OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Draft Minutes for SSTC F2F, Thursday 1 April 2004

Enclosed are draft minutes for the SSTC Face-Face meeting, Thursday 1 April 2004.

regards, Frederick

Frederick Hirsch

 <<sstc-04-04-01-f2f-minutes.txt>>  <<sstc-f2f-sso-table.pdf>> 

Minutes SSTC F2F, Day 3: Thursday 1-April (8:30-11:30)
Minute-Taker: Frederick Hirsch

8:30-9:15: Kerberos Proposal Resolution

9:15-9:30: Review/approve SAML V1.1 technical Overview as a Committee Draft

9:30-10:30:Review issues list (incl prioritized small issues)

10:30-10:45 Break

10:45-11:30: Review/establish schedule for remaining work and next F2F

11:30: Adjourn


- ITU-T Status (Hal Lockhart)

- Baseline Attribute Status and Next Steps
             sstc-hughes-mishra-baseline-attributes-01 (yet to appear :-) 
- Review AI and list and extract dates from owners/close items 

- Establish which work items are "complete" and those that need work

Action Items
AI - Scott Determine how Kerberos principals can be represented as NameIdentifiers.
AI - Prateek - forward Technical Overview 1.1 to external parties that had comments on draft
Chairs - publish message to list asking for review of technical overview 1.1 and indicate that vote to bring to committee draft will be at SSTC meeting in two weeks from this week.
AI Jeff H  to propose glossary definition for binding and profile, issue TECH-4
AI Scott, "Binding conditions" proposal
AI Prateek to review core for locations where privacy considerations are implicit
AI Eve, implement decision on core 18 after checking with Ron
AI Hal, to send focus call information to XACML list regarding SSTC focus call
AI Rob - put Kavi polls for location and dates for next F2F
AI Prateek - to put out notice to saml-dev, id-ff vendors and others for saml2 related implementation experience, now, give early notice regarding later attestations.
AI JeffH - send notice to Liberty members requesting interest in creating SSTC implementations from parties that have met Liberty 1.1 conformance tests 
AI Eve -  publish tentative schedule on home page
AI Eve to publish core-09 by Tuesday
AI Frederick to send his updates on bindings and profile to Scott who will then incorporate additional edits.
AI John H - draft of technical 1 pager with final deadine end of April
8:30-9:15: Kerberos Proposal Resolution

Tim Alsop presented a whiteboard overview.

picture: [Active Directory]  [workstation with credential store]--[web server with credential store]

Two primary use cases discussed, (1) browser and web server with web server determinining identity of user using kerberos (2) work station creating SAML assertion using kerberos on work station. Not necessarily specifically a browser environment.

Note that "Windows integrated authentication", or SP-Nego (SP Negotiate) is not a standard, but a specification that was submitted as an IETF draft since expired, but implemented. Mozilla and Apache web server plugins exist. 

impersonation - authenticate user at work station using Kerberos, cache credentials at web server, then
web server can authenticate elsewhere on network using those credentials. This allows end-end authentication in a network.

Greg W - authentication step discussed yesterday, step 4,doesn't require a detailed SSTC specification, since many authentication methods are possible

John H - this could go into the technical overview document to explain how kerberos may be used for authentication

John Hughes presented more detailed scenario.
Requirement - pull or push saml assertion to service outside the kerberos domain that produces the original saml assertion.

1 Authenticate to KDC at active directory
2. generate assertion using authenticated principal, proprietary implementation, within kerberos domain
want to go to remote domain, 
3. AuthnRequest to SAML component within source kerberos domain with secure connection
4. Get samlp:Response with Artifact or Assertion

Scott - How to use Kerberos with SOAP is undefined, not standard
Frederick - WSS Kerberos Token Profile would be helpful in this area

Scott - could define DCE RPC interface to be SAML protocol, but not done
Tim - trying various approaches, have not worked out solution at this point

Scott - do not use Artifact unless needed.

