Subject: Minutes for SSTC Telecon (19 Feb 2013)


1. Roll Call & Agenda Review

2. Need a volunteer to take minutes.
Mark volunteers.

3. Approval of minutes from previous meetings.
     - Minutes from SSTC Call on 22 January 2013:
https://lists.oasis-open.org/archives/security-services/201302/msg00006.html
     - Minutes from SSTC Call on 5 February 2013:
https://www.oasis-open.org/apps/org/workgroup/security/email/archives/201302/msg00014.html

Chad moves to approve minutes and Nate seconds. There were no objections and the minutes were adopted.

4. AIs & progress update on current work-items:

  (a) Current electronic ballots: (none)
There are no ballots so item 4a was skipped.

  (b) Status/notes regarding past ballots: (none)
There are no items at this time so 4b was skipped.

  (c) SAML 2.1 work (Scott and Chad)
      - SAML2.1 wiki:
        https://wiki.oasis-open.org/security/SAML2Revision

      - Chad's list:
        https://wiki.oasis-open.org/security/SAML21

      - Sample ToC for an SSO Profile:
        https://wiki.oasis-open.org/security/SAML21ExampleProtocol
No comments were received. 
Chad has posted a high-level ToC for review.
Thomas suggested we can cut and paste from the previous ToC, where appropriate, to expedite.
Chad suggested we break it down into specific topics. The ToC he posted was for SSO, and offered as an example of how other sections can be organized and presented.


  (d) Conceptual/overview of Metadata (Rainer Hoerbe)
      - Apologies from Rainer.
        http://files.hoerbe.at/daunlod/eadocx-quickdoc.pdf
Item 4d was skipped until Rainer can be present on a call for discussion.


  (e) SAML ECP (Scott)
      - Any updates?
Scott: still receiving feedback, an update will be forthcoming at a future date.
There was a call for questions for Scott, and there were no questions.
Thomas asked if anyone was waiting for ECP, and nobody knew of anyone waiting for it.
Thomas asked if there is a notion of ECP being re-used like OAuth tokens.
Scott: Yes. He also noted that a solution is needed for non-browser clients, such as with SSH.
Doubts about the security of OAuth were also raised, but recognized others would debate the issue. Issues with the GSSAPI specification and implementation were raised.
Anil asked how many implementations of ECP there are.
Scott said it was unknown, but would suspect that the original Liberty Alliance members may have implemented it before adopting SAML 2.0, and noted that Cisco and Office 365 have some of the specification incorporated, as an example.
A discussion of non-browser clients ensued, and it was noted that cookies are not defined by the specification.



  (f) XPA updates (Mohammad Jafari)
     - Any updates?
There were no updates to report at this time.


  (g) IETF Drafts (Prateek)
      - SAML 2.0 Bearer Assertion Profiles for OAuth 2.0.
      - Assertion Framework for OAuth 2.0.
      https://lists.oasis-open.org/archives/security-services/201302/msg00010.html
Prateek said he is hoping for review and advice from SAML implementors.
The work cited refers to SAML assertions in bearer tokens. Slide 1 describes OAuth flows and entities and the use of SAML assertions as an authorization grant in OAuth. OAuth was described as a two-legged flow, as compared to the SAML three-legged flow. The goal is to connect existing SAML and OAuth flows. This is summarized on slide 2, which shows the exchange of an authorization grant for an access token. A case was described of authenticating locally at an enterprise and exchanging it for an access token.
Prateek is looking for feedback.
Phil mentioned that the IETF general assertions framework is without specification.
Scott asked about delegation.
Phil: it is loosely bound.
Scott: delegation vs impersonation?
Thomas said there is some jitter around whether the AuthN statement needs to call OAuth.
A discussion ensued about OAuth scope vs SAML audience.
Scott: Audience in SAML is no less defined, scope in OAuth is no better defined.
Thomas suggested that reading the framework doc would be valuable for continuing this discussion.

  (h) Updating SAML.org
      - Thomas to contact Robin Cover
Thomas will contact Robin Cover to get an update.


5. Assorted mail items:
No items to discuss.


6. Other items:
   - RSA2013 coming up
   - IETF in March
IETF is in Orlando, FL, in March.


7. Next SSTC Call:
   - Tuesday 5 March 2013.
No new items.

Adjourned at 12:46pm (EST)

