security-services message

Subject: Minutes Aug 12 SSTC Conference Call

On Mon, Aug 11, 2008 at 9:50 PM, Hal Lockhart <hal.lockhart@oracle.com> wrote:
> Proposed Agenda SSTC Conference Call
> August 12, 2008, 12:00pm ET
> Dial in info: +1 215 446 3648
> Access code 270-9441#
> Roll Call & Agenda Review

Anil Saldhana has formally applied for leave of absence from August
6th to August 27th.  Brian Campbell will substitute for Anil today.

Voting Members Present
George Fletcher      AOL*
Rob Philpott         EMC Corporation
Scott Cantor         Internet2
Nathan Klingenstein  Internet2
Eric Tiffany         Liberty Alliance Project
Tom Scavo            National Center for Supercomputing...
Frederick Hirsch     Nokia Corporation*
Srinath Godavarthi   Nortel
Paul Madsen          NTT Corporation*
Hal Lockhart         Oracle Corporation
Brian Campbell       Ping Identity Corporation*
Eve Maler            Sun Microsystems
Emily Xu             Sun Microsystems
David Staggs         Veterans Health Administration
John Bradley         Individual

Members Present
Peter Davis          NeuStar, Inc.*
Kent Spaulding       Tripod Technology Group, Inc.
Duane DeCouteau      Veterans Health Administration

Brian Campbell

> Need a volunteer to take minutes

Tom Scavo volunteered to take minutes.

> 1. Approve minutes from July 1, 2008
> http://lists.oasis-open.org/archives/security-services/200807/msg00029.html
>   Approve minutes from July 15, 2008
> http://lists.oasis-open.org/archives/security-services/200807/msg00032.html

Both sets of minutes unanimously approved as given.

> 2. Document Status
> 2.1 Subject-based Profiles for SAML V1.1 Assertions:  Public review ends Aug
> 12

Public review ends today.  No comments have been received thus far.

> 2.2 Holder of Key Browser SSO Profile Draft-05 was posted
> http://lists.oasis-open.org/archives/security-services/200808/msg00001.html

This draft addresses recent comments made in the mailing list. Most
significantly, a "Use of Metadata" section has been added.  Basically,
the draft proposes to overload the Binding attribute on the
SingleSignOnService and AssertionConsumerService elements to indicate
the desired profile.  A future version will specify how to convey
keying preferences in one or both of metadata and AuthnRequest.

Comments re draft-05 have been submitted:


> 2.3 SAML2 Holder-of-Key Subject Confirmation Profile was posted
> http://lists.oasis-open.org/archives/security-services/200808/msg00021.html

Tom gives the following introduction to this profile:


Eve wonders if this is really an "Assertion Profile" (a term
previously proposed by Jeff Hodges)?  Nate wonders if metadata should
be rolled into this profile.

> 2.4 SAML V2.0 Metadata Interoperability Profile was posted
> http://lists.oasis-open.org/archives/security-services/200808/msg00029.html

This profile outlines a common set of considerations across
deployments that leverage metadata.  The experience gleaned from a
number of solution providers gave rise to this profile, which allows
greater scalability and interfederation.  There is overlap with this
profile and the Subject Confirmation Profile because of use of

Hal asks if some of these concepts or profiles that have been
submitted recently can be combined.  It's probably best to do things
once in one place.

Scott notes that interoperability is limited by the use of
<ds:KeyInfo>, which is the key element in this profile.  In that
sense, yes, it would be beneficial to derive a common set of
requirements around the <ds:KeyInfo>.

Eric reports that some interoperability experience regarding
<ds:KeyInfo> might be forthcoming.

> 3.  Discussion Threads
> 3.1 NIST 800-63 draft doc refs related to assertions and Level 4
> http://lists.oasis-open.org/archives/security-services/200807/msg00031.html

Eric provided the above summary.  Bob posted a summary of a related
discussion he had with Tim Polk (NIST):


Hal notes two issues:

1. NIST's definition of "assertion" needs some work
2. From Bob's comments, the Holder-of-Key Browser SSO Profile might be
relevant (i.e., it may be used as a basis for redefining "assertion")

What's the best way to proceed?  Sounds like someone from SSTC needs
to prepare some text to submit to NIST.  Eric's text is a good start.
Eric will write something up.  Scott and/or Nate will provide
technical assistance, if needed.

> 3.2 Overloading Endpoints
> http://lists.oasis-open.org/archives/security-services/200807/msg00033.html

Scott notes the following issues: 1) how do we extend metadata, and 2)
do we overload endpoints or provide separate endpoints?  Extensions are
optional, so an entity that doesn't know about the extension will not
be aware that an endpoint is overloaded (which may lead to problems).

As an example of an overloaded endpoint, consider ordinary Browser SSO
and Holder-of-Key Browser SSO.  Such an endpoint works fine for an SP
looking for a Holder-of-Key Browser SSO endpoint, but the same
endpoint doesn't work so well for an SP looking for ordinary Browser
SSO.  This could lead to some difficulties, especially for the browser

In general, a metadata profile shouldn't force deployers to run a new
profile at an existing endpoint, but this should be allowed at least.

There are three ways to extend metadata: 1) the Extensions element, 2)
add an XML attribute to an existing endpoint (like Nate proposed in
the Holder-of-Key Browser SSO Profile), or 3) define a new role (e.g.,
by extending an existing role or defining a new RoleDescriptorType).

Hal suggested something more detailed could be written in the wiki about
extending metadata.

> 3.3 Request for clarification regarding simple-sign spec
> http://lists.oasis-open.org/archives/security-services/200807/msg00039.html

Scott answered George's question but this didn't really solve his
problem.  The basic problem is the use of HTTP as a synchronous
binding mechanism.  If using SOAP, the issue of Destination doesn't
come up.

REMARK: A point-to-point HTTP binding might be useful if one wanted to
avoid full XML signature. Hal suggests George should document this in
a separate profile (i.e., the use of HTTP point-to-point binding in
conjunction with SimpleSign).  George may follow up on this, which is
as easy as sending e-mail to the list.

> 3.4 SLO behavior with MNI
> http://lists.oasis-open.org/archives/security-services/200807/msg00041.html

Scott replied to Ari's query; nobody disagreed.  Ari is not on the
call to comment further.  Open question: Does Ari think errata is

> 3.5 comments re draft-sstc-saml2-infocard-01
> http://lists.oasis-open.org/archives/security-services/200808/msg00003.html

Scott very recently uploaded a new draft of this profile:


Please feel free to comment further on the mailing list.

By the way, a new version of the Identity Selector Interoperability
Profile has been released.  This will have to be referenced ultimately
in draft-sstc-saml2-infocard.

> 3.6 Proposal made to WSFED TC involving SAML metadata
> http://lists.oasis-open.org/archives/security-services/200808/msg00005.html

Eve submitted this proposal and asks that people take a look at it.
The WSFED TC may profile SAML metadata to use in WSFED.  The proposal
does not use all of the SAML metadata specification, but it is

Scott described the three ways to extend metadata (above) to Don
Schmidt (WSFED).  They may define a new RoleDescriptorType with new
EndpointTypes.  Is this the best and/or easiest approach?  This is
still an open issue.

Two issues have come up in the WSFED TC: 1) there is some messy text
in the metadata specification that requires errata, 2) the WSFED TC
wonders if the SAML TC is amenable to the emerging WSFED metadata

Hal asks that TC members look at this proposal.  Don Schmidt (WSFED)
may be invited to a subsequent SSTC call to discuss the proposal.

Emily notes the WSFED TC is proposing a new attribute that identifies
the relevant circle-of-trust (i.e., federation).

> 3.7 comments re sstc-saml-holder-of-key-browser-sso-draft-05
> http://lists.oasis-open.org/archives/security-services/200808/msg00013.html

Tom made some comments on the list:


Nate hasn't yet responded to these comments.  All further comments
should be sent to the mailing list.

> 4. Other business

David Staggs will submit a new version of the "Cross-Enterprise
Security and Privacy Authorization (XSPA) Profile of Security
Assertion Markup Language (SAML)".  Hal suggests that David simply
submit the profile to the mailing list (instead of initiating an
action item) and then update the wiki.

> 5. Action Items (report created 11 August 2008 09:47pm EDT)
> #0328: Revise SimpleSign
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2008-05-19
> Due: ---

still open

> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

still open (chairs will try to contact Sampo)

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

still open (chairs will try to contact Sampo)

> #0334: SSTC home page cleanup after and linking to content from AI#335
> Owner: Brian Campbell
> Status: Open
> Assigned: 2008-05-28
> Due: ---

still open

> #0337: Organize Profile Intentions Wiki
> Owner: Eve Maler
> Status: Open
> Assigned: 2008-07-08
> Due: 2008-07-15


> #0338: Circulate Infocard Profile for review
> Owner: Eve Maler
> Status: Open
> Assigned: 2008-07-08
> Due: ---


> #0340: Circulate Infocard Profile for review
> Owner: John Bradley
> Status: Open
> Assigned: 2008-07-08
> Due: ---


> Hal

The next SSTC concall is scheduled for 26 Aug 2008.

Respectfully submitted,

Tom Scavo
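The discussion of overloaded endpoints (item 3.2) and the three ways of extending SAML metadata is easier to follow with a concrete consumer in hand. The following Python is an added example, not code from the minutes, the SSTC or any of the drafts named above. The metadata document is constructed for the example; the `hok` namespace, its `profile` attribute, the `HypotheticalHoKDescriptor` type and the `HoKService` element are hypothetical placeholders standing in for whatever a profile would actually define. The standard `md:` metadata namespace, `md:Extensions`, `md:RoleDescriptor` with `xsi:type`, and the HTTP-Redirect and HTTP-POST binding URIs are real SAML V2.0 identifiers.

```python
"""Added example: how the three metadata extension mechanisms from the call
look to an SP that does, and does not, understand the extension.  The
metadata below is constructed; everything in the 'hok' namespace is a
hypothetical placeholder, not an identifier from any SSTC draft."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "hok": "urn:example:hypothetical:hok-extension",  # placeholder namespace
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample metadata exercising all three extension mechanisms.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:xsi="{NS['xsi']}" xmlns:hok="{NS['hok']}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <!-- (1) Extensions element: opaque to consumers that ignore it -->
    <md:Extensions>
      <hok:Note>placeholder extension content</hok:Note>
    </md:Extensions>
    <!-- ordinary Browser SSO endpoint -->
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.org/sso/redirect"/>
    <!-- (2) overloaded endpoint: a hypothetical extension attribute
         marks it as expecting the Holder-of-Key profile -->
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.org/sso/hok"
        hok:profile="holder-of-key"/>
  </md:IDPSSODescriptor>
  <!-- (3) a new role type: consumers skip an xsi:type they do not know -->
  <md:RoleDescriptor xsi:type="hok:HypotheticalHoKDescriptor"
      protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <hok:HoKService Binding="{HTTP_POST}"
        Location="https://idp.example.org/sso/hok-role"/>
  </md:RoleDescriptor>
</md:EntityDescriptor>
"""


def sso_endpoints(metadata_xml, understands_extension=False):
    """Return (Binding, Location) pairs an SP would treat as usable for
    ordinary Browser SSO.  An SP unaware of the extension attribute cannot
    tell the overloaded endpoint apart from a plain one, which is exactly
    the problem raised on the call."""
    root = ET.fromstring(metadata_xml)
    usable = []
    for ep in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        overloaded = ep.get(f"{{{NS['hok']}}}profile") is not None
        if understands_extension and overloaded:
            continue  # SP knows this endpoint expects a different profile
        usable.append((ep.get("Binding"), ep.get("Location")))
    return usable


def known_roles(metadata_xml, known_types=frozenset()):
    """Role elements a consumer will process.  Concrete md:*Descriptor
    elements are always recognised; a generic md:RoleDescriptor is used
    only when its xsi:type is in known_types, otherwise it is skipped.
    A new role type therefore never misleads an unaware consumer."""
    root = ET.fromstring(metadata_xml)
    roles = []
    for child in root:
        if child.tag == f"{{{NS['md']}}}RoleDescriptor":
            xsi_type = child.get(f"{{{NS['xsi']}}}type")
            if xsi_type in known_types:
                roles.append(xsi_type)
        elif child.tag.endswith("Descriptor"):
            roles.append(child.tag.split("}")[1])
    return roles


if __name__ == "__main__":
    print("unaware SP sees:", sso_endpoints(SAMPLE_METADATA))
    print("aware SP sees:  ", sso_endpoints(SAMPLE_METADATA, True))
    print("roles (unaware):", known_roles(SAMPLE_METADATA))
    print("roles (aware):  ",
          known_roles(SAMPLE_METADATA, {"hok:HypotheticalHoKDescriptor"}))
```

Running it shows the asymmetry the minutes describe: the unaware SP lists both SingleSignOnService endpoints as ordinary Browser SSO endpoints and may send a plain AuthnRequest to the Holder-of-Key one, whereas the RoleDescriptor-based approach is invisible to an unaware SP until it learns the new type, so it cannot be misused by accident.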
