
Subject: Resend - Oasis SSTC Meeting Minutes (Oct 7, 2008)


sstc/saml concall minutes Tue Oct 7 09:09:50 PDT 2008

co-chair Brian Campbell (bc) presiding.

Action Item Summary:

* AI -- Dave Staggs & Duane DeCouteau to revise XSPA SAML Profile doc,
ScottC's comments, and re-publish to list.

> > Note: Fixed link to 9/23 minutes and added several items to section 2.
> >
> > Proposed Agenda SSTC Conference Call
> > October 7, 2008, 12:00pm ET
> >
> > Dial in info: +1 215 446 3648
> > Access code 270-9441#
> >
> > Roll Call & Agenda Review
Roll call:
Voting Members:
Brian  Campbell   Ping Identity
Scott Cantor    Internet2
Jeff  Hodges    Individual
Ari Kermaier    Oracle
Hal Lockhart    BEA Systems, Inc
Paul Madsen   NTT Corporation
Frederick Hirsch Nokia
Tom  Scavo  NCSA 
David  Staggs  Veteran's Health Admin
Eric Tiffany  Liberty Alliance Project
George Fletcher    AOL
Srinath Godavarthi    Nortel 
John Bradley    Individual  
Duane DeCouteau     Veteran's Health Admin
Anil  Saldhana    Red Hat
Brett Burley    Veteran's Health Admin
Kent Spaulding    Tripod Technology Group

Bob Morgan    Internet2
Emily Xu    Sun Microsystems
Peter Davis    NeuStar   
Quorum Reached: 17 out of 20 Voting Members
Membership Status Changes:  Gained Voting Status (Emily Xu and Peter 
Davis). Lost Voting Status (Nate Klingenstein)      
> >
> > Need a volunteer to take minutes

=JeffH (jh) volunteered.

> > 1. Minutes from SSTC/SAML concall September 23, 2008
> > 
> http://lists.oasis-open.org/archives/security-services/200809/msg00052.html 

duly approved by unanimous consent.

> > 2. Document Status
> >
> > 2.1 Subject-based Profiles for SAML V1.1 Assertions
> > http://wiki.oasis-open.org/security/SamlSubjectProfiles
> > New CS ballot set to close end of 10/6 and currently has 74% 'yes'

ballot appears to be successful.

will do ballot for a CS version after we hear from Mary, yes Tom?

tom scavo (ts): yes

> > 2.2 SAML V2.0 Holder-of-Key Assertion Profile (draft 4)
> > 
> http://lists.oasis-open.org/archives/security-services/200810/msg00006.html 

bc: TS had two questions wrt this item... followup on list or now?

ts: scott brought up the encoding issue, consider this open, this is the 
important issue at this point.

Scott Cantor (sc): don't know if there's any parts of w3c sec group on this
call, but tried to relay on the list...seems the w3c folk want to keep it


bc: tend to agree with you that we should leave this unspec'd

sc: not that concerned about it, the w3c folk think it shd remain 
unspec'd, we
need to remember to profile this down in any future spec that touches on 

hl: thought it was unambiguously defined by algorithm identifiers..

sc: no, this is cert encoding -- so they left it as-is because there are 
cert encodings folks might want to use, but aren't in practice, but....

bc: ok, so this remains open for further discussion...

ts: so we'll leave this open for further comment

> > 2.3 Cross-Enterprise Security and Privacy Authorization (XSPA) 
> Profile of
> > SAML for Healthcare
> > 
> http://lists.oasis-open.org/archives/security-services/200809/msg00062.html 

bc: scott supplied longish comments, but no followups as yet

ds: got great comments from scott, detailed ones, don't want to change 
just yet, want to let folks think about making it a CD and then rolling in
the comments

fyi, actually parts of this profile were demonstrated in London last week
under the covers in XACML context. have folks digested it enough to make 
it a
CD at this point.

bc: think we probably want to roll changes and such into it before going 
to CD

sc: agree, going to CD then gets more formal

ds: ok, that makes sense to me, will take an AI to incorp Scott's 
comments, put
it back on list and get more comments.

> > 2.4 SAML V2.0 Holder-of-Key Web Browser SSO Profile

bc: NateK not here today, so this is a reminder for folks to review, any
further comments?


> > 2.5 SAML V2.0 Information Card Token Profile

bc: john bradley (jb)? comments on this item?

jb: IMI TC <http://oasis-open.org/committees/imi/> had its first meeting in
London, discussed samlv2 infocard token profile..



