security-services message

Subject: Minutes for Telecon, Tuesday 22 July 2003

Minutes for SSTC Telecon, Tuesday 22 July 2003
Dial in info: +1 865 673 3239  #238-3466
Minutes taken by Steve Anderson


    - Minutes from 1 July 2003 call accepted
  Previous Action Items Still Open:
    - 0038 Continue developing Metadata specs
    - 0013 Request use of WS-Trust for CC proposal

  New Action Items:
    - Eve to send out location info for F2F
    - Eve & Prateek to begin Liberty analysis
    - Chairs to post notice to interested public on SAML Dev for
      solicitation of comments on 2.0
    - Jeff to draft goal statement for v2.0
    - Eve to send Ron Monzillo question on profiles for multi-
      participant transactional workflows

                             Raw Notes

> Agenda:
> 1. Roll call

- Attendance attached to bottom of these minutes
- Quorum achieved

> 2. Accept minutes from previous meeting, 1 July
>    < http://lists.oasis-open.org/archives/security-services/
>      200307/msg00002.html >

- [VOTE] unanimous consent, accepted

> 3. Any remaining SAML 1.1 submission issues?

- Rob: we submitted paperwork on 15th, along with attestations
- Karl came back with some requested changes, some regarding 
  contributors list
- made some editorial changes and resubmitted
- they only accepted 3 of the attestations, since Internet2 isn't a
  member organization
- if there are any others that can or want to make an attestation, 
  there is probably a little more time to get that in
- Eve: suggests that people verify their info in Kavi, because
  inconsistencies there caused some difficulty in this process

> 4. Finalize dates and location for September F2F
>    < http://www.oasis-open.org/apps/org/workgroup/
>      security/ballots.php >

- Prateek: we have a tie for week of Mon 8 Sept between beginning of
  week vs. end of week
- Rob: confirming we are holding this on the East coast
- given that, we could defer to folks traveling farthest
- seems that Monday noon start isn't that helpful
- Eve: proposes Mon 10-5, Tue 9-5, and Wed 9-noon (Sept 8-10)
- got consensus
- Eve: can host it, offering room and A/V (no catering)
- dial-in can be provided
- no external network access likely
- Eve: most will want to go thru Logan, but alternative is Manchester, 
  NH Airport, which is about an hour away
- [ACTION] Eve to send out location info for F2F

> 5. SAML 2.0 Next Steps
>    (a) Call for Editors
>    Frederick Hirsch (Nokia) and Eve Maler (SUN) have graciously
>    volunteered to act as Editors. It is likely we will require
>    additional editors for the many SAML 2.0 drafts. Please contact
>    Rob Philpott or Prateek Mishra if you are interested in this time
>    consuming, difficult but very important role.

- Prateek: soliciting volunteers for editor role

>    (b) SAML 2.0 Scope definition
>    Recall that we have requested permission to create derivative
>    works from Liberty Alliance 1.1.
>    < http://lists.oasis-open.org/archives/security-services/
>      200304/msg00072.html >
>    What are our next steps in this space?
>    Would it not be better to begin work from LA 1.2? 
>    Further, at various points lists of SAML 2.0 topics have been
>    published:
>    < http://lists.oasis-open.org/archives/security-services/
>      200307/msg00004.html >
>    What are our next steps in this space?

