Subject: minutes for OASIS SSTC conf call, 2005-03-15


minutes for OASIS SSTC conf call, 2005-03-15
scribe: Jeff "JeffH" Hodges

---

Summary:

  - SSTC is compelled by OASIS corporate's new IPR policy to pick one of the
    3 IPR "modes" within next two years.


  - CD-status vote wrt draft-saml1x-metadata-05 passed. Spec still subject to
    minor revisions -- need to decide on "namespace extension uri".


  - CD-status vote wrt sstc-gross-sec-analysis-response-01 did not pass on
    roll-call vote.


  - Andy Moir (OASIS) is looking for review & feedback, by SSTC members, of
    the SAMLv1.1 "referral" certification program offered by PingID:

    http://lists.oasis-open.org/archives/security-services/200503/msg00054.html
    http://lists.oasis-open.org/archives/security-services/200503/msg00055.html

    Review period closes 11-Apr-2005.


  - Continue discussing "X509 Authn-based Attr Sharing Profile" and
    "Trust management and validation via metadata" threads on
    security-services list.


  - New action items:

     * Rob to send out some links to security-services@ list wrt OASIS
       IPR Policy stuff after he gets the samlv2 specs up.

     * co-chairs & Andy Moir -- look into what "track" is appropriate for
       sstc-gross-sec-analysis-response-01.

     * co-chairs to request from appropriate folks (eg co-authors
       and/or conference folks) wrt obtaining permission to publish
       the original paper on the SSTC website.

     * Eve to update SAML FAQ wrt SAMLv2.


---

Minutes:

[ agenda items are interspersed and quoted with "> " at line beginnings;
   "wrt" == "with respect to";
]


RAW NOTES
---------


John Hughes changing jobs -- requests another leave of absence, LOA granted 
from 22 Mar to 6 May


prateek mishra wrote:
 > 1. Approve minutes from March 1, Conference Call
 > http://lists.oasis-open.org/archives/security-services/200503/msg00025.html

approved by unanimous consent.

 >
 > 2. Approval of SAML v2.0 as an OASIS Standard
 > http://lists.oasis-open.org/archives/members/200503/msg00005.html
 >
 > [Sound of popping corks, applause...]



was informational item only.


 > 3.  OASIS IPR Transition Policy
 > http://www.oasis-open.org/who/ipr/ipr_transition_policy.php
 >
 > SSTC should begin discussion on proposed IPR status under the new policy


info item. we, sstc, need to discuss this going forward.

AI: Rob to send out some links after he gets the samlv2 specs up.

hal: the whole thing starts 15-Apr, but then we need to get 50% of 
participating companies (?) to "sign" the agreement (?)

Notes BEA will be signing it before 15-Apr. Must be signed upon oasis 
membership renewal after 15-Apr.

Andy Moir: encouraging new members to sign it.

conor: new agreement is perpetual where old one needed renewal

hal: true

eve: Eduardo Gutentag (Sun, OASIS Board Member) could/would join a focus call 
to explain the IPR policy if TC wished it.


hal: ultimate deadline is 2 yrs from 15-Apr.  Also, the oasis website is being 
modified, so in the roster, folks who've signed the agreement will be highlighted.


conor: which 50% ?  in TC? oasis-wide?

hal: so 50% in TC, one vote per organization. if TC doesn't pick one of the 3 
IPR modes within two years from 15-Apr-2005, then the TC must disband.

so once TC chooses IPR mode, those who "communicate" within TC deliberations, 
then they are obligated wrt the IPR modes in force.

conor: note that there's now a new "observer role" who cannot "communicate" [ie 
contribute ed.]



