security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [security-services] Proposed Agenda for SSTC telecon (24 January 2012)


And here are the notes:

On Fri, Jan 20, 2012 at 11:38, Thomas Hardjono <hardjono@mit.edu> wrote:
> AGENDA:
>
> 1. Roll Call & Agenda Review.

The following people were present:
John Bradley
Scott Cantor
Thomas Hardjono
Fredrik Hirsch
Nate Klingenstein
Chad La Joie
Hal Lockhart
Tony Nadalin

Quorum was achieved with 4 out of 6 voting members present

> 2. Need a volunteer to take minutes.

Chad will take minutes

> 3. Approval of minutes from last meetings:
>
>   Minutes from SSTC Call on 10 January 2012:
> http://lists.oasis-open.org/archives/security-services/201201/msg00014.html

Hal motioned to accept, Nate seconded.  No objection.  Motion passes,
minutes accepted.

> 4. AIs & progress update on current work-items:
>
>  (a) Current electronic ballots: (none)

nothing to discuss

>  (b) Status/notes regarding past ballots: (none)

nothing to discuss

>  (c) Kerberos Web browser SSO Profile (Josh/Thomas)
>      - Status: CSD and 15-day PR closed.
>      - No comments received during 15-day PR.
>      - AI: Request ballot creation for CS.

Hal moves TC Admin create ballot for committee specification of
Kerberos Web Browser SSO Profile.  Scott seconds.  No objection.
Motion passes.

>  (d) Metadata Extensions for Documentation/Registration (Chad)
>      - Status:  sstc-saml-metadata-rpi-v1.0-wd09.zip uploaded
>      - Status:  CSD2 and open 15 day PR approved at 1/10/2012 telecon.
>      - AI: Chad to submit request to TC-admin.

On TC Admins list; ticket numbers 827, 828

>  (e) Metadata Extensions for Login and Discovery User (MDUI) (Scott)
>      - Status: WD10 uploaded.
>      - Status: CSD3 and open 15 day PR approved at 1/10/2012 telecon.
>      - AI: Scott to submit request to TC-admin.

Submitted to the TC Admin queue

>  (f) SAML2.0 Approved Errata (Scott)
>       - SECURITY-16 PE: Mitigation for XML Encryption CBC deficiencies
>       - Status: text updated 1/10/2012
>
> http://lists.oasis-open.org/archives/security-services/201201/msg00011.html

No changes in wording since last call.  Scott will start work on
errata document when some items get cleared off his plate.

>  (g) SAML 2.0.1 and Security Considerations doc
>      - Plans for 2012?

Nate: We would like to proceed with this.  The most substantive aspect
of that work would be security consideration and conformance.  The
rest is rolling red-line errata in to the specification.

Scott: Conformance will require more work than security consideration.
No consensus yet on what a new conformance document would look like.

Scott: Also a question about whether to roll in various extensions and
whether they are mandatory to implement.

Hal: We agreed we'd do 2.0.1 and it would cover three areas:
  - clarifying document while maintaining on-the-wire compatibility
  - security considerations
  - conformance
  - extensions

Hal: It's been a while since the last SAML release.  We should not
feel constrained in changing the schema.

Hal & Scott: The specification and protocol versions were separated in
v2.  So we could rev the specification without changing the protocol
version.

Scott: Just cleaning up red-lines will be of limited use.  People who
have implemented SAML already won't get much out of that work.  For
this to be useful, implementations metadata and IOP need to be
mandatory to implement.

Scott: Insofar as the work of producing the new document, it would be
hard for him to justify the work if the interoperability story isn't
improved.

Hal: We need to generate a list of what we'd change in 2.0.1 and agree to it.

Scott: I'll do some analysis on extensions and current specs and
propose a list of what behavior to change in 2.0.1

Hal: What he hears is a request for simpler conformance class.  Just
POST, essentially.

Hal: Also want to look at any requirements from the OAuth SAML token.
John B. doesn't know of anything new that would be required.

Scott: We should also look at rev'ing dependencies (e.g., XML
Signature and Encryption).  XML sig and enc 2.0 probably won't get
implemented any time soon.  XML sign and enc 2.0 are easier to
implement so having SAML profiles that supported these new specs would
be good.  Probably not a lot of work.  XML sign and enc spec is "done"
and headed to last call once the impls are done.

Tony (I think): Should we move extensions into the SAML core
namespace?  Scott: Probably not.  Maybe just collapse (less
implemented) extensions into a single extension namespace.  Maybe we
could wrap statement types into the core spec.

>  (h) Addition of SessionIndex (Chad)

Nothing to add beyond what was in the email to the list.
http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201201/msg00015.html

> 5. Assorted mail items:
>   - Privacy Preserving Attribute Verification (Prateek)

Anil not present, nothing to discuss.  May be on the agenda for the next time.

> 6. Other items:

No other items

-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
