Subject: minutes for OASIS SSTC 2004-12-21 conf call

(Sorry for the delay ...)

Minutes for SSTC conf call, 2004-12-21
scribe:  RL "Bob" Morgan



  - No votes taken.
  - Discussion of many small clarifications.

  - Action item status changes:  0123 closed, 0204 closed
  - New action items:
     - GregW and Conor to propose text clarifying failure-handling
         in logout
     - Prateek to start thread on meaning of "support" in conformance
  - Work on non-normative docs during ballot period,
      discuss them on 2005-01-11 focus call


0.  Roll taken (attendee list below), quorum achieved.

1.  minutes from 2004-12-07 call accepted
       with clarification from TonyN's note:


2.  CD-03 status
   call for public review sent out 2004-12-15
     review period ends 2004-01-14
   ballots will begin 2004-01-07 to affirm CD, submit to OASIS
     Rob:  OK to start ballot prior to close of period
     Hal:  note comment may come in during ballot period
     Conor:  you can always change your vote
     Hal:  is there description of recent XML problem?
       A:  original problem report on saml-dev on 2004-12-12 is clear ...

3.  Message threads

(a) IPR discussion (note from James Clark)

Conor:  AOL will be sending statement saying reciprocal/royalty-free

(b) NameID Policy Format discussion

Thomas:  OK

(c) Single Logout

Covered by proposals in (d)

(d) Proposed clarifications

Scott:  covers items raised at interop, etc
   authn-context change pending (not in referenced note)
     will be reviewed by others shortly, put into next draft
   fix to confirmation method to indicate non-optionality
   make format optional on identifier-create request
     reflecting change in default
   nameIdMgmt protocol defaults considered problematic
     clarifications to be made to say that params have to be filled in
   nameQualifiers used with older v1 nameid formats
     use not specified in spec, source of interop problems
     RobP:  but some are in use now, can't outlaw
     Scott:  recommend that nameQ's not be used with these going forward?
     RobP:  OK
   clarify that ACSindex and ProtocolBinding are mutually exclusive
   clarify uniqueness of all metadata indexes
   clarify that RelayState param is omitted if no value
   clarify that URL-encoding happens before signing
     Q:  is ordering of elements in URL required?
     Scott:  no, can't control what encoding/decoding may do
     TomW:  unsafe characters can be in relay state
     Scott:  no, have to replace them with entities, aka "html-encoding"
       or "entity-encoding"
       this is implementation guidance, not SAML spec
     GregW:  sending text with quotes is bad idea in the first place
       due to info leakage
     RobP:  does length constraint include encoding characters?
       need to clarify, will send note
   single logout clarifications
     Prateek:  some things left out?
     Scott:  didn't repeat material from core ...
       so should say:  assume all rules in core apply
       note that choices constrained by situation, eg presence of browser
     have to use same binding to propagate as request came in via?  no
       Conor:  main question is whether IdP considers it a logout
         if so, propagate; if not, don't
       Greg:  not transactional ...
       Scott:  spec says that if any failure is observed by IdP
         whole thing is a failure, that's what's returned to requester
       Conor:  just want error response saying:  logout happened as IdP,
         may not have happened somewhere
       Scott:  doesn't work that way now or in ID-FF, no partial success
       Greg:  agree with Conor that we want partial
       Scott:  don't agree, if logout isn't successful it isn't ...
       Greg:  what does SP do upon receiving failure indication?
       Scott:  it's up to the SP, can end session or not
       Conor:  don't agree, SP has to end session if it initiated
       Scott:  need input from those who have implemented ...
       TomW:  does IdP have to keep sending to others after first failures?
       Conor:  yes, has to try with all, even though one fails
         can also keep trying after initial failure
       Greg:  Conor and I will propose clarifying text
       Scott:  in next week?
       Greg:  will make best effort ...
   Tom:  conformance says have to support all nameId formats?
       and consent formats?
     Prateek:  should be able to configure IdP to generate/accept these
     Conor:  should specify minimal set
     RobP:  have to "deal with" them, not "support" them
       eg can respond with error
     GregW:  distinguish not crashing from doing something useful?
     Scott:  "support" means generate, handle, manage, ...
      RobP:  so spec is ambiguous:  either too weak or too strong
     Scott:  want to ensure interop, not have all products choosing
       to support different ones
       in particular want persistent and transient to be MTI/MTS
     Prateek:  will start thread on how to resolve
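The HTTP-Redirect binding points above (URL-encoding happens before signing, RelayState is omitted when it has no value, element order in the URL is not what the signature covers) are easy to get wrong in an implementation. The following is an added worked example written for these minutes, not code from the SSTC or any SAML implementation. It assumes an HMAC-SHA256 stand-in for the RSA/ECDSA signature a real deployment would name in SigAlg (so it runs with the standard library only), a placeholder SigAlg URI, and a constructed demo key; the 80-byte RelayState cap is the Bindings spec's limit, and since the call left open whether encoding characters count, the check here is applied to the raw value before encoding (an assumption, not the call's resolution).

```python
"""Added example for the SAML 2.0 HTTP-Redirect binding clarifications
discussed on the call (not part of the minutes or of any SAML product).

- message is DEFLATE-compressed, base64-encoded, then URL-encoded
- RelayState is omitted from the query entirely when there is no value
- the signature covers the URL-encoded string, built in canonical order
  (SAMLRequest|SAMLResponse, RelayState, SigAlg), regardless of the order
  the parameters end up in on the wire
- the verifier signs the raw octets as received; it never decodes and
  re-encodes, since re-encoding may not reproduce the same bytes
"""
import base64
import hashlib
import hmac
import zlib
from typing import Optional
from urllib.parse import quote, unquote

# Constructed demo key and placeholder SigAlg: a real deployment signs with an
# RSA/ECDSA private key and a real algorithm URI such as rsa-sha256.
DEMO_KEY = b"constructed-demo-key"
SIG_ALG = "urn:example:demo-hmac-sha256"
MESSAGE_PARAMS = ("SAMLRequest", "SAMLResponse")
RELAY_STATE_MAX_BYTES = 80  # limit stated in the Bindings spec


def deflate_b64(xml: str) -> str:
    # Raw DEFLATE (negative wbits = no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_string(encoded: dict) -> str:
    # Canonical order over values that are ALREADY URL-encoded.
    msg_param = next(p for p in MESSAGE_PARAMS if p in encoded)
    parts = [f"{msg_param}={encoded[msg_param]}"]
    if "RelayState" in encoded:           # only present when it has a value
        parts.append(f"RelayState={encoded['RelayState']}")
    parts.append(f"SigAlg={encoded['SigAlg']}")
    return "&".join(parts)


def build_signed_query(message_param: str, xml: str,
                       relay_state: Optional[str] = None) -> str:
    if message_param not in MESSAGE_PARAMS:
        raise ValueError("message_param must be SAMLRequest or SAMLResponse")
    encoded = {message_param: quote(deflate_b64(xml), safe="")}
    if relay_state:  # empty/None -> parameter omitted entirely
        # Assumption: the cap is checked on the raw value, before encoding.
        if len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
            raise ValueError("RelayState exceeds the 80-byte limit")
        encoded["RelayState"] = quote(relay_state, safe="")
    encoded["SigAlg"] = quote(SIG_ALG, safe="")
    to_sign = signed_string(encoded)
    sig = hmac.new(DEMO_KEY, to_sign.encode("ascii"), hashlib.sha256).digest()
    return to_sign + "&Signature=" + quote(base64.b64encode(sig).decode("ascii"), safe="")


def split_raw(query: str) -> dict:
    # Keep every value exactly as it appears in the URL (still percent-encoded).
    raw = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            raw[name] = value
    return raw


def verify_signed_query(query: str) -> Optional[dict]:
    """Return the decoded message on success, None on any failure."""
    raw = split_raw(query)
    if "Signature" not in raw or "SigAlg" not in raw:
        return None
    if not any(p in raw for p in MESSAGE_PARAMS):
        return None
    if unquote(raw["SigAlg"]) != SIG_ALG:
        return None
    expected = hmac.new(DEMO_KEY, signed_string(raw).encode("ascii"),
                        hashlib.sha256).digest()
    try:
        given = base64.b64decode(unquote(raw["Signature"]))
    except ValueError:
        return None
    if not hmac.compare_digest(expected, given):
        return None
    msg_param = next(p for p in MESSAGE_PARAMS if p in raw)
    return {
        "param": msg_param,
        "xml": inflate_b64(unquote(raw[msg_param])),
        "relay_state": unquote(raw["RelayState"]) if "RelayState" in raw else None,
    }


if __name__ == "__main__":
    # Constructed sample message; a real AuthnRequest carries more attributes.
    q = build_signed_query("SAMLRequest", "<samlp:AuthnRequest ID='_demo'/>", "target=/app")
    print(q)
    print(verify_signed_query(q))
```

The verifier reconstructs the canonical string from the raw encoded values, so a proxy reordering the query parameters does not break verification, while any change to the encoded RelayState or message bytes does.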

(e) "attesting entity" vs "confirming entity"

Scott:  yes, will change

4. Open AIs

#0204: Final text for subject and subject confirmation
Owner: Bob Morgan
Status: Open
Assigned: 2004-11-23 06:20:46

RLBob:  Closed, without submission.

#0203: Analyze/correct usage of SAML entity
Owner: Eve Maler
Status: Open
Assigned: 2004-10-31 19:56:49

Eve:  still open.

#0183: Comments solicited on John Linn response to
Thomas Gross paper
Owner: Prateek Mishra
Status: Open
Assigned: 2004-07-23 17:10:02

Prateek:  still open.

#0123: Obtain MIME type registration for HTTP lookup of SAML
Owner: Jeff Hodges
Status: Open
Assigned: 2004-02-13 20:18:48

Jeff:  done.
   will reformat as plain text for IANA update after final docs done.

5. Ancillary specs (When do we plan to vote on CD status?)

(a)  Paul Madsen draft-02 of exec overview

(b)  SAML 1.x Metadata
NOTE: draft is now available from

(c)  Next steps with SAML 2.0 Technical Overview

JohnH:  newer draft floating around among authors
   will prepare XML samples when all is final
   Q:  sample assertions, or protocol flows also?
   JohnH:  flows would be good, traces are at hand
   note ECP flows are in its doc, maybe pull out and put in overview
     Scott:  rather keep ECP examples in its doc, due to complexity
   Scott:  can't give example of everything
     concern is that people will ignore things for which examples
       aren't provided ...

Prateek:  a good doc deadline will be when OASIS standardization happens
Eve:  maybe just have some editorial meetings during ballot period
   in particular have focus calls work on non-normative docs
     eg on 2004-01-11
   and get drafts out for discussion during CD ballot period

6.  Adjourned


Attendance of Voting Members

Conor P. Cahill          AOL, Inc.
John Hughes              Atos Origin
Hal Lockhart             BEA
Rick Randall             Booz Allen Hamilton
Ronald Jacobson          Computer Associates
Michael McIntosh         IBM
Anthony Nadalin          IBM
Scott Cantor             Internet2
Bob Morgan               Internet2
Peter Davis              NeuStar
Jeff Hodges              NeuStar
Frederick Hirsch         Nokia
Scott Kiester            Novell
Ari Kermaier             Oracle
Darren Platt             Ping Identity
Prateek Mishra           Principal Identity
Rob Philpott             RSA Security
Dipak Chopra             SAP
Jahan Moreh              Sigaba
Bhavna Bhatnagar         Sun Microsystems
Eve Maler                Sun Microsystems
Emily Xu                 Sun Microsystems
Greg Whitehead           Trustgenix

Attendance of Prospective Members

Maryann Hondo            IBM

Attendance of Observers (or those who lost status due to inactivity)

Thomas Wisniewski        Entrust

