
security-services message


Subject: Minutes from the December 22, F2F Focus Group Call



Eve Maler

Scott Cantor

Frederick Hirsch

Mike MacIntosh

Tim Moses

Bob Morgan

Tim Olsop




1. No focus call on December 29, 2003!!


2. W-5a: LECP proposal


ACTION: (FH) Update lecp-proposal-v4.pdf with ID-FF 1.2 schema changes


ACTION: (FH) Update to respond to Tony's security questions but we need to ask Tony for the specific problem he had in mind.


ACTION: Mike McIntosh to post link to Thomas Gross analysis of artifact profile.


ACTION: (FH) Check with Liberty Interop for any problems that may have arisen with actual use of LECP profile.


Scott: Original attack on LECP profile is based on issues having to do with the target of the POST from the client. This problem is solved or obviated by use of meta-data describing the target of the POST and has been captured in ID-FF 1.2. This is quite different from the Thomas Gross vulnerability described in the conference paper.


Frederick Hirsch: leads discussion on lecp-proposal-v4.pdf



Scott Cantor: Browser profile protocol flows need to be fully fleshed out; LECP is a special case or instance of these profiles. This may depend upon W-5 - Profile Enhancements or a broader SOAP profile. We can defer this to the next F2F.



3. W-6: Proxied SSO


Scott: Input solution requires privacy; we need to figure out whether we need to generalize this case where we do not need privacy.


A second issue has to do with "controls" over the proxy. This is a three party situation: IdP, Proxy and SP, so the question arises whether IdP can indicate to Proxy what is needed and whether the Proxy can indicate its preferences.


Next F2F we should examine relationship to the overall browser profile and this item.


ACTION: (SC) Request Liberty contributors to send draft to SSTC dealing with second issue.



4. W-7: Discovery Protocol


Scott: Renamed from introduction protocol to discovery protocol.


ACTION: (SC) Update based on replacement of hash of succinct id by literal provider id.


Scott: The protocol should be explicit about all encoding steps.


5. Issues around SAML extensibility


6. Eve to include editorial discussion on next conference call on January 6th.


7. Prateek to send reminders to work item owners for January 6th conference call. Concerned that we have 6 or 8 major work items without solution proposals at this time.