John H - indicated that there may be a unique issue to this profile regarding how to push assertions, with a potential solution of using a browser  applet to send the assertion from the browser, as opposed to using the HTML form post technique, for example.

AI - Scott Determine how Kerberos principals can be represented as NameIdentifiers. 1510 possibility.

Issue of how to support kerberos interaction discussed, possibility of using SAML browser methods but might require knowledge of user agent capabilities, otherwise could use SOAP technique.

Scott - using SOAP makes it easier to address markets.

Tim - Could also put kerberos ticket inside assertion, possible Kerberos confirmation method.

Tim Kerberos ticket lifetime can be passed in AuthnRequest, to address lifetime issues. 
Scott - Schema includes Conditions to allow this

Prateek - Part of Kerberos work will be in SAML 2.0, part will be outside SAML 2.0 but enabled by it.


John Hughes - draft 04 of technical overview published this morning

9:15-9:30: Review/approve SAML V1.1 technical Overview as a Committee Draft

 - comments from Frederick incorporated
 - corrections to one of the diagrams
 - restructured: discussion of source site first, destination site first moved since not necessarily part of standard

Conor - prefer push, pull

Jeff H - SAML 2.0 should carefully define terms so we use SP or IDP, similar source and destination
John H - 1.1 technical overview used older terms

John H - want to bring document to closure
Eve - committee draft is appropriate
Prateek - will forward to external parties that had comments on draft

Decision: will vote to publish as a committee draft at SSTC meeting in two weeks. Chair action item to send message to list regarding upcoming vote.
Eve leads Issues list discussion

9:30-10:30:Review issues list (incl prioritized small issues)

Draft 08 has not yet been published on site, discussed draft 08

Core 06 - Closed - Assertion level subject- prose based optional subject
Core 15 - closed - health warning on xsi:typeExtensions 

priorize high A to lower C, A for today
Core-7 -Soap 1.1 vs 1.2 - priority C
Scott - use of SOAP internal to SAML, more of an issue with WSS SAML Token Profile, not in this group

Core 8 - open but resolved, so priority C. Scott has details

Core 9 - Eve, Scott priority C, "anyAttribute evil" response to Ann in this category

Core 11 - validity period - still open, Scott has short solution proposal, priority A

Core 12 - add "for issuer" to item, C

Core 13 - pending - resolve by removing restriction

core 14 - Ron issue - need input from Ron - B

core 16 - new issue, Authentication vs Authn, decision would be helpful for cleanness and elegance. B

core 17 - bag of conditions - B

core 18 - could make decision today, A

Bindings 3 - discuss later - related to conformance, e.g mandatory to implement.  B

Tech 1 - terminology as Jeff mentioned, would like to clean up drafts earlier B

Tech 2 - at last F2F there was consensus that there are no use cases, A

Tech 3 - impersonation - text changes were done for KeyInfo, changes needed for holder of key, Scott may be out of scope.

Tech 4 - glossary additions - need to define binding, profile, 
Jeff H AI define binding and profiles
"atomic unit of interoperability" proposed

Prateek - would like to change definition federation, email thread.

Federation Definition - B

Issues added during F2F

Domain Model, "SAML Authority" == "IDP", same as Tech 1

Consent vs Reason - B

Element vs Attribute Review - AuthenticationMethod, SessionIndex are examples, C

QName prefixes in Status - interop issue, new issue to add to issues list, "Replace QNames for Status with URIs", B

Scott's "Binding conditions", Scott to draft proposal

Encryption key (1 or more)  distribution and recipient  A

Privacy considerations? 
Jeff H - We need to highlight privacy considerations related to core, could be notes in core, could be section.
Prateek - will generate list potential changes from core

Rename Authentication context statement A 

AuthnMethod? decided, Scott and John K have action associated with that.
Schema extensibility - already issue Core-9
anyAttribute - evil? - already issue Core-9

Issue List Detailed Discussion A items

Core-11  Scott described issue.

