Queue, for reasons that are not clear.  Hal investigated the status of -534 and the corresponding CSD request -528 and found no progress in two weeks, so Thomas will investigate the current status with TC-Admin.

 (g) Channel binding proposal (Scott)
     - Status: awaiting other items in other groups.
     - Any updates?

No updates.

 (h) Enhanced Client or Proxy Profile (Scott)
     - Status: WD02 uploaded last week.
     - Status: work waiting for items in IETF Kitten WG.
     - Any updates?

No updates.

 (i) Metadata Extensions for Documentation/Registration (Chad)
     - Status: WD07 uploaded June 23rd.
     - AI: Chad asks SSTC for
        (a) vote for WD07 to become CSD02, and
        (b) public review (15-day PR).
     - Status: will request TC when TC achieves quorum.

Chad officially moved to vote for WD07 to become CSD02 and to request a public review.  Scott seconded the request, and there were no objections.

Chad will verify that a zip file containing all the relevant files has been uploaded and he will submit the request.


 (j) Errata document (Scott):
     - PE-12.
     - Any updates?

http://lists.oasis-open.org/archives/security-services/201106/msg00036.html

Scott is ready to get PE-12 adopted, following a final revision on June 29.  This was in response to feedback from the paper authors, and the consensus is that PE-12 is basically done.  He wants to move for PE-12 to be added to the draft errata document when it is next prepared.  Hal seconded, with no objections, and the motion passed.

It's been a while since an errata has been filed, but Scott wants to file another errata soon as regards XML signature wrapping attacks on SAML implementations.  He doesn't have a great idea about what to put in the documents because the flaws are generally implementation flaws rather than specification flaws, but there's at least one concrete errata that he wants to move on: blocking use of the Object element should be recommended.

Scott hopes to prepare this errata within the next call or two.  January or February is when these researchers want to go fully public, but some implementations were vulnerable and already have patches released.

 (k) Metadata Extensions for Login and Discovery User (MDUI) (Scott)
     - Status: WD07 uploaded 27 June 2011.
     - Status: WD ready for CSD. Asking for full Public Review.

Two more working drafts correcting small errors have been uploaded, with the diff going against WD06.  There is a security considerations section now.  The only substantive change is responding to a request to allow the space character in keywords by escaping it using the + character as a substitution.  WD08 fixed a namespace, and WD09 explains that the + character is not permissible in keywords because it will be treated as an escaped space.

Scott moved to adopt WD09, which he uploaded July 25, as CSD01 for Login and Discovery UI, and he also requests a 30 day public review.  Chad seconded.  Nobody objected and the motion passed.


7. Next SSTC Call:
  - Tue 09 August 2011

We look forward to talking to you then.


