[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: security-services minutes for con-call, August 16, 2005
August 16, 2005

OASIS Security Services (SAML) TC
Tuesday, 16 August 2005, 12:00pm to 02:00pm ET

1. Attendance/call to order.

Attendance list provided by Mr. Anderson is appended to these notes. Note-taker selected by random selection is David Staggs.

2. Approve minutes from August 2nd conference call.

Prateek Mishra: We have quorum. I sent an agenda out last evening to the group. The second item is the approval of the August 2 minutes. Are there any objections to approving the minutes of the August 2nd call? No objections, minutes approved.

3. Document updates

(a) X509 Authn Attribute Profile

Prateek Mishra: Eve Maler had some comments on the X509 AuthN attribute profile.

Eve Maler: I have no substantive changes to the profile. But now that we are drafting smaller documents, I want to create a helpful template so that we do not start from a random document. Using a template will eliminate old bibliographies and unused URLs taken from earlier documents. I will be adding this template for use on any working committee drafts. [As to the X509 AuthN Attribute Profile] no substantive changes, I am just cleaning up and checking the references in the draft. No official reference to SAML profile. Only the query request profile was touched, but the only editing was done in the sub-profile. I made a few changes there for clarity.

Prateek Mishra: Are there any other discussions on 3A? No.

(b) sstc-saml-2.0-xpath-attribute-profile-draft

Prateek Mishra: The next item is the XPath attribute profile.

Cameron Morris: I released a new version a few weeks ago and got some good feedback. I also added normative language (MUSTs and MAYs). Eve and Anne Anderson had good comments on the draft. I think the most "heavyweight" comment was by Eve on interoperability.

Eve Maler: I have been increasingly worried about interoperability because the way we phrase it, anyone could define XPath that would be unique to them. This could create some conformance issues. My issue is, how do we make this more normative to prevent this from becoming a sub-profile in a million unknown ways?

Cameron Morris: I think we can offer a few use cases that suggest how to implement XPath in SAML.

Eve Maler: I am OK with this as long as there are required implementations of certain XPath libraries.

Cameron Morris: This profile is a way to create consistency, not a way to require certain implementations of XPath. We are suggesting using name attributes; it's a way to say if you are thinking of using XPath, here is a way to do this to allow consistency between applications. The point is, as in the X500 standard, we did not require certain attributes, we just said this is the way we mapped attributes.

Eve Maler: OK, you have convinced me. But the connection between XPath syntax and URI is the important issue. Maybe we should give more explanation, maybe by adding motivation sections. But I do not want to overdo it.

Cameron Morris: Anne Anderson had a question on XPath but is not on the call.

Prateek Mishra: In terms of next steps we will have another version in the making and will try to fold this document into a group of documents to committee specification.

Cameron Morris: This document has gone through CD vote but has not made it through yet. Conner had an issue during the previous vote but I believe we have reconciled that issue.

Eve Maler: I can take an editorial pass to help you meet CD review. Give me 24 hours once you are ready.

Cameron Morris: I'll use your latest CD document as a starting point.

(c) Tech overview status

Prateek Mishra: Next item is the tech overview. John Hughes has published a new draft.

John Hughes: The current state of the draft is on the list. We need to state the differences between 1.1 and the current draft.

Eve Maler: I have reviewed the current changes with Nick.

Nick Ragouzis: I want to update the tables concerning the federated data - there could also be some change from a general SAML responder to what the service is. Since I am not the owner of the Visio file, I'll just ask John Hughes to check figures 26-27 on the persistent federation topic. Also, I would suggest changes to some of the pictures (3, 4, 6 and 10) to make color keying consistent.

John Hughes: I've also noted the colors print oddly.

Eve Maler: I agree, not consistent across graphics in the document.

John Hughes: I'll send copies to Nick and Eve before leaving for vacation.

Nick Ragouzis: I will offer to make changes and detail the edits in the Visio file. I will also need folks' feedback.

Prateek Mishra: I encourage people to read this document.

Eve Maler: I agree, people should set time aside to go through this document. Maybe we should have a separate call to go through the document. I will offer to set this up. Heather (Hinton) is also interested in walking through the document. If anyone wants to add their names I will contact you with the details and try to arrange a convenient time. [Prateek, Nick, David, Steve, Jeff]

Prateek Mishra: Are there any other comments on the new documents?

4. Errata discussion

(a) Errata draft 13

Prateek Mishra: The next item on the agenda is the errata draft 13, Jahan?

Jahan Moreh: Item numbers 7 and 10 are still open. Items 23, 25 and 26 have been entered. Scott Cantor submitted 26. Nick Ragouzis has resubmitted 25.

