Minutes for Telecon, Tuesday 31 August 2004

Minutes for SSTC Telecon, Tuesday 31 August 2004

Dial in info: +1 865 673 6950 #351-8396

Minutes taken by Steve Anderson

======================================================================

Summary

======================================================================

Votes:

- Minutes from 17 August 2004 call accepted

- Adopt posted schema to fix current CD

- Amend currently posted metadata schema, deleting line 107

- Make DEFLATE encoding MTI in HTTP Redirect Binding

- Add text from < http://lists.oasis-open.org/archives/

security-services/200408/msg00191.html > regarding MTI Encryption

to conformance document

- Accept text from < http://lists.oasis-open.org/archives/

security-services/200408/msg00194.html >

- Accept text from < http://lists.oasis-open.org/archives/

security-services/200408/msg00214.html >, with removal of MTI

requirement for Excl-C14N

- Add text to line 1905 of core making ACSIndex and ACSUrl

mutually exclusive

- Adopt text similar to Conor's < http://lists.oasis-open.org/

archives/security-services/200408/msg00221.html > in core

Status Changes to Previous Action:

- #0193: Minor fix for Schema Encoding

- CLOSED

- #0176: Provide sequence diagrams for profiles

- CLOSED

New Action Items:

- Scott will review minutes of F2F regarding SessionIndex and

make proposal addressing Paul and Conor's comments

- Rob to contact Tony regarding XML-Encryption thoughts

======================================================================

Raw Notes

======================================================================

> Agenda:

> 1. Roll call

- Attendance attached to bottom of these minutes

- Quorum achieved

> 2. Accept minutes from previous meeting, 17 August

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00153.html >

- [VOTE] unanimous consent, accepted

> 3. Proposed normative update to sstc-saml-schema-assertion-2.0.xsd

> (VOTE)

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00218.html >

- Scott: corrects errors in some extension work

- updated version now passes schema checker at IBM's alphaworks site

- biggest highlight was around BaseID element, which can now be

extended via complex content

- anyAttribute is still in there, but could be taken out

- decoupled NameID and EncryptedID

- mostly left SubjectConfirmation stuff alone

- this should all be less stressful on various tools

- Prateek: any functional impact?

- Scott: no, would only affect extensions

- also now provides common type hierarchy for encryption, which JohnH

had wanted, but wasn't previously feasible

- Rob: for formal process, we were already going to have to do another

CD, so we can consider making this the schema for the next CD

- Scott: there is another content ambiguity issue that can be rolled

into this

- Rob: we'll do them separately

- [MOTION] Adopt posted schema to fix current CD

- [VOTE] no objections, passes

- Scott: should be minimal changes required to prose

- [MOTION] Amend currently posted metadata schema, deleting line 107

- Scott: functional impact is that extensions will derive from

RoleDescriptor

- [VOTE] no objections, passes

- Rob: is any text needed in metadata spec?

- Scott: a little, should already have it

- Scott: there's another set of changes we could make, regarding

"other" namespace

- will send mail to list to describe

> 4. Revised Schedule

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00091.html >

> (a) CD vote on August 17, 2004

> (OASIS 30 day review period ends September 16, 2004)

> (b) Final disposition of all comments on September 21, 2004.

> Editors prepare revised document set for second CD vote.

> (c) Final disposition of all comments received during second CD

> cycle by October 19

> (OASIS 30 day review period ends October 14, 2004)

> (d) Editors submit final document set for OASIS standardization on

> October 26

- Prateek: (b) is the proposal

- Rob: 2nd CD review can't end 14 Oct

- Eve: the review timelines have to begin when Karl posts the CDs

- Prateek: so the current review ends 19 Sept

- so can we be ready with changes on 21 Sept, ready to vote for 2nd CD?

- Rob: even if we vote on 21 Sept, probably wouldn't start review until

24 Sept

- Prateek: we'll still aim for 21 Sept to receive and handle comments

- Rob: we're looking at submitting to OASIS for vote mid Nov

- Prateek: will update and repost this schedule info

> 5. Updates to conformance document (VOTE)

> (a) DEFLATE encoding as MTI

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00189.html >

- Prateek: was discussed on last week's focus call

- currently unclear in text whether this is MTI, although our intent

was fairly clear

- Scott: should we put this MUST in the bindings doc?

