[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] Minutes for Telecon, Tuesday 30 April 2002
Minutes for SSTC Telecon, Tuesday 30 April 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson
>
>
> 1. Roll call
>
- Attendance attached to bottom of these minutes
- Quorum achieved
>
> 2. What Next after v1.0?
>
- Joe: brainstorm what do we need to do next
- examples:
- SOAP Profile
- Kerberos & SAML
- WS-Security & SAML
- Don: his customers interested in mid-tier, as opposed to perimeter
that SAML seems to focus on now
- this is area where EJB, CORBA, C++ exists
- Hal: talking about a profile, since assertions are useable
everywhere?
- Don: yes
- Hal: are you suggesting that a new use case is necessary?
- Don: would have to look at it more, but could be
- RLBob: this is of interest to people in the Shib area also,
along with other, more complex use cases
- Hal: 2 items set aside last year
- pass-through authN
- dynamic sessions
- Jeff: session management, in general, including static
sessions as well as dynamic
- RLBob: some standard way for bringing in X.500 attributes
- Phill: WS-Security
- changing WS-Security so that there is a profile there that
says where to put SAML assertions in the WS-Security payload
- how to use WS-Security for a SAML transport
- Hal: answering these questions should be a pre-req for issuing
our own SOAP profile
- Hal: XACML was planning to propose extensions to SAML
- Carlisle: example of 'obligations' or actions that PDP needs
to express to a PEP along with a decision
- Phill: are these conditions?
- Carlisle: not clear that this fits well into conditions
- Phill: so this is not a basis for trusting or acting on the
assertion
- Jeff: Joe, James Kobielus sent msg to us, which we should send
out now
- list of "it'd be great if SAML did this ..." collected from
Burton's discussion with other companies
- [sent to list during call]
- Don: would like to consider delegation
- Jeff: in what sense?
- Don: a call goes through multiple intermediates, which speak
for the initial client
- Hal: need use cases, because "delegation" can mean different
things
- Joe: perfectly reasonable to add use cases now
- Rob: Liberty Alliance
- some members have heard rumors that Project Liberty has
something to do with SAML and speculate that there may be
some useful cross-pollination to be had
- co-chairs concur, but note that the SSTC needs to wait for
Liberty folk to come forward to the SSTC
- as Project Liberty does not yet have a formal model for
liaison with the SSTC, we can only wait for Project
Liberty to approach the SSTC with any relevant information
before being able to further consider anything in that context
- SSTC members who participate in Project Liberty are encouraged
to make sure that necessary communication occurs and to inform
Project Liberty that SSTC is receptive to establishing a
formal liaison process.
- Hal: looking through deferred items from last issues list
- SASL
- foggy recollection of what this was originally about
- RLBob: use of SAML assertions in existing authN protocols
- Hal: SASL defines authN methods, and we've deliberately
NOT done that
- RLBob: browser profiles accepts SAML assertion in place
of HTTP Basic, Digest, etc, so in a sense, this is an
authN mechanism
- use of intermediaries, adding or removing assertions, etc
- some of the thinking there was that XML Protocol was going
to support/provide this, so SAML should support it too
- Joe: was this raised by Bob Blakely?
- Hal: thought it was Dave Orchard
- runtime privacy
- RLBob: Shib has made this a centerpiece
- Hal: heard a rumor that Liberty was working on this
- encryption - we vowed to incorporate this
- Jeff: very important
- XML Enc nearing standardization
- Hal: would we not do this similar to what we've done with
XMLSig?
- Jeff: still needs use cases
- Phill: could have encrypted statements or encrypted advice
- encrypted conditions would be interesting
- there was question around anonymity technique
- how to create an anonymous name identifier
- not sure if anyone wants to bring this back up
- privacy considerations
- people/orgs can control which attrs are given out and
under what circumstances
- we originally treated it as something that can be done,
but doesn't need standard around it
- feature to express that an assertion should not be cached
- dependency audit?
- Prateek: thinks it was infamous "validity depends on"
issue
- nested attrs
- one of many definitions of roles
- you're a member of a group by virtue of belonging to
another group that is a member of the original group in
question
- Don: couldn't this be done by XACML
- Hal: could be
- negative assertions
- discovery of authN protocols, presumably what is available
from an authN authority
- people should look through last issues list
- Jeff: do we want to run through Jim K's list?
- Hal: looks like Jim's list include much of what we've talked
about
- Jeff: need to consolidate and send out to list
- Hal: important to identify 5 or so top priorities
- Joe: intention here was to get ideas out on table, and get
people thinking
- Joe: other topics for discussion today?
- Hal: update on Catalyst
- Prateek: exact format of administrative model, etc, has been
posted to SAML-Dev mail list
- rehearsals (East & West coast versions) have been scheduled
for 17 June
- about 12 companies involved
- certain amount of concern/interest in things other than
browser artifact
- Carlisle: do you have all contact names you need?
- Prateek: no, specifically missing Entrust
- Carlisle: will send name
- Hal: hint to web site admin, there's no link to SAML-Dev
mailing list from SSTC site
- Jeff: will fix
- Hal: if orgs want to participate, contact us quickly!!
- Rob: if enough people will be at Catalyst, would it be useful
to hold 1-day FTF afterward?
- sounds like a good thing
- Eve: starting to collect editorial changes
- Joe: there is new template for OASIS spec
- Eve made it!
- not worth migrating to this template yet
- confusion over OASIS standardization timeframe
- submission is definitely 1 June
- unclear whether it is a 30/60/90 day process for ratification
- Joe: looking forward to SAML Dev group to find issues
- Hal: expects issues to be more cases of ambiguity needing
clarification, rather than true semantic issues
- Eve: SAML Dev group has opportunity to accumulate all out of
band coordination issues necessary for interoperability
- Rob: (regarding OASIS ratification timeline) reading from DSML
call for vote, OASIS members have 1 calendar quarter to
review, and 30 days to vote
- Eve: getting back to editorial changes, next week will be a
problem due to travel obligations, but week after is possible
- Concern over getting company names accurate
- we just have one month before submitting to Karl
- Joe: next meeting
- doesn't think we need meeting next week
- Prateek: SAML Interop wanted to take up the off week
- Jeff: we used to use off week for focus group calls, which
would good time for SAML Interop
- that will be on different phone number
- Eve: so she will cancel this number for 7 May & 21 May
- phone number will be posted shortly for those calls
- Joe: after 1 June submission, we can reconsider frequency of
formal calls
- next formal SAML call will be 14 May
>
> 3. Adjourn
>
- Adjourned
-----------------------------------------------------------------------
Attendance of Voting Members:
Irving Reid Baltimore
Hal Lockhart Entegrity
Carlisle Adams Entrust
Don Flinn Hitachi
Joe Pato HP
Jason Rouault HP
Marc Chanliau Netegrity
Prateek Mishra Netegrity
Charles Knouse Oblix
Steve Anderson OpenNetwork
Rob Philpott RSA Security
Jahan Moreh Sigaba
Bhavna Bhatnagar Sun
Jeff Hodges Sun
Eve Maler Sun
Bob Morgan UWashington
Phillip Hallam-Baker Verisign
Attendance of Observers or Prospective Members:
Robert Griffin Entrust
Simon Godik Crosslogix
Ron Jacobson CA
Membership Status Changes:
Gil Pilz E2open - lost voting status due to inactivity
--
Steve
Attachment:
sanderson.vcf
Description: Card for Steve Anderson
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC