Subject: security-services minutes for con-call, August 16, 2005


August 16, 2005

 

OASIS Security Services (SAML) TC

Tuesday, 16 August 2005, 12:00pm to 02:00pm ET

 

1. Attendance/call to order.

Attendance list provided by Mr. Anderson is appended to these notes.

 

Note-taker selected by random selection: David Staggs

 

2. Approve minutes from August 2nd conference call.

Prateek Mishra: We have quorum. I sent an agenda out last evening to the group.  The second item is the approval of the August 2 minutes.  Are there any objections to approving the minutes of the August 2nd call?  No objections; minutes approved.

 

3. Document updates

a) X509 Authn eAttribute Profile

Prateek Mishra:  Eve Maler had some comments on the X509 AuthN attribute profile.

 

Eve Maler: I have no substantive changes to the profile.  But now that we are drafting smaller documents, I want to create a helpful template so that we do not start from a random document.  Using a template will eliminate old bibliographies and unused URLs taken from earlier documents.  I will be adding this template for use on any working committee drafts.

 

[As to the X509 AuthN eAttribute Profile] no substantive changes, I am just cleaning up and checking the references in the draft.  No official reference to SAML profile.  Only the query request profile was touched, but the only editing was done in the sub-profile.  I made a few changes there for clarity.

 

Prateek Mishra: Are there any other discussions on 3A? No.

 

(b) sstc-saml-2.0-xpath-attribute-profile-draft

Prateek Mishra: The next item is the XPath attribute profile. 

 

Cameron Morris: I released a new version a few weeks ago and got some good feedback.  I also added normative language (MUSTS and MAYS). Eve and Anne Anderson had good comments on the draft.  I think the most "heavyweight" comment was by Eve on interoperability.

 

Eve Maler: I have been increasingly worried about interoperability because the way we phrase it, anyone could define XPath that would be unique to them.  This could create some conformance issues.  My issue is, how do we make this more normative to prevent this from becoming a sub-profile in a million unknown ways?

 

Cameron Morris: I think we can offer a few use cases that suggest how to implement XPath in SAML. 

 

Eve Maler: I am OK with this as long as there are required implementations of certain XPath libraries.

 

Cameron Morris: This profile is a way to create consistency, not a way to require certain implementations of XPath.  We are suggesting using name attributes, it's a way to say if you are thinking of using XPath, here is a way to do this to allow consistency between applications.  The point is, as in the X500 standard, we did not require certain attributes, we just said this is the way we mapped attributes.

 

Eve Maler: OK, you have convinced me.  But the connection between XPath syntax and URI is the important issue.  Maybe we should give more explanation, maybe by adding motivation sections.  But I do not want to overdo it.

 

Cameron Morris: Anne Anderson had a question on XPATH but is not on the call.

 

Prateek Mishra: In terms of next steps, we will have another version in the making and will try to fold this document into a group of documents to committee specification.

 

Cameron Morris: This document has gone through CD vote but has not made it through yet. Conner had an issue during the previous vote but I believe we have reconciled that issue.

 

Eve Maler: I can take an editorial pass to help you meet CD review.  Give me 24 hours once you are ready.

 

Cameron Morris: I'll use your latest CD document as a starting point.

 

(c) Tech overview status

Prateek Mishra: Next item is the tech overview, John Hughes has published a new draft.

 

John Hughes:  The current state of the draft is on the list.  We need to state the differences between 1.1 and current draft.

 

Eve Maler:  I have reviewed the current changes with Nick.

 

Nick Ragouzis: I want to update the tables concerning the federated data - there could also be some change from a general SAML responder to what the service is.  Since I am not the owner of the Visio file, I'll just ask John Hughes to check figures 26-27 on the persistent federation topic.  Also, I would suggest changes to some of the pictures (3, 4, 6 and 10) to make color keying consistent.

 

John Hughes: I've also noted the colors print oddly.

 

Eve Maler:  I agree, not constant across graphics in the document.

 

John Hughes: I'll send copies to Nick and Eve before leaving for vacation.

 

Nick Ragouzis: I will offer to make changes and detail the edits in the Visio file.  I will also need folks' feedback.

 

Prateek Mishra: I encourage people to read this document.

 

Eve Maler:  I agree, people should set time aside to go through this document.  Maybe we should have a separate call to go through the document.  I will offer to set this up.  Heather (Hinton) is also interested in walking through the document.  If anyone wants to add their names I will contact you with the details and try to arrange a convenient time. [Prateek, Nick, David, Steve, Jeff, Frederick are interested.]  The walk-through should take about two hours.

 

Prateek Mishra: Are there any other comments on the new documents?

 

4. Errata discussion

Prateek Mishra: The next item on the agenda is the errata draft 13, Jahan?

 

Jahan Moreh: Item numbers 7 and 10 are still open.  Items 23, 25 and 26 have been entered.  Scott Cantor submitted 26.  Nick Ragouzis has resubmitted 25.

