Subject: minutes for OASIS SSTC conf call, 2005-03-15
minutes for OASIS SSTC conf call, 2005-03-15

scribe: Jeff "JeffH" Hodges

---
Summary:

- SSTC is compelled by OASIS corporate's new IPR policy to pick one of the 3 IPR "modes" within next two years.

- CD-status vote wrt draft-saml1x-metadata-05 passed. Spec still subject to minor revisions -- need to decide on "namespace extension uri".

- CD-status vote wrt sstc-gross-sec-analysis-response-01 did not pass on roll-call vote.

- Andy Moir (OASIS) is looking for review & feedback, by SSTC members, of the SAMLv1.1 "referral" certification program offered by PingID:

  http://lists.oasis-open.org/archives/security-services/200503/msg00054.html
  http://lists.oasis-open.org/archives/security-services/200503/msg00055.html

  Review period closes 11-Apr-2005.

- Continue discussing "X509 Authn-based Attr Sharing Profile" and "Trust management and validation via metadata" threads on security-services list.

- New action items:

  * Rob to send out some links to security-services@ list wrt OASIS IPR Policy stuff after he gets the samlv2 specs up.

  * co-chairs & Andy Moir -- look into what "track" is appropriate for sstc-gross-sec-analysis-response-01.

  * co-chairs to request from appropriate folks (eg co-authors and/or conference folks) wrt obtaining permission to publish the original paper on the SSTC website.

  * Eve to update SAML FAQ wrt SAMLv2.

---
Minutes:

[ agenda items are interspersed and quoted with "> " at line beginnings; "wrt" == "with respect to"; ]

RAW NOTES
---------

John Hughes changing jobs -- requests another leave of absence, LOA granted from 22 Mar to 6 May

prateek mishra wrote:
> 1. Approve minutes from March 1, Conference Call
> http://lists.oasis-open.org/archives/security-services/200503/msg00025.html

approved by unanimous consent.

>
> 2. Approval of SAML v2.0 as an OASIS Standard
> http://lists.oasis-open.org/archives/members/200503/msg00005.html
>
> [Sound of popping corks, applause...]

was informational item only.

> 3. OASIS IPR Transition Policy
> http://www.oasis-open.org/who/ipr/ipr_transition_policy.php
>
> SSTC should begin discussion on proposed IPR status under the new policy

info item. we, sstc, need to discuss this going forward.

AI: Rob to send out some links after he gets the samlv2 specs up.

hal: the whole thing starts 15-Apr, but then we need to get 50% of participating companies (?) to "sign" the agreement (?) Notes BEA will be signing it before 15-Apr. Must be signed upon oasis membership renewal after 15-Apr.

Andy Moir: encouraging new members to sign it.

conor: new agreement is perpetual where old one needed renewal

hal: true

eve: Eduardo Gutentag (Sun, OASIS Board Member) could/would join a focus call to explain the IPR policy if TC wished it.

hal: ultimate deadline is 2 yrs from 15-Apr. Also, the oasis website is being modified, so in the roster, folks who've signed the agreement will be highlighted.

conor: which 50% ? in TC? oasis-wide?

hal: so 50% in TC, one vote per organization. if TC doesn't pick one of the 3 IPR modes within two years from 15-Apr-2005, then the TC must disband. so once TC chooses IPR mode, those who "communicate" within TC deliberations, then they are obligated wrt the IPR modes in force.

conor: note that there's now a new "observer role" who cannot "communicate" [ie contribute ed.]

> 4. Move to CD status (formal vote)
>
> a. http://www.oasis-open.org/apps/org/workgroup/security/download.php/11723/draft-saml1x-metadata-05.pdf
>

JeffH moved, conor 2nd

scott had to come up with a namespace extension uri, if we come up with a resolution to that, then we should revise the doc

eve: suggests that this doc is a "different package" and we could/should alter the URN and/or filename appropriately

[group consensus is that docs/specs at CD status can be revised, so we can approve it so announcement can go out, and we can revise it as needed, then turn the proverbial crank again.]

Spec approved at CD status by unanimous consent.

>
> b. http://www.oasis-open.org/apps/org/workgroup/security/download.php/11191/sstc-gross-sec-analysis-response-01.pdf
>

mary ann notes that IBM will provide no further response -- they have read the response doc and have no comment.

eve moved, conor 2nd

hal: notes that making this CD means that this is the TC's position, not an individual's position.

eve: it's stable, been reviewed, feel confident about it

prateek: called for objections

tony: objects, doesn't understand the purpose of making it committee draft.

[much discussion of issues of publishing this response to a conference paper]

tony & maryann: why can't it just be a "normal" document in the database and not vote to CD?

tony: the orig conference paper could be ephemeral, so would be best if the orig paper's availability is ensured along with this response paper if it is pub'd as CD.

[issue of there being a lack in the OASIS process in terms of processing informational doc.]

Eve: I call the question on the motion.

