security-services message

Subject: Formal Minutes from SSTC F2F#4


Oasis Security Services TC Face to Face #4 Minutes


These minutes represent the formal decisions taken and actions assigned during the meeting of 27-29 Aug 2001. Informal minutes are available at the SSTC web site.


Minutes recorded by Gil Pilz, Gavenraj Sodhi. Distilled by Joe Pato.


The following notations are used throughout this note:

        votes are marked: [Vote]

        agreements without a formal vote are marked [General Consensus]

        actions are marked: [Action - <owner>]; if the owner is TC, the action applies to all TC members


Monday, 27 Aug 2001



8:30 -  9:00  Meet and greet; continental breakfast

9:00 -  9:30  Administrative (Joe)


                 Call to order

                 Roll call - attendance at end of minutes.


Quorum was not reached until 9:30 when Irving Reid arrived. Until quorum was reached, we proceeded with the binding subgroup report as a focus group. When quorum was reached we completed the approval and review of agenda.


                 [VOTE]: Approve minutes of previous meeting - No objections

                 [VOTE]: Review and approve agenda - No objections


9:30  - 10:15  Binding Subgroup Report (Prateek)

               Scope, Binding vs. Profile,

               Process framework for registering bindings,

               Contents of Bindings Report


10:15 - 10:30  Break


10:30 - 12:00  Binding issues discussion

               Web Browser Profiles for SAML (Prateek)


12:00 - 1:15   Lunch


1:15  - 3:00   Binding issues discussion (cont.)

1:15  - 2:00   Shibboleth Flows and Structures (Marlena)

2:00  - 3:00   SOAP Profile for SAML          (Prateek)


3:00  - 3:15   Break


3:15 - 4:30   Continuation of SOAP Profile for SAML


4:30  - 5:30   Kerberos Authentication & SAML & Soap use of SAML

                                    (Doug Bayer & Paul Leach)


6:00  - 7:00   Break for day


7:00  - 9:00   Group Dinner



 Tuesday, 28 Aug 2001



8:30  - 9:00   Continental breakfast


9:00  - 9:30   Administrative (Joe)


                 Review of, and tweaks to, the Agenda for this second day

                 Summary of findings/observations from previous day


9:30 - 10:30  SAML / SOAP / Kerberos


[Action - Paul Leach]: Look at current SAML web browser profile and provide comments for changes, additions.


[ACTION - TC]: a SAML/Kerberos integration discussion group will be created - send mail to Joe to join (by 9/14)

Charter for this group:

1)      Web Browser profiles and integration with Kerberos

2)      SOAP Security Architecture model

3)      Trust Model


10:30 - 10:45  Break


10:45  - 12:30   Binding issues (cont.) (Prateek)

               HTTP Binding for SAML

               SOAP Binding for SAML


[ACTION - Phil]: agreed, the core spec will state that all elements need to explicitly call out the SAML namespace. Phil to make changes.


[General Consensus]: we need more investigation on the issue of whether we should register a new SAML MIME type. No owner assigned - defaults to Prateek.


12:30 - 1:30   Lunch


1:30  - 2:30   XML Style issues (Eve)


[ISSUE - Phil] We need to add an issue that deals with blocking the substitution of various core SAML elements. [resolved schema core-16]


[General Consensus]:  native elements should have native constructs. Non-native elements do not get their own elements.


[General Consensus]: every element should be global.


2:30 - 4:30  Core Assertions (Phillip)


[Action - Hal]: to write scenarios (and / or provide definitions) for how NameIdentifier is used (e.g., when it is in SubjectConfirmation to identify an assertion vs. when it is used to represent the assertion referent)


[Action - Marlena]: to write up use of artifacts for queries


[Action - Irving]: Multiple NameIdentifiers are dangerous - Irving to write up proposal.


[Action - Marlena]: to write a proposal to create another Web Browser profile that retrieves an Attribute Assertion rather than an Authentication Assertion.


[Action - Simon]: write a concrete proposal that outlines the change to the nature of the authorization query.


