Subject: RE: [security-services] minutes for OASIS SSTC 2004-12-21 conf call
Membership Status Changes:

Thomas Schenkman, Individual - Requested membership on 12/10/2004
Charles Knouse, formerly Oblix - Withdrew 12/20/2004
Maryann Hondo, IBM - Requested membership on 12/21/2004
Thomas Wisniewski, Entrust - Requested membership on 12/21/2004
Senthil Sengodan, Nokia - Granted voting status after 12/21/2004 call
Carolina Canales-Valenzuela, Ericsson - Granted voting status after 12/21/2004 call
John Kemp, Nokia - Lost voting status after 12/21/2004 call

--
Steve Anderson
OpenNetwork

> -----Original Message-----
> From: RL 'Bob' Morgan [mailto:rlmorgan@washington.edu]
> Sent: Monday, January 03, 2005 2:49 PM
> To: OASIS Security Services TC
> Subject: [security-services] minutes for OASIS SSTC 2004-12-21 conf call
>
>
> (Sorry for the delay ...)
>
> Minutes for SSTC conf call, 2004-12-21
> scribe: RL "Bob" Morgan
>
> ---
>
> Summary:
>
> - No votes taken.
> - Discussion of many small clarifications.
>
> - Action item status changes: 0123 closed, 0204 closed
> - New action items:
>   - GregW and Conor to propose text clarifying failure-handling in logout
>   - Prateek to start thread on meaning of "support" in conformance
>   - Work on non-normative docs during ballot period, discuss them on 2005-01-11 focus call
>
> ---
>
>
> 0. Roll taken (attendee list below), quorum achieved.
>
> 1. minutes from 2004-12-07 call accepted
>    with clarification from TonyN's note:
>
>    http://lists.oasis-open.org/archives/security-services/200412/msg00030.html
>
> 2. CD-03 status
>    call for public review sent out 2004-12-15
>    review period ends 2004-01-14
>    ballots will begin 2004-01-07 to affirm CD, submit to OASIS
>    Rob: OK to start ballot prior to close of period
>    Hal: note comment may come in during ballot period
>    Conor: you can always change your vote
>    Hal: is there description of recent XML problem?
>    A: original problem report on saml-dev on 2004-12-12 is clear ...
>
>
> 3. Message threads
>
>    (a) IPR discussion (note from James Clark)
>    http://lists.oasis-open.org/archives/security-services/200412/msg00040.html
>
>    Conor: AOL will be sending statement saying reciprocal/royalty-free
>
>    (b) NameID Policy Format discussion
>    http://lists.oasis-open.org/archives/security-services/200412/msg00056.html
>
>    Thomas: OK
>
>    (c) Single Logout
>    http://lists.oasis-open.org/archives/security-services/200412/msg00063.html
>
>    Covered by proposals in (d)
>
>    (d) Proposed clarifications
>    http://lists.oasis-open.org/archives/security-services/200412/msg00069.html
>
>    Scott: covers items raised at interop, etc
>      authn-context change pending (not in referenced note)
>        will be reviewed by others shortly, put into next draft
>      fix to confirmation method to indicate non-optionality
>        (/200412/msg00028.html)
>      make format optional on identifier-create request
>        reflecting change in default
>      nameIdMgmt protocol defaults considered problematic
>        clarifications to be made to say that params have to be filled in
>      nameQualifiers used with older v1 nameid formats
>        use not specified in spec, source of interop problems
>        RobP: but some are in use now, can't outlaw
>        Scott: recommend that nameQ's not be used with these going forward?
>        RobP: OK
>      clarify that ACSindex and ProtocolBinding are mutually exclusive
>      clarify uniqueness of all metadata indexes
>      clarify that RelayState param is omitted if no value
>      clarify that URL-encoding happens before signing
>        Q: is ordering of elements in URL required?
>        Scott: no, can't control what encoding/decoding may do
>        TomW: unsafe characters can be in relay state
>        Scott: no, have to replace them with entities, aka "html-encoding"
>          or "entity-encoding"
>          this is implementation guidance, not SAML spec
>        GregW: sending text with quotes is bad idea in the first place
>          due to info leakage
>        RobP: does length constraint include encoding characters?
>          need to clarify, will send note
>      single logout clarifications
>        Prateek: some things left out?
>        Scott: didn't repeat material from core ...
>          so should say: assume all rules in core apply
>        note that choices constrained by situation, eg presence of browser
>        have to use same binding to propagate as request came in via? no
>        failure-handling
>        Conor: main question is whether IdP considers it a logout
>          if so, propagate; if not, don't
>        Greg: not transactional ...
>        Scott: spec says that if any failure is observed by IdP
>          whole thing is a failure, that's what's returned to requester
>        Conor: just want error response saying: logout happened as IdP,