[roll-call vote ensued, due to objections. (approval by 2/3 total TC membership is required in order to pass http://www.oasis-open.org/committees/process.php#committee_draft)

2/3 of 42 = 28

Voting tally...

Conor P. Cahill              AOL, Inc.                 y
Hal Lockhart                 BEA Systems, Inc          y
Rebekah Metz                 Booz Allen Hamilton       a
Rick Randall                 Booz Allen Hamilton       a
Thomas Wisniewski            Entrust                   a
Carolina Canales-Valenzuela  Ericsson                  y
Irving Reid                  Hewlett-Packard Company   a
Heather Hinton               IBM                       n
Maryann Hondo                IBM                       n
Anthony Nadalin              IBM                       n
Nick Ragouzis                Individual                n
Scott Cantor                 Internet2                 y
Bob Morgan                   Internet2                 y
Peter Davis                  NeuStar                   y
Jeff Hodges                  NeuStar                   y
Senthil Sengodan             Nokia                     y
Abbie Barbir                 Nortel                    y
Scott Kiester                Novell                    y
Cameron Morris               Novell                    a
Steve Anderson               OpenNetwork               y
Ari Kermaier                 Oracle                    a
Vamsi Motukuru               Oracle                    y
Darren Platt                 Ping Identity             a
Prateek Mishra               Principal Identity        y
John Linn                    RSA Security              y
Rob Philpott                 RSA Security              y
Eve Maler                    Sun Microsystems          y
Ron Monzillo                 Sun Microsystems          y
Emily Xu                     Sun Microsystems          y
Mike Beach                   The Boeing Company        y

19 yes, 7 abstentions, 4 nays -- vote does not pass ]

subsequent actions...

*** AI: in terms of figuring out what track to put it on (co-chairs & Andy?)

*** AI: co-chairs to request from appropriate folks (eg co-authors and/or conference folks) wrt obtaining permission to publish the original paper on the SSTC website.

>
> 5. SAML 2.0 Supporting Documents
>
> a. Executive Overview
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/11786/sstc-saml-exec-overview-2.0-draft-06.sxw
>
> b. Technical Overview
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
>

eve: suggests that we should be prepared at next quorate call to vote on these two specs for CD status.

prateek (pm): concurs

eve: we can discuss these two docs in detail on next focus call next week.

[general concurrence]

>
> 6. Recent threads
>
> a. Errata -- SLO and ID Federation Termination for SAML persistent NameID formats
> http://lists.oasis-open.org/archives/security-services/200503/msg00034.html
>

this is item for Jahan, he's not on call. punt.

> b. *Trust management and validation via metadata*
>
> http://lists.oasis-open.org/archives/security-services/200503/msg00029.html
>
> http://lists.oasis-open.org/archives/security-services/200503/msg00035.html
>
> http://lists.oasis-open.org/archives/security-services/200503/msg00053.html
>

pm: any action here? any proposed resolution?

scott: more discussion necessary.

pm: this item is active, continue to discuss on list

> c. Question on X509 Authn-based Attr Sharing Profile
>
> http://lists.oasis-open.org/archives/security-services/200503/msg00037.html
>
> Also note message on comment list:
> http://lists.oasis-open.org/archives/security-services-comment/200503/msg00000.html

[discussion wrt threads on list wrt <ds:keyinfo> and X509 Authn-based Attr Sharing Profile, thus the below discussion applies also to some degree to item (b) above -- ed.]

rick randall (rr): what's issue exactly?

scott: how we specify use of keyinfo is vague. is a broad & complex issue. note questions from TomW on list.

rr: [summary: his customers are discovering that diff impls are handling this stuff differently and thus not interop]

scott: concurs, not surprised.

ron monzillo (ronm): but profiles should specify the specifics and saml just needs to say what it says

scott: disagrees cuz folks are doing it differently in profiles and even in impls of profiles.

ronm: folks doing profiles shud figger out how to define their proofs

scott: mebbe profiles should do it, but it's not working out very well.

ronm: still doesn't understand how there's an issue here.

scott: we don't have interop today because we don't have rules about "how to sign", and that was conscious decision

[ more impenetrable discussion.]

scott cantor (sc): agrees with rick that this is a problem.

ronm: well we have xmldsig, and if you sign a msg, what's the problem?

rr: so the feedback is the STP guidance is vague

sc: every profile that uses xml sig, is silent about "what that means" ie the secret sauce of key conveyance.

[ more discussion ]

sc: so yeah we want to get more rigorous wrt this stuff in profiles, but if we do, then other stuff starts to look underspecified....

[no conclusion -- continue discussion on list]

>
> d. SAML 2.0 metadata extension draft
>
> draft-saml-metadata-ext-01.pdf
> http://lists.oasis-open.org/archives/security-services/200503/msg00050.html
>
> draft-saml-metadata-ext.xsd
> http://lists.oasis-open.org/archives/security-services/200503/msg00051.html

pm: folks should look at this & review.

