Subject: Draft Minutes for SSTC Telecon (Tue 21 Aug 2012)
>AGENDA:
>
>1. Roll Call & Agenda Review.

Anil Saldana
Thomas Hardjono
Nate Klingenstein
Hal Lockhart
Frederick Hirsch
Scott Cantor
David Staggs
John Bradley

>
>2. Need a volunteer to take minutes.

Scott volunteers.

>3. Approval of minutes from previous meeting(s):
>
> - Minutes from SSTC Call on 7 August 2012:
>
>https://lists.oasis-open.org/archives/security-services/201208/msg00014.html

Hal moves to accept. Frederick seconds. No objections, motion passed.

>4. AIs & progress update on current work-items:
>
> (a) Current electronic ballots: (none)
>
> (b) Status/notes regarding past ballots: (none)
>
> (c) SAML 2.1 work:
> - Status: SSTC agrees to proceed on this in 2012.
> - AIs:
> o Thomas to ask Admin about template doc
>
> - https://wiki.oasis-open.org/security/SAML2Revision

Scott will request new documents, and he'll propose new filenames if needed before doing so. He will transfer the boilerplate and properties into the old docs and rename them to produce new drafts.

> (d) SSTC Webinar:
> - Proposed topic: scope of work for the 2.0.1 spec.
> - AI: Decide webinar date.
> - AI: collect data on SAML2.0 deployments
>
>https://lists.oasis-open.org/archives/security-services/201207/msg00004.html

Scheduled for Sep 20th. Not posted yet. Hal asked about a NASA deployment, Thomas provided some info. Nate also provided some material. Scott mentioned apparent use of SAML by the OnStar system, but we don't have contacts at GM to confirm that.

> (e) Asynchronous Single Logout Protocol Extension (Chad)
>
>https://lists.oasis-open.org/archives/security-services/201207/msg00001.html
>https://lists.oasis-open.org/archives/security-services/201206/msg00019.html

Scott will post a new WD after he gets the latest files from Chad.

> (f) XPA updates (David S. & Duane)
>
>https://lists.oasis-open.org/archives/security-services/201208/msg00010.html

David said Duane will update on next call.

> (g) Issue tracker: SECURITY-21

Just tracking this for work in 2.1.
> (h) SAML in JSON
> - Continue discussion from last telecon.

Discussion around possible use of JOSE for signature/encryption, and the benefits of its newer features in light of all the papers attacking XML Encryption (and, to a lesser extent, Signature).

Hal: We could definitely see leverage from JOSE that we could then map back to XML Encryption. Alludes to new attacks, still confidential, involving maintaining support for CBC mode and that creating vulnerabilities. Tough to fix when you have wide deployment.

John: That's why we're trying to focus on these attacks up front in JOSE before we have wide deployment.

All: Remains worth looking at benefits of JOSE mechanisms once that settles a bit more.

Hal: Also want to discuss the Breaking SAML paper. Do we need to craft a TC message around this, or post something to the xml.org site?

Scott: Had significant problems getting edits made to the xml.org site because of its spam protection.

Action to chairs: Contact Robin about the site.

Discussion about the issue and whether it's worth addressing publicly. Thomas will craft a draft internally with Hal/Scott, and we'll circulate.

Thomas: Should we address it in the webinar?

Hal: Maybe a slide on it, but not the focus certainly.

John: Worth doing that much, but should focus on the fact that the community is robust and attentive to these issues and they got addressed.

Hal: Worth asking for statements from the implementations mentioned in the paper?

Scott/John: Probably not, we think all of them were confirmed by the authors as fixed before they published.

>5. Assorted mail items:
>
> - OASIS IDtrust Member Section Steering Committee Elections
>
>https://lists.oasis-open.org/archives/security-services/201208/msg00015.html

Thomas: Anybody on the TC on the committee?

John: We'd have to have the TC join that member section. Historically it was the PKI group, so SAML wasn't involved.

Hal: The TC joining is independent of how member dues are assessed to members that join.
John: I think to join you have to be a member of a TC that is itself a member.

Some debate over this point.

John: I'm sure we could do this if we wanted.

Discussion about IPR mode compatibility. No issues identified.

John: I'm all for it. It's much less PKI-centric than it used to be.

Hal: If you want it, propose the TC join in a future meeting after doing a bit of research into the pros/cons, if any.

John: I'll do some checking and speak to Anil.

>6. Other items:
> - Oasis sponsor at the International Cloud Symposium
> https://www.oasis-open.org/events/cloud/2012
>
> - NSTIC Identity Ecosystem meeting (Chicago, Aug 16-17, 2012)
> http://www.idecosystem.org

John: Went as well as it could. Still work to do on bylaws. No IPR policy initially, so that needs work. Several WGs are starting up. Several at the Standards WG objected to it becoming a new SDO and instead should work with the ones we have. Participants self-selected into various categories and then voted for people within those categories. John is in a run-off in the IT category with an Oracle person. Oracle, Microsoft were in attendance plus some less usual suspects, people attending trying to learn how things related to their work. E-mail John for more info.

Hal: What is this? ;-)

John: The Oracle attendees were more the legal/policy/govt folks, not the techies.

Thomas: What are the next steps for this?

John: 90 day period to get bylaws/charter done. WGs spinning up, usual rationalization amongst themselves and other groups. I'm working with the secretariat to help get infrastructure going.

Other Business:

Scott will send something to the list about the metadata work that was outlined in the wiki to try and get consensus. Will also be working to incorporate some of the schema suggestions sent to the list, but invites additional comment on that.

>7. Next SSTC Call:
> - Tuesday 4 September 2012.