
Subject: [security-services] Minutes for Telecon, Tuesday 1 October 2002

Minutes from prior meeting...

[security-services] Minutes for Telecon, Tuesday 17 September 2002

Minutes from 1-Oct based on agenda.

1. Roll call

reached quorum

2. agenda bashing

add action item #7 (see below)

Mike Just is on another call.

2.1 minutes approval

minutes from prior meeting (see above) approved by unanimous consent w/addition
of action item #7 (see below).

3. outcome of submission of draft-sstc-ws-sec-profile-03 to WSSTC

SSTC submission of WS-Security profile is complete. 
draft-sstc-ws-sec-profile-04 with appropriate author list
was submitted to the WSS TC. Appropriate declaration from authors is
available from SSTC archives. 

Formal minutes of the WSS TC meeting of September 24 are not yet published, so
we still need to verify successful submission.

4. discussion of draft-sstc-xmlsig-guidelines-02

Scott presents the contents of draft-sstc-xmlsig-guidelines-02. The main
issue is the recent development of exclusive canonicalization and its use in
SAML. It is important to note that exclusive canonicalization is relevant both
as a transform and as the canonicalization method.

AI: Jeff to send this doc over to Liberty arena for feedback -- #8

Transform issue:
  Summary (by Prateek):

    A second area of concern is interoperability and transforms. The problem
    here is that the XML-DSIG specification does not mandate support for
    transforms (uses SHOULDs not MUSTs). So there is a difficulty in the
    interoperability area.

    Issues: (a) What to do in the short-term before SAML 1.1?
            (b) What recommendations to make for SAML 1.1?

    (a) One proposal would be to restrict attention to interoperability on the
        POST profile, and, provide some reasonable guidelines for generic use 
        (not worry about interoperability in general).

    (b) Need to figure out XMLish and other concerns around the use of ID in 
        SAML assertions. This should be part of SAML 1.1.

  Raw Notes (JeffH's):

scott: w3c dsig spec doesn't have MTIs in it, so we need to profile it to
narrow the space down to something implementable. easiest thing to do wrt
referencing the target xml frag is to have the target's schema support id attrs
on its elements.

there are interop implications to using a shortcut to doing the xforms

for now folks can be conformant... (didn't capture it)

do need to define a best practice for saml 1.0 xform-wise

only way to be secure (right now)
 do xform
  take result bytes
   input them to one's app

most xml (parsing) libs these days are DOM-based
 so one ends up parsing one's xml stuff twice

so until saml spec is updated, what xforms do we promulgate to promote

one approach: get post profile to interop for now
 empty uri ref will work w/ enveloped sig xform
 this will work for that one profile

these issues then are an issue for other profiles that ref SAML, such as WSS

scott impl'd his SAML lib to try to support signing indep of the particular

an action item later on will be to address the id attr in terms of the SAML
 do we want to use the saml id:attr? or use the xsd:id attr?
 there are issues with either choice

 right thing to do one way or another is to get an id attr in the saml schema.

AI: scott will take another pass on the sstc-xmlsig-guidelines doc (a -03) in
the next week or so.  -- #9
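As an added illustration of the "do the transform, take the result bytes, feed them to the app" rule and of resolving references through schema-declared ID attributes (this is example code, not from the SSTC or from Scott's library): a hypothetical Python verifier that resolves a ds:Reference by SAML 1.x ID attribute or by the empty URI, applies the enveloped-signature transform, canonicalizes, checks the digest, and returns only the verified octets so the application parses those (a second parse) rather than the original DOM. Assumptions: the standard library's C14N 2.0 stands in for the exclusive C14N under discussion, the digest is SHA-256, the SAML Response is a constructed sample, and the cryptographic check of SignatureValue over SignedInfo is left out; a non-validating parser cannot know which attributes are IDs, which is why SAML_ID_ATTRS has to be supplied.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"          # Clark-notation prefix for ds: names
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SAML_ID_ATTRS = ("AssertionID", "ResponseID", "RequestID")   # SAML 1.x's ID-typed attributes
SAMPLE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="r1"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="0">
  <saml:Assertion AssertionID="a1" MajorVersion="1" MinorVersion="0"
    Issuer="idp.example.org" IssueInstant="2002-10-01T17:00:00Z">
    <saml:AuthenticationStatement AuthenticationInstant="2002-10-01T16:59:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement></saml:Assertion></samlp:Response>"""  # constructed sample

def resolve_reference(root, uri):
    """Map a ds:Reference URI to the element it names (hypothetical helper)."""
    if uri == "":                                    # empty URI: the whole document
        return root
    hits = [e for e in root.iter() if any(e.get(a) == uri[1:] for a in SAML_ID_ATTRS)]
    if not uri.startswith("#") or len(hits) != 1:    # unknown or ambiguous ID: refuse
        raise ValueError("cannot resolve reference %r" % uri)
    return hits[0]

def transformed_octets(element, transforms):
    """Transforms, then canonicalization: these octets are what the digest covers.
    ET.canonicalize (C14N 2.0) stands in for exclusive C14N; ENVELOPED drops ds:Signature."""
    exclude = [DS + "Signature"] if ENVELOPED in transforms else None
    return ET.canonicalize(ET.tostring(element, encoding="unicode"),
                           exclude_tags=exclude).encode("utf-8")

def sign(xml_bytes, uri):
    """Constructed signer: embeds a ds:Signature holding only the reference digest."""
    root = ET.fromstring(xml_bytes)
    target = resolve_reference(root, uri)
    sig = ET.SubElement(target, DS + "Signature")       # enveloped: lives inside its target
    ref = ET.SubElement(ET.SubElement(sig, DS + "SignedInfo"), DS + "Reference", URI=uri)
    ET.SubElement(ET.SubElement(ref, DS + "Transforms"), DS + "Transform", Algorithm=ENVELOPED)
    digest = hashlib.sha256(transformed_octets(target, [ENVELOPED])).digest()
    ET.SubElement(ref, DS + "DigestValue").text = base64.b64encode(digest).decode()
    return ET.tostring(root)

def verified_octets(xml_bytes):
    """Check the digest, then hand back ONLY the digested octets for the app to parse."""
    root = ET.fromstring(xml_bytes)
    ref = root.find(".//%sSignature/%sSignedInfo/%sReference" % (DS, DS, DS))
    transforms = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
    octets = transformed_octets(resolve_reference(root, ref.get("URI")), transforms)
    if hashlib.sha256(octets).digest() != base64.b64decode(ref.findtext(DS + "DigestValue")):
        raise ValueError("digest mismatch: the referenced content was altered")
    return octets
```

With two elements carrying the same ID value, resolve_reference refuses rather than picking one, which is the failure mode the ID-attribute question in the notes leads to.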

5. discussion of credentials collection

Discussion of Mike Just's "SAML Credentials Collection" paper. Mike Just
is absent from the call, with Carlisle Adams subbing for him. Hal expresses
concern about the use case discussed in the current draft (September 13, 2002).
The main issue is how it accounts for the use case where several web servers
"front" for an authentication authority; the web servers need to interact with
the authentication authority, possibly via a sequence of multiple steps.

nominal questions on the doc:

[Irving, Jeff, Hal] Relationship to WS-Security? 

[Prateek, Carlisle] Is the interaction between System Entity and CC in scope?
Or is it just the relationship between the CC and the AA?

seeAlso: recent discussion on the list

Carlisle will communicate this feedback to Mike Just. Expectation is that Mike
will rev the doc. 

6. adjourn

Action items 

AI1. Scott Cantor to take the XML DSIG discussions from the thread
      and turn it to a "best practices" document


AI2. Carlisle Adams to take the "Standardize Issuer Format" back
      to the XACML for more clear requirements and/or proposal. 

still open.

AI3. Eve to ask other TCs about how they did their charter

still open

AI4. Prateek to check with OASIS folks on submitting 


AI5. Rob and Irving to look over Eve's submission on fragment

still open.

AI6. Jeff to determine if conformance language around the notions of
      profiles vs. extensions is really an issue

still open.

AI7. Prateek & Jeff to look at Liberty provider metadata's applicability 
      for SAML specs

still open.

AI8. Jeff to solicit comment on draft-sstc-xmlsig-guidelines-0{2|3} from
Liberty arena.


AI9. Scott to rev the draft-sstc-xmlsig-guidelines-02 doc to -03.


Attendees:

Allen Rogers           Authentica
Irving Reid            Baltimore
Ronald Jacobson        Computer Associates
Mingde Xu              CrossLogix
Hal Lockhart           Entegrity
Carlisle Adams         Entrust
Robert Griffin         Entrust
Don Flinn              Hitachi
Prateek Mishra         Netegrity
Charles Knouse         Oblix
Rob Philpott           RSA Security
Jahan Moreh            Sigaba
Jeff Hodges            Sun
Emily Xu               Sun
Simon Godik            (individual)
Bob Morgan             (individual)

