Subject: conf call minutes 2004-11-09
OASIS SSTC -- Conference Call Minutes 11/9/2004

Minutes taker: Ari Kermaier
Dial in info: +1 865 673 6950 #351-8396

Attendance of Voting Members

  Conor P. Cahill     AOL, Inc.
  John Hughes         Atos Origin
  Hal Lockhart        BEA
  Rick Randall        Booz Allen Hamilton
  Ronald Jacobson     Computer Associates
  Paul Madsen         Entrust
  Dana Kaufman        Forum Systems
  Irving Reid         Hewlett-Packard Company
  Paula Austel        IBM
  Michael McIntosh    IBM
  Nick Ragouzis       Individual
  Scott Cantor        Internet2
  Bob Morgan          Internet2
  Prateek Mishra      Netegrity
  Forest Yin          Netegrity
  Peter Davis         Neustar
  Frederick Hirsch    Nokia
  Abbie Barbir        Nortel
  Scott Kiester       Novell
  Cameron Morris      Novell
  Charles Knouse      Oblix
  Steve Anderson      OpenNetwork
  Ari Kermaier        Oracle
  Vamsi Motukuru      Oracle
  Jim Lien            RSA Security
  John Linn           RSA Security
  Rob Philpott        RSA Security
  Dipak Chopra        SAP
  Bhavna Bhatnagar    Sun Microsystems
  Jeff Hodges         Sun Microsystems
  Eve Maler           Sun Microsystems
  Ron Monzillo        Sun Microsystems
  Mike Beach          The Boeing Company
  Greg Whitehead      Trustgenix

Attendance of Prospective Members or Observers

  Rebekah Metz        Booz Allen Hamilton
  Emily Xu            Sun Microsystems
  Gavenraj Sodhi      Computer Associates

Membership Status Changes

  Partha Panda Entrust - Requested membership on 10/27/2004
  Alistair Young UHI Millennium Institute - Requested membership on 11/3/2004
  Rebekah Metz Booz Allen Hamilton - Granted voting status after 11/9/2004 call
  Carolina Canales-Valenzuela Ericsson - Lost voting status after 11/9/2004 call
  Maryann Hondo IBM - Lost voting status after 11/9/2004 call
  Senthil Sengodan Nokia - Lost prospective status after 11/9/2004 call
  Makoto Hatakeyama NEC - Lost prospective status after 11/9/2004 call
  Yuzo Koga NTT - Lost prospective status after 11/9/2004 call
  Irving Reid Hewlett-Packard Company - LOA 11/10/2004 through 12/25/2004

1. Accept minutes from October 26 Conference Call
   http://lists.oasis-open.org/archives/security-services/200410/msg00083.html

   Prateek: Passed w/o objection.
   Eve: Motion to also accept minutes from 10/12/2004. Passed w/o objection.

1. SSTC plans CD and OASIS submission vote on December 7

   If successful, SSTC plans to submit specification set to OASIS by December 15.

   Prateek: End of January when we can hope specs could move to OASIS Standard.

2. Reminder: We need three attestations before OASIS submission on December 15.
   http://lists.oasis-open.org/archives/security-services/200410/msg00026.html

   Rob: Actually need attestation a few days before 12/15/2004 (but not necessarily by 12/07/2004).
   Paul: Attestations have in the past identified specific spec pieces used.
   Hal: We're treating spec as a unit this time.

3. Metadata thread (Rob, Scott)
   http://lists.oasis-open.org/archives/security-services/200411/msg00032.html

   Scott: Had phone discussion on spec ambiguity/confusion over how attribute consumer descriptor might apply to attribute queries. Not considered as possible use case, because queries can be explicit. Might be able to make cut-paste changes to spec to describe bindings of descriptors to bindings where they're intended to apply:

     1 - Elimination of distinct role of attr consumer descriptor, by copying contents to SP role (and possibly reuse data structure for future needs outside of SSO SP role).
     2 - Distinction between attribute authority (queries) and IdP (attribute push), so copy attribute information from attr authority descriptor to IdP descriptor to make it explicitly available for IdP in a distinct matter.

   Hopefully this will not rise to level of substantive changes (no new roles or different processing rules), but rather just restructuring of schema elements.

   Prateek: No formal action to take right now.

4. Possible SAML 1.1 error
   http://lists.oasis-open.org/archives/security-services/200411/msg00025.html

   Prateek: Maybe good starting point for maintaining SAML 1.1 errata. Any volunteers for editor?
   Eve: I think it was Jahan that was agreed to be the keeper of errata in SAML 1.1 (not on call).
   Prateek: We'd affirmed that we'd maintain such a document, but haven't done any work on it yet.
   Rob: Play it by ear, based on adoption of 2.0, life-span of TC.
   Eve: SAML 1.1 will have wide deployment before 2.0 gets good adoption.
   Various: Discussion about USGov approval of 1.0 only; maybe 1.1 should supersede/withdraw 1.0 (currently doesn't); WSSTC just finishing 1.1-based profile. We need to decide how we're going to support errata for 1.x going forward.
   Prateek: Need to contact Jahan and see if he's ready to start maintaining errata for 1.1, and need proposal for dealing with spec lifecycle issues.
   Jeff: Look at IETF RFC 2026 for supersession pointers.
   (Prateek: Will defer discussion of normative references to SSL/TLS and Liberty PAOS, etc. till later discussion of ITUT.)

