security-services message



Subject: Proposed Minutes SSTC Telecon (Tue 10/16/2012)



Proposed Minutes SSTC Telecon (Tue 10/16/2012)
----------------------------------------------


1. Roll Call & Agenda Review.

Frederick Hirsch
Chad La Joie
Anil Saldhana
Nate Klingenstein
Scott Cantor
Hal Lockhart
Ian Young
Mohammad Jafari
Thomas Hardjono
John Bradley

Agenda: add Hal's email about metadata format.


2. Need a volunteer to take minutes.

Thomas taking minutes.



3. Approval of minutes from previous meeting(s):

   - Minutes from SSTC Call on 18 September 2012:
https://lists.oasis-open.org/archives/security-services/201209/msg00022.html

Motion:  Chad.
Second: Hal.
No objections. Motion passes.



4. AIs & progress update on current work-items:

(i) Support of SAML for metadata in other formats

- Background: during the recent Webinar on SAML 2.1, Hal received a question from the audience regarding the possible use of metadata expressed in other formats, and whether SAML could support it. See the email on the list:
https://lists.oasis-open.org/archives/security-services/201210/msg00005.html

- Scott expressed doubts whether SAML could be used with other protocols. Hal clarified by stating that the question pertains only to the metadata portion. We already have various formats for metadata in other protocols. So the question becomes: is such a thing (metadata in other formats) useful for this TC? Expressing metadata in JSON, for example, is not difficult.

- Chad asks whether there is anything wrong with the current format of our metadata. There is a project called Global Federated Identity and Privilege Management (GFIPM) that uses SAML. John Bradley concurs.

- Nate states that he is aware of GFIPM, and takes an AI to reach out to that community.

- John Bradley: the OIDC (OpenID Connect) community and folks such as Roland Herzberg(?) are looking into other formats for metadata in OIDC. JohnB suggests that it would be beneficial for everyone to have a canonical metadata format that could be used across systems. OIDC has not mandated the use of XML parsers, so it is difficult to mandate the use of entity descriptors in XML (which would require XML parsers). So in the OIDC community it makes sense to use a JSON format (for metadata).

- Scott suggests that it would make more sense to have something like SAML metadata but with a wider applicability, since it is too difficult to get existing software to speak JSON. JohnB: likes the SAML format (since it is canonical, can be signed, etc.), and suggests perhaps leaving only the entity descriptors in JSON format. Scott: there are a number of discovery tools that make use of SAML metadata, but it will be difficult to determine *which parts* of the metadata should be expressed in JSON. Scott suggests that a better approach to discovery is using domain-based lookup.

- Hal: reiterates that SAML 2.1 is making metadata mandatory, so we need to provide a better answer (than what was given in the Webinar). Hal suggests expanding that question/exploration to the wider community.

- JohnB suggests that alternate metadata formats need not be tightly coupled with SAML or XML. For example: third-party-issued attribute statements. Nate states that the XRD/XRDS efforts tried that approach but it did not work.

- Scott suggests that the SSTC needs to wait for a concrete proposal (brought to the SSTC), and not pre-empt discussions in the other communities (e.g. the OIDC community). JohnB states that with the growing deployments of OIDC, we can anticipate that Attribute Providers may be seeking a single metadata format (that would be supported by different protocols). Thomas states that since we are doing SAML 2.1, perhaps we need to wait for new spec contributions.

- JohnB states that OIDC has a metadata format for individual IdPs, but for a centralized IdP approach there are a couple of proposals making their way through the OIDC community. So a decision has not yet been made there. JohnB states that it's the "SAML people" in OIDC that desire the centralized approach. Scott says that it sounds like a business problem and an implementation issue.

- Thomas asks JohnB to take an AI: whether JohnB could be the go-between, and also communicate with folks during IETF Atlanta in November. Scott and Thomas plan to be at IETF Atlanta.


(ii) SAML2.1:

- Scott states that his time has become limited since he has taken on a new role (busy until towards the end of 2013). Chad should still be able to contribute. Also hoping that Ian Young can contribute.

- No updates on SAML2.1.

- SAML 2.1 Wiki: the Agreement section is ok. Scott hopes to hand off the initial docs to Chad and Ian.


(iii)  Webinar:

- Hal: the Webinar went well. Over 70 people connected online. The only impacting issue seems to be the metadata format question. It would have been good if we had a better answer for that question. Scott says he tried to answer but the audio was poor. Hal suggests that next time we should use a back-channel (e.g. a chat room).

- Hal received some follow-up questions. One of them was about whether it was illegal to use alternate metadata in SAML 2.0. The answer is: No.


(iv) Asynchronous Single Logout Protocol Extension (Scott):  Now in 30 day Public Review.


(v) Other items:

- Thomas says that IIW in Mountain View, CA is next week, followed by the MIT Kerberos Conference (the week after), and then the IETF meeting in Atlanta (first week of November).



o Meeting adjourns at 12:49PM.

----------------------------------------------------



