
Subject: [security-services] Minutes of OASIS SSTC focus group meeting for Sep3, 2002

Started at 12:01 EDT.
This was a Focus Group meeting.

1. WSSTC & profile of SAML thereof

2. mike just: credentials collection discussion

3. Jeff H: 1.x SAML release: to-do items, signups?

4. re-do charter to reflect post-1.0 

5. eve maler: upcoming sstc schedule (eg: biweekly concalls?)

Action items:
Mike Just to submit a proposal on Credentials Collection.
Eve Maler to propose changes for fixing the Fragment Identifier issue.
Scott Cantor to take the XML DSIG discussions from the thread and turn
them into a "best practices" document.
Carlisle Adams to take the "Standardize Issuer Format" item back to the XACML TC
for clearer requirements and/or a proposal.
Eve to ask other TCs about how they did their charter modifications.

Agenda items for Sep 17:
Review of action items.
Discussion on fragment identifiers.
Discussion on credentials collection

1. WSSTC and SAML Profile
Jeff: My understanding is that profiling SAML in the context of WSSTC is
officially on the table. There are now two approaches, one submitted by
Prateek on behalf of OASIS SSTC. The second is an effort between IBM,
Microsoft and Verisign (Phil Hallam-Baker).

Prateek: We have submitted the draft (10 days ago). Subsequently there
were a couple of questions regarding the submission. We clarified that
this is in fact a submission from the OASIS SSTC. We have also clarified
that the IP status is similar to other OASIS standards/submissions.

Carlisle: Why was the addendum submitted?

Maryann: The addendum was posted as a result of interoperability. Also,
there were two submissions, one on the SAML profile and the other on XrML
profiles. The SAML profile submitted is very similar to the profile
submitted by the SSTC.

Jeff H: In summary, the SSTC is fairly assured that the WSSTC is going
to address the SAML profile.

2. Credential Collection
Mike Just: propose to move forward with this item. Mike will draft a
proposal by next Friday so that we can discuss it on our next call on
Sep 17.
Carlisle: there are a few people interested in this item.
Bob Morgan: yes, there was quite a lot of interest. It narrowly missed
being part of SAML 1.0.

3. Discussion of TODO list
Fragment Identifier
Jeff H: Fragment Identifier requires change to normative spec.
Eve: Yes, the change is minor. Eve will take this item and will propose

Assertion Cache
Eve: We should keep the "assertion cache" issue open until we have more
people on the call to decide if we want to drop this or take it on.

Jeff: XML DSIG issue needs to be looked into. We could profile XML DSIG
more narrowly. Also, there is the issue of canonicalization which is now
finalized in XML DSIG. This is an important item and we should more
precisely specify it. Can we do some tightening up in 1.x, or would
making any changes beyond a separate "best practices" document make sense?

Scott Cantor: We can make some minor revisions in the spec, which can
also be in the best practices document. 

Jeff: We certainly do not want to break backward compatibility.

Scott Cantor will take the XML DSIG discussions from the thread and turn
them into a "best practices" document.

Standardize issuer name formats (request came from XACML)
Jeff H: This is issue DS-8-6 
Eve: This was talked about and dropped, but again came up from the XACML
Jeff H: It appears that this issue was closed. We can turn it back to
Eve: It sure seems simple to solve this problem.
Bob Morgan: The counter observation is that nobody seems to know what
the "issuer" really is since the security of the assertion is based on
the signer's identity. Therefore any write-up on this should consider
the security issues and not just address the format of the issuer
Jeff: Carlisle, please take this back to the XACML for more clear
requirements and/or proposal.

Figure out versioning of modularly published profile and binding specs
Jeff H: This could be a very simple change.
Prateek: We do have a requirement that there needs to be a unique
identifier associated with each profile. 
Jeff H: The larger question is if our profile registration template is
sufficient. This could be a non-issue. We will leave this item for now
and see if any other profiles come out.

Sharpen conformance language around the notions of profiles vs.
Jeff H: I will have to look at the conformance language to see what is
written. We had discussed this last time. Profiles do not extend the
schema but extensions do. It would be good to distinguish between the
two. We need to first determine if this is an issue. We will table this.

Formalizing operational agreements between sites 
Jeff H: this grew out of the Liberty specs as well as SAML
interoperability effort.
Bob Morgan: A lot of Shibboleth work has been precisely this.
Don: this could be a very big architectural discussion.
Bob Morgan: there are many layers at which we can discuss this. 
Jeff H: Someone who is active in SAML DEV can shepherd this and then
report back to the SSTC.
Maryann: Is there a liaison relationship with WSI and would that be an
appropriate forum?
Jeff H: Are there any SSTC people who are active in WSI?
An approach could be to gather the various usages (Shibboleth, Liberty,
SAML interop) and reference it as a starting point.

4. Redo Charter
Eve: We'd like to modify the charter to accurately reflect our current
thinking. We'd like to finalize this by the end of year. You are allowed
to clarify your charter, so there is some room for modifications.

Eve will ask other TCs about how they did their charter modifications.

5. SSTC Schedule
Eve: we have the con call number until Dec. 10. Do we want to change
Group: we will keep our biweekly conference calls. 

6. Adjourned at 13:23 EDT

Voting members:
Ronald Jacobson, Computer Associates
Mingde Xu, CrossLogix
Hal Lockhart, Entegrity
Carlisle Adams, Entrust
Don Flinn, Hitachi
Jason Rouault, HP
Maryann Hondo, IBM
Prateek Mishra, Netegrity
Jahan Moreh, Sigaba
Bhavna Bhatnagar, Sun
Jeff Hodges, Sun
Eve Maler, Sun
Emily Xu, Sun
Bob Morgan, UWashington

Prospective members:
Mike Just, Entrust

Jahan Moreh
Chief Security Architect
tel: 310.286.3070
fax: 310.286.3076
