security-services message

Subject: draft sstc/saml concall minutes Tue 7-Oct-2008 (without attendance)

comments to the list please.


sstc/saml concall minutes Tue Oct  7 09:09:50 PDT 2008

co-chair Brian Campbell (bc) presiding.

Action Item Summary: 

* AI -- Dave Staggs & Duane DeCouteau to revise XSPA SAML Profile doc, 
        ScottC's comments, and re-publish to list. 

> Note: Fixed link to 9/23 minutes and added several items to section 2.
> Proposed Agenda SSTC Conference Call
> October 7, 2008, 12:00pm ET
> Dial in info: +1 215 446 3648
> Access code 270-9441#
> Roll Call & Agenda Review
> Need a volunteer to take minutes

=JeffH (jh) volunteered. 

> 1. Minutes from SSTC/SAML concall September 23, 2008
> http://lists.oasis-open.org/archives/security-services/200809/msg00052.html

duly approved by unanimous consent.

> 2. Document Status
> 2.1 Subject-based Profiles for SAML V1.1 Assertions
> http://wiki.oasis-open.org/security/SamlSubjectProfiles
> New CS ballot set to close end of 10/6 and currently has 74% 'yes'

ballot appears to be successful. 

will do ballot for a CS version after we hear from Mary, yes Tom?

tom scavo (ts): yes

> 2.2 SAML V2.0 Holder-of-Key Assertion Profile (draft 4)
> http://lists.oasis-open.org/archives/security-services/200810/msg00006.html

bc: TS had two questions wrt this item... followup on list or now?

ts: scott brought up the encoding issue, consider this open, this is the most 
important issue at this point.

Scott Cantor (sc): don't know if there's any parts of w3c sec group on this 
call, but tried to relay on the list...seems the w3c folk want to keep it 

[see http://lists.oasis-open.org/archives/security-services/200809/msg00063.htm
and http://lists.oasis-open.org/archives/security-services/200810/msg00001.html]

bc: tend to agree with you that we should leave this unspec'd

sc: not that concerned about it, the w3c folk think it shd remain unspec'd, we 
need to remember to profile this down in any future spec that touches on this

hl: thought it was unambiguously defined by algorithm identifiers..

sc: no, this is cert encoding -- so they left it as-is because there are other 
cert encodings folks might want to use, but aren't in practice, but....

bc: ok, so this remains open for further discussion...

ts: so we'll leave this open for further comment

> 2.3 Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of
> SAML for Healthcare
> http://lists.oasis-open.org/archives/security-services/200809/msg00062.html

bc: scott supplied longish comments, but no followups as yet

ds: got great comments from scott, detailed ones, don't want to change draft 
just yet, want to let folks think about making it a CD and then rolling in 
the comments

fyi, actually parts of this profile were demonstrated in London last week 
under the covers in XACML context. have folks digested it enough to make it a 
CD at this point.

bc: think we probably want to roll changes and such into it before going to CD

sc: agree, going to CD then gets more formal

ds: ok, that makes sense to me, will take an AI to incorp Scott's comments, put 
it back on list and get more comments.

> 2.4 SAML V2.0 Holder-of-Key Web Browser SSO Profile

bc: NateK not here today, so this is a reminder for folks to review, any 
further comments?


> 2.5 SAML V2.0 Information Card Token Profile

bc: john bradley (jb)? comments on this item?

jb: IMI TC <http://oasis-open.org/committees/imi/> had its first meeting in 
London, discussed samlv2 infocard token profile..


..decided it would be in scope for TC were there demand, so IMI will work with 
SSTC, will take it if it wants to be contribed to IMI tc, init profile from 
microsoft has only SAML 1.1 personal card, there are no managed cards at 
moment, (folks scratch head), so there may be desire for a samlv1.1 managed 
card profile. so the IMI TC is up and going now, so we can figure out how we 
want to move that work forward

Hal Lockhart (hl): personally would like to see that profile go forward in the 

jb: will have to work with jamie on how to do that..

