Can you send to the list with the attendance attached?
Thanks!

Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com

Action items
Hal will generate a posting on possible need to liaise.
Maryann will consult with Michael and Tony regarding work item W5b and will get back with the group by next call.
All: Need to comment on Scott's message on 10-Feb (msg #00102)
John H and Tim will spend early next week working on the solution proposal for W-25.
Eve: Action to implement 28-b in core.
ALL: Please review the current action items and update them. Prateek will follow up.

Minutes for SSTC Conference Call, February 17
--------------------------------------------
Roll call.
Quorum achieved.

1. Accept minutes from the February (2-5) F2F meeting at Burlington, MA
http://lists.oasis-open.org/archives/security-services/200402/msg00123.html
Eve Maler moves to accept minutes of F2F meeting. K. Rajsodi seconds the motion. No objections. Accepted by unanimous consent.

2. Interop report.
Rob reported that interop is going well. Needs a speaker from TC to participate in the press conference. Rob has volunteered to be the TC representative. TC approves Rob to be the TC representative to the press event.

3. Time-lines and next F2F planning
- Next F2F Mar 30 - April 1 (Mike McIntosh to confirm hotel details etc.)
Due to flight schedules it is proposed to start the third day at 8:30 and end at 11:30 AM.
Prateek: proposes March 16 as absolute cutoff date for proposed specification text (no "new" text or documents after that date)
Eve: we can refine the proposed text during the focus call on the 23rd.

4. Focus call for the 24th
Due to RSA conference there will be some people who cannot make the call. Rob and Prateek may be able to call in depending on the state of the Interop. Eve can call in. Bob Morgan can call in. Scott will likely be able to call in.

5. Work Item Review
Work through latest version of sstc-saml-scope document available from the OASIS document repository. The following work items do not have solution proposals at this time and are at risk:
W-5b: SOAP Client Profile (Mike McIntosh, Tony Nadalin)
W-9: XML Encryption (Hal Lockhart)
W-15: Delegation and Intermediaries (Bob Morgan, Scott Cantor, Ron Monzillo)
W-25: Kerberos Support (John Hughes, Tim Alsop)
W-21a: Document describing instances of "baselines attribute namespaces" (John Hughes, Prateek Mishra)
Eve walked through the document. In many cases the proposals' status is that "it passed" (based on F2F).
Prateek: does this mean that the editors will pick up material from ID-FF 1.2 and include it in the material?
Eve: Session-related editing has begun. Federation has also begun. Frederick has split up bindings and profiles.
Eve: Notice to editors: all accepted proposed solutions should be in draft by the next call.
Scott: is working through identity federation and has suggested changes to core. With this, Work Item W2 is "done".
Prateek has a number of action items with respect to SSO with attribute exchange; he will work through it.
Eve: W3 - Action on Jahan to update document.
Scott: has published schema proposal.
Jahan: Will publish a draft as soon as TC comments on Scott's schema (probably by 3/2).
W5: The cycle over the next week is John, Scott and then Eve.
W5a: Frederick has split Binding and Profiles. There is some commonality between the two. Eve suggests that maybe the commonality should move to core.
Eve: W5a is in fairly good shape and is pending comment from TC.
W5b: SOAP client profile.
Scott: This is a good starting point but does not believe we can complete in time for 2.0.