 > 4. Move to CD status (formal vote)
 >
 > a. http://www.oasis-open.org/apps/org/workgroup/security/download.php/11723/draft-saml1x-metadata-05.pdf
 >

JeffH moved, conor 2nd


scott had to come up with a namespace extension uri, if we come up with a 
resolution to that, then we should revise the doc

eve: suggests that this doc is a "different package" and we could/should alter 
the URN and/or filename appropriately

[group consensus is that docs/specs at CD status can be revised, so we can 
approve it so announcement can go out, and we can revise it as needed, then 
turn the proverbial crank again.]


Spec approved at CD status by unanimous consent.



 >
 > b. http://www.oasis-open.org/apps/org/workgroup/security/download.php/11191/sstc-gross-sec-analysis-response-01.pdf
 >

mary ann notes that IBM will provide no further response -- they have read the 
response doc and have no comment.

eve moved, conor 2nd

hal: notes that making this CD means that this is the TC's position, not an 
individual's position.

eve: it's stable, been reviewed, feel confident about it

prateek: called for objections

tony: objects, doesn't understand the purpose of making it committee draft.


[much discussion of issues of publishing this response to a conference paper]


tony & maryann: why can't it just be a "normal" document in the database and 
not vote to CD?


tony: the orig conference paper could be ephemeral, so would be best if the orig 
paper's availability is ensured along with this response paper if it is pub'd 
as CD.


[issue of there being a lack in the OASIS process in terms of processing 
informational doc.]

Eve: I call the question on the motion.

[roll-call vote ensued, due to objections.

(approval by 2/3 total TC membership is required in order to pass
http://www.oasis-open.org/committees/process.php#committee_draft)

2/3 of 42 = 28

Voting tally...

Conor P. Cahill AOL, Inc.             y
Hal Lockhart BEA Systems, Inc         y
Rebekah Metz Booz Allen Hamilton      a
Rick Randall Booz Allen Hamilton      a
Thomas Wisniewski Entrust             a
Carolina Canales-Valenzuela Ericsson  y
Irving Reid Hewlett-Packard Company   a
Heather Hinton IBM                    n
Maryann Hondo IBM                     n
Anthony Nadalin IBM                   n
Nick Ragouzis Individual              n
Scott Cantor Internet2                y
Bob Morgan Internet2                  y
Peter Davis NeuStar                   y
Jeff Hodges NeuStar                   y
Senthil Sengodan Nokia                y
Abbie Barbir Nortel                   y
Scott Kiester Novell                  y
Cameron Morris Novell                 a
Steve Anderson OpenNetwork            y
Ari Kermaier Oracle                   a
Vamsi Motukuru Oracle                 y
Darren Platt Ping Identity            a
Prateek Mishra Principal Identity     y
John Linn RSA Security                y
Rob Philpott RSA Security             y
Eve Maler Sun Microsystems            y
Ron Monzillo Sun Microsystems         y
Emily Xu Sun Microsystems             y
Mike Beach The Boeing Company         y

19 yes, 7 abstentions, 4 nays -- vote does not pass

]


  subsequent actions...

*** AI: in terms of figuring out what track to put it on (co-chairs & Andy?)

*** AI: co-chairs to request from appropriate folks (eg co-authors and/or 
conference folks) wrt obtaining permission to publish the original paper on the 
SSTC website.



 >
 > 5. SAML 2.0 Supporting Documents
 >
 > a. Executive Overview
 > http://www.oasis-open.org/apps/org/workgroup/security/download.php/11786/sstc-saml-exec-overview-2.0-draft-06.sxw
 >
 > b. Technical Overview
 > http://www.oasis-open.org/apps/org/workgroup/security/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
 >
 >

eve: suggests that we should be prepared at next quorate call to vote on these 
two specs for CD status.

prateek (pm): concurs

eve: we can discuss these two docs in detail on next focus call next week.

[general concurrence]


 >
 > 6. Recent threads
 >
 > a. Errata -- SLO and ID Federation Termination for SAML persistent
 > NameID formats
 > http://lists.oasis-open.org/archives/security-services/200503/msg00034.html
 >

this is item for Jahan, he's not on call. punt.



