OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Draft minutes for 17 Jun 2008 SSTC call

[roll call to be added]

Quorum achieved.

> 1. Approve minutes from June 3, 2008
> http://lists.oasis-open.org/archives/security-services/200806/msg00005.html

APPROVED by unanimous consent.

> 2. Administrative

No items.

> 3. Document Status
> 3.1 Subject-based Profiles for SAML V1.1 Assertions
> 3.1.1 Public review started recently and ends Aug 12
> http://lists.oasis-open.org/archives/security-services/200806/msg00006.html

We are all encouraged to review, and have our peers review, the draft.

> 3.1.2 Call for disclosure
> http://lists.oasis-open.org/archives/security-services/200806/msg00007.html

Please make sure to review the call for disclosure and follow the  

> 4 Other business

Nate uploaded a draft for SSTC comment:


Scott sent comments already:


Nate has reviewed the comments and finds them useful.

Nate is inclined to change the text to say that authentication  
requests SHOULD NOT be signed.  Scott believes that there's no  
difference between this profile and the original profile regarding  
signed requests, so is not sure why anything should be changed.  Is  
verifying the key too onerous?

Nate asks for the primary use case for signing the request; Scott  
guesses auditing.  The original browser SSO profile doesn't mandate  
encryption of the transport itself; perhaps this profile should do  
so.  But several people don't see how this helps; Brian notes that it  
protects the integrity of the content but may alter the behavior of  
the IdP in terms of their authentication assertion issuance, and  
recalls that the SecConsider doc mentions this.

Brian doubts the seriousness of the threat of DoS in this case; Scott  
echoes the doubt.

Nate suggests leaving the text in but adding a note about its lack of  
effectiveness.  Scott would prefer simplifying the profile.  Jeff  
wants to capture the rationale somewhere, if not in this profile.   
Scott suggests creating a section or appendix specially for this  

Do applications ever treat the key in the subject confirmation as a  
relay state?  This seems unrealistic.

Nate had also made a couple of other changes to the draft, so please  
review and send comments to the list.  He'll edit according to the  
advice noted above.

> 5 Action Items
> Report created 17 June 2008 10:03am EDT
> #0335: Add homepage content to wiki(s) as per
> http://lists.oasis-open.org/archives/security-services/200805/msg00033.html
> Owner: Tom Scavo
> Status: Open
> Assigned: 2008-05-30
> Due: ---

Tom has reviewed Eve's suggestions, but the editing AI is still pending.

> #0334: SSTC home page cleanup after and linking to content from AI#335
> Owner: Brian Campbell
> Status: Open
> Assigned: 2008-05-28
> Due: ---

This is dependent on Tom's work.  Still open.

Eve notes that the SAML FAQ will need a close look once we're done  
with all this other editing, or maybe as the other edits are being done.

> #0333: Publish a new revision of Profile for Use of DisplayName in  
> template
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Both still pending.  (Sampo's not on the call and hasn't sent anything  
to the list.)

> #0331: Revise Holder-of-Key Web Browser SSO Profile to make X.509  
> mandatory
> to implement
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---
> #0330: Revise Holder-of-Key Web Browser SSO Profile to make clear  
> what 'TLS'
> means, i.e. SSL 3, TLS 1, or TLS 1.1
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---
> #0329: Revise Holder-of-Key Web Browser SSO Profile WRT Authn  
> Statements
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---

All three of these are closed as of draft 03.  Draft 04 should be done  
before the next call, unless a large volume of comments come in.

> #0328: Revise SimpleSign
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Still pending.  Jeff will try to do this before the next call.


Eve brings up an idea to do a "Call for Profile Intentions", so that  
we can plan our SSTC work on something like a quarterly basis, and  
make sure to review profiles in a cohesive (cross-profile) fashion as  
much as possible.  This will help people manage their SSTC  
participation through the summer months, when vacations sometimes make  
a hash of coordination plans.  We should try and conclude this  
planning exercise within about a month.  People seem to think this is  
a reasonable idea.

AI: Eve to coordinate with Brian to do a Call for Profile Intentions.

Eve Maler                                         +1 425 947 4522
Principal Engineer                            eve.maler @ sun.com
Business Alliances group                    Sun Microsystems, Inc.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]