security-services message



Subject: Minutes for Telecon, Tuesday 6 January 2004


Minutes for SSTC Telecon, Tuesday 6 January 2004
Dial in info: +1 865 673 3239  #238-3466
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

  Votes:
  
    - Minutes from 9 December 2003 call accepted
   
  Previous Action Items Still Open:
  
    - #0086: Non-HTTP use-cases related to the LECP profile
    - #0084: Reconcile terminology in glossary and current use-case
             document
    - #0088: Understanding ID-FF AuthNContext Elements

  New Action Items:
  
    - Rob to setup poll for F2F attendance
    - Tony to draft amendments to current charter, post to list,
      and move for a vote
    - Eve to produce recommendation on extensibility
    - Scott to contact Jahan to followup on Roles & Metadata
    - Scott & Tony to make recommendations based on IBM security
      analysis paper
    - Jeff to contact Bill Howard regarding W-8
    - [MISSING ACTION] for Hal, regarding sessions
    
======================================================================
                             Raw Notes
======================================================================

> 
> Agenda:
> 
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

> 
> 2. Accept minutes from previous meeting, 9 December
>    < http://lists.oasis-open.org/archives/security-services/
>      200312/msg00054.html >
>

- [VOTE] unanimous consent, accepted

> 
> 3. Updates for upcoming Boston F2F (Feb 3-5, 2004)
>

- Rob: times are listed on Kavi calendar
    - Tues: 11am-5:30pm
    - Wed: 9:30am-5:30pm
    - Thurs: 9:30am-4pm
- Do folks want to adjust this?
- Hal: need a poll for headcount sometime this month
- BEA will provide snack & lunch
- Rebekah: will there be dial-in access?
- Hal: yes, assuming we can use the same bridge as concalls
- Eve: yes, can use this one
- Hal: will need to know who will be interested for what agenda items
  for dial-in
- [ACTION] Rob to setup poll for F2F attendance

> 
> 4. SAML 1.1 Interop update (week of Feb 23)
>

- Rob: will be having more discussions with internal RSA folks on this
  soon
- Rob: looks like 8-12 vendors participating

>
> 5. Charter questions/comments/suggestions (Tony)
>    < http://www.oasis-open.org/archives/security-services/
>      200311/msg00062.html >
>

- Tony: proposed IBM's changes to charter
- looking for interest in amending charter to incorporate this
- thinks it gives charter more clarity and depth, covering broader work
- Tony: willing to take current charter, make amendments, post to list,
  and move for a vote
- [ACTION] Tony to draft amendments to current charter, post to list,
  and move for a vote

> 
> 6. SAML extensibility options (if Eve/Scott are prepared to discuss)
>

- Eve: had 2 threads going, general extensibility with XSD, and specific
  issues with nameid-07
    - no conclusions yet
    - think type derivation will continue to be recommendation
    - probably means the any wildcard will need to go away, in favor
      of anytype type
    - Scott: want to make it easier to add attributes
    - Eve: wants the two of them to come to consensus, then write a WP,
      then incorporate into spec if TC approves
    - Rebekah: would like early draft of direction, since it may affect
      recommendations she's working on
    - Eve: may not have as big an effect
    - Rebekah: do we have thoughts on standard set of XML parsers that 
      can handle our schema uses?
    - Eve: we've never taken an official position, but Scott has tested
      against several
    - we may want to take our new paradigm to SamlDev for feedback
    - Eve: also need examples to incorporate into doc
    - [ACTION] Eve to produce recommendation on extensibility

> 
> 7. Roles and metadata (from list discussion)
>

- Rob: there was lots of email activity, and sounds like consensus was
  reached
- Jahan not on call
- Scott: believes it's just a matter of incorporation into draft
- [ACTION] Scott to contact Jahan to followup on Roles & Metadata

>
> 8. Recent document postings
>

- Rob: want to review changes to each of these

>
>    a. [Eve] Scope: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4749/sstc-saml-scope-2.0-draft-12.pdf >
>

- Eve: brought up to date with use case decisions
- discussion of inconsistent problems with links, likely with Kavi
- Eve: not anticipating changing the work items much
- will be archived as results go into specs
- this doc helpful for external parties to see what we're working on

