Subject: Draft minutes for SSTC Conference Call July 18, 2006 - V2, with roll call data and corrections

> > 1. Roll Call & Agenda Review

Attendance of Voting Members

Steve Anderson        BMC Software
Abbie Barbir          Nortel
Bhavna Bhatnagar      Sun Microsystems
Brian Campbell        Ping Identity
Scott Cantor          Internet2
Peter Davis           NeuStar
Frederick Hirsch      Nokia
Jeff Hodges           NeuStar
John Hughes           PA Consulting
Hal Lockhart          BEA Systems, Inc
Paul Madsen           NTT Corporation
Eve Maler             Sun Microsystems
Prateek Mishra        Oracle
Jahan Moreh           Sigaba
Bob Morgan            Internet2
Anthony Nadalin       IBM
Ashish Patel          France Telecom
Rob Philpott          RSA Security
David Staggs          Veteran's Health Admin
Greg Whitehead        Hewlett-Packard Company
Thomas Wisniewski     Entrust
Emily Xu              Sun Microsystems

Attendance of Non-Voting Members

Ari Kermaier          Oracle
Tom Scavo             National Center for Supercomputing Applications

Membership Status Changes

Heather Hinton        IBM - Granted voting status after 6/20/2006 call
Ari Kermaier          Oracle - Lost voting status after 6/20/2006 call
Tom Scavo             National Center for Supercomputing Applications - Granted membership 6/22/2006
Rick Randall          Booz Allen Hamilton - Member account deactivated 6/26/2006
Toshihiro Nishimura   Fujitsu - Granted membership 6/22/2006
Dana Kaufman          Forum Systems - Lost voting status after 7/18/2006 call
Nick Ragouzis         Enosis Group - Lost voting status after 7/18/2006 call

> > 2. Approve minutes from June 20 con-call
> > http://lists.oasis-open.org/archives/security-services/200606/msg00028.html

APPROVED by unanimous consent.

> > 3. Informational
> >
> > a. Update from Chairs on SSTC IPR Transition Planning
> > http://lists.oasis-open.org/archives/security-services/200606/msg00049.html

Hal: We are polling people about willingness to sign up to the various IPR modes. People should be consulting with their own organizations. Currently there's at least one organization that would oppose the IPR transition without a tightening up of the charter. We are discussing the matter with the OASIS staff. There are three ways forward:

- A charter clarification could be done if it's a reduction in scope.
- If there are additions, we could do a charter change vote, which has a higher bar.
- We could charter a brand-new TC that goes by default under the new IPR policy, and the "old" SSTC would go away entirely.

It has been proposed, separately, that this TC could take up security policy, which would constitute a "charter change".

Rob: But the current charter is open-ended as to the creation of new profiles.

Frederick: What work is on the docket going forward besides, potentially, the policy item? It's helpful to understand the options a little more deeply before sending us to our lawyers.

Prateek: We're at the point where we want to collect the questions, but not try to answer them yet.

Jamie: Agree that it's important to have the discussion about the work docket before knowing how to answer the questions.

Abbie: What are the deadlines?

Jamie: The SSTC is fine for now, unless someone votes to end it. If we don't transition to the new IPR policy somehow, the TC will close by April 2007. To transition, you have to vote, and that takes maybe 4 weeks elapsed. The vote must be unanimous, so if there's a holdup, you need to build in more time.

Prateek: Let's take this to the list.

Eve: Would like to dedicate a future call to the topic of future SSTC work.

> > b. SAML IPR statements have been revised to explicit "defensive suspension"
> > http://lists.oasis-open.org/archives/security-services/200606/msg00032.html
> >
> > c. new drafts - draft-hodges-saml-binding-noxmldsig-02.pdf
> > http://www.oasis-open.org/apps/org/workgroup/security/download.php/18954/draft-hodges-saml-binding-noxmldsig-02.pdf

Jeff: Comments are welcome. He and Scott have been discussing rev 03 changes, possibly coming in mid-August. This would involve conveying key info, currently not supported. Also, they've been toying with a more "positive" name, something like "simple sign"? They have also been working on a lightweight SSO profile that uses this binding.