 > b. Trust management and validation via metadata
 >
 > http://lists.oasis-open.org/archives/security-services/200503/msg00029.html
 >
 > http://lists.oasis-open.org/archives/security-services/200503/msg00035.html
 >
 > http://lists.oasis-open.org/archives/security-services/200503/msg00053.html
 >

pm: any action here? any proposed resolution?

scott: more discussion necessary.

pm: this item is active, continue to discuss on list



 > c. Question on X509 Authn-based Attr Sharing Profile
 >
 > http://lists.oasis-open.org/archives/security-services/200503/msg00037.html
 >
 > Also note message on comment list:
 > http://lists.oasis-open.org/archives/security-services-comment/200503/msg00000.html


[discussion wrt threads on list wrt <ds:KeyInfo> and X509 Authn-based Attr 
Sharing Profile, thus the below discussion applies also to some degree to item 
(b) above -- ed.]


rick randall (rr): what's issue exactly?


scott: how we specify use of keyinfo is vague. is a broad & complex issue. note 
questions from TomW on list.


rr: [summary: his customers are discovering that diff impls are handling this 
stuff differently and thus not interop]

scott: concurs, not surprised.

ron monzillo (ronm): but profiles should specify the specifics and saml just 
needs to say what it says

scott: disagrees cuz folks are doing it differently in profiles and even in 
impls of profiles.

ronm: folks doing profiles shud figger out how to define their proofs

scott: mebbe profiles should do it, but it's not working out very well.

ronm: still doesn't understand how there's an issue here.

scott: we don't have interop today because we don't have rules about "how to 
sign", and that was a conscious decision

[ more impenetrable discussion.]

scott cantor (sc): agrees with rick that this is a problem.

ronm: well we have xmldsig, and if you sign a msg, what's the problem?

rr: so the feedback is the STP guidance is vague

sc: every profile that uses xml sig is silent about "what that means", ie the 
secret sauce of key conveyance.

[ more discussion ]

sc: so yeah we want to get more rigorous wrt this stuff in profiles, but if we 
do, then other stuff starts to look underspecified....

[no conclusion -- continue discussion on list]


 >
 > d. SAML 2.0 metadata extension draft
 >
 > draft-saml-metadata-ext-01.pdf
 > http://lists.oasis-open.org/archives/security-services/200503/msg00050.html
 >
 > draft-saml-metadata-ext.xsd
 > http://lists.oasis-open.org/archives/security-services/200503/msg00051.html


pm: folks should look at this & review.




 >
 > e. conformance discussion
 > http://lists.oasis-open.org/archives/security-services/200503/msg00054.html
 >
 > http://lists.oasis-open.org/archives/security-services/200503/msg00055.html


prateek: above is posting by Andy, can he explain?


andy: oasis is not going to have an oasis-branded cert pgm for saml, but in the 
short term there's a "referral" by OASIS for accomplishing such with PingID. so 
this is wrt SAMLv1.1. SAMLv2 is an open question at this point. Would/will 
re-do this selection process for SAMLv2 as the need arises.


prateek: has posted a msg to list, posing question as to what role tc has wrt 
conformance, and whether members were innarested in maintaining a detailed 
conformance matrix, for samlv1.1 and subseq samlv2.0, and whether any 
companies were innarested in doing that work.


nickr: some ping's docs were confidential, what's the status?

andy: ping folks were aware that the docs were being posted to the list.

nickr: wondering if the oasis program has considered the copyright 
provisions/implications wrt pingids stuff?

hal: any submission to the tc falls under the tc's ipr policy, which is 
extending copyright for pub, patents are different, so he assumes pingid is 
aware of all this - they are oasis members after all.

andy: looking for feedback on the referral program as it stands.

[discussion of above]

andy: 30-day review period closes on 11-Apr, so get those comments in!



