[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: minutes for OASIS SSTC 2004-12-21 conf call
(Sorry for the delay ...)
Minutes for SSTC conf call, 2004-12-21
scribe: RL "Bob" Morgan
---
Summary:
- No votes taken.
- Discussion of many small clarifications.
- Action item status changes: 0123 closed, 0204 closed
- New action items:
- GregW and Conor to propose text clarifying failure-handling
in logout
- Prateek to start thread on meaning of "support" in conformance
- Work on non-normative docs during ballot period,
discuss them on 2005-01-11 focus call
---
0. Roll taken (attendee list below), quorum achieved.
1. minutes from 2004-12-07 call accepted
with clarification from TonyN's note:
http://lists.oasis-open.org/archives/security-services/200412/msg00030.html
2. CD-03 status
call for public review sent out 2004-12-15
review period ends 2004-01-14
ballots will begin 2004-01-07 to affirm CD, submit to OASIS
Rob: OK to start ballot prior to close of period
Hal: note comment may come in during ballot period
Conor: you can always change your vote
Hal: is there description of recent XML problem?
A: original problem report on saml-dev on 2004-12-12 is clear ...
3. Message threads
(a) IPR discussion (note from James Clark)
http://lists.oasis-open.org/archives/security-services/200412/msg00040.html
Conor: AOL will be sending statement saying reciprocal/royalty-free
(b) NameID Policy Format discussion
http://lists.oasis-open.org/archives/security-services/200412/msg00056.html
Thomas: OK
(c) Single Logout
http://lists.oasis-open.org/archives/security-services/200412/msg00063.html
Covered by proposals in (d)
(d) Proposed clarifications
http://lists.oasis-open.org/archives/security-services/200412/msg00069.html
Scott: covers items raised at interop, etc
authn-context change pending (not in referenced note)
will be reviewed by others shortly, put into next draft
fix to confirmation method to indicate non-optionality
(/200412/msg00028.html)
make format optional on identifier-create request
reflecting change in default
nameIdMgmt protocol defaults considered problematic
clarifications to be made to say that params have to be filled in
nameQualifiers used with older v1 nameid formats
use not specified in spec, source of interop problems
RobP: but some are in use now, can't outlaw
Scott: recommend that nameQ's not be used with these going forward?
RobP: OK
clarify that ACSindex and ProtocolBinding are mutually exclusive
clarify uniqueness of all metadata indexes
clarify that RelayState param is omitted if no value
clarify that URL-encoding happens before signing
Q: is ordering of elements in URL required?
Scott: no, can't control what encoding/decoding may do
TomW: unsafe characters can be in relay state
Scott: no, have to replace them with entities, aka "html-encoding"
or "entity-encoding"
this is implementation guidance, not SAML spec
GregW: sending text with quotes is bad idea in the first place
due to info leakage
RobP: does length constraint include encoding characters?
need to clarify, will send note
single logout clarifications
Prateek: some things left out?
Scott: didn't repeat material from core ...
so should say: assume all rules in core apply
note that choices constrained by situation, eg presence of browser
have to use same binding to propagate as request came in via? no
failure-handling
Conor: main question is whether IdP considers it a logout
if so, propagate; if not, don't
Greg: not transactional ...
Scott: spec says that if any failure is observed by IdP
whole thing is a failure, that's what's returned to requester
Conor: just want error response saying: logout happened as IdP,
may not have happened somewhere
Scott: doesn't work that way now or in ID-FF, no partial success
Greg: agree with Conor that we want partial
Scott: don't agree, if logout isn't successful it isn't ...
Greg: what does SP do upon receiving failure indication?
Scott: it's up to the SP, can end session or not
Conor: don't agree, SP has to end session if it initiated
Scott: need input from those who have implemented ...
TomW: does IdP have to keep sending to others after first failures?
Conor: yes, has to try with all, even though one fails
can also keep trying after initial failure
Greg: Conor and I will propose clarifying text
Scott: in next week?
Greg: will make best effort ...
Tom: conformance says have to support all nameId formats?
and consent formats?
Prateek: should be able to configure IdP to generate/accept these
Conor: should specify minimal set
RobP: have to "deal with" them, not "support" them
eg can respond with error
GregW: distinguish not crashing from doing something useful?
Scott: "support" means generate, handle, manage, ...
RobP: so spec is ambiguous: either too weak or too string
Scott: want to ensure interop, not have all products choosing
to support different ones
in particular want persistent and transient to be MTI/MTS
Prateek: will start thread on how to resolve
(e) "attesting entity" vs "confirming entity"
http://lists.oasis-open.org/archives/security-services/200412/msg00052.html
Scott: yes, will change
4. Open AIs
#0204: Final text for subject and subject confirmation
Owner: Bob Morgan
Status: Open
Assigned: 2004-11-23 06:20:46
RLBob: Closed, without submission.
#0203: Analyze/correct usage of SAML entity
terminology
Owner: Eve Maler
Status: Open
Assigned: 2004-10-31 19:56:49
Eve: still open.
#0183: Comment s solicited on John Linn response to
Thomas Gross paper
Owner: Prateek Mishra
Status: Open
Assigned: 2004-07-23 17:10:02
Prateek: still open.
#0123: Obtain MIME type registration for HTTP lookup of SAML
Owner: Jeff Hodges
Status: Open
Assigned: 2004-02-13 20:18:48
Jeff: done.
will reformat as plain text for IANA update after final docs done.
5. Ancillary specs (When do we plan to vote on CD status?)
(a) Paul Madsen draft-02 of exec overview
http://lists.oasis-open.org/archives/security-services/200411/msg00002.html
(b) SAML 1.x Metadata
NOTE: draft is now available from
http://www.oasis-open.org/apps/org/workgroup/security/download.php/9967/draf
t-saml1x-metadata-01.pdf
(c) Next steps with SAML 2.0 Technical Overview
http://www.oasis-open.org/apps/org/workgroup/security/download.php/4150/sstc
-saml-tech-overview-2.0-draft-00.pdf
JohnH: newer draft floating around among authors
will prepare XML samples when all is final
Q: sample assertions, or protocol flows also?
JohnH: flows would be good, traces are at hand
note ECP flows are in its doc, maybe pull out and put in overview
Scott: rather keep ECP examples in its doc, due to complexity
Scott: can't give example of everything
concern is that people will ignore things for which examples
aren't provided ...
Prateek: a good doc deadline will be when OASIS standardization happens
Eve: maybe just have some editorial meetings during ballot period
in particular have focus calls work on non-normative docs
eg on 2004-01-11
and get drafts out for discussion during CD ballot period
6. Adjourned
---
Attendance of Voting Members
Conor P. Cahill AOL, Inc.
John Hughes Atos Origin
Hal Lockhart BEA
Rick Randall Booz Allen Hamilton
Ronald Jacobson Computer Associates
Michael McIntosh IBM
Anthony Nadalin IBM
Scott Cantor Internet2
Bob Morgan Internet2
Peter Davis NeuStar
Jeff Hodges NeuStar
Frederick Hirsch Nokia
Scott Kiester Novell
Ari Kermaier Oracle
Darren Platt Ping Identity
Prateek Mishra Principal Identity
Rob Philpott RSA Security
Dipak Chopra SAP
Jahan Moreh Sigaba
Bhavna Bhatnagar Sun Microsystems
Eve Maler Sun Microsystems
Emily Xu Sun Microsystems
Greg Whitehead Trustgenix
Attendance of Prospective Members
Maryann Hondo IBM
Attendance of Observers (or those who lost status due to inactivity)
Thomas Wisniewski Entrust
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]