Subject: [security-services] Minutes for SSTC Telecon, Tuesday Nov 27
Minutes for SSTC Telecon, Tuesday Nov 27

Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

1 -- Roll Call
- Attendance attached to bottom of these minutes. Quorum achieved.

2 -- Review of agenda
- Creating agenda on the fly
  - Vote on issue raised by Prateek concerning Bindings/Profile Registry
  - Review action items sent out by Prateek
  - Eve’s issue of ‘outreach’

3 -- Vote on creation of Bindings/Profile Registry, proposed by Prateek
- Charles: curious about mechanism, as this seems to be ongoing process
- Hal: in short term, TC will continue, in long term OASIS will provide oversight
- We’re only talking about human-readable descriptions
- Text of proposal from Prateek’s email sent 25 Nov 2001 with subject "Please read BEFORE formal vote at TC call on November 27"
  - "(1) The SSTC will maintain a web-page titled "Additional SAML Bindings and Profiles". This page will include text explaining (1) How to submit a binding or a profile for publication (2) Additional information describing the status of such submissions (such drafts do not have standard status) (3) a list of drafts received by the SSTC."
- Prateek: a short summary of what a bindings or profile should answer will be in bindings document
- Carlisle: wrt item 2, there’s no mechanism for making publications standard?
- Prateek: OASIS provides such mechanism, but publication in this registration does not equate standards status
- Prateek: open to friendly amendment
- Carlisle looking for clarification that standards status is not precluded
- RLBob: agrees, points out that other standards bodies may be used
- Hal: might want to add wording to clarify the possible existence of other registries
- Carlisle amendment: "inclusion of such documents in this area does not imply anything about their standards status"
- Prateek also amends with "(4) guidelines for structuring such drafts will also be published on this web page."
- [VOTE] passes by unanimous consent

4 -- Eve’s Issue over ‘Outreach’
- Eve sent email on this 20 Nov 2001 with subject "Issue: Outreach and rollout plans"
- Looking for consistent whitepaper generation and publicity generation
- Concerned that spec will be delivered, but no one will notice
- Eve doesn’t have bandwidth, nor does Jeff
- Hal offers to contribute, but looking for more direction
- Eve: need someone to drive issue, identify all the necessary output items, and see that they are completed
- Prateek: many represented companies have developed similar material, can they be used?
- Eve: very much would like to see that happen, and would contribute material herself
- Darren offers to assist, will call Eve directly to try to break down the more detailed to-do bits
- Hal: willing to write up some overview/FAQ material
- Prateek: willing to have a bindings -08 by 21-Dec, but guess is that conformant style & boilerplate won't be done
- [ACTION] Eve to check with BobB by 21-Dec to see if he will own overall editing

