Subject: Draft minutes for 17 Jun 2008 SSTC call
[roll call to be added]

Quorum achieved.

> 1. Approve minutes from June 3, 2008
> http://lists.oasis-open.org/archives/security-services/200806/msg00005.html

APPROVED by unanimous consent.

> 2. Administrative

No items.

> 3. Document Status
>
> 3.1 Subject-based Profiles for SAML V1.1 Assertions
> 3.1.1 Public review started recently and ends Aug 12
> http://lists.oasis-open.org/archives/security-services/200806/msg00006.html

We are all encouraged to review, and have our peers review, the draft.

> 3.1.2 Call for disclosure
> http://lists.oasis-open.org/archives/security-services/200806/msg00007.html

Please make sure to review the call for disclosure and follow the instructions.

> 4 Other business

Nate uploaded a draft for SSTC comment:
http://lists.oasis-open.org/archives/security-services/200806/msg00009.html (PDF)
http://lists.oasis-open.org/archives/security-services/200806/msg00008.html (ODT)

Scott sent comments already:
http://lists.oasis-open.org/archives/security-services/200806/msg00011.html

Nate has reviewed the comments and finds them useful. Nate is inclined to change the text to say that authentication requests SHOULD NOT be signed. Scott believes that there's no difference between this profile and the original profile regarding signed requests, so is not sure why anything should be changed. Is verifying the key too onerous? Nate asks for the primary use case for signing the request; Scott guesses auditing.

The original browser SSO profile doesn't mandate encryption of the transport itself; perhaps this profile should do so. But several people don't see how this helps; Brian notes that it protects the integrity of the content but may alter the behavior of the IdP in terms of their authentication assertion issuance, and recalls that the SecConsider doc mentions this. Brian doubts the seriousness of the threat of DoS in this case; Scott echoes the doubt. Nate suggests leaving the text in but adding a note about its lack of effectiveness.

Scott would prefer simplifying the profile. Jeff wants to capture the rationale somewhere, if not in this profile. Scott suggests creating a section or appendix specially for this explanation.

Do applications ever treat the key in the subject confirmation as a relay state? This seems unrealistic.

Nate had also made a couple of other changes to the draft, so please review and send comments to the list. He'll edit according to the advice noted above.

> 5 Action Items
> Report created 17 June 2008 10:03am EDT
>
> #0335: Add homepage content to wiki(s) as per
> http://lists.oasis-open.org/archives/security-services/200805/msg00033.html
> Owner: Tom Scavo
> Status: Open
> Assigned: 2008-05-30
> Due: ---

Tom has reviewed Eve's suggestions, but the editing action item (AI) is still pending.

> #0334: SSTC home page cleanup after and linking to content from AI#335
> Owner: Brian Campbell
> Status: Open
> Assigned: 2008-05-28
> Due: ---

This is dependent on Tom's work. Still open. Eve notes that the SAML FAQ will need a close look once we're done with all this other editing, or maybe as the other edits are being done.

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---
>
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Both still pending. (Sampo's not on the call and hasn't sent anything to the list.)

> #0331: Revise Holder-of-Key Web Browser SSO Profile to make X.509 mandatory to implement
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---
>
> #0330: Revise Holder-of-Key Web Browser SSO Profile to make clear what 'TLS' means, i.e. SSL 3, TLS 1, or TLS 1.1
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---
>
> #0329: Revise Holder-of-Key Web Browser SSO Profile WRT Authn Statements
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---

All three of these are closed as of draft 03. Draft 04 should be done before the next call, unless a large volume of comments come in.

> #0328: Revise SimpleSign
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Still pending. Jeff will try to do this before the next call.

AOB: Eve brings up an idea to do a "Call for Profile Intentions", so that we can plan our SSTC work on something like a quarterly basis, and make sure to review profiles in a cohesive (cross-profile) fashion as much as possible. This will help people manage their SSTC participation through the summer months, when vacations sometimes make a hash of coordination plans. We should try and conclude this planning exercise within about a month. People seem to think this is a reasonable idea.

AI: Eve to coordinate with Brian to do a Call for Profile Intentions.

Eve Maler
+1 425 947 4522
Principal Engineer
eve.maler @ sun.com
Business Alliances group
Sun Microsystems, Inc.