security-services message

Subject: Draft Minutes for Sep 23rd SSTC Conference Call

Minutes for Sep 23rd SSTC Conference Call


Voting Members:
Rob Philpott            EMC Corporation
Jeff Hodges             Individual
Scott Cantor            Internet2
Eric Tiffany            Liberty Alliance Project
Tom Scavo               NCSA
Frederick Hirsch        Nokia Corporation
Srinath Godavarthi      Nortel
Paul Madsen             NTT Corporation
Ari Kermaier            Oracle Corporation
Hal Lockhart            Oracle Corporation
Anil Saldhana           Red Hat
Eve Maler               Sun Microsystems
Duane DeCouteau         Veterans Health Administration
David Staggs            Veterans Health Administration

Peter Davis             NeuStar, Inc.
Kent Spaulding          Tripod Technology Group, Inc.
Emily Xu                Sun Microsystems

Quorum Achieved:
14 out of 20 voting members (70%)

Membership Status Change:
Kent Spaulding (Gained Voting Status) and Bob Morgan (Lost Voting Status)

> 1. draft minutes SSTC/SAML concall Tue 9-Sep-2008
> http://lists.oasis-open.org/archives/security-services/200809/msg00042.html

Approved without objection.

> 2. Document Status
> 2.1 Subject-based Profiles for SAML V1.1 Assertions
> http://wiki.oasis-open.org/security/SamlSubjectProfiles
> Ballot for CS closed September 19
> Appears not to have achieved the necessary 2/3 of voting members

hl: suggests that ballot be renewed.  Do people want to run longer?

Have other ballots been run longer?

hl: don't know.

sc: if you have a 2 week ballot then that makes it hard to assign work items

Tom Scavo: moves to send document "Subject-based Profiles for SAML V1.1
Assertions" for CS ballot

Eve Maler: seconds

Approved without objection

> 2.2 Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of
> Security Assertion Markup Language (SAML) for Healthcare
> http://lists.oasis-open.org/archives/security-services/200809/msg00025.html

ds: will be used at the HIMSS show, would like to move forward to CD status

duane: still needs work on authorization piece, but it is good for

ds: moves to move doc to CD

duane: seconds

ts: haven't had a chance to review since it wasn't uploaded to kavi until

sc: notes that there seems to be additional clarification needed in the

jh: agrees that we should have further review

hl: cut to the chase: is there any objection to deferring the motion to move
the document to CD?

ds: notes that this document has been before the committee for a few months,
so it would be great to have a review.  This doc is important for other work
going forward.

em: suggest that we have a discussion on call

hl: are there specific items people are willing to discuss?

sc: yes

hl: added to the end of the call

> 2.3 ENISA report on SAML Authentication Context and IDABC LOA
> http://lists.oasis-open.org/archives/security-services/200809/msg00029.html

hl: what is the doc status [giles not on call]

et: the approach in the IDABC is to explicitly enumerate the authn methods
for each level, while the LOA profile draft simply makes reference to the
defining document.  Hope to work with Giles to reconcile the two approaches.

> 3.  Discussion Threads
> 3.1 FW: SAML 2.0 and Man in the Middle attacks
> http://lists.oasis-open.org/archives/security-services/200809/msg00020.html

hl: work going on in Belgium.  Is there someone on the call familiar with
HOK profile that can engage further?


hl: notes that the Belgian reqs are similar to existing SAML profiles

jh: are the email addresses available in the messages?  Could respond

hl: don't forget to cc the list

> 3.2 Flaw identified (and apparently fixed) in Google's SAML implementation
> http://lists.oasis-open.org/archives/security-services/200809/msg00024.html

hl: anything that we should follow up?

sc: no, just that it was the longest paper ever written to show that
audience matters

> 3.3 Re: [security-services] Simple Sign not so simple
> http://lists.oasis-open.org/archives/security-services/200809/msg00027.html

jh: has posted, and received responses from 3 implementers that they take
the same approach.  Agrees that Sampo's comment was correct, and Jeff has
made the changes.  Suggests that people should review, and the doc can be revised

ak: is that the only change (the clarification of the encoding)?

jh: yes

> 4. Other business

XSPA discussion

sc: how is this related to the Authorization issues? Is this Authorization
Decision stuff?

ds: Authz stuff is handled via XACML, so this builds on that.  HITSP SPI,
Transaction Package 20 covers the authorization.  Figure in document depicts
the relationship.  Transaction Package 30 is the Privacy piece.  This is an
attempt to standardize on a certain vocabulary (SNOMED) that describes
objects for Access Control decision.  Allows you to describe a rich
collection of objects.

Have vocabulary in mind, and then there is the exchange of the attributes.
The privacy aspects (purpose of use) are represented in XSPA

sc: what is the protocol being profiled? Is this a SOAP message request?  Is
this an assertion profile.

duane: definitely an assertion profile

sc: but the protocol for obtaining the assertion is not defined

hl: described elsewhere, but probably WS-Trust

sc: suggests that the protocol should be discussed, also describe how the
attributes are constrained.  Will try to write up some comments.

ts: seems that there is an attribute profile.

duane: yes

sc: is there value of the SSTC backing this profile, given there's no
connection to the other bits?

ds: doc is pretty generic, and hope to move the document through SSTC as

sc: some profiles in SSTC are also pretty specific.

ds: focused on HL7 privacy patient consent codes, other HL7 specs for

ts: if this is XACML under the covers, why isn't the XACML SAML profile

ds: trying to define this XACML exchange, but it's not proper for a gov
agency to specify a specific policy engine.  So they are bridging that so
that various approaches can be used.

ts: so is the XSPA compatible with the XACML profile, in the same way as the
LDAP and attribute profiles can be rolled together?

ds: yes, they have plans for an interop demo to show that these are

hl: goal is to design approaches that can be used independently, but work
when they are used together.

> 5. Action Items (Report created 22 September 2008 09:53pm EDT)
> #0328: Revise SimpleSign
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2008-05-19
> Due: ---

> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS
> template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

> #0341: Draft text for SSTC submission to NIST
> Owner: Eric Tiffany
> Status: Open
> Assigned: 2008-08-26
> Due: ---


Eric  Tiffany             |  eric@projectliberty.org
Interop Tech  Lead        |  +1 413-458-3743
Liberty Alliance          |  +1 413-627-1778 mobile