>          may not have happened somewhere
>        Scott: doesn't work that way now or in ID-FF, no partial success
>        Greg: agree with Conor that we want partial
>        Scott: don't agree, if logout isn't successful it isn't ...
>        Greg: what does SP do upon receiving failure indication?
>        Scott: it's up to the SP, can end session or not
>        Conor: don't agree, SP has to end session if it initiated
>        Scott: need input from those who have implemented ...
>        TomW: does IdP have to keep sending to others after first failures?
>        Conor: yes, has to try with all, even though one fails
>          can also keep trying after initial failure
>        Greg: Conor and I will propose clarifying text
>        Scott: in next week?
>        Greg: will make best effort ...
>      Tom: conformance says have to support all nameId formats?
>        and consent formats?
>        Prateek: should be able to configure IdP to generate/accept these
>        Conor: should specify minimal set
>        RobP: have to "deal with" them, not "support" them
>          eg can respond with error
>        GregW: distinguish not crashing from doing something useful?
>        Scott: "support" means generate, handle, manage, ...
>        RobP: so spec is ambiguous: either too weak or too strong
>        Scott: want to ensure interop, not have all products choosing
>          to support different ones
>          in particular want persistent and transient to be MTI/MTS
>        Prateek: will start thread on how to resolve
>
>    (e) "attesting entity" vs "confirming entity"
>    http://lists.oasis-open.org/archives/security-services/200412/msg00052.html
>
>    Scott: yes, will change
>
>
> 4. Open AIs
>
>    #0204: Final text for subject and subject confirmation
>    Owner: Bob Morgan
>    Status: Open
>    Assigned: 2004-11-23 06:20:46
>
>    RLBob: Closed, without submission.
>
>    #0203: Analyze/correct usage of SAML entity terminology
>    Owner: Eve Maler
>    Status: Open
>    Assigned: 2004-10-31 19:56:49
>
>    Eve: still open.
>
>    #0183: Comments solicited on John Linn response to Thomas Gross paper
>    Owner: Prateek Mishra
>    Status: Open
>    Assigned: 2004-07-23 17:10:02
>
>    Prateek: still open.
>
>
>    #0123: Obtain MIME type registration for HTTP lookup of SAML
>    Owner: Jeff Hodges
>    Status: Open
>    Assigned: 2004-02-13 20:18:48
>
>    Jeff: done.
>      will reformat as plain text for IANA update after final docs done.
>
>
> 5. Ancillary specs (When do we plan to vote on CD status?)
>
>    (a) Paul Madsen draft-02 of exec overview
>    http://lists.oasis-open.org/archives/security-services/200411/msg00002.html
>
>    (b) SAML 1.x Metadata
>    NOTE: draft is now available from
>    http://www.oasis-open.org/apps/org/workgroup/security/download.php/9967/draft-saml1x-metadata-01.pdf
>
>    (c) Next steps with SAML 2.0 Technical Overview
>    http://www.oasis-open.org/apps/org/workgroup/security/download.php/4150/sstc-saml-tech-overview-2.0-draft-00.pdf
>
>    JohnH: newer draft floating around among authors
>      will prepare XML samples when all is final
>    Q: sample assertions, or protocol flows also?
>    JohnH: flows would be good, traces are at hand
>      note ECP flows are in its doc, maybe pull out and put in overview
>    Scott: rather keep ECP examples in its doc, due to complexity
>    Scott: can't give example of everything
>      concern is that people will ignore things for which examples
>      aren't provided ...
>
>    Prateek: a good doc deadline will be when OASIS standardization happens
>    Eve: maybe just have some editorial meetings during ballot period
>      in particular have focus calls work on non-normative docs
>      eg on 2004-01-11
>      and get drafts out for discussion during CD ballot period
>
>
> 6. Adjourned
>
>
> ---
>
>
> Attendance of Voting Members
>
> Conor P. Cahill        AOL, Inc.
> John Hughes            Atos Origin
> Hal Lockhart           BEA
> Rick Randall           Booz Allen Hamilton
> Ronald Jacobson        Computer Associates
> Michael McIntosh       IBM
> Anthony Nadalin        IBM
> Scott Cantor           Internet2
> Bob Morgan             Internet2
> Peter Davis            NeuStar
> Jeff Hodges            NeuStar
> Frederick Hirsch       Nokia
> Scott Kiester          Novell
> Ari Kermaier           Oracle
> Darren Platt           Ping Identity
> Prateek Mishra         Principal Identity
> Rob Philpott           RSA Security
> Dipak Chopra           SAP
> Jahan Moreh            Sigaba
> Bhavna Bhatnagar       Sun Microsystems
> Eve Maler              Sun Microsystems
> Emily Xu               Sun Microsystems
> Greg Whitehead         Trustgenix
>
>
> Attendance of Prospective Members
>
> Maryann Hondo          IBM
>
>
> Attendance of Observers (or those who lost status due to inactivity)
>
> Thomas Wisniewski      Entrust