OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: minutes for OASIS SSTC conf call, 2005-03-15

minutes for OASIS SSTC conf call, 2005-03-15
scribe: Jeff "JeffH" Hodges



  - SSTC is compelled by OASIS corporate's new IPR policy to pick one of the
    3 IPR "modes" within next two years.

  - CD-status vote wrt  draft-saml1x-metadata-05 passed. Spec still subject to
    minor revisions -- need to decide on "namespace extension uri".

  - CD-status vote wrt sstc-gross-sec-analysis-response-01 did not pass on
    roll-call vote.

  - Andy Moir (OASIS) is looking for review & feedback, by SSTC members, of
    the SAMLv1.1 "referral" certification program offered by PingID:


    Review period closes 11-Apr-2005.

  - Continue discussing "X509 Authn-based Attr Sharing Profile" and
    "Trust management and validation via metadata" threads on
    security-services list.

  - New action items:

     * Rob to send out some links to security-services@ list wrt OASIS
       IPR Policy stuff after he gets the samlv2 specs up.

     * co-chairs & Andy Moir -- look into what "track" is appropriate for

     * co-chairs to request from appropriate folks (eg co-authors
       and/or conference folks) wrt obtaining permission to publish
       the original paper on the SSTC website.

     * Eve to update SAML FAQ wrt SAMLv2.



[ agenda items are interspersed and quoted with "> " at line beginnings;
   "wrt" == "with respect to";


John Hughes changing jobs -- requests another leave of absence, LOA grabted 
from 22 Mar to 6 May

prateek mishra wrote:
 > 1. Approve minutes from March 1, Conference Call
 > http://lists.oasis-open.org/archives/security-services/200503/msg00025.html

approved by unanimous consent.

 > 2. Approval of SAML v2.0 as an OASIS Standard
 > http://lists.oasis-open.org/archives/members/200503/msg00005.html
 > [Sound of popping corks, applause...]

was informational item only.

 > 3.  OASIS IPR Transition Policy
 > http://www.oasis-open.org/who/ipr/ipr_transition_policy.php
 > SSTC should begin discussion on proposed IPR status under the new policy

info item. we, sstc, need to discuss this going forward.

AI: Rob to send out some links after he gets the samlv2 specs up.

hal: the whole thing starts 15-Apr, but then we need to get 50% of 
participating companies (?) to "sign" the agreement (?)

Notes BEA will be signing it before 15-Apr. Must be signed upon oasis 
membership renewal after 15-Apr.

Andy Moir: encouraging new members to sign it.

conor: new agreement is perpetual where old one needed renewal

hal: true

eve: Eduardo Gutentag (Sun, OASIS Board Member) could/would join a focus call 
to explain the IPR policy if TC wished it.

hal: ultimate deadline is 2 yrs from 15-Apr.  Also, the oasis website is being 
modified, so in the roster, folks who've signed the agreement will be highlighted.

conor: which 50% ?  in TC? oasis-wide?

hal: so 50% in TC, one vote per organization. if TC doesn't pick one of the 3 
IPR modes within two years from 15-Apr-2005, then the TC must disband.

so once TC chooses IPR mode, those who "communicate" within TC deliberations, 
then they are obligated wrt the IPR modes in force.

conor: note that there's now a new "observer role" who cannot "communicate" [ie 
contribute ed.]

 > 4. Move to CD status (formal vote)
 > a. 

JeffH moved, conor 2nd

scott had to come up with a namespace extension uri, if we come up with a 
resolution to that, then we should revise the doc

eve: suggests that this doc is a "different package" and we could/should alter 
the URN and/or filename appropriately

[group consensus is that docs/specs at CD status can be revised, so we can 
approve it so announcement can go out, and we can revise it as needed, then 
turn the proverbial crank again.]

Spec approved at CD status by unanimous consent.

 > b. 


mary ann notes that IBM will provide no further response -- they have read the 
response doc and have no comment.

eve moved, conor 2nd

hal: notes that making this CD means that this is the TC's position, not an 
individual's position.

eve: it's stable, been reviewed, feel confident about it

prateek: called for objections

tony: objects, doesn't understand the purpose of making it committee draft.

[much discussion of issues of publishing this response to a conference paper]

tony & maryann: wny can't  it just be a "normal" document in the database and 
not vote to CD?

tony: the orig conference paper could be ephermal, so would be best if the orig 
paper's availability is ensured along with this response paper if it is pub'd 
as CD.

[issue of there being a lack in the OASIS process in terms of processing 
informational doc.]

Eve: I call the question on the motion.

[roll-call vote ensued, due to objectsions.

(approval by 2/3 total TC membership is required in order to pass

2/3 of 42 = 28

Voting tally...