5 -- Action Items
- Prateek urges a 2-week time limit on the remaining action items
- Items from Prateek’s email sent 20 Nov 2001 with subject "Bindings action items from F2F#4" (should be "F2F#5")
  - Item 1: lines 472-473, Section 4.1.3, Bob Blakley will provide improved text to replace
    - BobB not on call
    - Not done
  - Item 2: lines 732-733, Section 4.1.6.1, Bob Morgan and Phil Baker.
    - Proposed text has been sent to list this morning
    - Renamed "targetRestrictions"
    - Action Item is closed
  - Item 3: lines 788-791, Section 4.2.2, Irving to propose text to make the language more precise and clarify any connections with SAML faultcode.
    - Irving no longer on call
    - Scott: suggests any text must consider work in general SAML status codes
    - Prateek: agrees
    - Therefore, this action item is dependent upon the "status code proposal" discussion Scott has begun on list
    - Not done
  - Item 4: lines 824-829, Section 4.2.3.1.1, Irving to research and propose language to weaken requirement on signing over entire message (body and headers).
    - Not done
  - Item 5: Need for additional ConfirmationMethod identifiers (Prateek and Phil)
    - Not done
    - Prateek & Phill will send text to list by end of the week
  - Item 6: Section 3.1, SAML SOAP binding, Simon Godik to review and add text to reflect F2F#5 discussion
    - Simon has sent draft to list
    - Prateek: has Simon reviewed raw minutes from F2F#5?
    - Simon: no
    - Prateek: can you resubmit after reviewing those minutes
    - Jeff: suggests that Prateek extract part of minutes he’s concerned with and send to Simon & the list
    - [Action Item] Prateek to send relevant portions of raw notes to the list
    - Stays open
  - Item 7: Prateek to publish bindings-07 during week of December 3.
    - Just a deadline reminder
  - Item 8: In depth reviewers for bindings-07
    - Noted
  - Item 9: Prateek to publish bindings-08 during week of December 17
    - Also just a deadline reminder
- Supplementary Items from Prateek’s email sent 27 Nov 2001 with subject "Additional bindings action items"
  - Item 1: [Bob Blakley] doc structuring issue: sections 3.1.2 thru 3.1.8 refer to a family of bindings, where 3.1.9 refers to a specific binding
    - BobB to provide text
    - Still open
  - Item 2: [Jeff Hodges] Research Cipher suites and related information
    - Jeff: thinks it is basically done
    - Prateek: next step is to incorporate into bindings draft
    - Jeff: text also to incorporate into security considerations doc
    - Jeff: direction has been to go with TLS and to find a cipher suite for AES
    - What is the state of affairs in Browsers?
    - V3 browsers not in common use at this point
    - Hal determined NS Comm 4.7x supports 3DES + RC4
    - Hal: Still question over patent issues with RC4
    - Jeff: effective statement is to support what is widely used in the installed base
    - Prateek: just point to the ‘strong enough’ cipher suite
    - Jeff: agreed, with addition of ‘widely used’
    - RLBob: is ‘mandatory to implement’ really necessary here, since this is not interop among ourselves, but rather interop with the browsers?
    - Prateek: can we just state some weak cipher suites that are NOT recommended
    - Hal: but we will need to test against something
    - Jeff Bohren: do we need to consider possibility of renewed export restrictions
    - RLBob: possibility does not appear to have any traction
    - <<extended discussion ...>>
    - Discussion evolved to specifying RSA-WITH-3DES for web browser profile
    - Discussion moved to SOAP binding
    - Jeff: proposes TLS-RSA-3DES as MUST, TLS-RSA-AES as a SHOULD
    - RLBob: suggests that in this context, just say TLS, no SSL
    - Conclusion: Prateek to take Jeff's suggested text for binding doc & recast for web browser context (SSL-RSA-3DES-SHA MUST) & SOAP binding context separately (TLS-RSA-3DES MUST, RSA-AES SHOULD, SHA each)
  - Item 3: [Simon Godik] Renumber 3.1.9 to 3.2. Explain why this section is required in a SAML spec
    - Tried, but cannot renumber
    - Simon will look into question of ‘why required’
  - Item 4: [Prateek] Add high-level diagram for web browser profile in Section 4.1.1
    - Will appear in next rev of bindings doc
  - Item 5: [Bob Blakley] lines 481-482, Provide revised text that reflects that we are generating a new 20 byte string for every new assertion and that these 20 bytes contain somewhere between 20 bytes and 8 bytes of entropy.
    - Not done
  - Item 6: [Simon Godik] lines 549 - 569, Would like additional text indicating that before Step 6 the source and destination site could have additional interactions using SAML protocol (e.g., additional queries).
    - Not done
    - Simon will provide text
- Simon: where can all action items from last F2F be viewed?
  - Jeff/Joe will publish such a list by next week
  - Prateek: two sub-lists are already being maintained, one by Phill for core-related items and one by Prateek for bindings-related items
  - Should be consolidated

6 -- Adjourn
Adjourned.

--------------------------------------------------------------------------

Attendance of Voting Members:
  Irving Reid               Baltimore
  Larry Hollowood           Bank of America
  Ken Yagen                 Crosslogix
  Simon Godik               Crosslogix
  Gil Pilz                  E2open
  Hal Lockhart              Entegrity
  Carlisle Adams            Entrust
  Robert Griffin            Entrust
  Jason Rouault             HP
  Marc Chanliau             Netegrity
  Prateek Mishra            Netegrity
  Jeff Hodges               Oblix
  Charles Knouse            Oblix
  Steve Anderson            OpenNetwork
  Jeff Bohren               OpenNetwork
  Mark Griesi               OpenNetwork
  Darren Platt              RSA
  Jahan Moreh               Sigaba
  Eve Maler                 Sun
  Aravindan Ranganathan     Sun
  Marlena Erdos             Tivoli
  Bob Morgan                UWashington
  Phillip Hallam-Baker      Verisign
  Thomas Hardjono           Verisign

Attendance of Observers or Prospective Members:
  Scott Cantor              OSU

Membership Status Changes:
  Mary Ellen Zurko          IBM      -- granted voting status after concall
  Joe Hawkins               Novell   -- granted voting status after concall
  Emily Xu                  Sun      -- granted voting status after concall

--
Steve Anderson
OpenNetwork Technologies
sanderson@opennetwork.com
727-561-9500 x241