Subject: Formal Minutes from SSTC F2F#4
Oasis Security Services TC
Face to Face #4 Minutes
These minutes represent the formal decisions taken and actions assigned during the meeting of 27-29 Aug 2001. Informal minutes are available at the SSTC web site.
Minutes recorded by Gil Pilz, Gavenraj Sodhi. Distilled by Joe Pato.
The following notations are used throughout this note:
· votes are marked: [Vote]
· agreements without a formal vote are marked [General Consensus]
· actions are marked: [Action - <owner>]; if the owner is TC, the action is for all TC members
Monday, 27 Aug 2001
-------------------
8:30 - 9:00 Meet and greet; continental breakfast
9:00 - 9:30 Administrative (Joe)
Call to order
Roll call - attendance at end of minutes.
Quorum was not reached until 9:30 when Irving Reid arrived. Until quorum was reached, we proceeded with the binding subgroup report as a focus group. When quorum was reached we completed the approval and review of agenda.
[Vote]: Approve minutes of previous meeting - No objections
[Vote]: Review and approve agenda - No objections
9:30 - 10:15 Binding Subgroup Report (Prateek)
Scope, Binding vs. Profile,
Process framework for registering bindings,
Contents of Bindings Report
10:15 - 10:30 Break
10:30 - 12:00 Binding issues discussion
Web Browser Profiles for SAML (Prateek)
12:00 - 1:15 Lunch
1:15 - 3:00 Binding issues discussion (cont.)
1:15 - 2:00 Shibboleth Flows and Structures (Marlena)
2:00 - 3:00 SOAP Profile for SAML (Prateek)
3:00 - 3:15 Break
3:15 - 4:30 Continuation of SOAP Profile for SAML
4:30 - 5:30 Kerberos Authentication & SAML & SOAP use of SAML (Doug Bayer & Paul Leach)
6:00 - 7:00 Break for day
7:00 - 9:00 Group Dinner
Tuesday, 28 Aug 2001
---------------------
8:30 - 9:00 Continental breakfast
9:00 - 9:30 Administrative (Joe)
Review of, and tweaks to, the agenda for this second day
Summary of findings/observations from previous day
9:30 - 10:30 SAML / SOAP / Kerberos
[Action - Paul Leach]: Look at current SAML web browser profile and provide comments for changes, additions.
[Action - TC]: a SAML/Kerberos integration discussion group will be created - send mail to Joe to join him (by 9/14)
Charter for this group:
1) Web Browser profiles and integration with Kerberos
2) SOAP Security Architecture model
3) Trust Model
10:30 - 10:45 Break
10:45 - 12:30 Binding issues (cont.) (Prateek)
HTTP Binding for SAML
SOAP Binding for SAML
[Action - Phil]: agreed, the core spec will state that all elements need to explicitly call out the SAML namespace. Phil to make changes.
[General Consensus]: we need more investigation on the issue of whether we should register a new SAML MIME type. No owner assigned - defaults to Prateek.
12:30 - 1:30 Lunch
1:30 - 2:30 XML Style issues (Eve)
[ISSUE - Phil]: We need to add an issue that deals with blocking the substitution of various core SAML elements. [resolved schema core-16]
[General Consensus]: native elements should have native constructs. Non-native elements do not get their own elements.
[General Consensus]: every element should be global.
2:30 - 4:30 Core Assertions (Phillip)
[Action - Hal]: to write scenarios (and / or provide definitions) for how NameIdentifier is used (e.g., when it is in SubjectConfirmation to identify an assertion vs. when it is used to represent the assertion referent)
[Action - Marlena]: to write up use of artifacts for queries
[Action - Irving]: Multiple NameIdentifiers are dangerous - Irving to write up proposal.
[Action - Marlena]: to write a proposal to create another Web Browser profile that retrieves an Attribute Assertion rather than an Authentication Assertion.
[Action - Simon]: write a concrete proposal that outlines the change to the nature of the authorization query.