Conor P. Cahill AOL, Inc.             y
Hal Lockhart BEA Systems, Inc         y
Rebekah Metz Booz Allen Hamilton      a
Rick Randall Booz Allen Hamilton      a
Thomas Wisniewski Entrust             a
Carolina Canales-Valenzuela Ericsson  y
Irving Reid Hewlett-Packard Company   a
Heather Hinton IBM                    n
Maryann Hondo IBM                     n
Anthony Nadalin IBM                   n
Nick Ragouzis Individual              n
Scott Cantor Internet2                y
Bob Morgan Internet2                  y
Peter Davis NeuStar                   y
Jeff Hodges NeuStar                   y
Senthil Sengodan Nokia                y
Abbie Barbir Nortel                   y
Scott Kiester Novell                  y
Cameron Morris Novell                 a
Steve Anderson OpenNetwork            y
Ari Kermaier Oracle                   a
Vamsi Motukuru Oracle                 y
Darren Platt Ping Identity            a
Prateek Mishra Principal Identity     y
John Linn RSA Security                y
Rob Philpott RSA Security             y
Eve Maler Sun Microsystems            y
Ron Monzillo Sun Microsystems         y
Emily Xu Sun Microsystems             y
Mike Beach The Boeing Company         y

19 yes, 7 abstentions, 4 nays -- vote does not pass


  subsequent actions...

*** AI: in terms of figuing out what track to put it on (co-chairs & Andy?)

*** AI: co-chairs to request from appropriate folks (eg co-authors and/or 
conference folks) wrt obtaining permission to publish the original paper on the 
SSTC website.

 > 5. SAML 2.0 Supporting Documents
 > a. Executive Overview

 > b. Technical Overview


eve: suggests that we should be prepared at next quorate call to vote on these 
two specs for CD status.

prateek (pm): concurs

eve: we can discuss these two docs in detail on next focus call next week.

[general concurrance]

 > 6. Recent threads
 > a. Errata -- SLO and ID Federation Termination for SAML persistent
 > NameID formats
 > http://lists.oasis-open.org/archives/security-services/200503/msg00034.html

this is item for Jahan, he's not on call. punt.

 > b. *Trust management and validation via metadata*
 > *
 > http://lists.oasis-open.org/archives/security-services/200503/msg00029.html
 > http://lists.oasis-open.org/archives/security-services/200503/msg00035.html
 > http://lists.oasis-open.org/archives/security-services/200503/msg00053.html

pm: any action here? any proposed resolution?

scott: more discussion necessary.

pm: this item is active, continue to discuss on list

 > c. Question on X509 Authn-based Attr Sharing Profile
 > http://lists.oasis-open.org/archives/security-services/200503/msg00037.html
 > Also note message on comment list:

[discussion wrt threads on list wrt <ds:keyinfo> and X509 Authn-based Attr 
Sharing Profile, thus the below discussion applies also to some degree to item 
(b) above -- ed.]

rick randall (rr): what's issue exactly?

scott: how we specify use of keyinfo is vague. is a broad & complex issue. note 
questions from TomW on list.

rr: [summary: his customers are discovering that diff impls are handling this 
stuff differently and thus not interop]

scott: concurs, not surprised.

ron monzillo (ronm): but profiles should specify the specifics and saml just 
needs to say what it says

scott: disagrees cuz folks are doing it differently in profiles and even in 
impls of profiles.

ronm: folks doing profiles shud figger out how to define their proofs

scott: mebbe profiles should do it, but it's not working out very well.

ronm: still doesn't understand how there's an issue here.

scott: we don't have interop today because we don't have rules about "how to 
sign", and that was concious decision

[ more impenetrable discussion.]

scott cantor (sc): agrees with rick that this is a problem.

ronm: well we have xmldsig, and if you sign a msg, what's the problem?

rr: so the feedback is the STP guidance is vague

sc: every profile that uses xml sig, is silent about "what that means" ie the 
scret sauce of key conveyance.

[ more discussion ]

sc: so yeah we want to get more rigorous wrt this stuff in profiles, but if we 
do, then other stuff starts to look underrspecified....

[no conclusion -- continue discussion on list]

 > d. SAML 2.0 metadata extension draft
 > draft-saml-metadata-ext-01.pdf
 > http://lists.oasis-open.org/archives/security-services/200503/msg00050.html
 > draft-saml-metadata-ext.xsd
 > http://lists.oasis-open.org/archives/security-services/200503/msg00051.html

pm: folks should look at this & review.