- Prateek: fair enough

- [MOTION] Make DEFLATE encoding MTI in HTTP Redirect Binding

- [VOTE] no objections, passes

> (b) Encryption as MTI

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00191.html >

- Prateek: was discussed on last week's focus call

- Implementations MUST be able to process encrypted equivalents of

name identifiers, attributes and assertions

- Rob: does this apply to all operational modes?

- Prateek: yes

- Scott: where appropriate

- Prateek: right, where the generic versions are produced or consumed

- [MOTION] Add text from < http://lists.oasis-open.org/archives/

security-services/200408/msg00191.html > regarding MTI Encryption

to conformance document

- [VOTE] no objections, passes

> (c) Sections 8.2 and 8.4 as MTI

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00194.html >

- Prateek: was discussed on last week's focus call

- these sections define attribute name format identifiers and consent

identifiers

- notion is that all of these are MTI wherever relevant

- Scott: similar in spirit to Section 8.3

- whatever "support" means

- similar to situation in SAML 1.1, effectively but not formally MTI

- Rob: just want to be clear on impact to implementations

- [MOTION] Accept text from < http://lists.oasis-open.org/archives/

security-services/200408/msg00194.html >

- [VOTE] no objections, passes

> (d) MTI security algorithms

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00214.html >

- Frederick: repeats what is said in XML-Enc and XML-Sig, but also

requires Excl C14N, some encryption algorithms, etc

- Hal: I thought we already required Excl C14N

- Scott: has been a should

- Frederick: suggests modifying proposed text to eliminate MTI

requirement for Excl C14N

- Frederick: DSAwithSHA1 is required in XML-Sig, but no one appears to

use it, so we should say that we're NOT requiring it, so that if

XML-Sig changes, implementations will be clear that it is not needed

for SAML

- [MOTION] Accept text from < http://lists.oasis-open.org/archives/

security-services/200408/msg00214.html >, with removal of MTI

requirement for Excl-C14N

- [VOTE] no objections, passes

> 6. Discussion on list

> (a) AssertionConsumerServiceIndex vs. AssertionConsumerURL

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00200.html >

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00223.html >

< < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00237.html >

- Scott: the Index and URL were intended to be mutually exclusive, so

we can add text to that end

- could have formed these in schema using a choice, but would have

created long names

- Prateek: ok with just adding a sentence to spec and leaving schema

alone

- [MOTION] Add text to line 1905 of core making ACSIndex and ACSUrl

mutually exclusive

- [VOTE] no objection, passes

- Scott: Conor made a related suggestion that signing the AuthNRequest

can also create the necessary trust

- thinks this is a good comment to add, editorially

- [MOTION] Adopt text similar to Conor's < http://lists.oasis-open.org/

archives/security-services/200408/msg00221.html > in core

- [VOTE] no objection, passes

- Scott: also coming out of this discussion is use of recipient attr

to prevent certain attacks

- SAML 1.1 used one way, and Liberty used another

- current SAML 2 profile does both, which is overkill

- Is the notion of recipient placed in bearer confirmation data still

something we want to do, given that we have other mechanisms?

- doesn't feel strongly about this

- Prateek: isn't this all elective changes? there's no driving

reason to change this

- Scott: correct, not raising this as a problem, just a duplicity

- Rob: doesn't see need to change

- Scott: Is the recipient on the status response type still needed?

< http://lists.oasis-open.org/archives/security-services/

200408/msg00222.html >

- We should either remove it (and add comparable mechanism to

request abstract type) or say more about it

- currently underspecified

- prefers removing it

- Scott will repost issue to solicit feedback from Liberty folks

> (b) Comments on core-2.0-cd-01

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00224.html >

- Paul: of the 4 points, they were all editorial and Scott has ideas on

how to address all of them

- Scott: correct

> (c) SessionIndex and Privacy Text

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00213.html >

- Paul: this thread has been going on a bit

- originally was looking for caveat "only when privacy is a concern"

- seems to have gotten agreement on that

- discussion went on to mechanisms

- Scott: points out that it's easier to say when NOT to do this

- As for Conor's comments, this repeats discussion from a previous F2F

- point is using AssertionID rather than SessionIndex

- part of issue of using AssertionID was case of multiple Assertions

- text for SessionIndex has been difficult to produce

- Irving: can't remember particulars of F2F discussion, but suspects

we had good reason to not just use AssertionID

- and the small integer approach was intended to create blurring effect

- [ACTION] Scott will review minutes of F2F regarding SessionIndex and

make proposal addressing Paul and Conor's comments

> (d) Conformance requirements - SSL/TLS issues

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00216.html >

- Frederick: we should add comment citing FIPS equivalents

- also, could add a common ciphersuite

- Scott: would should move all this out of bindings and into conformance

- Prateek: thinks this is editorial

> (e) Comments on profiles-2.0-cd-01

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00235.html >

- Paul: the only non-editorial issue is within SLO profile

- we give very little guidance to IDP regarding aggregating error info

with other SPs, and propagating to initiating SP

- Scott: JohnK, in ID-FF, don't you (as proxying IDP) stop on single

failure?