 

Nick Ragouzis: To recap PE 25, this is a proposal to add to the SAML document an option to support metadata in a consistent way and opens the way to improve performance.  In this proposal, we reviewed the SAML metadata components and decided we needed a minimal way to discover and publish metadata using a known method.  The earlier way suggested was to elevate one service over another.  But in the proposed way we can allow anyone to elect any service using any prescribed method of publishing.  A feature would be added to the feature method in the core and requestor modes in addition to section 3.6.  The requirement is to provide to a requestor using structures described in metadata.  You must make it available as in a SAML metadata document. This is an alternative to doing it any way you want to.

 

Eric Tiffany:  From a practical point we require people to publish metadata to make it feasible to make it testable.  We require metadata but I have not seen the DNS method tested.  If you use the DNS method you get a way to get the metadata but the key is the MTI for the well known location so you can get well-formed data.

 

Scott Cantor: It's one thing to say if it's optional but if it's MTI it's more difficult.

 

Prateek Mishra: But leaving this open to either will cause problems.

 

Scott Cantor: From an interoperability standpoint it doesn't matter, but the lack of interest in the DNS way suggests that the well-known point method is good enough.

 

Steve Anderson: DNS is not used, regardless of the interoperability groups.

 

Nick Ragouzis: Any other comments?

 

Prateek Mishra:  Just to understand, if I'm a producer of metadata, you require an optional choice for me to produce metadata in some way, and I should be able to consume it using some well known location.

 

Nick Ragouzis: Yes, the DNS location, in theory, does not necessarily resolve. The same is true for the well-known location method within a single deployment.  The DNS approach allows multiple ways in the same environment to resolve different URIs, so it's reasonably simple to support; SAML structures would not be able to show compliance by mirroring data everywhere - that's not a well-known location implementation.

 

Nick Ragouzis: In the case of the sneaker-net metaphor, if one duplicates the metadata everywhere, they would not be in compliance.  Metadata would transfer to each node out of band rather than fetching it; data could become stale.

 

Scott Cantor:  Also, there are lots of deployment issues resulting in publishing not being turned on.  But this is not directly a performance standpoint.

 

Nick Ragouzis: Not just in passing conformance but what you can declare.  You could declare conformance but could not be taken to task to meet conformance.  We must be clear: the use of out-of-band one-time investments could be declared in conformance.  It's just something to consider.

 

Prateek Mishra: Nick, if I have an IdPLite product implementing that and it's all my product does, I may not be able to generate a valid instance of the metadata schema given I am just implementing an IdPLite.

 

Nick Ragouzis: I think you could.  You would not have to populate the schema with something you are not providing.

 

Prateek Mishra:  Right, just want to verify that you can generate a valid instance with a lot of gaps in the schema.

 

Scott Cantor:  What matters is that you can generate it on the fly.

 

Prateek Mishra: So on the generation side, I have to have some way to generate this.  On the consumption side, I grab it after I alter my configuration.

 

Scott Cantor:  True, on the production side you could hand craft - on the consumer side it is cleaner.  Thinking about consumption is easier than production.

 

Nick Ragouzis:  The upshot is we cannot vote on this now, but I would like to change the last line of the proposed PE to "must support the Well-Known Location in addition to any other way."  We should make that change and vote on it.  Are there any objections?

 

(b) PE text for SSO profile ambiguities

Jahan Moreh:  Now to Scott on SSO profile.  [PE26]

 

Scott Cantor:  I submitted a set of revisions to the main profile for SSO to clean up multiple assertions in various aspects as well as subject confirmations.  We talked about it at the last meeting.  We discussed if we should eliminate multiple assertions.  When I did the action items my feeling was it would be confusing to add a second profile.  The hard issues are in the behaviors found in the main profile.  So it would be better to have one interoperable profile.

 

Brian Campbell: I agree, a second SSO profile would be a mistake here.  I read through Scott's changes and it's better.  I have not done an implementation of it yet so have not looked closely enough.  I have one comment on assertions concerning separate subject confirmation assertions.

 

Scott Cantor:  You may be including data from additional profiles.  I will take a look at the exact text.

 

Brian Campbell: The changes Scott made are a big improvement.

 

Scott Cantor:  I found there was strange wording in the original profile.  I made some changes but did not add any new restriction.

 

Jahan Moreh:  Do we want to schedule a vote for next time?

 

Scott Cantor:  I encourage implementers to compare the profiles.  This is a major activity and want to mess it up.

 

(c) Missing PAOS Reference

Jahan Moreh:  That is it for errata.  Errata 4(c) on the agenda was closed earlier.

 

5. Discussion Threads

(a) SAML Conformance SSL/TLS requirements

Prateek Mishra:  Eric has a thread about SSL/TLS requirements.

 

Eric Tiffany:  My comments were about sections 5.1 and 5.2 of the SAML 2 conformance document. 

 

Prateek Mishra:  The question is: are there open issues that we can classify in a couple of buckets.  Such as [1] SSL implementations and [2] why are we doing this.