Conor - encryption does not impact validity, just used for confidentiality only while passing third party

Scott not with name identifier mapping, can be passed around, if not in assertion can be used. Hal - needs to be in an assertion. Why not have assertion with just name identifier in it, make statement optional

Proposal - subject-less assertion with no statements. :)

Can change federation time frame by changing name in protocol

Prateek - potential issue, how to define the lifetime of a federation, possibly the federation identifier

Greg - two lifetimes: 1-time, only for this session, or otherwise indefinite time

Scott Exchanging encrypted references to principals - could hand out permanent identifier that should not have one.

Conor - NameIdentifier response includes assertion

encrypt name identifier - either name identifier or assertion containing name identifer

Prateek  All federated identifier establishment contain time period

Tony - hard to manage if mandated

Conor - dont want to mandate use of assertion, want to simplify at SPs

Eve suggests focus group call on the topic.

Conor could change name of Reauthenticate On or after to Renew On or After...

Hal - relying party decision, offering guidance

New issue : lifetime for federated identifiers

Eve updated issues list.

core 18 KeyInfo or SubjectConfirmationData

Scott - should be choice
Prateek -some wanted both
Scott could put KeyInfo inside SubjectConfirmationData
Eve would require explaination
Prateek - biometric in SubjectConfirmationData, key in KeyInfo
Eve - decision to make choice group

Mike - what is difference in meaning for KeyInfo at top versus KeyInfo inside SubjectConfirmationData
Eve - no, just a syntactic 

discussion ensues, decision to remove KeyInfo

Prateek - eliminating holder of key, Ron will have comments

Decision - remove KeyInfo, allow within SubjectConfirmationData

AI - Eve to implement decision on core 18 after checking with Ron


Scott draws table see PDF sstc-f2f-sso-table.pdf. Proposed refers to Scotts refactoring presented yesterday.

Concern about number of table entries, complexity.
Need for different entries to meet different requirements discussed.

Conor - FORM POST needed for SPs that do not use SOAP call.
Scott - feels different about Artifact vs POST

Hal - proposes implementation guidelines on when to use each cell, depending on requirements.

JeffH - wide range of deployment scenarios. 

Scott - metadata Endpoint = binding, location, location
element name corresponds to message in table
binding refers to binding column

Prateek - As editor of conformance draft will start working on draft.  Would like to see Federation identifier establishment and management factored out separately from single sign on functionality. Will raise issue of whether both will be required for conformance to SAML 2 - issue for later discussion. 

Scott - really wants to see destination site first supported 

Hal - suggests packages

JeffH - what does SAML 2 mean?
Hal gives summary of XACML meeting regarding SSTC.

Next step propose agenda item on next SSTC focus call on relevant topics related to type information.
XACML members interested in topic to attend SSTC focus call.
Plan for next Tuesday

Prateek requests email from XACML on mail list before meeting.

Discussion deferred until Tuesday.

10:45-11:30: Review/establish schedule for remaining work and next F2F

Discussed possible additional F2F, end of May beginning of June. Rob to arrange call.

Eve - Plan committee draft vote by end of June to start 30 day public review. Might get enough comments to require a second committee draft.

Eve - should get additional review earlier, drafts are public.
Scott - once a round of changes are in we can have drafts for early review

Candidate committee draft for final comments within TC, last call,  end April 30.
include OASIS news notice

F2F mid-May to mid-June

CD + 30 day public review, end-June

Collect attestations: now to Aug 15 (AI Prateek to contact ID-FF vendors)

OS Balloting request Aug 15

Conor - suggests contacting Liberty vendors that have certified 1.1 Liberty conformance.

Eve - last call must include delta document, 1 page technical overview, 

Burton Catalyst is mid-July, July 21-23, possible outreach

Eve - motion to thank Tony and IBM for hosting, much appreciated hospitality.
Motion passed without objection.

John Kemp - examine authentiation context method - deferred

action items added to list above.

Meeting Adjorned.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]