5. Paul Madsen draft-02 of exec overview
   http://lists.oasis-open.org/archives/security-services/200411/msg00002.html

   Paul: Looking for comments on level of detail, etc. but hasn't received any yet.

7. Greg W re: SAML 1.x Metadata
   http://lists.oasis-open.org/archives/security-services/200411/msg00012.html

   NOTE: draft is now available from
   http://www.oasis-open.org/apps/org/workgroup/security/download.php/9967/draft-saml1x-metadata-01.pdf

   Greg: Straightforward profile, overall. Possible controversies: Usage of URIs to define versions in metadata and identify SAML 2.0 profiles. Issuer string should be used as ID.
   Scott: Can spin new version based on above-discussed schema changes.
   Eve: Maybe mention in technical overview so people have a pointer to proposal.
   Prateek: May be valuable to advance proposal to Committee Draft.
   Scott: Need to think about how to identify spec versions in metadata other than just by namespace URI (problems for 1.0/1.1 and 2.0/2.1).
   Prateek: Call for comments by next quorate meeting, and soon after progress it CD.
   Scott: Not till after 2.0 metadata is baked/CD.
   Prateek: So comments by 12/21/2004 meeting.

8. Next steps with SAML 2.0 Technical Overview

   I cannot find the location of the most current draft; the only version I could find is:
   http://www.oasis-open.org/apps/org/workgroup/security/download.php/4150/sstc-saml-tech-overview-2.0-draft-00.pdf

   John Hughes: A more up-to-date version than 01 is available on his laptop. About 80%-90% done, but 4 areas of work:

     1 - Put in some SAML 2.0 XML samples (once we've got schema final).
     2 - Describe relationship to other frameworks (Eve to do).
     3 - Kerberos (maybe drop it for lack of input).
     4 - Federation examples (John to do).

   Eve: Proposed timeframe for when specs released to OASIS standard.
   Prateek: Has some more content to contribute.

1. Open AIs (relevant to SAML 2.0)

#0203: Analyze/correct usage of SAML entity terminology
Owner: Eve Maler
Status: Open
Assigned: 31 Oct 2004
Due: ---
Comments:
   Eve Maler 2004-10-31 19:56 GMT
   Rob Philpott sent a comment about the potentially confusing usage of the terms "principal", "subject", "user", and "identity" in the specs (see comment #6):
   http://lists.oasis-open.org/archives/security-services/200410/msg00058.html
   At the 26 Oct 2004 quorate call, Eve agreed to analyze the usage of these terms, make sure we're using terms correctly, and find the right place to put commentary around this.

   Eve Maler 2004-10-31 19:58 GMT
   Oops: Eve agreed to examine "entity" usage specifically; it was Scott who agreed to clean up the principal/subject/user distinction.
Discussion:
   Eve: Basically completed. Found 1 instance of "assertion consumer" changed to "relying party". Everything else is pretty consistently "asserting party" and "relying party".
   Jeff: Added "confirming entity" to glossary today.
   Eve: Dramatic reading of added text.
   Scott: Suggest making reference to Authentication Request section.
   Eve: AI remains open, want to repeat exercise for other specs. Hoping to finish tonight and upload.

#0199: Glossary updates
Owner: Jeff Hodges
Status: Open
Assigned: 25 Oct 2004
Due: ---
Comments:
   Prateek Mishra 2004-10-25 20:14 GMT
   http://lists.oasis-open.org/archives/security-services/200410/msg00025.html
   - Jeff to provide feedback to Prateek's Glossary tweak
   - Jeff to address Quadrasis comments on glossary
Discussion:
   Still open - Jeff will complete today.

#0163: Need process for submission of profiles/authn context classes, etc.
Owner: Eve Maler
Status: Open
Assigned: 22 Jun 2004
Due: ---
Comments:
   Rob Philpott 2004-06-22 16:29 GMT
   On the web site, we need to state what the process is for submitting and dealing with additional authn context classes, new profile documents, etc.

   Rob Philpott 2004-06-23 16:03 GMT
   Note that this is different from AI 164 for Scott and John K to propose text within the spec documents that points to the web site.

   Eve Maler 2004-10-12 16:27 GMT
   Add a lightweight registration/"linking-to" notice on the website.
Discussion:
   Language done, but waiting for approval from OASIS.

#0160: Separate Privacy concerns language from Element/Attribute descriptions
Owner: Prateek Mishra
Status: Open
Assigned: 30 Apr 2004
Due: ---
Comments:
Discussion:
   Remains open (completed review, just need to publish notes).

#0123: Obtain MIME type registration for HTTP lookup of SAML
Owner: Jeff Hodges
Status: Open
Assigned: 13 Feb 2004
Due: ---
Discussion:
   Waiting for final text to incorporate into appendices. (Update references, mostly.) Also, might have to remove separate section for bibliography. Also, should insert as appendices rather than document sections.

Adjourned 1:16pm EST.