 > e. conformance discussion
 > http://lists.oasis-open.org/archives/security-services/200503/msg00054.html
 > http://lists.oasis-open.org/archives/security-services/200503/msg00055.html

prateek: above is posting by Andy, can he explain?

andy: oasis is not going to have an oasis-branded cert pgm for saml, but in the 
short term there's a "referral" by OASIS for accomplishing such with PingID. so 
this is wrt SAMLv1.1. SAMLv2 is an open question at this point. Would/will 
re-do this selection process for SAMLv2 as the need arises.

prateek: has posted a msg to list, posing question as to what role tc has wrt 
conformance, and wether members were innarested in maintaing a detailed 
conformance matrix, for samlv1.1 and subseq samlv2.0, and whetgher any 
companies were innarested in doing that work.

nickr: some ping's docs were confidential, what's the status?

andy: ping folks were aware that the docs were being posted to the list.

nickr: wondering if the oasis program has considered the copyright 
provisions/implications wrt pingids stuff?

hal: any submission to the tc falls under the tc's ipr policy, which is 
extending copyright for pub, patents are different, so he assumes pingid is 
aware of all this - they are oasis members after all.

andy: looking for feedback on the referral program as it stands.

[discussion of above]

andy: 30-day review period closes on 11-Apr, so get those comments in!

 > 7. Open AIs
 > *#0210*: Links to new IPR policy to be sent to SSTC
 > *Owner*: Rob Philpott
 > *Status*: Open
 > *Assigned*: 2005-03-14
 > *Due*: ---

remains open

 > *#0209*: Update X.509 Authentication-based Profile
 > *Owner*: Rick Randall
 > *Status*: Open
 > *Assigned*: 2005-03-14
 > *Due*: ---

remains open

 > *#0208*: Run additional tests to check issues with deflate encoding and
 > rfc1951 (java libraries)
 > *Owner*: Scott Cantor
 > *Status*: Open
 > *Assigned*: 2005-03-01
 > *Due*: ---

remains open

 > *#0207*: Provide [Want]AuthnRequestsSigned metadata setting comments to
 > Jahan for Potential Errata
 > *Owner*: Scott Cantor
 > *Status*: Open
 > *Assigned*: 2005-03-01
 > *Due*: ---


 > *#0205*: MIME type registrations: Jeff will reformat as plain text for
 > IANA update after final docs done.
 > *Owner*: Jeff Hodges
 > *Status*: Open
 > *Assigned*: 2005-01-03
 > *Due*: ---

remains open

 > *#0180*: Need to update SAML server trust document
 > *Owner*: Jeff Hodges
 > *Status*: Open
 > *Assigned*: 2004-07-12
 > *Due*: ---

remains open

 > *#0166*: Investigate use of Wiki from the web site
 > *Owner*: Scott Cantor
 > *Status*: Open
 > *Assigned*: 2004-06-22
 > *Due*: ---


based on fact that oasis is going to offer a wiki facility for tc's (in 
forseeable future it is said), will do his own stuff in his shib wiki, and let 
oasis do it for SSTC.

eve: has ai for herself to update SAML FAQ.


Attendance (taken by Steve Anderson):

  Attendance of Voting Members - 33 present out of 42, quorum attained

   Conor P. Cahill AOL, Inc.
   Hal Lockhart BEA Systems, Inc
   Rebekah Metz Booz Allen Hamilton
   Rick Randall Booz Allen Hamilton
   Thomas Wisniewski Entrust
   Carolina Canales-Valenzuela Ericsson
   Irving Reid Hewlett-Packard Company
   Guy Denton IBM
   Heather Hinton IBM
   Maryann Hondo IBM
   Anthony Nadalin IBM
   Nick Ragouzis Individual
   Scott Cantor Internet2
   Bob Morgan Internet2
   Peter Davis NeuStar
   Jeff Hodges NeuStar
   Frederick Hirsch Nokia
   Senthil Sengodan Nokia
   Abbie Barbir Nortel
   Scott Kiester Novell
   Cameron Morris Novell
   Paul Madsen NTT USA
   Steve Anderson OpenNetwork
   Ari Kermaier Oracle
   Vamsi Motukuru Oracle
   Darren Platt Ping Identity
   Prateek Mishra Principal Identity
   John Linn RSA Security
   Rob Philpott RSA Security
   Eve Maler Sun Microsystems
   Ron Monzillo Sun Microsystems
   Emily Xu Sun Microsystems
   Mike Beach The Boeing Company

Attendance of Prospective Members or Observers

   Wendy Gray JPMorganChase
   Davis   McPherson Epok
   Scott  Tomilson Entrust
   Andy Moir OASIS

Membership Status Changes

   Bhavna Bhatnagar Sun Microsystems - Withdrew 3/7/2005
   Wendy Gray JPMorganChase - Granted voting status after 3/15/2005 call
   Gavenraj Sodhi Computer Associates - Lost voting status after 3/15/2005 call
Michael McIntosh IBM - Lost voting status after 3/15/2005 call
Hans Granqvist VeriSign - Lost prospective status after 3/15/2005 call
John Hughes (FORMERLY Atos Origin) - LOA from 22 Mar to 6 May


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]