OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: FW: SSTC Meeting Minutes 1/18/2005.

Title: FW: SSTC Meeting Minutes 1/18/2005.

Minutes compliments of Ron Jacobson.

Sorry for the delay getting these out - that was my [Rob] fault. Attendance is at the end…

Action Items:

·       [All] Ask your voting rep's to respond to the XACML 2.0 Standardization ballot.
·       [Chairs] Future agenda item - Determine need for future face to face meeting.
·       [Jahan] Add potential errata for 2 issues in Nicolas Williams/John Linn discussion thread.
·       [Hal L] Provide Tech Overview comments to John H.
·       [Paul M] Update/Republish Exec Overview with recent comments.
·       [Scott] Provide implementation guideline info for Exec Overview

1. Accept minutes from January 4, Conference Call


Accept Minutes from January 4th

Minutes accepted.


2.  SAML 2.0 submitted to OASIS!


Note that CD-04 is available from the OASIS home page.

Eve M. encouraged everyone to Direct Customer and Colleagues to home page.

Hal L. added that XACML 2.0 is now in voting. Please ask your organization's voting reps to vote.

Rob P. - Question on the fact that there were only 90 votes possible.

Hal L. – Officially there are 350…351 organizations.

Prateek M. – Any other comments on the SAML 2.0 submission?

Hal L. – voting commences on the 16th of February.


3. F2F opportunities (informational) - is the TC interested?

a. OASIS Symposium, New Orleans, April 24-29


b. Digital ID World 2005, San Francisco, May 9-12


Prateek M. - A number of people would like us to have an SSTC face to face at their venue.

OASIS has a meeting scheduled at the end of April.

The email links were just FYI.

Rob P. has responded saying that we have to first figure out if we need a face to face.

Prateek M. - We need to discuss this.  I am not sure if we have enough business to warrant a face to face.


4. Recent discussion thread

i. John Linn comments


ii. Original comment from Nicolas Williams


John Linn - Thoughtful set of comments.

Maybe there are some things we should consider updating in the future.

On the first one as I read the text on security considerations.

Prateek M. – Much of that material is in SAML bindings.

That material is partly in conformance.

The information is scattered somewhat.

Security considerations are broad in scope.

John – I am not sure we can find the answer in any one place

Rob P. – We have disjoint that are disjoint… but not really.

That there is this WSI document with this other information may be a reasonable thing to do.

Prateek M. – John would that be adequate or do you think we must change the security consideration documents?

John – It is certainly a good and right step to take, however, I am not sure what is contained in the other documents.

Prateek M. – We can keep this open.

First part of John’s concerns…

Assisting on signing denial of service attacks.

John – Good solution for attackers hoping to penetrate… not good protection from individuals attempting to swamp…

Prateek M. – Should this be picked up in errata?

It is not a counter measure against denial of service.

Hal L. – This is a big fight at WSI… If you feel that you are under attack you are allowed to silently discard.

Rob P. – Let’s make this another item on the errata list.

Two errata’s have been identified:

Errata issue with regard to the second part of John’s concerns.  There is an error in the text that makes a reference to denial of service attacks.

Errata issue in the text on how responders should deal with perceived attacks.

Rob P. – Do we want to do something similar to what WSI did?

Hal L. – Maybe.  We need to give some thought to this.

Prateek M. - TC is calling for comments on these documents by end of January with the intention of advancing them to CD status thereafter.


5. Supporting documents, status and next steps

i. Executive Overview


ii. Technical Overview


iii. Implementation Guidelines


These are supporting documents… The idea would be to release these simultaneously with the standardization announcement.

Rob P. – They are not part of the standards doc set.  We would just announce that they are out there.

Exec Overview - Is Paul on the call?

Two objectives modifications to the docs remain.

Prateek M. supplied recommended text for his.

Eve M. if you have text for yours please send it.

Prateek M. – Paul you will update and republish?

Paul – Yes.

Technical Overview - John H:

Hal L. – I had promised to provide some text around SAML and XACML and web services security.

Who should I send this too?

Eve M. – Maybe I should pass the token to you.

John Hughes – I may have some time this week.  Hal L. if you want to send this to me.

Action Item - Hal Lockhart - I will email John Hughes word text.

Action Item - John Hughes – I will update this by the end of the week.  


6. Other documents on CD track 

i. Response to T. Gross analysis of SAML 1.1 artifact



John Linn has put together a response to Thomas Gross paper.

Action Item - Prateek M. – Has an action item to comment on this.

ii. SAML 1.1 Metadata Profile


John Hughes - The schema file is a bit more solid.

Scott – Some set of overarching issues that we want to put into an outline. [RSP which document is this referring to?]

Prateek M. – Should we push this out beyond 2.0 release?

Scott – I had a lot of different thoughts that need to get into the implementation guideline.