 

Eric Tiffany:  This may be a bit outside the boundaries of what we are doing.

 

Prateek Mishra:  The challenge is that SSL is embedded in the specification.  We repeatedly say SSL 3.0 or TLS is recommended, so there is pressure to say more about that.

 

Eric Tiffany:  I do not really care either way.  The reason it came up is due to our performance testing; we could not decrypt AES, so we tell them to use RC4, so it's a practical issue.  If you are a vendor you have code that you put into a servlet engine or whatever to run your SAML implementation.  The way that interfaces to SSL is out of your hands, so that's where I am.

 

Scott Cantor:  There are things you can support and things you cannot. It must be possible to require a certain number of cipher suites.  The responsibility is on you to implement the required cipher suites.  Obviously your product works with the interfaces to SSL and will need to have installation and documentation too to produce a conformant deployment.  However, on the SP side you may not have control.

 

Irving Reid: At that point we are discussing mandatory to implement v. mandatory to deploy issues.  Vendors responsible for the container should document that a compliant deployment must be able to deploy in this way.

 

Eric Tiffany:  I'll take another read of the document.

 

Prateek Mishra:  That's the open discussion thread.

 

6.  Merritt Maxim: SAML Adoption Subcommittee Status (deferred from last call):

Prateek Mishra:  Is Merritt still on the call?  If not, we will come back to 6.

 

7. Open AIs

Prateek Mishra:  Now to item 7, open action items.  These are things we are carrying forward.  One is new: path names and URL references in WLS SAML profiles.  Connor assigned this to Ron.  I will take this to WSS as a discussion, summarizing the requirement to help move it.

 

Scott Cantor:  This was a chance as to where the new profile supports this and will generate a message to WSS after reading the SAML STP document.

 

Prateek Mishra:  Other action items: Third-party AuthnRequest use case (#0225) and #0225 (Proposal for subcommittee to address enhancing SAML Adoption).  In this we must rework the profile to address SSCP comments (by Rick and Ralph).  The major issue is in getting the document into CD format and some security considerations.  This is still open.

 

Prateek Mishra:  Number 223 is a proposal for sub-committee to address SAML adoption.  I will assign Merritt to this action item.

 

Prateek Mishra:  Number 216: formulate text to Jahan.

 

Jahan Moreh:  Action item 216 should be PE10 and remains open.

 

Prateek Mishra:  Number 210 (Links to new IPR policy to be sent to SSTC) Rob is away.  And 110 need to update SAML server from Jeff.

 

Jahan Moreh:  There is an item on PE 7 for Rob to review text.

 

Prateek Mishra:  And another action item for Rob on PE 10.

 

Scott Cantor:  We are potentially moving SAML metadata from CD to public review.

 

Prateek Mishra:  We will work for mid-August to package up another of these drafts and take it to the next step.

 

Nick Ragouzis: There is a change in TC process and a change in rules.  Miss two consecutive meetings and lose voting status; miss two more and lose membership status.  I think this is to stress the difference between voting and non-voting status.

 

Prateek Mishra: That's it, meeting adjourned.

 

Summary of New Action Items:

 

(#0229)- Prateek Mishra take over "support for passing SAML URI Reference to WSS" and will take this to WSS as a discussion, summarizing the requirement to help move it.

(#0223)- Merritt Maxim gets action item "Subcommittee to address enhancing SAML Adoption."

 

 

Attendance of Voting Members

 

  Abbie Barbir Nortel

  Mike Beach The Boeing Company

  Brian Campbell Ping Identity

  Scott Cantor Internet2

  Guy Denton IBM

  Heather Hinton IBM

  Frederick Hirsch Nokia

  John Hughes Individual

  Ari Kermaier Oracle

  Hal Lockhart BEA Systems, Inc

  Eve Maler Sun Microsystems

  Prateek Mishra Principal Identity

  Jahan Moreh Sigaba

  Bob Morgan Internet2

  Cameron Morris Novell

  Vamsi Motukuru Oracle

  Anthony Nadalin IBM

  Nick Ragouzis Individual

  Irving Reid Hewlett-Packard Company

  David Staggs Veteran's Health Administration (SAIC)

  Greg Whitehead Trustgenix

  Thomas Wisniewski Entrust

  Emily Xu Sun Microsystems


Attendance of Non-Voting Members

 

  Steve Anderson BMC Software

  Sharon Boeyen Entrust

  Carolina Canales-Valenzuela Ericsson

  Peter Davis NeuStar

  Jeff Hodges NeuStar

  Dana Kaufman Forum Systems

  Ashish Patel France Telecom

  Gilbert Pilz BEA Systems, Inc.

  Eric Tiffany IEEE Industry Standards

 

 

Membership Status Changes

 

  Ashish Patel France Telecom - Granted Membership 8/3/2005

  Merritt Maxim CA - Granted Membership 8/8/2005

  Alberto Squassabia (formerly) Ping Identity - Lost TC Membership
