Minutes: SSTC Conference Call, July 5 (with attendance)

[prateek mishra <pmishra@principalidentity.com>]

Members: (quorum achieved; 25 out of 44 present)

-------------

Conor P. Cahill
Hal Lockhart
Thomas Wisniewski
Irving Reid
Guy Denton
Heather Hinton
Anthony Nadalin
Maryann Hondo
John Hughes
Scott Cantor
Bob Morgan
Ari Kermaier
Brian Campbell
Darren Platt
Alberto S.
Prateek Mishra
Jahan Moreh
Greg Whitehead
Mike Beach
EVe Maler
Abbie Barbir
Peter Davis
Cameron Morris
Jeff Hodges
Vamsi Motukuru

Prospective
-----------------
Gil Pilz
Senthil Sengodan
Merrit Maxim
Dave Stagg

Abbie Barbir <abbieb@nortel.com> wrote:

 

 Minutes of SSTC Conference Call, July 5

 

1. Accept minutes from June 21 conference call

 

http://lists.oasis-open.org/archives/security-services/200506/msg00149.html

 

--- Minutes accepted with no objections.

 

2. Errata Update and Review

 

http://www.oasis-open.org/apps/org/workgroup/security/download.php/13379/sstc-saml-errata-2.0-draft-10.pdf

 

n      Added two more items.

n      Scott sent some feedback to the list

n      PE 17 and 18 are still open

n      Looking at PE 17 as documented in draft 10 of the errata (No objections, passed)

n      Moving on to PE 18 (Came from discussions from Nick, hold on the vote until July 19^th)

 

3. Edit status of CD documents

(NOTE: new OASIS rules also require HTML versions of CD documents)

 

i. sstc-saml1x-metadata (AI #213)

 

available from

http://www.oasis-open.org/apps/org/workgroup/security/documents.php?close_folder_id=1348#folder_1348

 

--- Eve this should be done

ii. SAML 2.0 meta-data extension (AI #213)

 

 -- In progress, also the overview document.

 

iii. SSTC Response to "Security Analysis of SAML SSO Browser/Artifact Profile"

 

http://www.oasis-open.org/apps/org/workgroup/security/download.php/13348/sstc-gross-sec-analysis-response-02.pdf

 

Please e-mail SSTC list if you wish to have your name listed as a contributor.

 

iv. .509 Authn attribute protocol

 

Needs post-CD edits as described in AI #224. Action is Rob and Rick are to update with required edits. Wait to next SSTC call

 

-- Eve, did a lot of cut and paste (on i-iii), fixed name spaces, hopefully i-iii are ok. Need to check about HTML versions. Will do more testing and work on HTML

 

4. Technical Overview Status (John Hughes)

 -- John, progress has been slow, 70/80 percent done. Eve will do the 1.0/2.0 comparison stuff after they hand her the document. Expect a draft before the next call.

 

5. SAML Adoption Subcommittee Status (Merritt Maxim)
http://lists.oasis-open.org/archives/security-services/200506/msg00117.html

 

--- Waiting for more info/status. Better feedback on next call.

 

6. Recent Threads

 

--- Need to confirm if both cases will lead to no action.

 

i. Rejecting SAML Requests (SOAP Binding) - Thomas Wisniewski

http://lists.oasis-open.org/archives/security-services/200506/msg00121.html

 

--- There is a statement ion SOAP bing about when to fault. Need to make sure where it applies (whether we know the issuer or not). Up to the implementer to determine the kind of response to generate (SOAP fault vs SAML error).

 

--Eve, it may be at the SAML level not the SOAP level.

-- XXX: What if we do not know the sender.

-- If we can logically process the message then we should send SAML fault, if we can not then SOAP fault.

 

n      If we can not verify the signature, we should do a silent drop (no response). Thye situation also depend if we have validated the sender or not. Properly might send a response if we choose to.

n      Hal: Generating a SOAP fault may not mean sending a message (Terminology may be vague). Configuration determines if a message is sent.

n      XXX: WSA allow the fault to be sent into a different location.

n      SOAP fault says sending it in a massage. ( Many discussions)

n      Eve: we may need to provide more info such as an implementation guideline.

n      XXX: AT least we should say if you respond, you should do it this way.

n      AI: Conner is assigned the above action. (Look at Thomas thread and propose a solution based on your comments)

 

ii. ECP SSO Profile and Metadata - Greg Whitehead

http://lists.oasis-open.org/archives/security-services/200506/msg00131.html

 

n      Worked on it for some time. Greg any action that need to be taken.

n      XXX: Need to  propose an ERRATA for this (end point is SOAP, should point to consumer data, when processing at the SOAP level ………..)

n      Action item on Thomas to propose a solution. 

 

 

7:

Need a thread on ensuring that we follow the proper process for publishing the profiles (what we are trying to do with profiles, public reviews etc..). Scott will post a message to the list.

 

 

 

8. Open AIs

 

#0228: Adding Metadata to SAMLConf?

Owner: Nick Ragouzis

Status: Open

Assigned: 2005-07-04

Due: ---

---

#0227: Potential Errata, HTTPS in URI Binding

Owner: Nick Ragouzis

Status: Open

Assigned: 2005-07-04

Due: ---

---

#0226: PE2 and ArtifactResolutionService

Owner: Nick Ragouzis

Status: Open

Assigned: 2005-07-04

Due: ---

---

#0225: Third-party AuthnRequest use case

Owner: Scott Cantor

Status: Open

Assigned: 2005-07-04

Due: ---

---

#0224: Re-work X.509 Authn attribute protocol profile to address SSTC comments.

Owner: Rick Randall

Status: Open

Assigned: 2005-06-20

Due: ---

---

#0223: Proposal for subcommittee to address enhancing SAML Adoption.

Owner:

Status: Open

Assigned: 2005-06-20

Due: ---

---

#0216: Formulate some suggested redline text for E7 for review.

Owner: Jahan Moreh

Status: Open

Assigned: 2005-03-30

Due: ---

---

#0213: Prepare final CD draft of metadata-1x document and submit it to OASIS

Owner: Eve Maler

Status: Open

Assigned: 2005-03-29

Due: ---

---

#0210: Links to new IPR policy to be sent to SSTC

Owner: Rob Philpott

Status: Open

Assigned: 2005-03-15

Due: ---

---

#0180: Need to update SAML server trust document

Owner: Jeff Hodges

Status: Open

Assigned: 2004-07-12

Due: ---