Nick Ragouzis: To recap PE 25, this is a proposal to add to the SAML document an option to support metadata in a consistent way and opens the way to improve performance. In this proposal, we reviewed the SAML metadata components and decided we needed a minimal way to discover and publish metadata using a known method. The earlier way suggested was to elevate one service over another. But the proposed way we can allow anyone to elect any service using any prescribed method of publishing. A feature would be added to the feature method in the core and requestor modes in addition to section 3.6. The requirement is to provide to a requestor using structures described in metadata. You must make available as in SAML metadata document. This is an alternative to doing it any way you want to.

Eric Tiffany: From a practical point we require people to publish metadata to make it feasible to make it testable. We require metadata but I have not seen the DNS method tested. If you use the DNS method you get a way to get the metadata, but the key is the MTI for the well-known location so you can get well-formed data.

Scott Cantor: It's one thing to say if it's optional, but if it's MTI it's more difficult.

Prateek Mishra: But leaving this open to either will cause problems.

Scott Cantor: From an interoperability standpoint it doesn't matter, but the lack of interest in the DNS way suggests that the well-known point method is good enough.

Steve Anderson: DNS is not used, regardless of the interoperability groups.

Nick Ragouzis: Any other comments?

Prateek Mishra: Just to understand, if I'm a producer of metadata, you require an optional choice for me to produce metadata in some way, and I should be able to consume it using some well-known location.

Nick Ragouzis: Yes, the DNS location, in theory, does not necessarily resolve. The same is true for the well-known location method within a single deployment. The DNS approach allows multiple ways in the same environment to resolve different URIs, so it's reasonably simple to support. SAML structures would not be able to show compliance by mirroring data everywhere - that's not a well-known location implementation.

Nick Ragouzis: In case of the sneaker-net metaphor, if one duplicates the metadata everywhere, they would not be in compliance. Metadata would transfer to each node out of band rather than fetching it; data could become stale.

Scott Cantor: Also, there are lots of deployment issues resulting in publishing not being turned on. But this is not directly a performance standpoint.

Nick Ragouzis: Not just in passing conformance but what you can declare. You could declare conformance but could not be taken to task to meet conformance. We must be clear, the use of out-of-band one-time investments could be declared in conformance. It's just something to consider.

Prateek Mishra: Nick, if I have an IdPLite product implementing that and it's all my product does, I may not be able to generate a valid instant metadata schema given I am just implementing an IdPLite.

Nick Ragouzis: I think you could. You would not have to populate the schema with something you are not providing.

Prateek Mishra: Right, just want to verify that you can generate a valid instance with a lot of gaps in the schema.

Scott Cantor: What matters is that you can generate it on the fly.

Prateek Mishra: So on the generation side, I have to have some way to generate this. On the consumption side, I grab it after I alter my configuration.

Scott Cantor: True, on the production side you could hand craft - on the consumer side it is cleaner. Thinking about consumption is easier than production.

Nick Ragouzis: The upshot is we cannot vote on this now, but I would like to change the last line of the proposed PE to must support the Well-Known Location in addition to any other way. We should make that change and vote on it. Are there any objections?

(b) PE text for SSO profile ambiguities

Jahan Moreh: Now to Scott on SSO profile. [PE26]

Scott Cantor: I submitted a set of revisions to the main profile for SSO to clean up multiple assertions in various aspects as well as subject confirmations. We talked about it at the last meeting. We discussed if we should eliminate multiple assertions. When I did the action items my feeling is it would be confusing to add a second profile. The hard issues are in the behaviors found in the main profile. So it would be better to have one interoperable profile.

Brian Campbell: I agree, a second SSO profile would be a mistake here. I read through Scott's changes and it's better. I have not done an implementation to it yet so have not looked closely enough. I have one comment on assertions concerning separate subject confirmation assertions.

Scott Cantor: You may be including data from additional profiles. I will take a look at the exact text.

Brian Campbell: The changes Scott made are a big improvement.

Scott Cantor: I found there was strange wording in the original profile. I made some changes but did not add any new restriction.

Jahan Moreh: Do we want to schedule a vote for next time?

Scott Cantor: I encourage implementers to compare the profiles. This is a major activity and want to mess it up.

(c) Missing PAOS Reference

Jahan Moreh: That is it for errata. Errata 4 c on the agenda was closed earlier.

5. Discussion Threads

(a) SAML Conformance SSL/TLS requirements

Prateek Mishra: Eric has a thread about SSL/TLS requirements.

Eric Tiffany: My comments were about sections 5.1 and 5.2 of the SAML 2 conformance document.

