Subject: RE: [security-services] Minutes of June 25 Telcon
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Tuesday, July 09, 2002 10:41 AM
To: 'security-services@lists.oasis-open.org'
Subject: [security-services] Minutes of June 25 Telcon

Attendees:
Allen Rogers Authentica
Aravindan Ranganathan Sun Microsystems
Carlisle Adams Entrust
Chris McLaren Netegrity
Eve Maler Sun Microsystems
Hal Lockhart Entegrity Solutions
Irving Reid Baltimore
Jahan Moreh Sigaba
Jason Rouault HP
Jeff Hodges Sun Microsystems
Joe Pato HP
Phillip Hallam-Baker Verisign
Prateek Mishra Netegrity
Rob Philpott RSA Security
Robert Griffin Entrust
Ronald Jacobson Computer Associates
Simon Godik (individual)

Prospective members:
Mingde Xu CrossLogix

Observers:
Scott Cantor OSU
Don Bowen Sun Microsystems

This constituted quorum.
There is a need for substitute chairs for the next several meetings. Volunteers should send email to Joe and Jeff.
No advance agenda was published. The following items for discussion were agreed at the beginning of the meeting:
The OASIS Standardization Process and Errata Handling
The Catalyst Interop
WS-Security
The spec has been submitted to OASIS for member review. This process will take 3 months, beginning July 1, followed by one month of voting. That brings us to Nov 1.
The question raised is how to handle errata. One specific "must fix" item relating to URIs and fragment identifiers has been identified. There will be others, no doubt.
No one wanted to pull the spec and modify it at this point. On the other hand, the issues must be fixed and the OASIS membership has to see the actual spec that they are approving.
After considerable discussion the following was agreed.
1. Notice will be given (in the document? on the web page?) that there is an errata document.
2. Identified problems and proposed solutions will be put in a "proposed errata" document section.
3. Changes will be voted and then put in an "actual errata" section of the document.
4. At the end of the review period and prior to the actual voting, all problems will be resolved and actual errata changes applied to the documents.
SAML Interop Event
Prateek: Being held at Burton Catalyst Conference in SF, July 15. F2F dry runs held June 17-19. Very successful, planned for a week. All complete after 2 1/2 days. Few SAML problems. More problems with SSL.
Rob: East coast dry run at RSA, 4 vendors: Baltimore, Entegrity, Netegrity, RSA. Put up interoperability grid and checked off each portal-application combination. Few SAML problems all easily fixed. Some follow up discussion about use of validity interval in Browser/artifact profile.
Hal: Demo consists of 12 applications, 9 portals. Login at any portal, connect to any app. Apps use attribute MemberLevel to determine user capabilities.
Don Bowen: West coast dry run at Sun - 8 Vendors - Crosslogix, ePeople, IBM/Tivoli, Novell, Oblix, OverXeer, Sigaba, Sun - Also went very well. Validity interval issue discussed at length. One unresolved problem: Sun and IBM could not interoperate SSL, although both could interoperate with everyone else. To be resolved. Expect to use the time in SF Sat and Sun to resolve remaining issues.
Hal: Also will be testing over the Internet. Make sure we don't have east/west versions.
WS-Security Profile for SAML
Prateek led a review and discussion of both the WS-Security document published by IBM, Microsoft and Verisign and the new SAML WS-Security Profile document he is editor of.
It is a renamed version of the SOAP Profile. Prateek would like to publish a (near final) update prior to Catalyst.
Hal and Prateek had a debate about the use of Authentication Statements and the two defined types of Subject Confirmation (Holder of Key and Sender Vouches) and their trust implications.
Prateek welcomes comments on the document flows especially.
Walk-through of WS-Security document.
Defined headers. Key concept: Actor. Can be an intermediary; can add or remove headers.
SAML Assertion is inserted in header as Security token.
A token reference is also supported. Agreed the SAML profile should support this. Useful optimization in some environments. Use Assertion ID as reference value. No need for secrecy or single use as with Artifact.
Much discussion about use of Exclusive XML Canonicalization. Consensus: superior to Inclusive canonicalization as it deals with automatic expansion of tags in XML.
No change required for Profile, but should evolve SAML signature definition to use Exclusive. Discussion about how to do that.
Consensus: nothing to be done in profile about encryption.
Need more text in profile to clarify intended uses and security considerations of two types of Subject Confirmation Method.
Web Services - Politics
Previously approved open letter to WS-sec folks never sent. Events are moving rapidly. Will submit to standards group within a week.
TC voted to empower chairs to provide quote for press release consistent with previous statement, but changed wording if necessary.
Adjourn
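An added illustration, not part of the minutes or of Prateek's draft profile: a SOAP message carrying a SAML 1.0 assertion as a WS-Security token, with a token reference that uses the AssertionID as its value and a signature that names Exclusive XML Canonicalization. The namespace and algorithm URIs are the published April 2002 WS-Security, SAML 1.0, XML-DSIG and exc-c14n ones; the shape of the reference element, the use of a plain Id attribute on the Body, and every identifier, timestamp and digest value are assumed sample values.

```xml
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SOAP-ENV:Header>
    <!-- Security header targeted at one actor; an intermediary may add or remove headers -->
    <wsse:Security SOAP-ENV:actor="http://example.org/sample-actor" SOAP-ENV:mustUnderstand="1">
      <!-- The SAML assertion is carried directly in the header as a security token -->
      <saml:Assertion MajorVersion="1" MinorVersion="0"
          AssertionID="sample-assertion-0001"
          Issuer="https://idp.example.org" IssueInstant="2002-07-15T09:00:00Z">
        <!-- Validity interval: the relying party checks both bounds -->
        <saml:Conditions NotBefore="2002-07-15T09:00:00Z" NotOnOrAfter="2002-07-15T09:05:00Z"/>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="2002-07-15T08:59:30Z">
          <saml:Subject>
            <saml:NameIdentifier>sample-user</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <!-- Holder of key: the message signer must prove possession of the key below -->
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
              <ds:KeyInfo><ds:KeyName>sample-subject-key</ds:KeyName></ds:KeyInfo>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
      <ds:Signature>
        <ds:SignedInfo>
          <!-- Exclusive C14N: ancestor namespace declarations are not pulled into the signed bytes -->
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#MsgBody">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
        <ds:KeyInfo>
          <!-- Token reference: the AssertionID is the reference value; unlike an artifact it needs no secrecy -->
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#sample-assertion-0001"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body Id="MsgBody">
    <sample:Request xmlns:sample="http://example.org/sample-app">MemberLevel lookup</sample:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```

Because exclusive canonicalization leaves out namespace declarations inherited from ancestors, the signed bytes stay the same when an intermediary adds headers to the envelope, which is the property the TC preferred it for.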