Subject: minutes for OASIS SSTC 2004-12-21 conf call
(Sorry for the delay ...)

Minutes for SSTC conf call, 2004-12-21
scribe: RL "Bob" Morgan

---

Summary:

- No votes taken.
- Discussion of many small clarifications.
- Action item status changes: 0123 closed, 0204 closed
- New action items:
  - GregW and Conor to propose text clarifying failure-handling in logout
  - Prateek to start thread on meaning of "support" in conformance
- Work on non-normative docs during ballot period, discuss them on 2005-01-11 focus call

---

0. Roll taken (attendee list below), quorum achieved.

1. Minutes from 2004-12-07 call accepted with clarification from TonyN's note:
   http://lists.oasis-open.org/archives/security-services/200412/msg00030.html

2. CD-03 status
   Call for public review sent out 2004-12-15; review period ends 2005-01-14.
   Ballots will begin 2005-01-07 to affirm CD, submit to OASIS.
   Rob: OK to start ballot prior to close of period
   Hal: note comment may come in during ballot period
   Conor: you can always change your vote
   Hal: is there description of recent XML problem?
   A: original problem report on saml-dev on 2004-12-12 is clear
   ...

3. Message threads

   (a) IPR discussion (note from James Clark)
       http://lists.oasis-open.org/archives/security-services/200412/msg00040.html
       Conor: AOL will be sending statement saying reciprocal/royalty-free

   (b) NameID Policy Format discussion
       http://lists.oasis-open.org/archives/security-services/200412/msg00056.html
       Thomas: OK

   (c) Single Logout
       http://lists.oasis-open.org/archives/security-services/200412/msg00063.html
       Covered by proposals in (d)

   (d) Proposed clarifications
       http://lists.oasis-open.org/archives/security-services/200412/msg00069.html
       Scott: covers items raised at interop, etc.
         - authn-context change pending (not in referenced note); will be
           reviewed by others shortly, put into next draft
         - fix to confirmation method to indicate non-optionality
           (/200412/msg00028.html)
         - make format optional on identifier-create request, reflecting
           change in default
         - nameIdMgmt protocol defaults considered problematic; clarifications
           to be made to say that params have to be filled in
         - nameQualifiers used with older v1 nameid formats: use not specified
           in spec, source of interop problems
       RobP: but some are in use now, can't outlaw
       Scott: recommend that nameQ's not be used with these going forward?
       RobP: OK
         - clarify that ACSindex and ProtocolBinding are mutually exclusive
         - clarify uniqueness of all metadata indexes
         - clarify that RelayState param is omitted if no value
         - clarify that URL-encoding happens before signing
       Q: is ordering of elements in URL required?
       Scott: no, can't control what encoding/decoding may do
       TomW: unsafe characters can be in relay state
       Scott: no, have to replace them with entities, aka "html-encoding" or
         "entity-encoding"; this is implementation guidance, not SAML spec
       GregW: sending text with quotes is bad idea in the first place due to
         info leakage
       RobP: does length constraint include encoding characters? need to
         clarify, will send note
         - single logout clarifications
       Prateek: some things left out?
       Scott: didn't repeat material from core ... so should say: assume all
         rules in core apply; note that choices constrained by situation, eg
         presence of browser; have to use same binding to propagate as
         request came in via?
         - no failure-handling
       Conor: main question is whether IdP considers it a logout; if so,
         propagate; if not, don't
       Greg: not transactional ...
       Scott: spec says that if any failure is observed by IdP whole thing is
         a failure, that's what's returned to requester
       Conor: just want error response saying: logout happened as IdP, may
         not have happened somewhere
       Scott: doesn't work that way now or in ID-FF, no partial success
       Greg: agree with Conor that we want partial
       Scott: don't agree, if logout isn't successful it isn't ...
       Greg: what does SP do upon receiving failure indication?
       Scott: it's up to the SP, can end session or not
       Conor: don't agree, SP has to end session if it initiated
       Scott: need input from those who have implemented ...
       TomW: does IdP have to keep sending to others after first failures?
       Conor: yes, has to try with all, even though one fails; can also keep
         trying after initial failure
       Greg: Conor and I will propose clarifying text
       Scott: in next week?
       Greg: will make best effort ...
       Tom: conformance says have to support all nameId formats? and consent
         formats?
       Prateek: should be able to configure IdP to generate/accept these
       Conor: should specify minimal set
       RobP: have to "deal with" them, not "support" them, eg can respond
         with error
       GregW: distinguish not crashing from doing something useful?
       Scott: "support" means generate, handle, manage, ...
       RobP: so spec is ambiguous: either too weak or too strong
       Scott: want to ensure interop, not have all products choosing to
         support different ones; in particular want persistent and transient
         to be MTI/MTS
       Prateek: will start thread on how to resolve

   (e) "attesting entity" vs "confirming entity"
       http://lists.oasis-open.org/archives/security-services/200412/msg00052.html
       Scott: yes, will change

4. Open AIs

   #0204: Final text for subject and subject confirmation
   Owner: Bob Morgan
   Status: Open
   Assigned: 2004-11-23 06:20:46
   RLBob: Closed, without submission.

   #0203: Analyze/correct usage of SAML entity terminology
   Owner: Eve Maler
   Status: Open
   Assigned: 2004-10-31 19:56:49
   Eve: still open.

   #0183: Comments solicited on John Linn response to Thomas Gross paper
   Owner: Prateek Mishra
   Status: Open
   Assigned: 2004-07-23 17:10:02
   Prateek: still open.

   #0123: Obtain MIME type registration for HTTP lookup of SAML
   Owner: Jeff Hodges
   Status: Open
   Assigned: 2004-02-13 20:18:48
   Jeff: done. will reformat as plain text for IANA update after final docs done.

5. Ancillary specs (When do we plan to vote on CD status?)

   (a) Paul Madsen draft-02 of exec overview
       http://lists.oasis-open.org/archives/security-services/200411/msg00002.html

   (b) SAML 1.x Metadata
       NOTE: draft is now available from
       http://www.oasis-open.org/apps/org/workgroup/security/download.php/9967/draft-saml1x-metadata-01.pdf

   (c) Next steps with SAML 2.0 Technical Overview
       http://www.oasis-open.org/apps/org/workgroup/security/download.php/4150/sstc-saml-tech-overview-2.0-draft-00.pdf
       JohnH: newer draft floating around among authors; will prepare XML
         samples when all is final
       Q: sample assertions, or protocol flows also?
       JohnH: flows would be good, traces are at hand; note ECP flows are in
         its doc, maybe pull out and put in overview
       Scott: rather keep ECP examples in its doc, due to complexity
       Scott: can't give example of everything; concern is that people will
         ignore things for which examples aren't provided ...
       Prateek: a good doc deadline will be when OASIS standardization happens
       Eve: maybe just have some editorial meetings during ballot period; in
         particular have focus calls work on non-normative docs, eg on
         2005-01-11, and get drafts out for discussion during CD ballot period

6. Adjourned

---

Attendance of Voting Members

  Conor P. Cahill        AOL, Inc.
  John Hughes            Atos Origin
  Hal Lockhart           BEA
  Rick Randall           Booz Allen Hamilton
  Ronald Jacobson        Computer Associates
  Michael McIntosh       IBM
  Anthony Nadalin        IBM
  Scott Cantor           Internet2
  Bob Morgan             Internet2
  Peter Davis            NeuStar
  Jeff Hodges            NeuStar
  Frederick Hirsch       Nokia
  Scott Kiester          Novell
  Ari Kermaier           Oracle
  Darren Platt           Ping Identity
  Prateek Mishra         Principal Identity
  Rob Philpott           RSA Security
  Dipak Chopra           SAP
  Jahan Moreh            Sigaba
  Bhavna Bhatnagar       Sun Microsystems
  Eve Maler              Sun Microsystems
  Emily Xu               Sun Microsystems
  Greg Whitehead         Trustgenix

Attendance of Prospective Members

  Maryann Hondo          IBM

Attendance of Observers (or those who lost status due to inactivity)

  Thomas Wisniewski      Entrust
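The three HTTP-Redirect binding points clarified under item (d) (URL-encoding happens before signing, RelayState is omitted when it has no value, and the order of parameters on the wire cannot be relied on) are easy to get wrong in code, so here is an added worked example. It is not part of these minutes and not code from any SAML implementation. The signing-input layout (SAMLRequest or SAMLResponse, then RelayState if present, then SigAlg, each value URL-encoded) is the one defined by the SAML 2.0 Bindings specification for this binding; the SigAlg URI is the standard xmldsig-more RSA-SHA256 identifier. Everything else is constructed for the demo: the sample XML, the key, the helper names, and `toy_sign`, which uses HMAC-SHA256 as a stand-in for the RSA signature so the example runs without a key pair. The receiver-side contrast shows why verification has to use the encoded octets as received: a sender that encodes a space in RelayState as `+` instead of `%20` is rejected by a verifier that decodes and re-encodes, but accepted by one that signs over the raw values.

```python
import base64
import hashlib
import hmac
import urllib.parse
import zlib
from typing import Optional

SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample (not schema-complete, enough for the encoding demo).
SAMPLE_XML = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_demo123" Version="2.0"/>')


def deflate_b64(xml: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def signing_input(encoded_msg: str, relay_state: Optional[str], sig_alg: str,
                  param: str = "SAMLRequest") -> str:
    """The octets that get signed: URL-encoded values in fixed order.
    RelayState is left out entirely when it has no value."""
    q = lambda v: urllib.parse.quote(v, safe="")
    parts = [f"{param}={q(encoded_msg)}"]
    if relay_state:
        parts.append(f"RelayState={q(relay_state)}")
    parts.append(f"SigAlg={q(sig_alg)}")
    return "&".join(parts)


def toy_sign(data: str, key: bytes) -> str:
    """Stand-in for the RSA signature: HMAC-SHA256 over the same octets (demo only)."""
    return hmac.new(key, data.encode("ascii"), hashlib.sha256).hexdigest()


def build_redirect_query(xml: str, relay_state: Optional[str], key: bytes,
                         param: str = "SAMLRequest") -> str:
    """Sender side: encode, build signing input, append the Signature parameter."""
    inp = signing_input(deflate_b64(xml), relay_state, SIG_ALG_RSA_SHA256, param)
    return inp + "&Signature=" + urllib.parse.quote(toy_sign(inp, key), safe="")


def verify_redirect_query(query: str, key: bytes) -> bool:
    """Receiver side: take each value *as it appears* (still URL-encoded) and
    rebuild the signing input in canonical order. Wire order is not trusted."""
    raw = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        raw[name] = value  # encoded form, untouched
    param = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    parts = [f"{param}={raw[param]}"]
    if raw.get("RelayState"):
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    expected = toy_sign("&".join(parts), key)
    return hmac.compare_digest(expected, urllib.parse.unquote(raw["Signature"]))


def verify_reencoding(query: str, key: bytes) -> bool:
    """The fragile alternative: decode the parameters, then re-encode them.
    Breaks whenever the sender's encoder made a different legal choice."""
    decoded = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    param = "SAMLRequest" if "SAMLRequest" in decoded else "SAMLResponse"
    inp = signing_input(decoded[param], decoded.get("RelayState"),
                        decoded["SigAlg"], param)
    return hmac.compare_digest(toy_sign(inp, key), decoded["Signature"])


def demo() -> dict:
    key = b"constructed-demo-key"
    query = build_redirect_query(SAMPLE_XML, "https://sp.example/return?x=1", key)
    # Same four parameters, reversed order on the wire.
    shuffled = "&".join(reversed(query.split("&")))
    # A sender that encoded the space in RelayState as '+' rather than '%20'.
    enc = urllib.parse.quote(deflate_b64(SAMPLE_XML), safe="")
    alg = urllib.parse.quote(SIG_ALG_RSA_SHA256, safe="")
    alt_input = f"SAMLRequest={enc}&RelayState=a+b&SigAlg={alg}"
    alt_query = alt_input + "&Signature=" + toy_sign(alt_input, key)
    return {
        "in_order": verify_redirect_query(query, key),
        "reordered": verify_redirect_query(shuffled, key),
        "plus_raw": verify_redirect_query(alt_query, key),
        "plus_reencoded": verify_reencoding(alt_query, key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The `plus_reencoded` case is the one to remember: both verifiers are "correct" for traffic produced by `build_redirect_query`, but only `verify_redirect_query` survives a peer whose encoder made a different legal choice, which is exactly the interop problem the clarification is meant to head off.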