- JohnK: would have to look, but thinks so

- Scott: probably need to tighten up our language

- so, you would only get 1 error

> (f) Others?

- Frederick sent msg Thursday on encryption

< http://lists.oasis-open.org/archives/security-services/

200408/msg00228.html >

- Frederick: point was there wasn't anything to say in these areas

- need to review Tony's mention of a posting to WSS

- everyone needs to review this, particularly those w/ experience

implementing XML-Enc

- would like Tony to explain his thoughts on this

- [ACTION] Rob to contact Tony regarding XML-Encryption thoughts

- Rob: Charles has posted drafts of Implementation Guide

- need everyone to review

- Prateek sent out solicitation for virtual interop

> 7. Open AIs

> #0193: Minor fix for Schema Encoding

> Owner: Scott Cantor

> Status: Open

> Assigned: 31 Aug 2004

> Due: ---

> Comments:

> UTF-8 vs. US ASCII encoding

> Scott Cantor to make proposal.

- [MOTION] Change declarations in schema files from UTF-8 and US ASCII

- Irving: resists

- Scott: would rather remove the declaration, but if not, would prefer

more efficient form of US ASCII

- Eve: resists also, as UTF-8 is more 'normal'

- Scott: withdraws motion

- Rob: need to fix schema dce files, so they can be viewed in browsers

- CLOSED

> #0192: Propose changes to X.500/LDAP Attribute Profile

> Owner: Bob Morgan

> Status: Open

> Assigned: 31 Aug 2004

> Due: ---

> Comments:

> < http://lists.oasis-open.org/archives/security-services/

> 200408/msg00180.html >

- RLBob: in process

> #0160: Separate Privacy concerns language from Element/Attribute

> descriptions

> Owner: Prateek Mishra

> Status: Open

> Assigned: 30 Apr 2004

- no update

> #0158: Propose changes to definition of Federation in glossary

> Owner: Prateek Mishra

> Status: Open

> Assigned: 30 Apr 2004

- no update

> #0176: Provide sequence diagrams for profiles

> Owner: Jeff Hodges

> Status: Open

> Assigned: 23 Jun 2004

- CLOSED

> #0123: Obtain MIME type registration for HTTP lookup of SAML

> Owner: Jeff Hodges

> Status: Open

> Assigned: 13 Feb 2004

- Jeff: in progress

- should have done in time for 2nd CD

> 8. Any other business

- Rob: Next week's call is a focus call

- planning to return to weekly formal calls after that

- in posting doc changes, need to keep all change history relative to

CD 01, so they can be all visible in CD 02

> 9. Adjourn

- Adjourned

----------------------------------------------------------------------

Attendance of Voting Members:

Hal Lockhart BEA

Rick Randall Booz Allen Hamilton

Gavenraj Sodhi Computer Associates

Paul Madsen Entrust

Carolina Canales-Valenzuela Ericsson

Dana Kaufman Forum Systems

Irving Reid Hewlett-Packard Company

Paula Austel IBM

Maryann Hondo IBM

Michael McIntosh IBM

Nick Ragouzis Individual

Scott Cantor Internet2

Bob Morgan Internet2

Prateek Mishra Netegrity

Forest Yin Netegrity

Frederick Hirsch Nokia

John Kemp Nokia

Senthil Sengodan Nokia

Cameron Morris Novell

Scott Kiester Novell

Steve Anderson OpenNetwork

Ari Kermaier Oracle

Vamsi Motukuru Oracle

Darren Platt Ping Identity

Jim Lien RSA Security

John Linn RSA Security

Rob Philpott RSA Security

Bhavna Bhatnagar Sun Microsystems

Jeff Hodges Sun Microsystems

Eve Maler Sun Microsystems

Emily Xu Sun Microsystems

Mike Beach The Boeing Company

Attendance of Observers or Prospective Members:

Abbie Barbir Nortel

John Hughes

Membership Status Changes:

none

Steve Anderson

OpenNetwork

security-services message