Jeff had previously sent a note to the list about this I-D, we think.

> > d. yet another SAML-based effort
> > http://lists.oasis-open.org/archives/security-services/200607/msg00037.html
> >
> >
> > 4. Public Review of SAML Profiles and Extensions is now CLOSED
> >
> > a. Public Review period ends July 10
> > http://lists.oasis-open.org/archives/members/200605/msg00004.html
> >
> > The TC must track the comments received as well as the disposition of each comment.

This included a whole stack of profiles and extensions. Prateek is looking for champions to address the comments, as linked below. Eve suggests this should be the primary author of each spec, unless they can't for some reason.

> > b. Comments upon sstc-saml1x-metadata-cd-01

Scott is the comment champion.

> > i. Tom Scavo
> > http://lists.oasis-open.org/archives/security-services/200606/msg00061.html
> >
> > ii. Tom Scavo
> > http://lists.oasis-open.org/archives/security-services/200607/msg00024.html

Tom notes that these comments are about sstc-saml-metadata-ext-query-cd-01, not sstc-saml1x-metadata-cd-01.

> >
> > c. Comments upon SAML Attribute Sharing Profile for X.509 Authentication-Based Systems

Ari Kermaier is the comment champion. Rob has agreed to review the response.

> > i. Tom Scavo
> > http://lists.oasis-open.org/archives/security-services/200606/msg00054.html
> >
> > ii. Tom Scavo
> > http://lists.oasis-open.org/archives/security-services/200607/msg00001.html
> >
> > iii. Tom Scavo
> > http://www.oasis-open.org/apps/org/workgroup/security/download.php/19050/sstc-saml-x509-authn-attrib-profile-draft-09-diff.pdf
> >
> > iv. Tom Scavo
> > http://www.oasis-open.org/apps/org/workgroup/security/download.php/19053/sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf
> >
> > v. Tom Wisniewski
> > Comments on Attribute Sharing Profile for X.509 Authentication-Based Systems (draft 10)
> > http://lists.oasis-open.org/archives/security-services/200607/msg00023.html
> >
> > d. sstc-saml-protocol-ext-thirdparty-cd-01

Scott is the comment champion.

> > i. Tom Scavo
> > http://lists.oasis-open.org/archives/security-services/200607/msg00032.html

We'll continue to look for further comment on the lists.

Tom notes public comment from <hmadhavanpillai@rsasecurity.com> regarding sstc-saml-x509-authn-attrib-profile-cd-02:
http://lists.oasis-open.org/archives/security-services-comment/200607/msg00006.html

Eve puts in a plea for document uploaders to ensure that they check the box that allows for public access to the documents.

> > 5. Errata Review
> >
> > http://www.oasis-open.org/apps/org/workgroup/security/download.php/19182/sstc-saml-errata-2.0-draft-32.pdf

PE49: Clarification on attribute name format:
Greg being happy with Scott's commentary is good enough for Scott!
MOTION: Greg moves we accept the change. APPROVED by unanimous consent.

PE52: Clarification on <NotOnOrAfter> attribute:
AI: Rob to review PE52.

PE55: Various Language Cleanups:
Ideally the people who did the Liberty conformance dry-runs should weigh in on whether Scott's proposed changes make sense. Scott will broach this with Liberty folks this week.

PE56: Typo in Profiles:
(Note that errata-32 has a typo in the section heading, saying "PE55" instead!) This looks like a simple editorial change.
MOTION: Jahan moves to accept the proposed change for PE56. APPROVED by unanimous consent.

PE57: [SAMLmime] reference in saml-bindings:
This is a simple change, since the old I-D expired.
MOTION: Eve moves to accept the proposed change for PE57. APPROVED by unanimous consent.