 >
 > 7. Open AIs
 >
 > *#0210*: Links to new IPR policy to be sent to SSTC
 > *Owner*: Rob Philpott
 > *Status*: Open
 > *Assigned*: 2005-03-14
 > *Due*: ---

remains open

 > *#0209*: Update X.509 Authentication-based Profile
 > *Owner*: Rick Randall
 > *Status*: Open
 > *Assigned*: 2005-03-14
 > *Due*: ---

remains open

 > *#0208*: Run additional tests to check issues with deflate encoding and
 > rfc1951 (java libraries)
 > *Owner*: Scott Cantor
 > *Status*: Open
 > *Assigned*: 2005-03-01
 > *Due*: ---

remains open

 > *#0207*: Provide [Want]AuthnRequestsSigned metadata setting comments to
 > Jahan for Potential Errata
 > *Owner*: Scott Cantor
 > *Status*: Open
 > *Assigned*: 2005-03-01
 > *Due*: ---


done.


 > *#0205*: MIME type registrations: Jeff will reformat as plain text for
 > IANA update after final docs done.
 > *Owner*: Jeff Hodges
 > *Status*: Open
 > *Assigned*: 2005-01-03
 > *Due*: ---

remains open


 > *#0180*: Need to update SAML server trust document
 > *Owner*: Jeff Hodges
 > *Status*: Open
 > *Assigned*: 2004-07-12
 > *Due*: ---

remains open

 > *#0166*: Investigate use of Wiki from the web site
 > *Owner*: Scott Cantor
 > *Status*: Open
 > *Assigned*: 2004-06-22
 > *Due*: ---

closed.

based on fact that oasis is going to offer a wiki facility for tc's (in 
foreseeable future it is said), will do his own stuff in his shib wiki, and let 
oasis do it for SSTC.



eve: has ai for herself to update SAML FAQ.





---

Attendance (taken by Steve Anderson):


  Attendance of Voting Members - 33 present out of 42, quorum attained

   Conor P. Cahill AOL, Inc.
   Hal Lockhart BEA Systems, Inc
   Rebekah Metz Booz Allen Hamilton
   Rick Randall Booz Allen Hamilton
   Thomas Wisniewski Entrust
   Carolina Canales-Valenzuela Ericsson
   Irving Reid Hewlett-Packard Company
   Guy Denton IBM
   Heather Hinton IBM
   Maryann Hondo IBM
   Anthony Nadalin IBM
   Nick Ragouzis Individual
   Scott Cantor Internet2
   Bob Morgan Internet2
   Peter Davis NeuStar
   Jeff Hodges NeuStar
   Frederick Hirsch Nokia
   Senthil Sengodan Nokia
   Abbie Barbir Nortel
   Scott Kiester Novell
   Cameron Morris Novell
   Paul Madsen NTT USA
   Steve Anderson OpenNetwork
   Ari Kermaier Oracle
   Vamsi Motukuru Oracle
   Darren Platt Ping Identity
   Prateek Mishra Principal Identity
   John Linn RSA Security
   Rob Philpott RSA Security
   Eve Maler Sun Microsystems
   Ron Monzillo Sun Microsystems
   Emily Xu Sun Microsystems
   Mike Beach The Boeing Company


Attendance of Prospective Members or Observers

   Wendy Gray JPMorganChase
   Davis McPherson Epok
   Scott Tomilson Entrust
   Andy Moir OASIS


Membership Status Changes



   Bhavna Bhatnagar Sun Microsystems - Withdrew 3/7/2005
   Wendy Gray JPMorganChase - Granted voting status after 3/15/2005 call
   Gavenraj Sodhi Computer Associates - Lost voting status after 3/15/2005 call
   Michael McIntosh IBM - Lost voting status after 3/15/2005 call
   Hans Granqvist VeriSign - Lost prospective status after 3/15/2005 call
   John Hughes (FORMERLY Atos Origin) - LOA from 22 Mar to 6 May


---
end