Maryann: neither Michael nor Tony is on the call. Can I answer any questions?
Prateek: We do not know the status of the item. We have announced a cut off date. We do not have proposed text. Scott has put some proposals but we do not have a final text.
Maryann: Trying to understand what we need here.
Scott: his review resulted in identifying issues and what needs to be addressed in order to have a proposed text.
Prateek: needs to make work item owner aware that there is no solution proposal.
Maryann: what is the process for getting the feedback to the owners so they can respond?
Scott: we are at a point that we need an absolute schema proposal.
Ron: it seems that some of the Subject discussion is about the Assertion and W5b is about interacting with an authority. Therefore, there seems to be a separation between the two.
Prateek: We need a proposal like: "modify the AuthN req/response protocol in such and such way and modify the Subject in some ways to satisfy the use case".
Maryann: It seems we have a dependency on Scott's work.
Scott: we will be done by end of this week
Prateek: there is really no dependency. There is a need for a solution proposal.
Scott: has posted an AuthN request message schema and it's already on the list. The people responsible for this work should take this AuthN request proposal and see if it fits their needs or make alternative solution proposals.
Hal: Need to liaise with the XDI TC, which is doing work in the space of Authority Domain.
Eve: what is XDI?
Hal: XRI Data Interchange. They are at the bottom of the OASIS web page.
Action Item: Hal will generate a posting on possible need to liaise.
Action Item: Maryann will consult with Michael and Tony and will get back with the group by next call.
Discovery proposal: have accepted solution proposal. Will have text by March 16 deadline.
W8: Authentication Context. Solution proposal has been accepted.
Eve: needs to be turned into a spec.
John H.: should be done by the end of this week.
W9: Hal will add proposed text this week.
W14: SAML server trust. Need to re-format.
Jeff: will do it by next week.
W15: delegation and intermediaries.
Eve: needs technical discussion. Ron has made a proposal and revised the proposal.
Eve: should discuss the proposal and vote if we can.
Ron: The document as it is written is a core document associates the assertion with the key in a way that restricts the use of confirmation. This does not seem appropriate to him.
Scott: need lots of text and proposed changes to AuthN request. Does not see if it can be done by 2.0. Need to address what "holder of key" means.
Ron: if we agree to accept Scott's req/resp then that will take us a long way towards completing this item.
Prateek: Next step: comment on what Ron and Scott have put out and start summarizing the solution.
Ron: finds it a little hard to understand some of the terms (like issuer).
Action for all: Need to comment on Scott's message on 10-Feb (msg #00102)
W-19: Scott will provide text and Jeff will register a MIME type.
W-21: This item is at-risk. John H is waiting for input from Prateek and RLBob.
W-25: Kerberos support - Also at-risk; discussion has gone on, but there is no solution proposal.
Eve: Add to technical discussion list definitions and distinctions between profiles and bindings. John H and Tim will spend early next week working on the solution proposal.
W-27: Nothing new.
W-28: Eve's proposal is on the table. Rebekah asked Eve to include a bit more of her proposal for historical reference. To be discussed on next focus call. Changes are pretty minimal.
Eve: Action to implement 28-b in core.

