Subject: [security-services] Minutes for Telecon, Tuesday 1 October 2002
Minutes from prior meeting...
  [security-services] Minutes for Telecon, Tuesday 17 September 2002
  http://lists.oasis-open.org/archives/security-services/200209/msg00018.html

Minutes from 1-Oct based on agenda..
  http://lists.oasis-open.org/archives/security-services/200210/msg00006.html

------------------------------------>

1. Roll call

   Reached quorum.

2. Agenda bashing

   Add action item #7 (see below). Mike Just is on another call.

2.1 Minutes approval

   Minutes from prior meeting (see above) approved by unanimous consent
   w/ addition of action item #7 (see below).

3. Outcome of submission of draft-sstc-ws-sec-profile-03 to WSSTC

   SSTC submission of WS-Security profile is complete.
   draft-sstc-ws-sec-profile-04 with appropriate author list was submitted
   to the WSS TC. Appropriate declaration from authors is available from
   SSTC archives. Formal minutes of WSS from September 24 not yet
   published, so we need to verify successful submission.

4. Discussion of draft-sstc-xmlsig-guidelines-02

   Scott presents contents of draft-sstc-xmlsig-guidelines-02. Main issue
   is around the recent development of exclusive canonicalization and its
   use in SAML. Important to note that exclusive canonicalization is
   relevant to both the transformation and canonicalization.

   AI: Jeff to send this doc over to Liberty arena for feedback -- #8

   Transform issue: Summary (by Prateek)..

   A second area of concern is interoperability and transforms. The
   problem here is that the XML-DSIG specification does not mandate
   support for transforms (uses SHOULDs not MUSTs). So there is a
   difficulty in the interoperability area.

   Issues:
   (a) What to do in the short-term before SAML 1.1?
   (b) What recommendations to make for SAML 1.1?

   (a) One proposal would be to restrict attention to interoperability on
       the POST profile, and provide some reasonable guidelines for
       generic use (not worry about interoperability in general).
   (b) Need to figure out XMLish and other concerns around the use of ID
       in SAML assertions. This should be part of SAML 1.1.

   ---------------
   Raw Notes (JeffH's)..

   scott: w3c dsig spec doesn't have MTIs in it, so we need to profile it
   to narrow the space down to something implementable.

   easiest thing to do wrt referencing the target xml frag is to have the
   target's schema support id attrs on its elements.

   there are interop implications to using a shortcut to doing the xforms.
   for now folks can be conformant... (didn't capture it)

   do need to define a best practice for saml 1.0 xform-wise.

   only way to be secure (right now): do xform, take result bytes, input
   them to one's app. most xml (parsing) libs these days are DOM-based, so
   one ends up parsing one's xml stuff twice.

   so until saml spec is updated, what xforms do we promulgate to promote
   interop? one approach: get post profile to interop for now. empty uri
   ref will work w/ env sig xform. this will work for that one profile.

   these issues then are an issue for other profiles that ref SAML, such
   as WSS work.

   scott impl'd his SAML lib to try to support signing indep of the
   particular profile.

   an action item later on will be to address the id attr in terms of the
   SAML schema. do we want to use the saml id:attr? or use the xsd:id
   attr? there are issues with either choice. right thing to do one way
   or another is to get an id attr in the saml schema.
   -----------------

   AI: scott will take another pass on the sstc-xmlsig-guidelines doc
   (a -03) in the next week or so. -- #9

5. Discussion of credentials collection

   Discussion on Mike Just's "SAML Credentials Collection" paper. Mike
   Just is absent from the call, with Carlisle Adams subbing for him.

   Hal expresses concern about the use-case discussed in the current
   draft (September 13, 2002). Main issue is how this accounts for the
   use case where several web servers "front" for an authentication
   authority. The web servers need to interact with the authentication
   authority, possibly via a multiple sequence of steps.

   Nominal questions on the doc..
   [Irving, Jeff, Hal] Relationship to WS-Security?
   [Prateek, Carlisle] Is the interaction between System Entity and CC in
   scope? Or is it just the relationship between the CC and the AA?
   seeAlso: recent discussion on the list

   Carlisle will communicate this feedback to Mike Just. Expectation is
   that Mike will rev the doc.

6. Adjourn

Action items ------------->

AI1. Scott Cantor to take the XML DSIG discussions from the thread and
     turn it to a "best practices" document. done.
AI2. Carlisle Adams to take the "Standardize Issuer Format" back to the
     XACML for more clear requirements and/or proposal. still open.
AI3. Eve to ask other TCs about how they did their charter modifications.
     still open.
AI4. Prateek to check with OASIS folks on submitting
     draft-sstc-ws-sec-profile-03. done.
AI5. Rob and Irving to look over Eve's submission on fragment identifiers.
     still open.
AI6. Jeff to determine if conformance language around the notions of
     profiles vs. extensions is really an issue. still open.
AI7. Prateek & Jeff to look at Liberty provider metadata's applicability
     for SAML specs. still open.
AI8. Jeff to solicit comment on draft-sstc-xmlsig-guidelines-0{2|3} from
     Liberty arena. New.
AI9. Scott to rev the draft-sstc-xmlsig-guidelines-02 doc to -03. New.

--------------- attendees -----------------

Allen Rogers        Authentica
Irving Reid         Baltimore
Ronald Jacobson     Computer Associates
Mingde Xu           CrossLogix
Hal Lockhart        Entegrity
Carlisle Adams      Entrust
Robert Griffin      Entrust
Don Flinn           Hitachi
Prateek Mishra      Netegrity
Charles Knouse      Oblix
Rob Philpott        RSA Security
Jahan Moreh         Sigaba
Jeff Hodges         Sun
Emily Xu            Sun
Simon Godik         (individual)
Bob Morgan          (individual)

--- end
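To make the two reference styles discussed under item 4 concrete (empty URI reference with the enveloped-signature transform for the POST profile, versus an ID-based reference for assertions embedded in other documents), here is a constructed ds:Signature fragment; it is an added illustration, not text from the minutes or from draft-sstc-xmlsig-guidelines-02. The algorithm URIs are the standard XML-DSIG and Exclusive C14N identifiers; the digest, signature and ID values are placeholders.

```xml
<!-- Constructed illustration; digest, signature and ID values are placeholders. -->

<!-- Form (1): POST profile. URI="" denotes the document that contains this
     Signature; the enveloped-signature transform removes the ds:Signature
     element itself before digesting, and exclusive C14N makes the digest
     independent of the namespace context the document was pulled from. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
</ds:Signature>

<!-- Form (2): assertion carried inside a larger document (e.g. a WS-Security
     header), so URI="" would cover the wrong thing. A same-document
     reference "#id" only dereferences generically when the verifier knows
     the referenced attribute is of ID type, which is why the minutes call
     for an ID attribute in the SAML schema. Verifiers that instead feed
     the transform output bytes to the application (the "parse twice"
     approach in the raw notes) avoid trusting the un-transformed DOM. -->
<ds:Reference URI="#PLACEHOLDER-ASSERTION-ID">
  <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
</ds:Reference>
```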