..decided it would be in scope for TC were there demand, so IMI will 
work with
SSTC, will take it if it wants to be contributed to IMI tc, init profile from
microsoft has only SAML 1.1 personal card, there are no managed cards at
moment, (folks scratch head), so there may be desire for a samlv1.1 managed
card profile. so the IMI TC is up and going now, so we can figure out 
how we
want to move that work forward

Hal Lockhart (hl): personally would like to see that profile go forward 
in the

jb: will have to work with jamie on how to do that..

hl: is simple, authors just submit it to the other TC, and if they have any
issues with that, then it gets more complex -- as long as TC/ipr 
processes are
followed and work is in scope than can proceed -- ie sub to other TC is 
act of

sc: don't care real strongly which tc takes up the doc

jb: sentiment was that there ought to be a samlv2 token profile, just a 
of figuring out who/how it will get done

bc: so just need some offline conv btwn you scott on how to contrib spec 

jb: yep

> > 2.6 SAML V2.0 Metadata Interoperability Profile

sc: reviewed most of responses, will edit & republish

> > 2.7 Level of Assurance Authentication Context Profiles for SAML 2.0

bc: this intersects with work of Giles from a few meetings ago

Eric Tiffany (et): 3 things: first, there's the LOA profile doc still out
there, not much change needs to be done to it to move it forward, 2nd 
thing is
Giles doc, that's much different approach, haven't gotten disc w/Giles 
as yet
wrt a simpler approach, [then there's an enigma document at ITU ?], 3d 
then I
need to make some changes to a doc, just sent it to the list, going to be
offline for two weeks, hopefully there'll be productive comments on it 
I'm away

Paul Madsen (pm): i could take over in interim

et: sure, should be voted on in some fashion by TC, then sent to NIST eg 
by TC
chairs, then some folks might want to jump on coattails, 
hipsi/NZ/Denmark etc
-- there may need to be a bit of corralling folks to keep them in loop

pm: ok i can contact you offline on that.

> > 3. Discussion Threads
> >
> > 3.1 SAML Cook Book
> > 
> http://lists.oasis-open.org/archives/security-services/200809/msg00057.html 

pm: started to collect content on saml.xml.org wiki, pulled info from tech
overview; collecting config data would be a good thing; SC thought that 
that sort of stuff upon wiki might be problematic

bc: do you mean prop prod config info? or metadata?

pm: eg how do you config prod X to work with prod Y; some of this info is
collected by liberty in conformance program, supplied by vendors, might 
not be

George Fletcher (gf): well, we could just link to such info; or keep it
generic and add best practices

pm: see that as distinct from the two classes already have there; does saml
best practices exist somewhere?

sc: got electrodes handy to hook up to everyones brains?

my concerns are answered in the thread...

if you want to outline what you want to provide material for, we
(shibb/opensaml) could flesh that out and maintain our stuff ourselves, 
template outlining topics, we've written some howtos, we haven't had 
time to
brainstorm others we might want to write, but you could stim ideas...

pm: interested in your howtos, just need a link from folks who want to 

> > 3.2 OAuth as a potential HTTP server-to-server binding for SAML
> > 
> http://lists.oasis-open.org/archives/security-services/200809/msg00056.html 

bc: lengthy msg w/ no followup

gf: i sent msg, but took silence as no interest

sc: am interested, but only in last week have had time to look at it; will
post questions on list; one of concerns is that it isn't clear that 
oauth spec
can make things separable...

gf: key that looking at it, is svr-to-svr msgs that aren't ident-bound, eg
manageId calls, in oauth spec just signing that with consumers secret and
spec'g consumerid....

sc: not sure comfortable spec'g a binding to oauth spec

gf: this two-legged flow is intended to be supported in a v2 spec

sc: it isn't easy to normatively ref into the spec the way spec is written;
its not that i'm thinking it can't be done

jb: eran is about to release a bunch of changes to that spec if we can get
that comment to him maybe he can incorp it

gf: what would make it easier

sc: if the conveyance stuff is sep from message construct....

jh: agree, not clean to build other specs "on top of" oauth

gf: ok, will convey back to oauth folks eg eran

rlbob: there will be bof on oauth at ietf, sep'g convey from msg const 
will be
a topic

jh: you'll convey back on the public oauth list, yes?

gf: yes, and you guys can followup if i mess up

> > 4. Other business

jh: have saml logo, done pro-bono by graphic artist, will post to 
wiki and announce to list

> > 5. Action Items (Report created 06 October 2008 02:57pm EDT)
> >
> > #0341: Draft text for SSTC submission to NIST
> > Owner: Eric Tiffany
> > Status: Open
> > Assigned: 2008-08-26
> > Due: 2008-10-07

bc: everyone read and resp to his latest msg

> > #0333: Publish a new revision of Profile for Use of DisplayName in 
> > template
> > Owner: Sampo Kellomäki
> > Status: Open
> > Assigned: 2008-05-19
> > Due: --

open (sampo not here)

> > #0332: Revise Query Extension for SAML AuthnReq
> > Owner: Sampo Kellomäki
> > Status: Open
> > Assigned: 2008-05-19
> > Due: ---

open (sampo not here)