6. Review of latest version of Issues list
Not enough time to cover this agenda item.

7. Action Item Review
Prateek will follow up with AI owners.

#0127 Remove short-lived assertion restriction from SSO Profiles
Owner: Scott Cantor
Status: Open
Comments:
Prateek Mishra 2004-02-16 14:57 GMT
I can give a hand with this (prateek)
#0126: Modify Trust Model Submission and re-cast into SAML
Owner: Jeff Hodges
Status: Open
Assigned: 16 Feb 2004
Due: ---
Comments:
--------------------------------------------------------------------------------
#0125: Propose language to explain that AuthNResponse may contain attribute statements
Owner: Prateek Mishra
Status: Open
Assigned: 16 Feb 2004
Due: ---
Comments:
Prateek Mishra 2004-02-16 14:46 GMT
Easy to do but needs proposal on validity of assertion life-times as well.
--------------------------------------------------------------------------------
#0124: Update meta-data specification with identifiers for SAML entities
Owner: Jahan Moreh
Status: Open
Assigned: 13 Feb 2004
Due: ---
Comments:
--------------------------------------------------------------------------------
#0123: Obtain MIME type registration for HTTP lookup of SAML
Owner: Jeff Hodges
Status: Open
Assigned: 13 Feb 2004
Due: ---
Comments:
--------------------------------------------------------------------------------
#0122: Arrangements for Austin F2F
Owner: Michael McIntosh
Status: Open
Assigned: 13 Feb 2004
Due: ---
Comments:
--------------------------------------------------------------------------------
#0121: Make a proposal that meets the W-28a* goals and discussion points.
Owner: Eve Maler
Status: Open
Assigned: 11 Feb 2004
Due: ---
Comments:
--------------------------------------------------------------------------------
#0119: Extension of AuthNRequest - AuthNResponse protocol
Owner: Scott Cantor
Status: Open
Assigned: 11 Feb 2004
Due: ---
Comments:
Prateek Mishra 2004-02-11 22:35 GMT
Scott: Proposes to change AuthnRequest to handle some of this.
Ron: would like to help
PROPOSAL: get basic integration of AuthnRequest/Response and then look at the various use cases to see how they can be integrated in. (Scott)
--------------------------------------------------------------------------------
#0118: Solution proposal for encryption use-cases
Owner: Hal Lockhart
Status: Open
Assigned: 11 Feb 2004
Due: ---
Comments:
Prateek Mishra 2004-02-11 22:33 GMT
ACTION: Hal to produce text to describe 3 use cases for SSTC to consider.
--------------------------------------------------------------------------------
#0117: Describe use-cases for attribute-based SSO in relationship to ID-FF 1.2 NameIdPolicy
Owner: Prateek Mishra
Status: Open
Assigned: 11 Feb 2004
Due: ---
Comments:
--------------------------------------------------------------------------------
#0116: Investigate removal of NotBefore/NotOnOrAfter from BaseNameIdentifier
Owner: Scott Cantor
Status: Open
Assigned: 11 Feb 2004
Due: ---
Comments:
Prateek Mishra 2004-02-11 22:17 GMT
ISSUE: Consider removing NotBefore/NotOnOrAfter based on sessions discussion. Sync up validity period (Scott)
ACTION: Scott to think about this more
--------------------------------------------------------------------------------
#0115: Update metadata drafts with ID-FF 1.2 materials
Owner: Jahan Moreh
Status: Open
Assigned: 19 Jan 2004
Due: ---
Comments:
Prateek Mishra 2004-01-20 03:27 GMT
Jahan:
ACTION: Update the metadata draft if necessary according to the latest ID-FF V1.2 materials. (Scott will also review for this purpose.)
http://lists.oasis-open.org/archives/security-services/200312/msg00064.html
--------------------------------------------------------------------------------
#0114: Propose language to address attribute-based federation
Owner: Prateek Mishra
Status: Open
Assigned: 19 Jan 2004
Due: ---
Comments:
http://lists.oasis-open.org/archives/security-services/200312/msg00064.html
--------------------------------------------------------------------------------
#0112: Update (W-7) discovery protocol solution proposal
Owner: Scott Cantor
Status: Open
Assigned: 19 Jan 2004
Due: ---
Comments:
Prateek Mishra 2004-01-20 03:17 GMT
ACTION: (SC) Update based on replacement of hash of succinct id by literal provider id.
--------------------------------------------------------------------------------
#0110: Feedback from LECP profile interop
Owner: Frederick Hirsch
Status: Open
Assigned: 19 Jan 2004
Due: ---
Comments:
Prateek Mishra 2004-01-20 03:14 GMT
ACTION: (FH) Check with Liberty Interop for any problems that may have arisen with actual use of LECP profile.
--------------------------------------------------------------------------------
#0109: Security concerns with LECP profile
Owner: Anthony Nadalin
Status: Open
Assigned: 19 Jan 2004
Due: ---
Comments:
Prateek Mishra 2004-01-20 03:12 GMT
ACTION: (FH) update to respond to Tony's security questions but we need to ask Tony for the specific problem he had in mind.
--------------------------------------------------------------------------------
#0105: Respond to IBM Analysis Paper
Owner:
Status: Open
Assigned: 19 Jan 2004
Due: ---
Comments:
Prateek Mishra 2004-01-19 23:09 GMT
- [ACTION] Scott & Tony to make recommendations based on IBM security analysis paper
--------------------------------------------------------------------------------
#0098: Why does XACML use a URI-based type system
Owner: Eve Maler
Status: Open
Assigned: 19 Jan 2004
Due: ---
Comments:
Prateek Mishra 2004-01-19 22:30 GMT
AI: Eve to ask Anne Anderson for the historical use cases that underlie the XACML decision to use a URI-based type system.
http://lists.oasis-open.org/archives/security-services/200401/msg00043.html
--------------------------------------------------------------------------------
#0086: Non-HTTP use-cases related to the LECP profile
Owner: Bob Morgan
Status: Open
Assigned: 23 Nov 2003
Due: ---
Comments:
Prateek Mishra 2003-11-24 03:27 GMT
ACTION: Bob Morgan - more use cases. More generic use cases, maybe not involving HTTP. May involve WebDAV.