OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: SSTC call notes - 2004-10-26

Minutes for OASIS SSTC conference call Tuesday 2004-10-26
Minute taker:  John Kemp


  -- factor out type for NameID, Issuer, allowing consistent use of 
different format defaults for each

  Extended discussion:
  -- (none)

  New action items:
  -- Eve to explain extension of Attribute (see discussion in notes)
  -- Scott to respond to question about unqualified vs qualified in 
schema defaults (that we're not going to anything)
  -- Scott to respond to query about encryption ciphertext being unique, 
affirming decision to require this
  -- Eve to analyze/correct usage of SAML entity terminology
  -- Scott to analyze/correct usage of terms regarding principal, 
subject, user et al

  Current action items:
  -- 197: closed
  -- 160: Prateek almost done
  -- 123: Jeff has prompted IESG, should be done by early next week
  -- 199: ongoing, contains multiple actions, Eve will add official APs 
for these

Raw notes:

roll-call determines that we have a quorate call (participant list to 
follow under separate cover)

eve: agenda notes review period ends on Halloween, with focus call next 
week to tie up loose ends. Eve reminds group about various important 
issues regarding attestations, votes, asks for questions.
hal asks about agreed-upon granularity for attestations
discussion about attestations
scott: discussions were had about attestations being related to pieces 
of core spec. not outlying functionality
gregw: When's IOP?
rob: If we don't get attestations, we have to delay the vote
(discussion about requirements for attestations)
eve: vote to accept changes to cd-02a drafts
rob: had comments on core, not included in the 02a drafts
peter: did you incorp Dave McAlpin's input?
scott: if agreed with Dave, I incorporated changes
scott: took out some MAYs particularly in proxy restriction
eve: changes improve the clarity
scott: outstanding issue around whether a particular condition is truly 
binding (ie. MUST)
eve: emphasize review of changes, discuss outstanding items
scott: made schema changes that corrected mistakes, also added consent 
attribute to Response message
scott: didn't do much to profiles
scott: fixed examples in bindings - especially the URL/gzip-encoding
scott: noted that metadata spec is not authoritative, made other small 
scott: gregw noted that URI namespaces were an issue when versionining - 
when profiling metadata spec. this is the URI you should put in this 
attribute to indicate the version. This is clarified in 02a

eve: comment about "friendly name" needing a 'lang' attribute.
(discussion about internationalizing between Eve and Scott)
scott: if we think he's right about internationalizing, we should "pull it"
RLBob, Rick Randall join
rlbob: FriendlyName is of questionable value, thus further describing it 
seems unnecessary
rob: maybe consider this for a future release?
scott: why can't you (some external org) extend, and xsi:type this with 
a 'lang' attribute into their document?
eve: perhaps just explain how to extend Attribute to do this?

AP: Eve to explain this

(discuss general editorial comments from 
scott: received comments on schema defaults. qualified vs unqualified
eve: consensus seems to be that we do nothing about 'unqualified'

AP: Scott to respond

scott: (explains issue regarding contradictory use of 'format' default 
in Issuer. Factor out the type, to allow this?)
rob: (comments further about clarification around source ID)


scott: moves that we factor out the XML type of NameID, Issuer, allowing 
them to have different default values.
gregw seconds
any discussion? nope
unanimous consent, vote carries

scott: encryption algorithm MUST result in unique ciphertext - comment 
received that this should be SHOULD
(resolve to re-affirm this in email)

AP: Scott to re-affirm in email

scott: we say what constitutes an invalid assertion, but don't say what 
to do if it is invalid - so why make it a MUST to evaluate whether the 
assertion is invalid?
rlbob: profiles can decide this
eve: Can we make this a SHOULD?
hal: can we go the other direction, and say what one should do when the 
assertion is determined invalid? So, should we say that you shouldn't 
depend on the assertion?
rlbob: intent is that condition MUST be evaluated
hal: tests can't determine whether a condition was "taken into account"
johnk: his point is exactly that - that you can't test this for conformance
nick: even though you can't test, the normative rule has a role in 
scott: suggest that we change Core to say that you shouldn't depend on 
the contents of the assertion if invalid
hal: historical argument was about Audience restrictions
rlbob: this is a loose evaluation of the condition
eve: what to do?
rlbob: we need text about general processing of assertions and what you 
should do if invalid
eve: can we add something about evaluation?
scott: can we get the rules straight, do implementation guidelines for 
now, and then add to the spec. in the correct places later?
scott: evaluation of signature, conditions, evaluation of issuer - all 
of these are in the spec. - tighten up conditions language, and if 
result is invalid or indeterminate the assertion MUST be discarded.
eve: instruction to the editor to make this change
scott: line 561 comment - change the MAY to may
scott; SubjectConf data line 682, 687 comments. More consistent 
definitions requested - this is reasonable. Will work to do this
scott: line 790 - 808 comments explain that rules for evaluation of 
conditions are inconsistent and contradictory.
scott: will add text from 818 to third bullet of  814, 815
scott: line 1000 - the MUST NOT is inconsistent
eve: perhaps should be SHOULD NOT, with text to explain - the reason 
being that privacy is not important to your implementation?
scott: will formulate text, distribute.

eve: change to definition of "identity federation"
prateek: respun based on Scott's comments

back to agenda item 4 (c) and (d)

(c) Question about XML-ENC use of XMLDSIG namespace vs. SAML use


(d) Editorial input on profiles document


(d) Scott will respond
(c) Scott: a tool issue. Shouldn't change the URI reference. (No action)

eve: let's address Rob's concerns

Numbers below reference email: 


scott: rob's comment - SLO - should partial logout roll-back successful 
logouts? No, partial success is fine
gregw: (agrees)


scott: discussed before, will remind Rob of previous decision

3. ? (minute-taker missed this apparently)

scott: put some forward references to the extension section

5. terms for SAML entities are confusing - rob suggests that we make 
sure our terminology is correct in each place it appears, and note that 
terms overlap -

eve: will attempt to analyze usage of terms, make sure we're using terms 
correctly, and find the right place to put commentary around this.

AP: Eve to analyze/correct usage of SAML entity terminology

6. Sloppy language around principal, user, subject - Scott will take this on

AP: Scott to analyze/correct usage of said terms

7. Editorial issue around sections in the introduction - create a 
section 1.3 that includes schema datatype interpretations etc. etc.

Review current APs

197: closed
160: Prateek almost done
123: Jeff has prompted IESG, should be done by early next week
199:  ongoing, contains multiple actions, Eve will add official APs for 

eve: AOB?
gregw: been testing metadata between SAML 1.1, SAML 2 - is there 
interest in documenting a common profile of metadata for SAML 1.0, SAML 
1.1 implementations using the SAML 2.0 metadata?
eve: create a whitepaper?
gregw: volunteers to write up a profile, discuss on a focus call.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]