[Action - Phil]: Will produce a core-16 that just contains the notational twiddles before any major changes to schema and protocols.
[Action - Charles]: To write a concrete proposal that would allow Authorities to provide helpful info about why certain requests failed. This would be really helpful during initial deployment when you can't figure out why things aren't working. This could/should be turned off in production.
4:30 - 5:00 "Closed issues" review (Hal)
3:00 - 3:15 Break
3:15 - 5:00 Open Issues discussion (Hal)
5:30 Break for the day
Wednesday, 29 Aug 2001
----------------------
8:30 - 9:00 Continental breakfast
9:00 - 9:15 Administrative
Review of, and tweaks to, the agenda for this third day
Summary of findings/observations from previous day
9:15 - 11:15 Issues
[Action - Hal]: to take all the proposed closed issues (green) and send them out for ratification at the next concall. [Completed 8/31 - ratification awaiting next concall with quorum]
[Action - TC]: Next two weeks open season on remaining issues. If an issue does not have a sponsor (an SSTC voting member) by Friday 21 September then it will be moved to "not addressed in SAML 1.0". Sponsor is responsible for driving issue to conclusion.
[Action - Gil]: [DS-6-01:Nested Attributes] Not sure how SAML could address this
Issue Champions:
[Action - Tim]: First Contact - will write up what can be done with the current design.
[Action - Irving]: to investigate and write up WAP limits
[Action - Prateek]: Lookup by artifact: Agreed that he should submit a detailed proposal to the Core outlining specific changes to specific sections. Includes new request-response protocol not currently defined in HTTP binding
[Action - Prateek]: "Security properties of Assertion Handle" (Bob Blakley to act as reviewer).
[Action - Prateek]: This is an editorial issue about the names of profiles. Prateek to revise current document.
[Action - Gil]: To make a proposal on the mandatory use of HTTPS
[Action - Jeff]: threat model discussions to be removed from the bindings doc - but rationale preserved somewhere in SAML documents.
[Action - Don]: Smart client profile - develop a proposal
[Action - Prateek]: Push profile / use case to be dropped from document (Paul Leach's claim that this would assist SAML/Kerberos integration was never developed - Paul to present this case if he wishes to re-instate this profile)
[Action - Hal]: Agrees to create a proposal that indicates why we should minimize the number of profiles, specifically "Form POST".
[Action - Don]: to elaborate the number of 1-1 relationships and propose how to fix the resulting scaling issues.
[Action - Hal & Bob B]: Artifacts are bearer instruments, Assertions are not
[Action - Marlena]: SHIB desires 00-02 artifact type (anonymous user & attribute assertions - non personal identifiable info) core design issue.
[Action - Bob B & Marlena]: <Subject> in Core doc to correspond to Artifact
[Action - Prateek]: Oracle attacks WRT SOAP Profile
[Action - Bob B.]: Return of not currently valid assertions to RP (e.g., post-dated)
[Action - Prateek]: Should the Bindings Group select either the HTTP or SOAP protocol bindings for inclusion in the final spec?
[Action - Prateek]: Should the SOAP binding address the issue of intermediaries - generate proposal for how
10:30 - 10:45 Break
11:15 - 11:45 Sessions (Hal)
11:45 - 12:45 Lunch
12:45 - 1:15 Conformance (Robert)
1:15 - 2:00 Security Considerations (Jeff)
[Action - Chris McClaren]: will champion the sec-consider-xx issues and drive this subprocess.
2:00 - 3:00 Review Issues, next steps, administrivia (Joe)
[Action - Marlena, Eve, Bob, Hal]: Forward presentation slides
2:30 - 3:00 Open Discussion on Versioning
[Vote]: SAML will use explicit version attributes rather than rely on XML Namespaces to contain version info. [No objection]
[Action - Chris]: to write up versioning strategy and distribute to mailing list [done Aug 30]
3:00 Adjourn
Items deferred from the agenda due to constraints:
Implementation / Interop discussions (Jeff?)
DSIG usage by SAML