Prateek Mishra: The question is: are there open issues that we can classify in a couple of buckets, such as [1] SSL implementations and [2] why are we doing this.

Eric Tiffany: This may be a bit outside the boundaries of what we are doing.

Prateek Mishra: The challenge is that SSL is embedded in the specification. We repeatedly say SSL 3.0 or TLS is recommended, so there is pressure to say more about that.

Eric Tiffany: I do not really care either way. The reason it came up is due to our performance testing; we could not decrypt AES, so we tell them to use RC4, so it's a practical issue. If you are a vendor you have code that you put into a servlet engine or whatever to run your SAML implementation. The way that interfaces to SSL is out of your hands, so that's where I am.

Scott Cantor: There are things you can support and things you cannot. It must be possible to require a certain number of cipher suites. The responsibilities are on you to implement the required cipher suites. Obviously your product works with the interfaces to SSL and will need to have installation and documentation to produce a conformant deployment. However, on the SP side you may not have control.

Irving Reid: At that point we are discussing mandatory to implement vs. mandatory to deploy issues. Vendors responsible for the container should document that a compliant deployment must be able to deploy in this way.

Eric Tiffany: I'll take another read of the document.

Prateek Mishra: That's the open discussion thread.

6. Merritt Maxim: SAML Adoption Subcommittee Status (deferred from last call)

Prateek Mishra: Is Merritt still on the call? If not, we will come back to 6.

7. Open AIs

Prateek Mishra: Now to item 7, open action items. These are things we are carrying forward. One is new: path names and URL references in WLS SAML profiles. Connor assigned this to Ron. I will take this to WSS as a discussion, summarizing the requirement to help move it.

Scott Cantor: This was a chance as to where the new profile supports this and will generate a message to WSS after reading the SAML STP document.

Prateek Mishra: Other action items: Third-party AuthnRequest use case (#0225) and #0225 (Proposal for subcommittee to address enhancing SAML Adoption). In this we must rework the profile to address SSCP comments (by Rick and Ralph). The major issues are getting the document into CD format and some security considerations. This is still open.

Prateek Mishra: Number 223 is a proposal for a sub-committee to address SAML adoption. I will assign Merritt to this action item.

Prateek Mishra: Number 216: formulate text to Jahan.

Jahan Moreh: Action item 216 should be PE10 and remains open.

Prateek Mishra: Number 210 (Links to new IPR policy to be sent to SSTC): Rob is away. And 110 needs to update SAML server from Jeff.

Jahan Moreh: There is an item on PE 7 for Rob to review text.

Prateek Mishra: And another action item for Rob on PE 10.

Scott Cantor: We are potentially moving SAML metadata from CD to public review.

Prateek Mishra: We will work for mid-August to package up another of these drafts and take to the next step.

Nick Ragouzis: There is a change in TC process and change in rules. Miss two consecutive meetings and lose voting status; miss two more and lose membership status. I think this is to stress the difference between voting and non-voting status.

Prateek Mishra: That's it, meeting adjourned.

Summary of New Action Items:

(#0229) - Prateek Mishra takes over "support for passing SAML URI Reference to WSS" and will take this to WSS as a discussion, summarizing the requirement to help move it.

(#0223) - Merritt Maxim gets action item "Subcommittee to address enhancing SAML Adoption."

Attendance of Voting Members

Abbie Barbir, Nortel
Mike Beach, The Boeing Company
Brian Campbell
Scott Cantor, Internet2
Guy Denton, IBM
Heather Hinton, IBM
Frederick Hirsch, Nokia
John Hughes, Individual
Ari Kermaier, Oracle
Hal Lockhart, BEA Systems, Inc
Eve Maler, Sun Microsystems
Prateek Mishra, Principal Identity
Jahan Moreh, Sigaba
Bob Morgan, Internet2
Cameron Morris, Novell
Vamsi Motukuru, Oracle
Anthony Nadalin, IBM
Nick Ragouzis, Individual
Irving Reid, Hewlett-Packard Company
David Staggs, Veteran's Health Administration (SAIC)
Greg Whitehead, Trustgenix
Thomas Wisniewski, Entrust
Emily Xu, Sun Microsystems

Attendance of Non-Voting Members

Steve Anderson, BMC Software
Sharon Boeyen, Entrust
Peter Davis, NeuStar
Jeff Hodges, NeuStar
Dana Kaufman, Forum Systems
Ashish Patel
Gilbert Pilz, BEA Systems, Inc.
Eric Tiffany, IEEE Industry Standards

Membership Status Changes

Ashish Patel
Merritt Maxim, CA - Granted Membership 8/8/2005
Alberto Squassabia, (formerly) Ping Identity - Lost TC Membership