[Action - Phil]: Will produce a core-16 that just contains the notional and twiddles before any major changes to schema and protocols.


[Action - Charles]: To write a concrete proposal that would allow Authorities to provide helpful info about why certain requests failed. This would be really helpful during initial deployment when you can't figure out why things aren't working. This could/should be turned off in production.


4:30  - 5:00   "Closed issues" review (Hal)


3:00  - 3:15   Break 


3:15  - 5:00   Open Issues discussion (Hal)


5:30           Break for the day



 Wednesday, 29 Aug 2001



8:30  - 9:00   Continental breakfast


9:00  - 9:15   Administrative


                 Review of, and tweaks to, the Agenda for this third day

                 Summary of findings/observations from previous day


9:15 - 11:15            Issues


[Action - Hal]: to take all the proposed closed issues (green) and send them out for ratification at the next concall. [Completed 8/31 - ratification awaiting next concall with quorum]


[Action - TC]: Next two weeks open season on remaining issues. If an issue does not have a sponsor (a SSTC voting member) by Friday 21 September then it will be moved to "not addressed in SAML 1.0". Sponsor is responsible for driving issue to conclusion.


[Action - Gil]: [DS-6-01:Nested Attributes] Not sure how SAML could address this


Issue Champions:


[Action - Tim]: First Contact - will write up what can be done with the current design.


[Action - Irving]: to investigate and write up WAP limits


[Action - Prateek]: Lookup by artifact: Agreed that he should submit a detailed proposal to the Core outlining specific changes to specific sections. Includes new request-response protocol not currently defined in HTTP binding


[Action - Prateek]: "Security properties of Assertion Handle" (Bob Blakley to act as reviewer).


[Action - Prateek]: This is an editorial issue about the names of profiles. Prateek to revise current document.


[Action - Gil]: To make a proposal on the mandatory use of HTTPS


[Action - Jeff]: threat model discussions to be removed from the bindings doc - but rationale preserved somewhere in SAML documents.


[Action - Don]: Smart client profile - develop a proposal


[Action - Prateek]: Push profile / use case to be dropped from document (Paul Leach's claim that this would assist SAML/Kerberos integration was never developed - Paul to present this case if he wishes to re-instate this profile)


[Action - Hal]: Agrees to create a proposal that indicates why we should minimize the number of profiles, specifically "Form POST".


[Action - Don]: to elaborate the number of 1-1 relationships and propose how to fix the resulting scaling issues.


[Action - Hal & Bob B]: Artifacts are bearer instruments, Assertions are not


[Action - Marlena]: SHIB desires the 00-02 artifact type (anonymous user & attribute assertions - no personally identifiable info); core design issue.


[Action - Bob B & Marlena]: <Subject> in Core doc to correspond to Artifact


[Action - Prateek]: Oracle attacks WRT SOAP Profile


[Action - Bob B.]: Return of not-currently-valid assertions to RP (e.g. post-dated)


[Action - Prateek]: Should the Bindings Group select either the HTTP or SOAP protocol bindings for inclusion in the final spec?


[Action - Prateek]: Should the SOAP binding address the issue of intermediaries - generate proposal for how



10:30 - 10:45  Break


11:15  - 11:45  Sessions (Hal)


11:45 - 12:45   Lunch



12:45 - 1:15  Conformance (Robert)

1:15 - 2:00  Security Considerations (Jeff)


[Action - Chris McClaren]: will champion the sec-consider-xx issues and drive this subprocess.


2:00  - 3:00   Review Issues, next steps, administrivia (Joe)


[Action - Marlena, Eve, Bob, Hal]: Forward presentation slides


2:30 - 3:00   Open Discussion on Versioning


[Vote]: SAML will use explicit version attributes rather than rely on XML Namespaces to contain version info. [No objection]


[Action - Chris]: to write up versioning strategy and distribute to mailing list [done Aug 30]


3:00           Adjourn


Items deferred from the agenda due to constraints:


Implementation / Interop discussions (Jeff?)


DSIG usage by SAML

