Subject: [security-services] Minutes for Telecon, Tuesday Feb 12, 2002
Minutes for SSTC Telecon, Tuesday Feb 12, 2002

Dial in info: +1 334 262 0740 #856956

Minutes taken by Steve Anderson

Main Theme: Getting to last call and completion...

1) Roll Call
 - Attendance attached to bottom of these minutes
 - Quorum achieved.

2) IPR - patent review
 - Burt & RobP: Overlap with RSA Patent
 - Browser POST Profile overlaps with couple of patents held by Burt
 - will send description to list
 - patent numbers 6085320 & 6189098-B1
 - general description is access by user by delivery of signed assertion as proof of authentication
 - two patents are essentially the same, just with different claims
 - RSA not making legal claims now concerning anyone's products
 - RSA having discussions about how to facilitate furthering SAML
 - considering offering royalty-free license as long as other parties reciprocate
 - Joe & Jeff will confer with OASIS how to proceed, but Joe likes approach here of royalty-free license for purpose of implementing SAML-compliant product
 - Prateek: RSA offering contingent on something -- on what?
 - Joe: similar offerings from other IP-holders on SAML-relevant patents
 - Phill: this is typical approach
 - Joe: this is different from RAND approach
 - Joe: before we submit to OASIS, we must submit statement of what IP intersections we know of
 - Eve: need positive statement required from everyone, or is silence sufficient?
 - Joe: would like positive statement from everyone, but will check with Karl/OASIS

3) Implementation / Use
 - Joe: Karl has not been rigorous in qualifying "use"
 - doesn't want vaporware claims
 - doesn't require product on pricelist, etc, but needs to be "real use", e.g. pilot
 - need total of 3 in each area of SAML spec
 - if we have 3, each in different areas of SAML, that is not sufficient
 - Eve: recently generated assertion-based checklist for conformance
 - Joe: a number of participants have indicated desire to be counted, but need those to indicate areas of conformance
 - Joe: we need to decide if Eve's checklist is acceptable
 - Eve's checklist: <http://lists.oasis-open.org/archives/security-services/200201/msg00283.html>
 - Joe: Karl has given some relief through late March, so this doesn't have to be done in next two weeks, but we don't want this to drag out
 - Eve: will resend digested checklist to mail list

4) Issue Review

Blocking Issues:

A) URI resource name canonicalization
 - Irving: had spirited discussion with Stephen Farrell this morning
 - which URIs in our spec need this?
 - conclusion was Resource
 - these will come from external pieces of infrastructure, and may have different rules
 - if we specify exact binary matching, we may end up with all the same security holes web world has endured in the past
 - Hal: thinks this is fundamentally mis-headed
 - Irving: discussion with SF led to possible compromise, a 'MUST' statement: "Things that use SAML must canonicalize Resource names before putting into SAML assertion"
 - Prateek: this only applies to HTTP resources
 - Irving: could be others, but definitely HTTP
 - Phill: are we talking about stronger warning or changing text?
 - Irving: SF wanted normative text, with 'MUST'
 - Hal: thinks this is a security considerations issue
 - Irving: wants normative text that says that if PEP asks wrong question (e.g. due to lack of canonicalization in request), PEP is at fault
 - Prateek: thinks both PEP and PDP must be on guard against non-canonicalized resource names
 - Hal: merely following canonicalization rules hasn't been sufficient in solving problem
 - If PEP is in proxy, and proxy doesn't have same canonicalization rules as resource behind it, this is a problem clearly outside of SAML
 - Phill: wants to warn implementors to use caution in this area
 - Prateek: thinks this is responsibility of PDP
 - Irving: if we don't say enough, we will end up with broken systems and people blaming SAML
 - How do we get our wording down to prevent this?
 - Phill: agrees that this is testable, but not sure what the MUST statement should be. Could be: "All the parties must interpret resources in consistent manner, including canonicalization and case-sensitivity rules"
 - Prateek: why is it not enough to state that PDPs must follow canonicalization rules?
 - canonicalization rules do not include case-sensitivity issues
 - Irving: it's up to PEP to decide what name to use for resource in request
 - Hal: person that sets up the policy must have same notion of resources as PEP
 - Joe: trying to close discussion
 - Joe: closest thing to right answer heard so far is that PEP & PDP must use same set of rules, but this is not enforceable in spec
 - Irving: SF would not find this acceptable, as it allows too much freedom to get it wrong
 - Joe: can we go to last call without resolving this issue?
 - Phill: no
 - Joe: agrees
 - Joe: depending on how this is addressed in spec, reviewers will view spec differently
 - If we can't craft a resolution, we could craft a few alternatives
 - [Action] Phill: write description of issue, and candidate resolutions:
   - Sender normalizes
   - Receiver normalizes
   - no statement, but an approach for testing for failures
 - Joe: suggests continuing debate on list
 - Joe: other blocking issues? hasn't been able to do sweep of issues list
 - Hal: hasn't either, but doesn't know of any blocking issues
 - Eve: not a blocking issue, but spec needs to change
 - Resource and Decision we agreed to be required, but in spec is still optional
 - [Action] Phill: will correct
 - Scott: Resource was agreed upon to add to Attribute Query, but is still missing
 - Irving: is withdrawing the "modest proposal" that has been discussed on list
 - Eve: one possible one on conformance doc, still not comfortable with table at the beginning

5) Doc Set approval for last call
 - Phill is adding text for resource name canonicalization
 - Phill also changing Resource & Decision to required, and adding Resource to Attribute Query
 - Joe: question is whether to move docs with these changes to last call
 - are we ready to close the docs for last call, or do we need to see the editorial changes first before voting?
 - Phill: moves to accept without seeing changes
 - [Vote] some opposition
 - Irving: there's enough changing text that he's uncomfortable moving forward
 - Joe: shares opinion
 - Eve: could table vote until end of call
 - tabled

6) Remaining Issues list entries
 - numerous changes, but no showstoppers
 - Jeff: not all have been incorporated into doc
 - RLBob: not all need to be before last call

7) Tabled item of voting to go to last call
 - Joe: Irving's concern is with voting on what we haven't seen
 - Jeff, Hal share concern
 - Joe: impact is waiting until next quorum meeting to vote, which would be next Tuesday
 - OASIS news comes out on Fridays, so total delay would be 10 days
 - Can have Dee Schur write that "SAML will go into last call on Tues. Check their site ..." this Friday
 - Going to last call tomorrow gives us date of 2/27 for publishing to OASIS, which is pushing Karl's good graces
 - If we wait for next week to vote, last call will go thru 3/6
 - Next meeting would be 3/12 to decide what to do
 - Joe: would prefer not to vote until next Tues
 - motion can remain on table until Tues, where it will be 1st item on agenda
 - motion remains tabled
 - Joe: editors, please turn around docs by Thurs, and include checklist of items completed in email to list, and keep changebars on
 - [Action] Hal: send resolution of remaining issues discussed here to list

8) Adjourn
 - Adjourned

-----------------------------------------------------------------------

Attendance of Voting Members:
  Allen Rogers           Authentica
  Irving Reid            Baltimore
  Simon Godik            Crosslogix
  Gil Pilz               E2open
  Hal Lockhart           Entegrity
  Carlisle Adams         Entrust
  Don Flinn              Hitachi
  Joe Pato               HP
  Jason Rouault          HP
  Prateek Mishra         Netegrity
  Charles Knouse         Oblix
  Steve Anderson         OpenNetwork
  Rob Philpott           RSA Security
  Jahan Moreh            Sigaba
  Jeff Hodges            Sun
  Eve Maler              Sun
  Emily Xu               Sun
  Marlena Erdos          Tivoli
  Bob Morgan             UWashington
  Phillip Hallam-Baker   Verisign
  Thomas Hardjono        Verisign

Attendance of Observers or Prospective Members:
  Scott Cantor           OSU
  Burt Kaliski           RSA

Membership Status Changes:
  Maryann Hondo          IBM - lost voting status due to inactivity
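The resource-name canonicalization problem debated under item 4A, as an added example that is not part of these minutes or of any SAML implementation: a toy PEP/PDP in Python whose policy is keyed by resource URI, with the PDP comparing the requested name either byte-for-byte (the "exact binary matching" the minutes warn about) or after RFC 3986 syntax-based normalization (RFC 3986 is the later successor to RFC 2396, which was current in 2002). The function names, the `POLICY` table and the `example.com` resources are hypothetical. The `case_insensitive_path` flag stands in for the rule that, as noted in the discussion, URI canonicalization does not supply: whether the resource behind the PEP treats path case as significant, which the PEP and PDP have to agree on out of band.

```python
"""Resource-name canonicalization for a PEP/PDP decision (added example).

Toy model of SSTC issue 4A: a policy keyed by resource URI, and a decision
function that compares the requested resource to the policy either
byte-for-byte or after RFC 3986 syntax-based normalization (section 6.2.2).
The names here (canonicalize, decide, POLICY, example.com) are hypothetical
and are not taken from the SAML specification.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
HEX = set("0123456789abcdefABCDEF")


def _normalize_pct(s: str) -> str:
    """Decode %XX escapes of unreserved characters; uppercase all others.

    '%2e' becomes '.', so an encoded dot-segment is exposed to the
    dot-segment removal below; '%2f' stays '%2F' because '/' is reserved
    and decoding it would change the path structure.
    """
    out, i, n = [], 0, len(s)
    while i < n:
        if s[i] == "%" and i + 2 < n and s[i + 1] in HEX and s[i + 2] in HEX:
            ch = chr(int(s[i + 1:i + 3], 16))
            out.append(ch if ch in UNRESERVED else "%" + s[i + 1:i + 3].upper())
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve '.' and '..' segments in the path."""
    segs = path.split("/")
    out = []
    for seg in segs:
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:      # never pop the leading '' that encodes the root '/'
                out.pop()
            continue
        out.append(seg)
    if segs[-1] in (".", ".."):   # a trailing dot-segment leaves a trailing '/'
        out.append("")
    return "/".join(out)


def canonicalize(uri: str, *, case_insensitive_path: bool = False) -> str:
    """Syntax-based normalization of an http(s) resource URI.

    Scheme and host are case-insensitive by definition and are lowercased;
    the default port and any fragment are dropped.  Path case is NOT covered
    by the URI rules (the point raised against "just follow canonicalization"
    in the minutes): it is folded only when PEP and PDP have agreed that the
    resource behind the PEP treats it as insignificant.
    """
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = _remove_dot_segments(_normalize_pct(p.path)) or "/"
    if case_insensitive_path:
        path = path.lower()
    return urlunsplit((scheme, netloc, path, p.query, ""))


# Constructed sample policy: canonical resource -> subjects permitted to read it.
POLICY = {
    "https://example.com/secret/plan.txt": {"alice"},
    "https://example.com/public/index.html": {"alice", "bob"},
}


def decide(subject: str, resource: str, *, canonicalize_at_pdp: bool = True,
           case_insensitive_path: bool = False) -> str:
    """PDP answer (SAML-style Permit / Deny / Indeterminate) for one request.

    With canonicalize_at_pdp=False the PDP does the exact binary match the
    minutes warn about: a disguised name for a protected resource matches no
    policy at all, and the outcome then depends on whatever the PEP chooses
    to do with Indeterminate.
    """
    key = (canonicalize(resource, case_insensitive_path=case_insensitive_path)
           if canonicalize_at_pdp else resource)
    allowed = POLICY.get(key)
    if allowed is None:
        return "Indeterminate"
    return "Permit" if subject in allowed else "Deny"


if __name__ == "__main__":
    disguised = "HTTPS://EXAMPLE.COM:443/public/../secret/%2e%2e/secret/plan.txt"
    print(canonicalize(disguised))                                # https://example.com/secret/plan.txt
    print(decide("bob", disguised, canonicalize_at_pdp=False))    # Indeterminate
    print(decide("bob", disguised))                               # Deny
    print(decide("bob", "https://example.com/Secret/Plan.txt"))   # Indeterminate
    print(decide("bob", "https://example.com/Secret/Plan.txt",
                 case_insensitive_path=True))                     # Deny
```

The three candidate resolutions Phill was tasked with describing map directly onto where `canonicalize` is called: "sender normalizes" means the PEP calls it before building the request, "receiver normalizes" means the PDP calls it as `decide` does here, and with neither the disguised request above falls through to Indeterminate. The last two calls show why a consistent rule set matters more than the normalization itself: the RFC rules leave `/Secret/Plan.txt` distinct from `/secret/plan.txt`, which is correct for a case-sensitive backend and a hole for a case-insensitive one, and only a flag both parties share closes it.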