>
> e. conformance discussion
> http://lists.oasis-open.org/archives/security-services/200503/msg00054.html
>
> http://lists.oasis-open.org/archives/security-services/200503/msg00055.html

prateek: above is posting by Andy, can he explain?

andy: oasis is not going to have an oasis-branded cert pgm for saml, but in the short term there's a "referral" by OASIS for accomplishing such with PingID. so this is wrt SAMLv1.1. SAMLv2 is an open question at this point. Would/will re-do this selection process for SAMLv2 as the need arises.

prateek: has posted a msg to list, posing question as to what role tc has wrt conformance, and whether members were innarested in maintaining a detailed conformance matrix, for samlv1.1 and subseq samlv2.0, and whether any companies were innarested in doing that work.

nickr: some ping's docs were confidential, what's the status?

andy: ping folks were aware that the docs were being posted to the list.

nickr: wondering if the oasis program has considered the copyright provisions/implications wrt pingids stuff?

hal: any submission to the tc falls under the tc's ipr policy, which is extending copyright for pub, patents are different, so he assumes pingid is aware of all this - they are oasis members after all.

andy: looking for feedback on the referral program as it stands.

[discussion of above]

andy: 30-day review period closes on 11-Apr, so get those comments in!

>
> 7. Open AIs
>
> *#0210*: Links to new IPR policy to be sent to SSTC
> *Owner*: Rob Philpott
> *Status*: Open
> *Assigned*: 2005-03-14
> *Due*: ---

remains open

> *#0209*: Update X.509 Authentication-based Profile
> *Owner*: Rick Randall
> *Status*: Open
> *Assigned*: 2005-03-14
> *Due*: ---

remains open

> *#0208*: Run additional tests to check issues with deflate encoding and rfc1951 (java libraries)
> *Owner*: Scott Cantor
> *Status*: Open
> *Assigned*: 2005-03-01
> *Due*: ---

remains open

> *#0207*: Provide [Want]AuthnRequestsSigned metadata setting comments to Jahan for Potential Errata
> *Owner*: Scott Cantor
> *Status*: Open
> *Assigned*: 2005-03-01
> *Due*: ---

done.

> *#0205*: MIME type registrations: Jeff will reformat as plain text for IANA update after final docs done.
> *Owner*: Jeff Hodges
> *Status*: Open
> *Assigned*: 2005-01-03
> *Due*: ---

remains open

> *#0180*: Need to update SAML server trust document
> *Owner*: Jeff Hodges
> *Status*: Open
> *Assigned*: 2004-07-12
> *Due*: ---

remains open

> *#0166*: Investigate use of Wiki from the web site
> *Owner*: Scott Cantor
> *Status*: Open
> *Assigned*: 2004-06-22
> *Due*: ---

closed. based on fact that oasis is going to offer a wiki facility for tc's (in foreseeable future it is said), will do his own stuff in his shib wiki, and let oasis do it for SSTC.

eve: has ai for herself to update SAML FAQ.

---
Attendance (taken by Steve Anderson):

Attendance of Voting Members - 33 present out of 42, quorum attained

Conor P. Cahill              AOL, Inc.
Hal Lockhart                 BEA Systems, Inc
Rebekah Metz                 Booz Allen Hamilton
Rick Randall                 Booz Allen Hamilton
Thomas Wisniewski            Entrust
Carolina Canales-Valenzuela  Ericsson
Irving Reid                  Hewlett-Packard Company
Guy Denton                   IBM
Heather Hinton               IBM
Maryann Hondo                IBM
Anthony Nadalin              IBM
Nick Ragouzis                Individual
Scott Cantor                 Internet2
Bob Morgan                   Internet2
Peter Davis                  NeuStar
Jeff Hodges                  NeuStar
Frederick Hirsch             Nokia
Senthil Sengodan             Nokia
Abbie Barbir                 Nortel
Scott Kiester                Novell
Cameron Morris               Novell
Paul Madsen                  NTT USA
Steve Anderson               OpenNetwork
Ari Kermaier                 Oracle
Vamsi Motukuru               Oracle
Darren Platt                 Ping Identity
Prateek Mishra               Principal Identity
John Linn                    RSA Security
Rob Philpott                 RSA Security
Eve Maler                    Sun Microsystems
Ron Monzillo                 Sun Microsystems
Emily Xu                     Sun Microsystems
Mike Beach                   The Boeing Company

Attendance of Prospective Members or Observers

Wendy Gray                   JPMorganChase
Davis McPherson              Epok
Scott Tomilson               Entrust
Andy Moir                    OASIS

Membership Status Changes

Bhavna Bhatnagar             Sun Microsystems - Withdrew 3/7/2005
Wendy Gray                   JPMorganChase - Granted voting status after 3/15/2005 call
Gavenraj Sodhi               Computer Associates - Lost voting status after 3/15/2005 call
Michael McIntosh             IBM - Lost voting status after 3/15/2005 call
Hans Granqvist               VeriSign - Lost prospective status after 3/15/2005 call
John Hughes                  (FORMERLY Atos Origin) - LOA from 22 Mar to 6 May

---
end