OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes: focus group call Tue 24-Feb-2004

send comments to the list if there're bugs herein or missing items. thanks.

focus call notes Tue 2/24/2004 9:04:36 AM

AI summary:

AI: Eve will type up her strawman (wrt assn subj placement thoughts) and send 
to list.

AI: scott & tim & john to chat next week wrt particulars of these (kerberos 
related) items.


attendance (fwiw, no worries, not an "official" call)...

john hughes
tim alsop
eve maler
ron monzillo
paula austel
tony nadalin
mike macintosh
scott cantor
jeff hodges (notes editor)
peter davis
RLBob Morgan
rick randall

agenda bashing...

ended up with we'll discuss:
  authnreq protocol
  subject conf
  rel btwn prot&schema & bind&prots


ScottC holding forth on his thinking of normalizing use of AuthnReq/Resp across 
both so-called front- and back-channels (ed.'s words)

asserts that browser artifact profile is call-by-reference rather than 

scottc's gonna recast the front-channel web browser profiles in terms of the 
authnreq approach this week and incorp in draft spec -- folks should review

eve: expressed wish that feature proposals be explicitly identified as such in 
messages on the list, such that they can get explicitly discussed on the concalls.


Ron asking questions wrt subject conf. can we seperate the authnreq discussoin 
from the mult-vs-single-subj-per-assn and related impact on subject conf 


eve: is there a use case for mult-subj-per-assn?
   e.g. having

Ron: there's two use cases
  one is having an "conf/attesting entity" in addition to a "subject"

scott: have to be careful to sep discussion of what we want vs what we ahve today.

eve: we should be careful to sep "having the ability to factor out" vs 
"mandating that we're going to factor out subject with a new assn format"

rlbob: current saml specs say that if a colleciton of assns must mean the same 
thing if we cram them together, and the converse.

eve: agrees

rlbob & eve: we *could* change this.

eve: but we don't appear to have any use cases to do so.

RonM: if we move subj to the outer assn container, then what does that mean for 
subj conf?

scottc: need to figure out the mult-or-single-subj issue first, and _then_ 
decide about what to do with subj conf.  further we should sep subjconf and 
subj, but that's a diff discussion.

ron: agrees. but wonders about some of the details therein and the meaning of 
subjconf. thinks what we have is more "stmtconf" rather than subjconf.

scott: observes that by having subjconf be a part of subj ihtertwines the 
topics of subjs and confirming them, hence his thinking of splitting them.

ron: wondering about the relshp btwn confirming subjconf/subj
a saml assn is a cert, and the issuer is vouching for its content, once you 
have validated the subjconf, you are operating in a diff plane now.

there's validtn of the assn content, and then once you confirm the subj ident 
by confirming the subjconf, then you can then "use" all the rest of the content 
of the assn.

his point is that what we're really trying to do is confirm the name ident of 
the subject as well as all the other content of the stmt.

eve: there seems to be a bit of a disagreement btwn folks here and Rons 

scottc: in summary there seems to be two use cases that'd get ruled out if we 
move subj to assn-wide. one is mult subjs about mult diff entities (no real use 
for this?), the other is mult subjs about same entity, but with diff conf methods.

eve & scott: noting that subjconf could be "promoted" to assn-wide optionally 
if its the same in all stmts.

scott: but if have a saml stmt that isn't about a subj, is more just a claiml, 
but if you think about subjconf as presently defined, its not clear how that 
applies to a stmt that reps some claim given our present understanding of this 
stuff [and we'll ahve to figger it out (ed.)]

ron: lets say you decouple subj from confmethod, and you add such a conf mthd 
as a conftype to every stmt, and you allow conftype to ref a confelement 
somewhere else, so you get the ability to ref it from mult places. but if you 
have a bearer meth in one place, and another stmt, then you can bind a diff 
conf meth to that stmt.

scott & eve & ron: [figuring it out]

eve in summary: so what yer asking about Ron is possible.

eve: stating a strawman:  will need to ck with Irving...

what if we promote subj w/o conf to assn-wide, and also contains a optional 
subjconf elem. stmts have an optional subjconf. in case where someone wants to 
extend saml, w/o assn-wide subj,  they can extend the subjassntype, but add 

AI: Eve will type up her strawman and send to list.


Scott: are the other points I made on the list wrt subjconf striking a chord 
with anyone? ie that the current approach is suboptimal?

Ron: essentially agrees.

scott: the content of subjconf is broken -- stuff in there he doesn't 
understand and what it might be used for -- eg both an "any" and a "keyinfo".

ron: wants to understand what the degrees of freedom are..... we seem to have a 

scott: agrees. having mult confmeths today is unspecified and a mess, so he 
proposes that in any confmeth elem, have one meth and some data,  and then you 
can have mult confmeths.


eve: talk about authnreq protocol?

scott: put concrete text in the spec to see how it looks and get some review. 
biggest area of discussion is about "what is this for?"

put in processing rules that said "you'll get back an authnstmt no matter 
what", wonders whether it should be an "assn req" protocol.

see sstc-saml-core-2.0-draft-06-diff.pdf, sec 3.4, line 1507, p 36.

need to work thru profiles of it and the front-channel bindings.

eve: seems like its a bit cart-before-horse having it in the spec without 
having worked thru the applications of it...

scott & rlbob: seems its pretty clear, and doubtful it'll be misunderstood as 
it presently is.

[general agreement that generralizing it to, eg, an assnreq _would_ be possible 
to misunderstand/use...]

ron: didn't quite understand what scott meant by "use case". but ron sees use 
for this authnreq, somewhat because the other existing saml queries dont allow 
one to say "i need an assn with these properties..."

scott: but there's subjconf in the existing assn queries which can be used to 
influence results.

ron: what about the returning "at least one assn stmt"?

scott & eve: can return any number of assns & stmts, don't constrain it. 
profiles of the protocol can constrain the results.

ron: was looking to this profile for doing something a little bit diff than authn.

eve: are you wanting to keep it in, and revising it there?

ron: kinda needs some generalization, but lets keep it there and refine as-is. 
but he wants to discuss and work thru his use case and figure out whether 
what's there applies or not and figure out the gap if not.

so where do things like kerberos fit in to this?

rlbob: kerb in the sense of getting a service ticket for an itermediary?

JohnH: willing to see if they can figure out how the kerb stuff they're doing 
can be built on top of the stuff scottc is putting into the spec.

AI: scott & tim & john to chat next week wrt particulars of these items.


johnH & rlbob & ron -- discussion of kerb profile detail stuff.

eve: we're out of time, we should continue this on the list.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]