- Prateek: How do we approach v2.0?
- Eve: we were specifically granted use of Liberty v1.1, right?
    - Prateek/Jeff: confirmed
    - Jeff: we can begin work on 1.1
    - there is a minor change from 1.1 to 1.2
    - there are several TC members that are part of the Liberty work
    - would be a mistake to wait for 1.2
- Prateek: so how do we proceed?
    - Jeff: suggests we take the SAML 2.0 wish list that has been 
      around for a while, and compare it to Liberty 1.1
    - Eve: we need an 'elevator statement' for the goals of v2.0
    - one could be re-synch'ing SAML with current practices and real
      world usage scenarios
    - Prateek: how do we go about that?  open up for comments from
      TC members?
    - open up to external orgs, e.g. GRID
    - Jeff: sounds reasonable
    - Eve: could specifically ask for people who have been developing
    - Jeff: we shouldn't wait for detailed analysis from external orgs
      (e.g. GRID), but we can do our own analysis of their public docs
      and ask for their comments
- Prateek: wants to assign names to these items
    - Eve: Can work on Liberty analysis, but needs help from someone
      more familiar with Liberty
    - Prateek: isn't that familiar, but willing to help
    - Jeff: minimal availability until after August
    - Eve: maybe she & Prateek can start it and get review from Jeff
    - Scott: can probably lend some assistance as well
    - [ACTION] Eve & Prateek to begin Liberty analysis
    - [ACTION] Chairs to post notice to interested public on SAML Dev
      for solicitation of comments on 2.0
    - Eve: talking about 'elevator pitch'
    - the fact that we're moving past 1.0 and 1.x shows longevity
    - Scott: would add 'alignment with emerging standards' as part of
      the pitch for 2.0
    - Hal: we have a list of deferrals for 2.0
    - [ACTION] Jeff to draft goal statement for v2.0
- Frederick: would like to walk through list
  < http://www.oasis-open.org/archives/security-services/
    200302/msg00053.html >
    - Prateek: were there particular questions?
    - Frederick: yes, e.g. don't understand "simple sessions"
        - Prateek: that's adding signout type things
        - Hal: in contrast to global timeout and other non-simple
          session concepts
    - Jeff: sent msg to list pointing to prior discussions on v2.0
      < http://www.oasis-open.org/archives/security-services/
        200307/msg00045.html >
        - the msgs pointed to seem a little light
    - Eve: there was a desire for an HTTP binding, but there may not
      be one now
- perusing thru list
    - a few Liberty-related items at beginning
    - Assertion encryption
        - XML Encr wasn't finished by our 1.0 timeframe, but now is
        - Jeff: we should gather use cases
        - Hal: why not just allow any part of the assertion to be
        - [protracted discussion, not going to solve today]
    - B2B, A2A, back-office profiles
        - didn't have time for them previously
        - these will need champions
    - Profile for mid-tier usage a la Hitachi
        - will also need a champion
        - Quadrasis may have interest
    - Profiles for multilevel access controls
        - sketchy recollections of this
        - seems to speak to ability to effect access control on
          attributes in assertions
        - we'd need some concrete suggestions for this
    - Profiles for multi-participant transactional workflows
        - Irving: guessing that this is for attaching assertions to
        - characteristic of web browser profile is that assertions have
          confirmation methods that render the assertions useless in
          any other step of a workflow process (which is intentional)
        - Prateek: Irving for champion here?
        - Irving: wouldn't be right person
        - [ACTION] Eve to send Ron Monzillo question on profiles for 
          multi-participant transactional workflows
        - Scott: may also be a possible champion
        - basically doesn't think our assertions should be short-lived
    - SIDE NOTE: Eve spoke with someone who wrote a security analysis
      of web browser profile
        - will be published soon, but author didn't want to compromise
          the publication by providing the writeup directly
        - Rob: is this good news or bad?
        - Eve: good, he said it was one of the most well specified,
          high quality specifications produced lately
        - he had just a few suggestions
        - Eve: will contact him and urge him to submit something to us
        - can do the same with the publication
    - SAML credentials collector and credentials assertions
        - Tim: can possibly take this on
        - Tim: Jeff is also interested, so he may help
    - SASL support in authentication methods
        - Scott: not the same as this, but Liberty's authN context is
          something we need here
    - Baseline attribute namespaces
        - this is standardizing some attribute namespaces
        - Irving: could have a DSML profile for a person's attributes
        - Eve: this is related to some misunderstandings in an article
          on the IBM DeveloperWorks site
            - "Debunking SAML Myths and Misunderstandings"
              < http://www-106.ibm.com/developerworks/xml/
                library/x-samlmyth.html >
            - has a mixture of correct & incorrect material
            - Chairs could respond with a letter to the editor with
              gentle corrections
        - Scott: can champion this
        - Scott: RLBob may be interested in this too
    - Hierarchical delegation of privileges among federated attribute
        - not sure what this means
        - this may just go in a set of needed delegation use cases
    - Standardized trust between SAML-enabled servers
        - Jahan: this may be formal means of what we've been doing 
        - Scott: don't want to muddy our work with metadata with trust
        - there should be a clear distinction
        - Jahan: can try to carry this
    - Persistent caching (mirroring?) of assertions at multiple sites
        - Jahan: one time use characteristic now vs. possible
          multiple use characteristics?
        - not clear
        - Scott: WS-Security's security token references are related 
        - doesn't see why we have SAML protocol to obtain assertions,
          and we also have these STRs
    - Privacy and Anonymity items
        - will be related to Liberty
        - Scott: anonymity will be in Liberty 1.2
    - SAML feature discovery through WSDL, UDDI, etc
        - appears to be metadata
        - Eve: thought this was partly just publishing a real WSDL
        - Scott: not sure UDDI would fit into that
        - Prateek: we can throw this into metadata bucket
    - Kerberos support
        - JohnHughes: will champion this, and will see if this makes
    - Pass-through authentication
        - Prateek: is this subsumed by credential collector?
        - seems to be
        - will fold into that
    - Rich/dynamic sessions (more than Liberty)
        - Prateek: we should fold this and the simple session stuff
          into an overall session topic
    - X.500 attribute support
        - Scott: related to prior discussion on standardized attrs
    - Delegation use cases
        - Liberty provides sort of "one hop" impersonation, but
          wouldn't call it delegation
        - Frederick: doesn't understand this relative to WS-Security
        - need to consult with Ron Monzillo on this as well
    - Use of intermediaries
        - Scott: relates to delegation issue
        - Prateek: should they be folded together?
        - seems like it
    - Dependency audit ("validity depends on")
        - Prateek: will champion this
    - Negative assertions
        - Eve: should call for use cases for this
    - More complex queries, e.g. all attributes in namespace X
        - Prateek: this is another extension to SAML protocol
    - Standardizing policy around which attributes get supplied
        - related to previous
        - also related to profile for multilevel access control
        - can fold all these together
- Eve: notes that we should start a 2.0 issues list
    - there were some items we promised to address in v2.0 that have
      workarounds in v1.1
    - Rob: need to call for volunteer to be editor
    - Frederick: can do it if no one else is doing it

> 6. Open Action Items
>    0038 Continue developing Metadata specs
>    Prateek Mishra

- not discussed

>    0013 Request use of WS-Trust for CC proposal
>    Maryann Hondo

- not discussed

> 7. Any other business

- none

> 8. Adjourn

- Adjourned


Attendance of Voting Members:

  Irving Reid Baltimore
  Hal Lockhart BEA
  Ronald Jacobson Computer Associates
  John Hughes Entegrity Solutions
  Scott Cantor Individual
  Bob Morgan Individual
  Prateek Mishra Netegrity
  Frederick Hirsch Nokia
  Senthil Sengodan Nokia
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Simon Godik OverXeer
  Rob Philpott RSA Security
  Edward Coyne SAIC
  Dipak Chopra SAP
  Jahan Moreh Sigaba
  Bhavna Bhatnagar Sun
  Jeff Hodges Sun
  Eve Maler Sun
  Emily Xu Sun

Attendance of Observers or Prospective Members:

  Tim Moses Entrust

Membership Status Changes:

  Mark O'Neill Vordel - Granted voting status after call

