security-services message


Subject: RE: Proposed Minutes for SSTC Telecon (17 February 2015)


Apologies.. NZ has written its thoughts up but I thought the call was next week.
Will try to get it together later this week.
Cheers
Colin

-----Original Message-----
From: security-services@lists.oasis-open.org [mailto:security-services@lists.oasis-open.org] On Behalf Of Thomas Hardjono
Sent: Wednesday, 18 February 2015 7:12 a.m.
To: Nate Klingenstein; OASIS SSTC
Cc: Thomas Hardjono
Subject: [security-services] RE: Proposed Minutes for SSTC Telecon (17 February 2015)


Adding roll-call for 2/17/2015

Scott Cantor
Thomas Hardjono
Rainer Hoerbe
Mohammad Jafari
Nathan Klingenstein
Hal Lockhart
Scott Robertson
Ross Micheals

Quorum was achieved.



________________________________________
From: Nate Klingenstein [ndk@internet2.edu]
Sent: Tuesday, February 17, 2015 12:28 PM
To: OASIS SSTC
Cc: Thomas Hardjono
Subject: Proposed Minutes for SSTC Telecon (17 February 2015)

> 2. Need a volunteer to take minutes.

Nate volunteered to take minutes.

> 3. Approval of minutes from previous meeting(s):
>
>   - Minutes from 20 January 2015 meeting:
>
> https://lists.oasis-open.org/archives/security-services/201501/msg00008.html

Quorum was achieved late in the call.  Hal moved that the minutes be accepted; Scott seconded.  No discussion or objections and the minutes were adopted.

>  (d) SAML 2.1 work:
>      - SAML2.1 wiki:
>        https://wiki.oasis-open.org/security/SAML2Revision
>
>      - Starter docs:
> https://lists.oasis-open.org/archives/security-services/201403/msg00010.html
>
>      - Martijn had indicated that he is interested to work on the 2.1 project.

Martijn was unable to join today's call.  The most immediate follow-up is to encourage their deeper involvement to ensure that they can contribute most efficiently to the larger body of work.

Scott's interpretation of their stance was that if a profile were done separately and published it would meet their needs, but they would like to see more visible changes to increase the probability of vendor adoption.  It's unclear to the SSTC whether or not a 2.1 release would be more impactful than a deployment profile.

From the perspective of 2.0, there could be a lot of new implementation in 2.1 as immediately proposed, and adding these new features would seem to be a prerequisite for the amount of work being volunteered for.  The TC expressed a preference for accommodating the requirements of people willing to do the work, though the SSTC of course retains all ultimate control over the process and its outcomes.

There are no implicit definitional new requirements or broken interoperability, and conformance is another can of worms entirely, and it's unclear how real conformance testing and frameworks relate to conformance requirements in [often very old] documents or whether OASIS has any serious program in place for testing implementations itself.  Many other TCs have made other arrangements for testing programs and certification.

Hal observed that security specifications present a particular problem because in addition to the interoperability and portability concerns that most specifications face, we also have security requirements and most purchasers and consumers have no way to determine whether security requirements have been successfully met.

Given differing opinions about what is important and what isn't important, and what's mandatory to implement, the extent of backward compatibility may have different interpretations regardless of any statements made by the SSTC, so perceptual considerations will factor into decision processes.  There are real questions around conformance in general, but those are separate and important.  The extent to which conformance is tied to 2.1 is ultimately up to the SSTC and more specifically committee members willing to do the work.

>  (e) Conceptual/overview of Metadata (Rainer Hoerbe)
>      - SAML Metadata Guidance Version 1.0 WD-03 now a Committee Note.
>      - Any updates.

The document has been published as a Committee Note, so we can remove the item from the agenda.  Thank you to Rainer for his dedication and hard work.

>  (f) XSPA updates (Mohammad Jafari)
>     - Any updates.

There are no updates immediately because the work on the XSPA profiles has not yet resumed.

> 6. Other items:

There are some clarifications that Scott needs to add to the algorithm support for metadata extension now that the specification is being more fully implemented and supported, particularly in Shibboleth.  This could be done in errata, but it could also be a newer 2.0 version that would involve minimal changes to the specification.  He was leaning towards the latter because, although there's an errata process in OASIS, Hal pointed out that it can't be used for committee specifications, so that made the decision quick.

https://wiki.oasis-open.org/security/SAML2MetadataAlgSupport

We look forward to hearing from you next month.