hl: is simple, authors just submit it to the other TC, and if they have any 
issues with that, then it gets more complex -- as long as TC/ipr processes are 
followed and work is in scope than can proceed -- ie sub to other TC is act of 

sc: don't care real strongly which tc takes up the doc

jb: sentiment was that there ought to be a samlv2 token profile, just a matter 
of figuring out who/how it will get done

bc: so just need some offline conv btwn you scott on how to contrib spec draft?

jb: yep

> 2.6 SAML V2.0 Metadata Interoperability Profile

sc: reviewed most of responses, will edit & republish

> 2.7 Level of Assurance Authentication Context Profiles for SAML 2.0

bc: this intersects with work of Giles from a few meetings ago

Eric Tiffany (et): 3 things: first, there's the LOA profile doc still out 
there, not much change needs to be done to it to move it forward, 2nd thing is 
Giles doc, that's much different approach, haven't gotten disc w/Giles as yet 
wrt a simpler approach, [then there's an enigma document at ITU ?], 3d then I 
need to make some changes to a doc, just sent it to the list, going to be 
offline for two weeks, hopefully there'll be productive comments on it while 
I'm away

Paul Madsen (pm): i could take over in interim

et: sure, should be voted on in some fashion by TC, then sent to NIST eg by TC 
chairs, then some folks might want to jump on coattails, hipsi/NZ/Denmark etc 
-- there may need to be a bit of corralling folks to keep them in loop

pm: ok i can contact you offline on that. 

> 3.  Discussion Threads
> 3.1 SAML Cook Book
> http://lists.oasis-open.org/archives/security-services/200809/msg00057.html

pm: started to collect content on saml.xml.org wiki, pulled info from tech 
overview; collecting config data would be a good thing; SC thot that putting 
that sort of stuff upon wiki might be problematic

bc: do you mean prop prod config info? or metadata?

pm: eg how do you config prod X to work with prod Y; some of this info is 
collected by liberty in conformance program, supplied by vendors, might not be 

George Fletcher (gf): well, we could just link to such info; or keep it 
generic and add best practices

pm: see that as distinct from the two classes already have there;  does saml 
best practices exist somewhere?

sc: got electrodes handy to hook up to everyones brains?

my concerns are answered in the thread...

if you want to outline what you want to provide material for, we 
(shibb/opensaml) could flesh that out and maintain our stuff ourselves, e.g. 
template outlining topics, we've written some howtos, we haven't had time to 
brainstorm others we might want to write, but you could stim ideas...

pm: interested in your howtos, just need a link from folks who want to provide 

> 3.2 OAuth as a potential HTTP server-to-server binding for SAML
> http://lists.oasis-open.org/archives/security-services/200809/msg00056.html

bc: lengthy msg w/ no followup

gf: i sent msg, but took silence as no interest

sc: am interested, but only in last week have had time to look at it; will 
post questions on list; one of concerns is that it isn't clear that oauth spec 
can make things separable...

gf: key that looking at it, is svr-to-svr msgs that aren't ident-bound, eg 
manageId calls, in oauth spec just signing that with consumers secret and 
spec'g consumerid....

sc: not sure comfortable spec'g a binding to oauth spec

gf: this two-legged flow is intended to be supported in a v2 spec

sc: it isn't easy to normatively ref into the spec the way spec is written; 
its not that i'm thinking it can't be done

jb: eran is about to release a bunch of changes to that spec if we can get 
that comment to him maybe he can incorp it

gf: what would make it easier

sc: if the conveyance stuff is sep from message construct....

jh: agree, not clean to build other specs "on top of" oauth

gf: ok, will convey back to oauth folks eg eran

rlbob: there will be bof on oauth at ietf, sep'g convey from msg const will be 
a topic

jh: you'll convey back on the public oauth list, yes?

gf: yes, and you guys can followup if i mess up

> 4. Other business

jh: have saml logo, done pro-bono by graphic artist, will post to saml.xml.org 
wiki and announce to list

> 5. Action Items (Report created 06 October 2008 02:57pm EDT)
> #0341: Draft text for SSTC submission to NIST
> Owner: Eric Tiffany
> Status: Open
> Assigned: 2008-08-26
> Due: 2008-10-07

bc: everyone read and resp to his latest msg

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS
> template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: --

open (sampo not here)

> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

open (sampo not here)