Action Item – Scott will review the implementation guideline.

Scott – My goal would be to produce a committee draft end of February or March.

Rob P. – End of February for comments.

Rick – There is a new version of the profile document he posted.


7. Errata Status





Start documenting based on the messages that are on the list.  We would start whenever it was appropriate.

Prateek M. - In a couple of weeks you will have a draft.

A couple more will be coming out of Ron Williams notes.

8. Open AIs


#0205: MIME type registrations: Jeff will reformat as

plain text for IANA update after final docs done.

Owner: Jeff Hodges

Status: Open

Assigned: 2005-01-04 00:30:40


Rob P. – Finalize that text in the two specifications.

Jeff – After the vote passes (assuming) the spec set is approved (SAML v2.0) we will edit the spec set for final publication.  This means updating front matter and back matter.  While we are doing this I will need to update the MIME type registration.

Rob P. – After the vote closes we need to submit the specifications.

Jeff – I will work with you guys and we can do this.  This is just a few hours of work.

Prateek M. – This stays open.

Jeff - After approval and during the publication process I need to work with Eve M. or Rob P..


#0203: Analyze/correct usage of SAML entity terminology

Owner: Eve Maler

Status: Open

Assigned: 2004-10-31 19:56:49


Prateek M. - For Eve M....

Prateek M. - This is closed.



#0183: Comments solicited on John Linn response to

Thomas Gross paper

Owner: Prateek Mishra

Status: Open

Assigned: 2004-07-23 17:10:02


Prateek M. – I agreed to provide a response to the SAML artifect work.

Prateek M. – I will complete this by this week.



#0180: Need to update SAML server trust document

Owner: Jeff Hodges

Status: Open

Assigned: 2004-07-12 21:49:08


Prateek M. – This issue will stay open.


#0166: Investigate use of Wiki from the web site

Owner: Scott Cantor

Status: Open

Assigned: 2004-06-22 16:40:19

Hal L. – I see issues with respect to the new OASIS IPR policy.  Asking people who make comments on a comment list/Wiki to sign a document on IPR is not feasible.

Using the Wiki to what goes on the SAML dev issue it is not an issue, however, if contributions are going to be included in the specification this is an issue.

Rob – If someone has a Wiki site then the comments must be brought into the TC using normal process if they are going to be including in the specs.

Hal L. – It is an issue.  There have been some lawsuits.  The standards org in question did not have a good enough process or audit trail on where contributions came from.

Rob P. – We must follow standard OASIS process.

Hal L. – Be aware that there can be potential IP issues.

Scott – It’s up to the TC whether they would like to link up to something like that.

I don’t think it is any different then posting an inventory of profiles.

Bob – Policy is an issue about linking.  

Rob P. – We will deal with this if we want to link from this from our site.

Eve M. – We can cross that bridge when we come to it.

Prateek M. – Do we need to talk to some one about this Wiki.

Rob P. – This doesn't seem any different than saml-dev. Whatever applies to saml-dev should apply to this.

Hal L. – Jamie is well aware of the issues around the public comment issue.

Prateek M. – We leave this open and perhaps a Wiki will be started at some point.

Prateek M. – Are there other items that people would like to discuss?


Meeting adjourned.



Voting members:

Conor P. Cahill AOL, Inc.

John Hughes             Atos Origin

Hal Lockhart    BEA Systems, Inc

Rebekah Metz    Booz Allen Hamilton

Rick Randall    Booz Allen Hamilton

Ronald Jacobson Computer Associates

Carolina Canales-Valenzuela     Ericsson

Dana    Kaufman Forum Systems

Irving Reid             Hewlett-Packard Company

Michael McIntosh        IBM

Anthony Nadalin IBM

Nick Ragouzis   Individual

Scott Cantor    Internet2

Bob Morgan              Internet2

Peter Davis             NeuStar

Jeff Hodges             NeuStar

Frederick Hirsch        Nokia

Senthil Sengodan        Nokia

Abbie Barbir    Nortel

Scott Kiester   Novell

Cameron Morris  Novell

Paul Madsen             NTT USA

Ari Kermaier    Oracle

Vamsi Motukuru  Oracle

Prateek Mishra  Principal Identity

Jim Lien                RSA Security

John Linn               RSA Security

Rob Philpott    RSA Security

Dipak Chopra    SAP

Jahan Moreh     Sigaba

Eve Maler               Sun Microsystems

Ron Monzillo    Sun Microsystems

Emily Xu                Sun Microsystems

Mike Beach              The Boeing Company

Greg Whitehead  Trustgenix

Prospective members (as of 18-Jan):

Guy Denton              IBM

Maryann Hondo   IBM

Thomas Wisniewski       Entrust


James Vanderbeek        Vodafone

Gavenraj Sodhi  Computer Associates

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]