>
>    b. [Eve] Core: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4866/sstc-saml-core-2.0-draft-02-diff.pdf >
>

- Eve: Rev history is kept pretty accurate
- prototyped out nameid solution to see what it might look like
- did not issue fresh schema files, due to timing with other upcoming
  changes, but in general will try to keep these in synch
- encourages *prompt* comments on list

>
>    c. [Eve] Glossary: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4877/sstc-saml-glossary-2.0-draft-01.pdf >
>

- Eve: terms from nameid had to go somewhere
- made a mistake when I sent this out, failed to note addition of
  "provider" (should be emboldened, which is the indication of
  change since this is table based)

>
>    d. [Eve] Issues: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4595/sstc-saml-2.0-issues-draft-05.pdf >
>

- Eve: was just a trivial issue that was updated

>
>    e. [Frederick] Bindings: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4647/sstc-saml-bindings-2.0-draft-02.pdf >
>

- Frederick: made template change and added rev history

>
>    f. [Frederick] Sec-Consider: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4644/sstc-saml-sec-consider-2.0-draft-01.pdf >
>

- Frederick: same as above 

> 
> 9. Work item/solution proposals - Which are we ready to discuss?  
>    Our current deadline is 20-Jan to receive first drafts. 
>    How are we doing?
>

- Rob: have people reviewed these? are we ready to discuss now?

>
>    a. [Tony] W-27 SAML security vulnerability analysis paper from
>       IBM (http://www.acsac.org/2003/abstracts/73.html)- 
>       Are enhancements needed to address the raised issues?
>

- Rob: are there action items we want to add in response to this?
- Eve: doc has list of recommendations
- Scott: can we add a single issue capturing these?
- Eve: would like to give one person an AI to analyze and produce
  recommendations
- Scott: planned to wait until we had some 2.0 meat before analyzing &
  recommending changes
- [ACTION] Scott & Tony to make recommendations based on IBM security
  analysis paper

>
>    b. [Rebekah] W-28b Attributes: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4884/draft-sstc-attribute-02.pdf >
>

- Rebekah: sent additional email describing latest posting
- thinks 28a1, 28a2, 28b and 28d are addressed in this proposal
- [confusion on distinction between these items]
- Hal: people are asking SAML to define some common attributes, not
  just where to put them
- Rebekah: is 28a1 aimed at just that?
- RLBob: not really
- Scott: was really to describe attribute namespace
- 28a1 is something that belongs in Rebekah's doc in a sense
- Rob: will look at this posting to see if attribute use is consistent
  with RSA's
- Eve: trying to cleanup work item doc

>
>    c. [Frederick] LECP: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4641/hirsch-sstc-lecp-draft-05.pdf >
>

- Frederick: updated to match latest federation docs contributed, and
  made filenames match new convention
- Eve: notes that the work items we've taken on are increasing the
  number of our protocols

>
>    d. [Scott] NameID: 
>       < http://www.oasis-open.org/apps/org/workgroup/security/
>         download.php/4587/draft-sstc-nameid-07.pdf >
>

- Discussed earlier


- Rob: all these below need solution proposals, and we're rapidly
  approaching the 20 Jan deadline
- Eve: will any of these be ready for next week's focus call?

>
>    e. W-2a SSO with Attribute Exchange (Owner: Prateek Mishra) 
>

- Prateek not on call

>
>    f. W-5: SSO Profile Enhancements (Owner: Prateek Mishra) 
>

- Prateek not on call

>
>    g. W-5b: SOAP Client Profile (Owner: Tony Nadalin) 
>

- Tony: just started on a draft
- maybe ready at F2F
- will have "stuff" by 20 Jan
- Frederick: may have some material to contribute as well
- Ron: can you describe this item?
- Tony: in contrast to LECP, this is for a fully capable SOAP client to
  use SAML
- Scott: LECP still communicates with IdPs & SPs over normal HTTP
- Ron: thinks there is overlap
- Tony: more of a relationship than overlap
- Ron: may understand better when proposal is available

>
>    h. W-8: Authentication Context (Owner: Bill Howard)
>

- Rob: what do we do with this one?
- Jeff: would have to touch base with Bill
- [ACTION] Jeff to contact Bill Howard regarding W-8
- may need to reassign

