Subject: SSTC Meeting Minutes - June 17, 2008 (With Roll Call)
OASIS SSTC Meeting - June 17, 2008
====================================

Voting Members
---------------
George Fletcher          AOL
Rob Philpott             EMC Corporation
Scott Cantor             Internet2
Nathan Klingenstein      Internet2
Bob Morgan               Internet2
Eric Tiffany             Liberty Alliance Project
Tom Scavo                NCSA
Peter Davis              NeuStar, Inc.
Frederick Hirsch         Nokia Corporation
Srinath Godavarthi       Nortel
Paul Madsen              NTT Corporation
Ari Kermaier             Oracle Corporation
Hal Lockhart             Oracle Corporation
Brian Campbell           Ping Identity Corporation
Anil Saldhana            Red Hat
Eve Maler                Sun Microsystems
Emily Xu                 Sun Microsystems
Kent Spaulding           Tripod Technology Group, Inc.

Members:
--------
Brett Burley             Veterans Health Administration
Duane DeCouteau          Veterans Health Administration

Quorum achieved (18 out of 22 voting members)

Membership Change: Prateek Mishra - lost voting status

> 1. Approve minutes from June 3, 2008
> http://lists.oasis-open.org/archives/security-services/200806/msg00005.html

APPROVED by unanimous consent.

> 2. Administrative

No items.

> 3. Document Status
>
> 3.1 Subject-based Profiles for SAML V1.1 Assertions
> 3.1.1 Public review started recently and ends Aug 12
> http://lists.oasis-open.org/archives/security-services/200806/msg00006.html

We are all encouraged to review, and have our peers review, the draft.

> 3.1.2 Call for disclosure
> http://lists.oasis-open.org/archives/security-services/200806/msg00007.html

Please make sure to review the call for disclosure and follow the instructions.

> 4 Other business

Nate uploaded a draft for SSTC comment:
http://lists.oasis-open.org/archives/security-services/200806/msg00009.html (PDF)
http://lists.oasis-open.org/archives/security-services/200806/msg00008.html (ODT)

Scott sent comments already:
http://lists.oasis-open.org/archives/security-services/200806/msg00011.html

Nate has reviewed the comments and finds them useful. Nate is inclined to change the text to say that authentication requests SHOULD NOT be signed.

Scott believes that there's no difference between this profile and the original profile regarding signed requests, so is not sure why anything should be changed. Is verifying the key too onerous? Nate asks for the primary use case for signing the request; Scott guesses auditing.

The original browser SSO profile doesn't mandate encryption of the transport itself; perhaps this profile should do so. But several people don't see how this helps; Brian notes that it protects the integrity of the content but may alter the behavior of the IdP in terms of their authentication assertion issuance, and recalls that the SecConsider doc mentions this. Brian doubts the seriousness of the threat of DoS in this case; Scott echoes the doubt. Nate suggests leaving the text in but adding a note about its lack of effectiveness. Scott would prefer simplifying the profile. Jeff wants to capture the rationale somewhere, if not in this profile. Scott suggests creating a section or appendix specially for this explanation.

Do applications ever treat the key in the subject confirmation as a relay state? This seems unrealistic.

Nate had also made a couple of other changes to the draft, so please review and send comments to the list. He'll edit according to the advice noted above.

> 5 Action Items
> Report created 17 June 2008 10:03am EDT
>
> #0335: Add homepage content to wiki(s) as per
> http://lists.oasis-open.org/archives/security-services/200805/msg00033.html
> Owner: Tom Scavo
> Status: Open
> Assigned: 2008-05-30
> Due: ---

Tom has reviewed Eve's suggestions, but the editing AI is still pending.

> #0334: SSTC home page cleanup after and linking to content from AI#335
> Owner: Brian Campbell
> Status: Open
> Assigned: 2008-05-28
> Due: ---

This is dependent on Tom's work. Still open. Eve notes that the SAML FAQ will need a close look once we're done with all this other editing, or maybe as the other edits are being done.

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS
> template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---
>
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Both still pending. (Sampo's not on the call and hasn't sent anything to the list.)

> #0331: Revise Holder-of-Key Web Browser SSO Profile to make X.509 mandatory
> to implement
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---
>
> #0330: Revise Holder-of-Key Web Browser SSO Profile to make clear what 'TLS'
> means, i.e. SSL 3, TLS 1, or TLS 1.1
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---
>
> #0329: Revise Holder-of-Key Web Browser SSO Profile WRT Authn Statements
> Owner: Nathan Klingenstein
> Status: Open
> Assigned: 2008-05-19
> Due: ---

All three of these are closed as of draft 03. Draft 04 should be done before the next call, unless a large volume of comments come in.

> #0328: Revise SimpleSign
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Still pending. Jeff will try to do this before the next call.

AOB:

Eve brings up an idea to do a "Call for Profile Intentions", so that we can plan our SSTC work on something like a quarterly basis, and make sure to review profiles in a cohesive (cross-profile) fashion as much as possible. This will help people manage their SSTC participation through the summer months, when vacations sometimes make a hash of coordination plans. We should try and conclude this planning exercise within about a month. People seem to think this is a reasonable idea.

AI: Eve to coordinate with Brian to do a Call for Profile Intentions.

--
--------------------------------------
Anil Saldhana
Leader, JBoss Security & Identity Management
Red Hat Inc
URL: http://jboss.org/jbosssecurity
BLOG: http://anil-identity.blogspot.com
---------------------------------------