
Subject: [security-services] Minutes for Telecon, Tuesday Feb 12, 2002

Minutes for SSTC Telecon, Tuesday Feb 12, 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

> Main Theme: Getting to last call and completion...
> 1) Roll Call

- Attendance attached to bottom of these minutes
- Quorum achieved.

> 2) IPR - patent review

- Burt & RobP: Overlap with RSA Patent
    - Browser POST Profile overlaps with couple of patents held by Burt
    - will send description to list
    - patent numbers 6085320 & 6189098-B1
    - general description is access by user by delivery of signed
      assertion as proof of authentication
    - two patents are essentially the same, just with different claims
    - RSA not making legal claims now concerning anyone's products
    - RSA having discussions about how to facilitate furthering SAML
    - considering offering royalty-free license as long as other
      parties reciprocate
- Joe & Jeff will confer with OASIS how to proceed, but Joe likes
  approach here of royalty-free license for purpose of implementing
  SAML-compliant product
- Prateek: RSA offering contingent on something -- on what?
- Joe: similar offerings from other IP-holders on SAML-relevant patents
- Phill: this is typical approach
- Joe: this is different from RAND approach
- Joe: before we submit to OASIS, we must submit statement of what IP
  intersections we know of
- Eve: need positive statement required from everyone, or is silence
- Joe: would like positive statement from everyone, but will check with

> 3) Implementation / Use

- Joe: Karl has not been rigorous in qualifying "use"
- doesn't want vaporware claims
- doesn't require product on pricelist, etc, but needs to be "real
  use", e.g. pilot
- need total of 3 in each area of SAML spec
- if we have 3, each in different areas of SAML, that is not sufficient
- Eve: recently generated assertion-based checklist for conformance
- Joe: a number of participants have indicated desire to be counted,
  but need those to indicate areas of conformance
- Joe: we need to decide if Eve's checklist is acceptable
- Eve's checklist:
  < http://lists.oasis-open.org/archives/security-services/200201/msg00283.html >
- Joe: Karl has given some relief through late March, so this doesn't
  have to be done in next two weeks, but we don't want this to drag out
- Eve: will resend digested checklist to mail list

> 4) Issue Review
>         Blocking Issues:
> A) URI resource name canonicalization

- Irving: had spirited discussion with Stephen Farrell this morning
- which URIs in our spec need this?
- conclusion was Resource
- these will come from external pieces of infrastructure, and may have
  different rules
- if we specify exact binary matching, we may end up with all the same
  security holes web world has endured in the past
- Hal: thinks this is fundamentally mis-headed
- Irving: discussion with SF led to possible compromise, a 'MUST'
    "Things that use SAML must canonicalize Resource names before
    putting into SAML assertion"
- Prateek: this only applies to HTTP resources
- Irving: could be others, but definitely HTTP
- Phill: are we talking about stronger warning or changing text?
- Irving: SF wanted normative text, with 'MUST'
- Hal: thinks this is a security considerations issue
- Irving: wants normative text that says that if PEP asks wrong
  question (e.g. due to lack of canonicalization in request), PEP is
  at fault
- Prateek: thinks both PEP and PDP must be on guard against
  non-canonicalized resource names
- Hal: merely following canonicalization rules hasn't been sufficient
  in solving problem
- If PEP is in proxy, and proxy doesn't have same canonicalization
  rules as resource behind it, this is a problem clearly outside of
- Phill: wants to warn implementors to use caution in this area
- Prateek: thinks this is responsibility of PDP
- Irving: if we don't say enough, we will end up with broken systems
  and people blaming SAML
- How do we get our wording down to prevent this?
- Phill: agrees that this is testable, but not sure what the MUST
  statement should be.  could be:
    "All the parties must interpret resources in consistent manner,
    including canonicalization and case-sensitivity rules"
- Prateek: why is it not enough to state that PDPs must follow
  canonicalization rules?
- canonicalization rules do not include case-sensitivity issues
- Irving: it's up to PEP to decide what name to use for resource in
- Hal: person that sets up the policy must have same notion of
  resources as PEP
- Joe: trying to close discussion
- Joe: closest thing to right answer heard so far is that PEP & PDP
  must use same set of rules, but this is not enforceable in spec
- Irving: SF would not find this acceptable, as it allows too much
  freedom to get it wrong
- Joe: can we go to last call without resolving this issue
- Phill: no
- Joe: agrees
- Joe: depending on how this is addressed in spec, reviewers will
  view spec differently
- If we can't craft a resolution, we could craft a few alternatives
- [Action] Phill: write description of issue, and candidate
    - Sender normalizes
    - Receiver normalizes
    - no statement, but an approach for testing for failures
- Joe: suggests continuing debate on list
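The failure mode debated under item 4A above, shown as an added example that is not part of these minutes or of the SAML specification: a PEP and a PDP that compare Resource names byte-for-byte disagree whenever the same resource is spelled differently (host case, default port, dot-segments, percent-encoding), while applying the same RFC 3986 normalization on both sides before comparison makes them agree. The function and policy-table names (`canonicalize_uri`, `build_policy`, `lookup_policy`) are assumptions for illustration, as are the example.com resource names; the code deliberately leaves path case-sensitivity alone, because, as noted above, canonicalization rules do not cover it, and it does not decode an encoded slash, so an encoded path separator is not mistaken for a real one.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986 "unreserved" characters: a percent-encoding of any of these is
# equivalent to the bare character, so the decoded form is the canonical one.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz0123456789-._~")
DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize_pct(s):
    """Decode %XX for unreserved characters, uppercase the hex digits of all
    other escapes. Reserved characters such as %2F stay encoded."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, s)


def _remove_dot_segments(path):
    """RFC 3986 section 5.2.4 applied to an absolute path ("/a/./b/../c" -> "/a/c")."""
    segments = path.split("/")[1:]          # drop the empty element before the leading "/"
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == ".":
            if last:
                out.append("")              # "/a/." means the directory "/a/"
        elif seg == "..":
            if out:
                out.pop()
            if last:
                out.append("")
        else:
            out.append(seg)
    return "/" + "/".join(out)


def canonicalize_uri(uri):
    """Syntax-based normalization of an http(s) URI (assumes ASCII host names;
    userinfo and fragment are discarded because they do not name a resource)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    netloc = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        netloc += f":{parts.port}"
    path = _remove_dot_segments(_normalize_pct(parts.path) or "/")
    query = _normalize_pct(parts.query)
    return urlunsplit((scheme, netloc, path, query, ""))


def same_resource(pep_name, pdp_name):
    """What the PEP asked about and what the PDP's policy names, compared
    after both sides apply the same rules."""
    return canonicalize_uri(pep_name) == canonicalize_uri(pdp_name)


def build_policy(rules):
    """Policy table keyed by canonical resource name (decision is a string)."""
    return {canonicalize_uri(resource): decision for resource, decision in rules.items()}


def lookup_policy(policy, requested_resource):
    """PDP-side lookup: canonicalize the PEP's name before consulting the table."""
    return policy.get(canonicalize_uri(requested_resource), "Indeterminate")


if __name__ == "__main__":
    # Constructed sample: one policy entry, three spellings of the request.
    policy = build_policy({"http://example.com/docs/report.html": "Permit"})
    for name in ("HTTP://Example.COM:80/docs/./report.html",   # same resource
                 "http://example.com/docs/reports/../report.html",  # same resource
                 "http://example.com/docs/Report.html"):         # case differs: not normalized
        print(f"{name!r:60} bytewise={name in policy} canonical={lookup_policy(policy, name)}")
    # An encoded slash is kept encoded, so it cannot collapse into a path separator.
    print(canonicalize_uri("http://example.com/a%2fb"))
```

Run as a script, the first two requests resolve to Permit only after canonicalization (a bytewise lookup on the raw string finds nothing), while the third stays Indeterminate because the policy author and the PEP disagree on case, which is exactly the gap the "same set of rules" wording in the discussion above tries to close.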

- Joe: other blocking issues?  hasn't been able to do sweep of issues
- Hal: hasn't either, but doesn't know of any blocking issues
- Eve: not a blocking issue, but spec needs to change
- Resource and Decision we agreed to be required, but in spec is still
- [Action] Phill: will correct
- Scott: Resource was agreed upon to add to Attribute Query, but is
  still missing
- Irving: is withdrawing the "modest proposal" that has been discussed
  on list
- Eve: one possible one on conformance doc, still not comfortable with
  table at the beginning

> 5) Doc Set approval for last call

- Phill is adding text for resource name canonicalization
- Phill also changing Resource & Decision to required, and adding
  Resource to Attribute Query
- Joe: question is whether to move docs with these changes to last call
- are we ready to close the docs for last call, or do we need to see
  the editorial changes first before voting?
- Phill: moves to accept without seeing changes
- [Vote] some opposition
- Irving: there's enough changing text that he's uncomfortable moving
- Joe: shares opinion
- Eve: could table vote until end of call
- tabled

> 6) Remaining Issues list entries

- numerous changes, but no showstoppers
- Jeff: not all have been incorporated into doc
- RLBob: not all need to before last call

> 7) Tabled item of voting to go to last call

- Joe: Irving's concern is with voting on what we haven't seen
- Jeff, Hal share concern
- Joe: impact is waiting until next quorum meeting to vote, which would
  be next Tuesday
- OASIS news comes out on Fridays, so total delay would be 10 days
- Can have Dee Schur write that "SAML will go into last call on Tues.
  Check their site ..." this Friday
- Going to last call tomorrow gives us date of 2/27 for publishing to
  OASIS, which is pushing Karl's good graces
- If we wait for next week to vote, last call will go thru 3/6
- Next meeting would be 3/12 to decide what to do
- Joe: would prefer not to vote until next Tues
- motion can remain on table until Tues, where it will be 1st item on
- motion remains tabled
- Joe: editors, please turn around docs by Thurs, and include checklist
  of items completed in email to list, and keep changebars on
- [Action] Hal - send resolution of remaining issues discussed here to

> 8) Adjourn

- Adjourned


Attendance of Voting Members:

  Allen Rogers Authentica
  Irving Reid Baltimore
  Simon Godik Crosslogix
  Gil Pilz E2open
  Hal Lockhart Entegrity
  Carlisle Adams Entrust
  Don Flinn Hitachi
  Joe Pato HP
  Jason Rouault HP
  Prateek Mishra Netegrity
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Rob Philpott RSA Security
  Jahan Moreh Sigaba
  Jeff Hodges Sun
  Eve Maler Sun
  Emily Xu Sun
  Marlena Erdos Tivoli
  Bob Morgan UWashington
  Phillip Hallam-Baker Verisign
  Thomas Hardjono Verisign

Attendance of Observers or Prospective Members:

  Scott Cantor OSU
  Burt Kaliski RSA

Membership Status Changes:

  Maryann Hondo IBM - lost voting status due to inactivity