>
>    i. W-9: XML Encryption (Owner: Hal Lockhart) 
>

- Hal: there was a missing AI on sessions, which he's been working on
- can try to get a proposal on this out in a couple weeks
- wants to get sessions proposal out next week
- [MISSING ACTION] for Hal, regarding sessions

>
>    j. W-14: SAML Server Trust (Owner: Jeff Hodges) 
>

- Jeff: need to get with John Linn
- consensus is that having a non-normative doc is useful
- 1st draft is feasible by 20 Jan

>
>    k. W-15: Delegation and Intermediaries (Owner: Bob Morgan, 
>       Scott Cantor) 
>

- RLBob: solution draft is feasible by 20 Jan
- doc that is available is a set of delegation models
- if people have more they want factored in, chime in now

>
>    l. W-17: credentials collector and assertions (Owner: Tim Moses ---
>       BUT Tim no longer wishes to pursue this item here. Maybe this is
>       the call to announce this change and move it to inactive in the
>       scope document?)
>

- Jeff: some work along this line is going on in Liberty, and allusion
  seems to be that we can wait for results of that
- as for whether it ought to be a SAML 2.0 item is not clear
- Rob: do you think anyone will have opportunity to make clarification
  by 20 Jan?
- Jeff: certainly a clarification by then

>
>    m. W-19: HTTP-based Assertion referencing (Owner: Scott Cantor) 
>

- Scott: thinks available doc describes direction
- not a complete solution proposal, but more than a use case
- wasn't planning on doing more before 20 Jan
- Rob: ok

>
>    n. W-21: Baseline Attribute Namespaces (Owner: Bob Morgan) 
>

- RLBob: some of this was referred to in Rebekah's doc
- in terms of a more precise solution proposal, could work with her
- Rebekah: lines 283-315 in her doc are most relevant
- Eve: you guys can work on an aggregate doc that addresses several of
  these work items

>
>    o. W-25: Kerberized Browser Profile (Owner: John Hughes) 
>

- JohnH: proposes discussing this on next week's focus call
- doc is available already, and will revise with more detail probably
  Monday

>
>    p. W-27: Security analysis enhancements(Owner: Tony Nadalin) 
>

- already discussed

>
>    q. W-28a1: Existing Attribute Usage Codification (Owner: we need an
>       owner for this -- maybe it's Rob or Rebekah?) 
>

- already discussed

>
>    r. W-28a2: Reconciling Attribute usage with XACML (Owner: Rebekah
>       Lepro) 
>

- already discussed

>
>    s. W-28d: Issuername Enhancement (Owner: Rebekah Lepro) 
>

- Rebekah: addressed in doc discussed earlier
- solution suggested looking at nameid proposal
- [discussion of splitting up, Scott becoming co-owner of part]
- Rob: so we'll have solution material by 20 Jan?
- Scott: yes

>
>    t. W-30: Migration Paths (SAML 1.X, ID-FF 1.X) (Owner: Scott,
>       Prateek) 
>

- Scott: should wait until we know better what 2.0 looks like
- Rob: agrees

>
> 10. Action item review (see below) - Kavi AI's have not been updated
>     recently - Also see minutes from 22-Dec focus group con-call
>

- if any of these should have been closed, please say so

>
>     #0093: Discovery Protocol Solution Proposal 
>     Owner: Scott Cantor 
>     Status: Open 
>     Comments:
>       Prateek Mishra 2003-11-24 04:36 GMT
>         AI: Scott Cantor: AI is to take relevant spec from Liberty
>         and produce draft proposal 
>

- Scott: should be CLOSED
- sent material to list

>
>     #0096: Find an owner for W28a1: Existing attribute Usage
>            Codification 
>     Owner:  
>     Status: Open 
>

- CLOSED

>
>     #0086: Non-HTTP use-cases related to the LECP profile 
>     Owner: Bob Morgan 
>     Status: Open 
>     Comments:
>       Prateek Mishra 2003-11-24 03:27 GMT
>         ACTION: Bob Morgan - more use cases. More generic use cases,
>         may be not involving HTTP. May involve web dav. 
>

