
Subject: NIST prohibits use of SAML assertions at LOA 4


NIST representatives pointed out that the new NIST Draft SP800-63-1
prohibits the use of SAML assertions at level of assurance 4.

Is this an issue that the TC should address?  Is there a problem in
using SAML for high assurance communications?  I have been told NIST is
still accepting comment on the draft although the official comment
period is over.


David Staggs, JD, CISSP (SAIC)
Veterans Health Administration
Chief Health Informatics Office
Emerging Health Technologies

-----Original Message-----
From: Anil Saldhana [mailto:Anil.Saldhana@redhat.com] 
Sent: Tuesday, June 17, 2008 9:35 PM
Subject: [security-services] SSTC Meeting Minutes - June 17, 2008 (With Roll Call)

Oasis SSTC Meeting - June 17, 2008

Voting Members
George Fletcher        AOL
Rob Philpott           EMC Corporation
Scott Cantor           Internet2
Nathan Klingenstein    Internet2
Bob Morgan             Internet2
Eric Tiffany           Liberty Alliance Project
Tom Scavo              NCSA
Peter Davis            NeuStar, Inc.
Frederick Hirsch       Nokia Corporation
Srinath Godavarthi     Nortel
Paul Madsen            NTT Corporation
Ari Kermaier           Oracle Corporation
Hal Lockhart           Oracle Corporation
Brian Campbell         Ping Identity Corporation
Anil Saldhana          Red Hat
Eve Maler              Sun Microsystems
Emily Xu               Sun Microsystems
Kent Spaulding         Tripod Technology Group, Inc.

Brett Burley           Veterans Health Administration
Duane DeCouteau        Veterans Health Administration

Quorum achieved (18 out of 22 voting members)

Membership Change: Prateek Mishra - lost voting status

 > 1. Approve minutes from June 3, 2008

APPROVED by unanimous consent.

 > 2. Administrative

No items.

 > 3. Document Status
 > 3.1 Subject-based Profiles for SAML V1.1 Assertions
 > 3.1.1 Public review started recently and ends Aug 12

We are all encouraged to review, and have our peers review, the draft.

 > 3.1.2 Call for disclosure

Please make sure to review the call for disclosure and follow the 

 > 4 Other business

Nate uploaded a draft for SSTC comment:


Scott sent comments already:


Nate has reviewed the comments and finds them useful.

Nate is inclined to change the text to say that authentication requests 
SHOULD NOT be signed.  Scott believes that there's no difference between 
this profile and the original profile regarding signed requests, so is 
not sure why anything should be changed.  Is verifying the key too
Nate asks for the primary use case for signing the request; Scott 
guesses auditing.  The original browser SSO profile doesn't mandate 
encryption of the transport itself; perhaps this profile should do so. 
But several people don't see how this helps; Brian notes that it 
protects the integrity of the content but may alter the behavior of the 
IdP in terms of their authentication assertion issuance, and recalls 
that the SecConsider doc mentions this.

Brian doubts the seriousness of the threat of DoS in this case; Scott 
echoes the doubt.

Nate suggests leaving the text in but adding a note about its lack of 
effectiveness.  Scott would prefer simplifying the profile.  Jeff wants 
to capture the rationale somewhere, if not in this profile.  Scott 
suggests creating a section or appendix specially for this explanation.

Do applications ever treat the key in the subject confirmation as a 
relay state?  This seems unrealistic.

Nate had also made a couple of other changes to the draft, so please 
review and send comments to the list.  He'll edit according to the 
advice noted above.

 > 5 Action Items
 > Report created 17 June 2008 10:03am EDT
 > #0335: Add homepage content to wiki(s) as per
 > Owner: Tom Scavo
 > Status: Open
 > Assigned: 2008-05-30
 > Due: ---

Tom has reviewed Eve's suggestions, but the editing AI is still pending.

 > #0334: SSTC home page cleanup after and linking to content from
 > Owner: Brian Campbell
 > Status: Open
 > Assigned: 2008-05-28
 > Due: ---

This is dependent on Tom's work.  Still open.

Eve notes that the SAML FAQ will need a close look once we're done with 
all this other editing, or maybe as the other edits are being done.

 > #0333: Publish a new revision of Profile for Use of DisplayName in
 > template
 > Owner: Sampo Kellomäki
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---
 > #0332: Revise Query Extension for SAML AuthnReq
 > Owner: Sampo Kellomäki
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---

Both still pending.  (Sampo's not on the call and hasn't sent anything 
to the list.)

 > #0331: Revise Holder-of-Key Web Browser SSO Profile to make X.509 
 > to implement
 > Owner: Nathan Klingenstein
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---
 > #0330: Revise Holder-of-Key Web Browser SSO Profile to make clear 
 > what 'TLS' means, i.e. SSL 3, TLS 1, or TLS 1.1
 > Owner: Nathan Klingenstein
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---
 > #0329: Revise Holder-of-Key Web Browser SSO Profile WRT Authn
 > Owner: Nathan Klingenstein
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---

All three of these are closed as of draft 03.  Draft 04 should be done 
before the next call, unless a large volume of comments come in.

 > #0328: Revise SimpleSign
 > Owner: Jeff Hodges
 > Status: Open
 > Assigned: 2008-05-19
 > Due: ---

Still pending.  Jeff will try to do this before the next call.


Eve brings up an idea to do a "Call for Profile Intentions", so that we 
can plan our SSTC work on something like a quarterly basis, and make 
sure to review profiles in a cohesive (cross-profile) fashion as much as 
possible.  This will help people manage their SSTC participation through 
the summer months, when vacations sometimes make a hash of coordination 
plans.  We should try and conclude this planning exercise within about a 
month.  People seem to think this is a reasonable idea.

AI: Eve to coordinate with Brian to do a Call for Profile Intentions.

Anil Saldhana
Leader, JBoss Security & Identity Management
Red Hat Inc
URL: http://jboss.org/jbosssecurity
BLOG: http://anil-identity.blogspot.com
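The check that the Holder-of-Key Web Browser SSO discussion above turns on (is the key in the subject confirmation actually the key the browser proved possession of at the TLS layer?) is shown here as an added example. It is not code from the SSTC profile drafts, from the minutes, or from either message in this thread. It assumes a relying party that has already validated the assertion's XML signature, that the browser's client certificate is available from the TLS layer as DER bytes, a hypothetical recipient endpoint, a fixed clock, and constructed certificate bytes in place of real X.509 DER; the assertion layout follows the SAML 2.0 holder-of-key confirmation method with a ds:KeyInfo inside SubjectConfirmationData. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
RECIPIENT = "https://sp.example.org/acs"                   # assumed SP endpoint
NOW = datetime(2008, 6, 17, 21, 30, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed stand-ins for DER-encoded X.509 client certificates. In a real SP
# the "presented" one is whatever certificate the TLS layer authenticated.
CLIENT_CERT_DER = b"constructed-der-bytes-of-the-browser-client-certificate"
OTHER_CERT_DER = b"constructed-der-bytes-of-a-different-certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; what we compare instead of the raw certificate."""
    return hashlib.sha256(der).hexdigest()


def build_assertion(cert_der: bytes, not_on_or_after: str) -> str:
    """Constructed holder-of-key assertion (hypothetical issuer and recipient).
    It carries no ds:Signature: assume the envelope signature was already
    verified against the IdP's key before this confirmation step runs."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
        'ID="_a1" Version="2.0" IssueInstant="2008-06-17T21:00:00Z">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.org</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{HOK_METHOD}">'
        f'<saml:SubjectConfirmationData NotOnOrAfter="{not_on_or_after}" '
        f'Recipient="{RECIPIENT}">'
        "<ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo>"
        "</saml:SubjectConfirmationData></saml:SubjectConfirmation>"
        "</saml:Subject></saml:Assertion>"
    )


def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes,
                          recipient: str = RECIPIENT, now: datetime = NOW):
    """Return (ok, reason). ok is True only when some holder-of-key
    SubjectConfirmation names the certificate the client actually presented,
    is addressed to this recipient, and has not expired. NotOnOrAfter is
    optional in the schema; this example deliberately requires it."""
    root = ET.fromstring(assertion_xml)
    presented_fp = fingerprint(presented_cert_der)
    reason = "no holder-of-key SubjectConfirmation"
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer or sender-vouches confirmations prove nothing here
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            reason = "holder-of-key confirmation carries no SubjectConfirmationData"
            continue
        if scd.get("Recipient") != recipient:
            reason = "SubjectConfirmationData addressed to a different Recipient"
            continue
        expiry = scd.get("NotOnOrAfter")
        if expiry is None or now >= datetime.strptime(
                expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
            reason = "SubjectConfirmationData missing NotOnOrAfter or expired"
            continue
        for cert in scd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            # Constant-time compare of fingerprints, not of the raw DER.
            if hmac.compare_digest(fingerprint(der), presented_fp):
                return True, "holder-of-key confirmed"
        reason = "presented client certificate does not match the key in the assertion"
    return False, reason


if __name__ == "__main__":
    good = build_assertion(CLIENT_CERT_DER, "2008-06-17T22:00:00Z")
    print(confirm_holder_of_key(good, CLIENT_CERT_DER))
    print(confirm_holder_of_key(good, OTHER_CERT_DER))
    print(confirm_holder_of_key(build_assertion(CLIENT_CERT_DER, "2008-06-17T21:00:00Z"),
                                CLIENT_CERT_DER))
```

The point the check makes concrete is that the binding lives in the assertion's SubjectConfirmation and the TLS client authentication, not in the AuthnRequest: a signature on the request changes nothing about whether a stolen assertion can be replayed, because the replaying party still cannot present the private key that matches the certificate named in the assertion.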
