Subject: Re: [security-services] Proposed Agenda for SSTC telecon (24 January 2012)
And here are the notes:

On Fri, Jan 20, 2012 at 11:38, Thomas Hardjono <hardjono@mit.edu> wrote:
> AGENDA:
>
> 1. Roll Call & Agenda Review.

The following people were present:
John Bradley
Scott Cantor
Thomas Hardjono
Fredrik Hirsch
Nate Klingenstein
Chad La Joie
Hal Lockhart
Tony Nadalin

Quorum was achieved with 4 out of 6 voting members present.

> 2. Need a volunteer to take minutes.

Chad will take minutes.

> 3. Approval of minutes from last meetings:
>
> Minutes from SSTC Call on 10 January 2012:
> http://lists.oasis-open.org/archives/security-services/201201/msg00014.html

Hal motioned to accept, Nate seconded. No objection. Motion passes, minutes accepted.

> 4. AIs & progress update on current work-items:
>
> (a) Current electronic ballots: (none)

Nothing to discuss.

> (b) Status/notes regarding past ballots: (none)

Nothing to discuss.

> (c) Kerberos Web browser SSO Profile (Josh/Thomas)
> - Status: CSD and 15-day PR closed.
> - No comments received during 15-day PR.
> - AI: Request ballot creation for CS.

Hal moves that TC Admin create a ballot for committee specification of the Kerberos Web Browser SSO Profile. Scott seconds. No objection. Motion passes.

> (d) Metadata Extensions for Documentation/Registration (Chad)
> - Status: sstc-saml-metadata-rpi-v1.0-wd09.zip uploaded
> - Status: CSD2 and open 15 day PR approved at 1/10/2012 telecon.
> - AI: Chad to submit request to TC-admin.

On TC Admin's list; ticket numbers 827, 828.

> (e) Metadata Extensions for Login and Discovery User (MDUI) (Scott)
> - Status: WD10 uploaded.
> - Status: CSD3 and open 15 day PR approved at 1/10/2012 telecon.
> - AI: Scott to submit request to TC-admin.

Submitted to the TC Admin queue.

> (f) SAML2.0 Approved Errata (Scott)
> - SECURITY-16 PE: Mitigation for XML Encryption CBC deficiencies
> - Status: text updated 1/10/2012
>
> http://lists.oasis-open.org/archives/security-services/201201/msg00011.html

No changes in wording since last call. Scott will start work on the errata document when some items get cleared off his plate.

> (g) SAML 2.0.1 and Security Considerations doc
> - Plans for 2012?

Nate: We would like to proceed with this. The most substantive aspect of that work would be security considerations and conformance. The rest is rolling red-line errata into the specification.

Scott: Conformance will require more work than security considerations. No consensus yet on what a new conformance document would look like.

Scott: Also a question about whether to roll in various extensions and whether they are mandatory to implement.

Hal: We agreed we'd do 2.0.1 and it would cover three areas:
- clarifying document while maintaining on-the-wire compatibility
- security considerations
- conformance
- extensions

Hal: It's been a while since the last SAML release. We should not feel constrained in changing the schema.

Hal & Scott: The specification and protocol versions were separated in v2. So we could rev the specification without changing the protocol version.

Scott: Just cleaning up red-lines will be of limited use. People who have implemented SAML already won't get much out of that work. For this to be useful, implementations, metadata and IOP need to be mandatory to implement.

Scott: Insofar as the work of producing the new document, it would be hard for him to justify the work if the interoperability story isn't improved.

Hal: We need to generate a list of what we'd change in 2.0.1 and agree to it.

Scott: I'll do some analysis on extensions and current specs and propose a list of what behavior to change in 2.0.1.

Hal: What he hears is a request for a simpler conformance class. Just POST, essentially.

Hal: Also want to look at any requirements from the OAuth SAML token. John B. doesn't know of anything new that would be required.

Scott: We should also look at rev'ing dependencies (e.g., XML Signature and Encryption). XML sig and enc 2.0 probably won't get implemented any time soon. XML sign and enc 2.0 are easier to implement, so having SAML profiles that supported these new specs would be good. Probably not a lot of work. The XML sign and enc spec is "done" and headed to last call once the impls are done.

Tony (I think): Should we move extensions into the SAML core namespace?

Scott: Probably not. Maybe just collapse (less implemented) extensions into a single extension namespace. Maybe we could wrap statement types into the core spec.

> (h) Addition of SessionIndex (Chad)

Nothing to add beyond what was in the email to the list.
http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201201/msg00015.html

> 5. Assorted mail items:
> - Privacy Preserving Attribute Verification (Prateek)

Anil not present, nothing to discuss. May be on the agenda for the next time.

> 6. Other items:

No other items.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered