OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes, SSTC Concall, September 25, 2007

On 9/25/07, Hal Lockhart <hlockhar@bea.com> wrote:
> Proposed Agenda SSTC Concall, September 25, 2007
> Dial in info: +1 865 673 6950
> Access code: 270-9441#
> Roll Call & Agenda Review

Attendance data provided by Steve Anderson, BMC Software

Attendance of Voting Members

  Steve Anderson BMC Software
  Brian Campbell Ping Identity
  Scott Cantor Internet2
  Jeff Hodges NeuStar
  Ari Kermaier Oracle
  Hal Lockhart BEA Systems, Inc
  Paul Madsen NTT Corporation
  Eve Maler Sun Microsystems
  Anthony Nadalin IBM
  Rob Philpott EMC Corporation
  Anil Saldhana Red Hat
  Tom Scavo National Center for Supercomputing Applications
  Kent Spaulding Tripod Technology Group
  David Staggs Veteran's Health Admin
  Eric Tiffany IEEE Industry Standards
  Emily Xu Sun Microsystems

Attendance of Non-Voting Members

  Peter Davis NeuStar

Attendance of Observers

  Giles Hogben ENISA

Membership Status Changes

  Charles Knouse HP - Granted membership 9/6/2007
  Jeff Hodges NeuStar - Granted voting status after 9/11/2007 call
  Ari Kermaier Oracle - Granted voting status after 9/11/2007 call
  Prateek Mishra Oracle - Lost voting status after 9/11/2007 call
  Peter Davis NeuStar - Lost voting status after 9/11/2007 call
  George Fletcher AOL - Lost voting status after 9/11/2007 call
  Abbie Barbir Nortel - Lost voting status after 9/25/2007 call
  Carolina Canales-Valenzuela Ericsson - Lost voting status after 9/25/2007 call

> Need a volunteer to take minutes

Tom Scavo volunteered to take minutes.

> 1. Approve minutes from September 11
> http://lists.oasis-open.org/archives/security-services/200709/msg00020.html

Minutes unanimously approved with the modification noted in the above message.

> 2. Administrative
> 2.1 ESOE Beta 1 -- Enterprise Sign On Engine
> http://lists.oasis-open.org/archives/security-services/200709/msg00025.html

The above announcement is FYI.  Note that ESOE is not an Internet2 project:


> 3. Document Status
> 3.1 Docs on their way to OS
> Metadata Profile for the OASIS Security Assertion Markup Language (SAML)
> V1.x
> & Metadata Extension for SAML V2.0 and V1.x Query Requesters
> Will go for OASIS vote in October

There will be a 15-day review period after which voting by
institutional representatives will commence.

Brian: How does one determine who is the institutional representative?
Hal: I don't know if there's an easy way to determine this, so contact
me offline and I will find out for you.

> 3.2 Docs pending public review
> Pending 15 Day Review
> *SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based
> Systems (CD 04)
> *SAMLv2.0 HTTP POST "SimpleSign" Binding (CD 02)
> The following are needed.
> 1. The dates of the original 60-day review, including a link to the
> announcement
> 2. The comment resolution log of any reported issues
> 3. A change-marked copy of the spec noting the differences from the
> version submitted for the 60-day public review.

These items will be discussed in the mailing list.

Should we instead request a 60-day review of these two documents?
(This, too, will be discussed in the mailing list.)

AIs: Tom and Scott own these two documents (resp.).

> Pending 60 Day Review
> *SAML V2.0 Deployment Profiles for X.509 Subjects (CD 02)
> *Identity Provider Discovery Service Protocol and Profile (CD 02)
> Need work on conformance sections:
> SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based
> Systems - contains no conformance section
> SAMLv2.0 HTTP POST "SimpleSign" Binding - contains an inadequate
> conformance
> section:
> "A specification that is approved by the TC at the Public Review Draft,
> Committee Specification or OASIS Standard level must include a separate
> section, listing a set of numbered conformance clauses, to which any
> implementation of the specification must adhere in order to claim
> conformance to the specification (or any optional portion thereof)."

Note that the above two items refer to the previous documents awaiting
15-day public review, not the documents awaiting 60-day public review
(as mistakenly noted above).

These additional items will be discussed in the mailing list.

> 3.3 SAML v2.0 Errata
> http://lists.oasis-open.org/archives/security-services/200708/msg00030.h
> tml (AI#305)

Eve has determined the latest rev to the "working errata" document is 40:


> Abbie was to discuss work with Eve.

Eve talked to Abbie about adding outstanding errata to the working
errata doc.  Abbie has agreed to do this.  Eve will work with Abbie to
make this happen.

Eve requests that we consider the "approved errata" document at this
time.  No comments were received during public review period.  We are
at the point where the SSTC can vote to move the approved errata doc
to the next level.

Eve makes the following motion: The SSTC requests a ballot to approve
moving the errata document to its final state (know as Approved
Jeff H seconds this motion.
No further discussion.
Motion unanimously approved.

> 4 Discussions
> 4.1 SAML metadata lifecycle issues
> Anyone prepared to discuss this?

AI: Scott will propose some errata related to metadata.

These errata are separate from the previously discussed metadata
lifecycle issues, so the two items (errata and metadata lifecycle
issues) can proceed independently of one another.

> 4.2 Proposal for extensions to Authentication Context
> Giles to attend the call for discussion

No SSTC member present voiced an objection to allow Giles to
participate in today's call.

> Hal posted some previous off-list discussion


Last time we discussed the issue of AuthnContext (AC), Giles presented
a number of use cases.  This time around he proposes adding a number
of extensions to AC:


Briefly (see the above wiki link for more detail), there are five AC
extensions being proposed:

1. Privacy features of credentials (e.g., pseudonyms)
2. Issuance and registration mechanisms (e.g., documentation lists)
3. Assurance levels (LoA)
4. User friendly abstractions
5. Reputation of the subject (e.g., number of signing on a PGP key)

Discussion highlights:

Hal: AC is intended to be used as run-time information in support of
SSO.  In practice, it should not be necessary to propagate all the
details of the authentication process, just those bits of information
immediately useful to the relying party.  In other words, we should
try to keep the AC as lightweight as possible.

Ari: For instance, in the case of password-protected transport, it
should not be necessary to communicate key length.

Eric: GSA E-authentication uses attributes, not AC, to communicate
LoA.  An open question is: How to translate LoA attributes to AC?

Giles: There are numerous LoA models (worldwide) that need to be considered.

Paul: AC schema need to be defined, and semantics need to be well
understood and documented.

Eve: An AC URI might indicate what schema and/or specification is
being asserted.

Giles: What about dynamic AC?

Eve: There isn't much support for dynamic AC in the current AC model.

Jeff: Assurance levels need to be baked, not parsed at runtime.

Hal: We should try to keep the SP's job simple, otherwise SPs will
choose to do their own authentication.

Hal: The previous distinction regarding AC and attributes is
important.  Attributes are a property of the subject.  AC is a
property of the authentication process (independent of the subject).

Eve: Reputation of the issuer (as opposed to reputation of the
subject) may be important as well

Giles personal goal (over the next couple of months): Map the EU LoA
model to SAML AC.

> 5 Other business

No new business.

> 6 Action Items (Report created 25 September 2007 12:38am EDT)
> #0283: Change final arrows to solid in Tech Overview diagrams
> throughout.
> Owner: Paul Madsen
> Status: Open
> Assigned: 2007-03-27
> Due: ---

Paul reports that the arrows have been fixed and a ZIP file has been
uploaded to Kavi.  Paul will upload a new version of the Tech Overview
asap.  This AI will remain open.

> #0304: Incorporate appropriate use of LDAP language tags in new LDAP
> attr profile
> Owner: Scott Cantor
> Status: Open
> Assigned: 2007-08-23
> Due: ---

This AI will remain open.

> #0305: Prepare final version(s) of the SAML v2.0 Errata document
> Owner: Abbie Barbir
> Status: Open
> Assigned: 2007-08-23
> Due: ---

This AI will remain open.

> #0308: Recommend wording on potential erratum on metadata and DNSSEC
> Owner: Peter Davis
> Status: Open
> Assigned: 2007-09-18
> Due: ---

This AI will remain open.

> #0309: Locate the link to the current "working errata" document and
> follow up with Abbie Barbir (who we think volunteered) about getting the
> new crop of errata recorded.
> Owner: Eve Maler
> Status: Open
> Assigned: 2007-09-18
> Due: ---

This item was discussed earlier on the call. This AI will remain open.

Next regular meeting is scheduled for Tue, Oct 9, 2007

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]