
Subject: [security-services] Minutes: SSTC Conference Call, July 5



 Minutes of SSTC Conference Call, July 5


1. Accept minutes from June 21 conference call




--- Minutes accepted with no objections.


2. Errata Update and Review




- Added two more items.

- Scott sent some feedback to the list

- PE 17 and 18 are still open

- Looking at PE 17 as documented in draft 10 of the errata (No objections, passed)

- Moving on to PE 18 (Came from discussions from Nick, hold on the vote until July 19th)


3. Edit status of CD documents

(NOTE: new OASIS rules also require HTML versions of CD documents)


i. sstc-saml1x-metadata (AI #213)


available from



--- Eve this should be done

ii. SAML 2.0 meta-data extension (AI #213)


 -- In progress, also the overview document.


iii. SSTC Response to "Security Analysis of SAML SSO Browser/Artifact Profile"




Please e-mail SSTC list if you wish to have your name listed as a contributor.


iv. X.509 Authn attribute protocol


Needs post-CD edits as described in AI #224. Action is Rob and Rick are to update with required edits. Wait until next SSTC call.


-- Eve, did a lot of cut and paste (on i-iii), fixed name spaces, hopefully i-iii are ok. Need to check about HTML versions. Will do more testing and work on HTML


4. Technical Overview Status (John Hughes)

 -- John, progress has been slow, 70/80 percent done. Eve will do the 1.0/2.0 comparison stuff after they hand her the document. Expect a draft before the next call.


5. SAML Adoption Subcommittee Status (Merritt Maxim)


--- Waiting for more info/status. Better feedback on next call.


6. Recent Threads


--- Need to confirm if both cases will lead to no action.


i. Rejecting SAML Requests (SOAP Binding) - Thomas Wisniewski



--- There is a statement in SOAP binding about when to fault. Need to make sure where it applies (whether we know the issuer or not). Up to the implementer to determine the kind of response to generate (SOAP fault vs SAML error).


--Eve, it may be at the SAML level not the SOAP level.

-- XXX: What if we do not know the sender.

-- If we can logically process the message then we should send SAML fault, if we can not then SOAP fault.


- If we can not verify the signature, we should do a silent drop (no response). The situation also depends on whether we have validated the sender or not. Properly might send a response if we choose to.

- Hal: Generating a SOAP fault may not mean sending a message (Terminology may be vague). Configuration determines if a message is sent.

- XXX: WSA allows the fault to be sent into a different location.

- SOAP fault says sending it in a message. (Many discussions)

- Eve: we may need to provide more info such as an implementation guideline.

- XXX: At least we should say if you respond, you should do it this way.

- AI: Conner is assigned the above action. (Look at Thomas thread and propose a solution based on your comments)


ii. ECP SSO Profile and Metadata - Greg Whitehead



- Worked on it for some time. Greg any action that need to be taken.

- XXX: Need to propose an ERRATA for this (end point is SOAP, should point to consumer data, when processing at the SOAP level ………..)

- Action item on Thomas to propose a solution.




Need a thread on ensuring that we follow the proper process for publishing the profiles (what we are trying to do with profiles, public reviews etc.). Scott will post a message to the list.




8. Open AIs


#0228: Adding Metadata to SAMLConf?

Owner: Nick Ragouzis

Status: Open

Assigned: 2005-07-04

Due: ---

#0227: Potential Errata, HTTPS in URI Binding

Owner: Nick Ragouzis

Status: Open

Assigned: 2005-07-04

Due: ---

#0226: PE2 and ArtifactResolutionService

Owner: Nick Ragouzis

Status: Open

Assigned: 2005-07-04

Due: ---

#0225: Third-party AuthnRequest use case

Owner: Scott Cantor

Status: Open

Assigned: 2005-07-04

Due: ---

#0224: Re-work X.509 Authn attribute protocol profile to address SSTC comments.

Owner: Rick Randall

Status: Open

Assigned: 2005-06-20

Due: ---

#0223: Proposal for subcommittee to address enhancing SAML Adoption.


Status: Open

Assigned: 2005-06-20

Due: ---

#0216: Formulate some suggested redline text for E7 for review.

Owner: Jahan Moreh

Status: Open

Assigned: 2005-03-30

Due: ---

#0213: Prepare final CD draft of metadata-1x document and submit it to OASIS

Owner: Eve Maler

Status: Open

Assigned: 2005-03-29

Due: ---

#0210: Links to new IPR policy to be sent to SSTC

Owner: Rob Philpott

Status: Open

Assigned: 2005-03-15

Due: ---

#0180: Need to update SAML server trust document

Owner: Jeff Hodges

Status: Open

Assigned: 2004-07-12

Due: ---