- RLBob: had suggested that we could have more use cases, but we
  don't yet
- leave open

>
>     #0084: Reconcile terminology in glossary and current use-case
>            document 
>     Owner: John Kemp 
>     Status: Open 
>     Comments:
>       Prateek Mishra 2003-11-24 03:19 GMT
>         Terminology used in sstc-saml-2.0-issues-draft-01.pdf is not
>         consistent with terminology found in the current SAML glossary. 
>

- JohnK: haven't done this
- not sure if still relevant, but can
- Scott: more relevant to do in next doc/solution proposal/whatever
- Rob: since I own the glossary, I could take this issue over
- Jeff: suggests that as we write spec drafts, use terminology in the 
  glossary, and if there's inconsistency, deal with it then, rather than
  going back to correct old revs
- [open or closed??]

>
>     #0087: UCs for Making Assertions about Issuers of Assertions 
>     Owner: Irving Reid 
>     Status: Open 
>     Comments:
>       Prateek Mishra 2003-11-24 03:51 GMT
>         ACTION: Scott, Bob, and Irving will develop UCs for Making
>         Assertions about Issuers of Assertions
>       Prateek Mishra 2003-12-08 22:25 GMT
>         Scott has published a note on this issue:
>         < http://lists.oasis-open.org/archives/security-services/
>           200310/msg00213.html >
>         Bob and Irving will comment. 
>

- Irving: followed up to previous email (by Scott)
- thinks there is nothing more to do
- CLOSED

>
>     #0088: Understanding ID-FF AuthNContext Elements 
>     Owner: Scott Cantor 
>     Status: Open 
>     Comments:
>       Prateek Mishra 2003-11-24 03:56 GMT
>         Scott will find someone who understands ID-FF AuthNContext
>         work to explicate difference between statementRef and class.
>         Ref is reallife URI that implies context. Class notion is some
>         sort of higher order
>

- Scott: still on hook to do this, hopefully this week

> 
> 11. Any other business
>

- Rob: there were some AIs from the 16 Dec focus call that haven't 
  been added to Kavi
    - will add one belonging to Frederick
    - and one for Scott
- Eve: has a few editorial AIs
    - JohnH was to produce update to Exec Overview
    - Fresh FAQ
        - this material can also be addressed in Exec Overview
        - will post questions that still need answers this week
- Eve: do we know what focus call agenda will include?
    - attribute stuff
    - Kerberos stuff
    - new protocols around nameid
    - Rob: Prateek will try to post agenda by 9 Jan, and he may add to
      this list

> 
> 12. Adjourn
>

- Adjourned


----------------------------------------------------------------------

Attendance of Voting Members:

  Hal Lockhart BEA
  John Hughes Entegrity Solutions
  Irving Reid HP
  Jason Rouault HP
  Paula Austel IBM
  Maryann Hondo IBM
  Michael McIntosh IBM
  Anthony Nadalin IBM
  Scott Cantor Individual
  Bob Morgan Individual
  Greg Whitehead Individual
  Rebekah Lepro NASA
  Peter Davis Neustar
  Frederick Hirsch Nokia
  John Kemp Nokia
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  John Linn RSA Security
  Rob Philpott RSA Security
  Dipak Chopra SAP
  Jeff Hodges Sun
  Eve Maler Sun
  Emily Xu Sun
  Mike Beach The Boeing Company


Attendance of Observers or Prospective Members:

  Frank Siebenlist Argonne Natl Lab
  Von Welch NCSA
  Tim Alsop CyberSafe
  Paul Madsen Entrust
  Ron Monzillo Sun
  Darren Platt Individual


Membership Status Changes:

  Frank Siebenlist Argonne Natl Lab - Granted voting status after 1/6/2004 call
  Carolina Canales-Valenzuela Ericsson - Requested membership 12/10/2003
  Rick Randal Booz Allen Hamilton - Requested membership 12/12/2003
  Ron Monzillo Sun - Requested membership 1/5/2004
  Darren Platt Individual - Requested membership 1/5/2004
  Ken Woods Sun - Lost prospective status after 1/6/2004 call

--
Steve Anderson
OpenNetwork
