Subject: Draft Minutes for Sep 23rd SSTC Conference Call
Minutes for Sep 23rd SSTC Conference Call

Attendance:

Voting Members:
  Rob Philpott          EMC Corporation
  Jeff Hodges           Individual
  Scott Cantor          Internet2
  Eric Tiffany          Liberty Alliance Project
  Tom Scavo             NCSA
  Frederick Hirsch      Nokia Corporation
  Srinath Godavarthi    Nortel
  Paul Madsen           NTT Corporation
  Ari Kermaier          Oracle Corporation
  Hal Lockhart          Oracle Corporation
  Anil Saldhana         Red Hat
  Eve Maler             Sun Microsystems
  Duane DeCouteau       Veterans Health Administration
  David Staggs          Veterans Health Administration

Members:
  Peter Davis           NeuStar, Inc.
  Kent Spaulding        Tripod Technology Group, Inc.
  Emily Xu              Sun Microsystems

Quorum Achieved: 14 out of 20 voting members (70%)

Membership Status Change: Kent Spaulding (Gained Voting Status) and Bob Morgan (Lost Voting Status)

> 1. draft minutes SSTC/SAML concall Tue 9-Sep-2008
> http://lists.oasis-open.org/archives/security-services/200809/msg00042.html

Approved without objection.

> 2. Document Status
>
> 2.1 Subject-based Profiles for SAML V1.1 Assertions
> http://wiki.oasis-open.org/security/SamlSubjectProfiles
>
> Ballot for CS closed September 19
> Appears not to have achieved the necessary 2/3 of voting members

hl: suggests that the ballot be renewed. Do people want to run it longer? Have other ballots been run longer?
hl: don't know.
sc: if you have a 2-week ballot then that makes it hard to assign work items.

Tom Scavo: moves to send document "Subject-based Profiles for SAML V1.1 Assertions" for CS ballot
Eve Maler: seconds
Approved without objection

> 2.2 Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of
> Security Assertion Markup Language (SAML) for Healthcare
> http://lists.oasis-open.org/archives/security-services/200809/msg00025.html

ds: will be used at the HIMSS show; would like to move forward to CD status.
duane: still needs work on the authorization piece, but it is good for
ds: moves to move doc to CD
duane: seconds
ts: haven't had a chance to review since it wasn't uploaded to Kavi until recently.
sc: notes that there seems to be additional clarification needed in the document.
jh: agrees that we should have further review.
hl: cut to the chase: is there any objection to deferring the motion to move the document to CD?
ds: notes that this document has been before the committee for a few months, so it would be great to have a review. This doc is important for other work going forward.
em: suggests that we have a discussion on the call.
hl: are there specific items people are willing to discuss?
sc: yes
hl: added to the end of the call

> 2.3 ENISA report on SAML Authentication Context and IDABC LOA
> http://lists.oasis-open.org/archives/security-services/200809/msg00029.html

hl: what is the doc status? [giles not on call]
et: the approach in the IDABC is to explicitly enumerate the authn methods for each level, while the LOA profile draft simply makes reference to the defining document. Hope to work with giles to reconcile the two approaches.

> 3. Discussion Threads
>
> 3.1 FW: SAML 2.0 and Man in the Middle attacks
> http://lists.oasis-open.org/archives/security-services/200809/msg00020.html

hl: work going on in Belgium. Is there someone on the call familiar with the HOK profile who can engage further? [silence]
hl: notes that the Belgian reqs are similar to existing SAML profiles.
jh: are the email addresses available in the messages? Could respond directly.
hl: don't forget to cc the list.

> 3.2 Flaw identified (and apparently fixed) in Google's SAML implementation
> http://lists.oasis-open.org/archives/security-services/200809/msg00024.html

hl: anything that we should follow up?
sc: no, just that it was the longest paper ever written to show that audience matters.

> 3.3 Re: [security-services] Simple Sign not so simple
> http://lists.oasis-open.org/archives/security-services/200809/msg00027.html

jh: has posted, and received responses from 3 implementers that they take the same approach. Agrees that Sampo's comment was correct, and Jeff has made the changes. Suggests that people should review, and the doc can be rev'd.
ak: is that the only change (clarification of the encoding)?
jh: yes

> 4. Other business

XSPA discussion

sc: how is this related to the Authorization issues? Is this Authorization Decision stuff?
ds: Authz stuff is handled via XACML, so this builds on that. HITSP SPI, Transaction Package 20 covers the authorization. The figure in the document depicts the relationship. Transaction Package 30 is the Privacy piece. This is an attempt to standardize on a certain vocabulary (SNOMED) that describes objects for Access Control decisions. Allows you to describe a rich collection of objects. Have a vocabulary in mind, and then there is the exchange of the attributes. The privacy aspects (purpose of use) are represented in XSPA.
sc: what is the protocol being profiled? Is this a SOAP message request? Is this an assertion profile?
duane: definitely an assertion profile
sc: but the protocol for obtaining the assertion is not defined.
hl: described elsewhere, but probably WS-Trust.
sc: suggests that the protocol should be discussed, and also describe how the attributes are constrained. Will try to write up some comments.
ts: seems that there is an attribute profile.
duane: yes
sc: is there value in the SSTC backing this profile, given there's no connection to the other bits?
ds: doc is pretty generic, and hope to move the document through SSTC as authoritative.
sc: some profiles in SSTC are also pretty specific.
ds: focused on HL7 privacy patient consent codes, other HL7 specs for
ts: if this is XACML under the covers, why isn't the XACML SAML profile adequate?
ds: trying to define this XACML exchange, but it's not proper for a gov agency to specify a specific policy engine. So they are bridging that so that various approaches can be used.
ts: so is the XSPA compatible with the XACML profile, in the same way as the LDAP and attribute profiles can be rolled together?
ds: yes, they have plans for an interop demo to show that these are compatible.
hl: goal is to design approaches that can be used independently, but work when they are used together.

> 5. Action Items (Report created 22 September 2008 09:53pm EDT)
>
> #0328: Revise SimpleSign
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Done

> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS
> template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Open

> #0341: Draft text for SSTC submission to NIST
> Owner: Eric Tiffany
> Status: Open
> Assigned: 2008-08-26
> Due: ---

Open

--
____________________________________________________
Eric Tiffany      | eric@projectliberty.org
Interop Tech Lead | +1 413-458-3743
Liberty Alliance  | +1 413-627-1778 mobile