PE58: Potential errata in Metadata:
There are some dozen small items making up this comment. There's been some discussion back and forth. This doesn't belong as a SAML V2.0 PE, since the comments are on a draft profile.

> > 6. Active Threads
> >
> > a. Probability text in core section 1.3.4
> > http://lists.oasis-open.org/archives/security-services/200606/msg00027.html

Scott: The issue has generally been overblown in terms of interop consequences.

Prateek: If Greg proposes a change, we can formally consider it.

Eve: It would make a dandy informal wiki entry.

> > b. NameID and the use of SPProvidedID
> > http://lists.oasis-open.org/archives/security-services/200606/msg00037.html

Tom W.: You can send the NameID as is or using the SPProvidedID. He reads the spec as saying that the latter is required, though currently they're supporting both methods.

Scott: It's ambiguous, though not through strong feelings one way or the other.

AI: Tom W. to propose clearer text.

Rob: What are the interop implications?

Greg: We need to clarify the interpretation towards the more-interoperable scenario, according to the Liberty interop work. I have expressed this on the list many times.

Scott: So the clarification is that the SP may send the SPProvidedID, but it's not required. (The IdP has to send it, of course, since that's the point of the attribute.) So, "Be liberal in what you accept." This allows all current implementations to be counted as doing the right thing.

AI: Tom W. to propose clarifying text. Greg's message 42 from June 2006 can contribute to this proposal.

> > c. superseding prior spec set versions? (was:Re:[security-services]FW: SAML 1.0 or 1.1)
> > http://lists.oasis-open.org/archives/security-services/200606/msg00051.html

Jeff: We're blazing a trail in doing this within OASIS, but some other organizations already have processes in place for this.

AI: Prateek (and everyone) to comment on superseding of prior spec versions.

> > d. SAML Authn Ctx Combination Spec
> > http://lists.oasis-open.org/archives/security-services/200607/msg00003.html

Ashish: There was some confusion in processing rules about nesting. They have modified the extension proposal to take this into account and will submit the draft again for comment.

AI: Ashish and Paul to update the Authn Context combination spec.

> > e. SAML References
> > http://lists.oasis-open.org/archives/security-services/200607/msg00033.html

AI: Eve to create a SAML-specific spec template to help people create bibliographic entries with consistent SAML V2.0 "spec artifact" references.

> > 7. Open AIs
> > 0263: NameID and the use of SPProvidedID
> > Owner: Jahan Moreh
> > Status: Open
> > Assigned: 2006-07-18
> > Due: ---

Still open.

> >
> > --------------------------------------------------------------------------------
> >
> > #0262: Creation of the "new" LDAP/X.500 profile
> > Owner: Scott Cantor
> > Status: Open
> > Assigned: 2006-07-18
> > Due: ---

Still open.

> >
> > --------------------------------------------------------------------------------
> >
> > #0261: Chairs to contact GUIDE for follow-up
> > Owner:
> > Status: Open
> > Assigned: 2006-07-18
> > Due: ---

Still open. Prateek will look into it.

> >
> > --------------------------------------------------------------------------------
> >
> > #0240: Status of SAML 2.0 submission to ITU T
> > Owner: Abbie Barbir
> > Status: Open
> > Assigned: 2005-11-08
> > Due: ---

Still open. SAML and XACML appear to have official ITU-T standards numbers, but maybe they're just provisional. Eve can put notice of their final standards status on the SSTC site.

AI: Abbie to update the TC and provide any relevant links.

> >
> > --------------------------------------------------------------------------------
> >
> > #0238: Plan for red-line versions of SAML 2.0
> > Owner: Eve Maler
> > Status: Open
> > Assigned: 2005-11-08
> > Due: ---

Still open.

--------------------------------------------------------------------------------

Other news: Eve/Rob/Nick hope to publish rev 09 of the Technical Overview this week.

ADJOURNED.

--
Eve Maler                                         +1 425 947 4522
Technology Director                           eve.maler @ sun.com
CTO Business Alliances group               Sun Microsystems, Inc.