Subject: Resend - Oasis SSTC Meeting Minutes (Oct 7, 2008)
============================================================================
sstc/saml concall minutes
Tue Oct 7 09:09:50 PDT 2008
----------------------------------------------------------------------------

co-chair Brian Campbell (bc) presiding.

-------------------
Action Item Summary:

* AI -- Dave Staggs & Duane DeCouteau to revise XSPA SAML Profile doc,
  incorp'g ScottC's comments, and re-publish to list.

> Note: Fixed link to 9/23 minutes and added several items to section 2.
>
> Proposed Agenda SSTC Conference Call
> October 7, 2008, 12:00pm ET
>
> Dial in info: +1 215 446 3648
> Access code 270-9441#
>
> Roll Call & Agenda Review

Roll call:
========

Voting Members:
  Brian Campbell         Ping Identity
  Scott Cantor           Internet2
  Jeff Hodges            Individual
  Ari Kermaier           Oracle
  Hal Lockhart           BEA Systems, Inc
  Paul Madsen            NTT Corporation
  Frederick Hirsch       Nokia
  Tom Scavo              NCSA
  David Staggs           Veteran's Health Admin
  Eric Tiffany           Liberty Alliance Project
  George Fletcher        AOL
  Srinath Godavarthi     Nortel
  John Bradley           Individual
  Duane DeCouteau        Veteran's Health Admin
  Anil Saldhana          Red Hat
  Brett Burley           Veteran's Health Admin
  Kent Spaulding         Tripod Technology Group

Members:
  Bob Morgan             Internet2
  Emily Xu               Sun Microsystems
  Peter Davis            NeuStar

Quorum Reached: 17 out of 20 Voting Members

Membership Status Changes:
  Gained Voting Status (Emily Xu and Peter Davis).
  Lost Voting Status (Nate Klingenstein)

> Need a volunteer to take minutes

=JeffH (jh) volunteered.

> 1. Minutes from SSTC/SAML concall September 23, 2008
> http://lists.oasis-open.org/archives/security-services/200809/msg00052.html

duly approved by unanimous consent.

> 2. Document Status
>
> 2.1 Subject-based Profiles for SAML V1.1 Assertions
> http://wiki.oasis-open.org/security/SamlSubjectProfiles
> New CS ballot set to close end of 10/6 and currently has 74% 'yes'

ballot appears to be successful. will do ballot for a CS version after we hear from Mary, yes Tom?

tom scavo (ts): yes

> 2.2 SAML V2.0 Holder-of-Key Assertion Profile (draft 4)
> http://lists.oasis-open.org/archives/security-services/200810/msg00006.html

bc: TS had two questions wrt this item... followup on list or now?

ts: scott brought up the encoding issue, consider this open, this is the most important issue at this point.

Scott Cantor (sc): don't know if there's any parts of w3c sec group on this call, but tried to relay on the list...seems the w3c folk want to keep it unspecified...
[see http://lists.oasis-open.org/archives/security-services/200809/msg00063.html and http://lists.oasis-open.org/archives/security-services/200810/msg00001.html ]

bc: tend to agree with you that we should leave this unspec'd

sc: not that concerned about it, the w3c folk think it shd remain unspec'd, we need to remember to profile this down in any future spec that touches on this

hl: thought it was unambiguously defined by algorithm identifiers..

sc: no, this is cert encoding -- so they left it as-is because there are other cert encodings folks might want to use, but aren't in practice, but....

bc: ok, so this remains open for further discussion...

ts: so we'll leave this open for further comment

> 2.3 Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of
> SAML for Healthcare
> http://lists.oasis-open.org/archives/security-services/200809/msg00062.html

bc: scott supplied longish comments, but no followups as yet

ds: got great comments from scott, detailed ones, don't want to change draft just yet, want to let folks think about making it a CD and then rolling in the comments. fyi, actually parts of this profile were demonstrated in London last week under the covers in XACML context. have folks digested it enough to make it a CD at this point?

bc: think we probably want to roll changes and such into it before going to CD

sc: agree, going to CD then gets more formal

ds: ok, that makes sense to me, will take an AI to incorp scott's comments, put it back on list and get more comments.

> 2.4 SAML V2.0 Holder-of-Key Web Browser SSO Profile

bc: NateK not here today, so this is a reminder for folks to review, any further comments? [none]

> 2.5 SAML V2.0 Information Card Token Profile

bc: john bradley (jb)? comments on this item?

jb: IMI TC <http://oasis-open.org/committees/imi/> had its first meeting in London, discussed samlv2 infocard token profile..
http://www.oasis-open.org/committees/download.php/29019/draft-sstc-saml2-infocard-02.pdf
..decided it would be in scope for TC were there demand, so IMI will work with SSTC, will take it if it wants to be contributed to IMI tc, init profile from microsoft has only SAML 1.1 personal card, there are no managed cards at moment, (folks scratch head), so there may be desire for a samlv1.1 managed card profile. so the IMI TC is up and going now, so we can figure out how we want to move that work forward

Hal Lockhart (hl): personally would like to see that profile go forward in the IMI TC

jb: will have to work with jamie on how to do that..

hl: is simple, authors just submit it to the other TC, and if they have any issues with that, then it gets more complex -- as long as TC/ipr processes are followed and work is in scope then can proceed -- ie sub to other TC is act of individual

sc: don't care real strongly which tc takes up the doc

jb: sentiment was that there ought to be a samlv2 token profile, just a matter of figuring out who/how it will get done

bc: so just need some offline conv btwn you and scott on how to contrib spec draft?

jb: yep

> 2.6 SAML V2.0 Metadata Interoperability Profile

sc: reviewed most of responses, will edit & republish

> 2.7 Level of Assurance Authentication Context Profiles for SAML 2.0

bc: this intersects with work of Giles from a few meetings ago

Eric Tiffany (et): 3 things: first, there's the LOA profile doc still out there, not much change needs to be done to it to move it forward; 2nd thing is Giles' doc, that's much different approach, haven't gotten disc w/Giles as yet wrt a simpler approach, [then there's an enigma document at ITU ?]; 3rd then I need to make some changes to a doc, just sent it to the list, going to be offline for two weeks, hopefully there'll be productive comments on it while I'm away

Paul Madsen (pm): i could take over in interim

et: sure, should be voted on in some fashion by TC, then sent to NIST eg by TC chairs, then some folks might want to jump on coattails, hipsi/NZ/Denmark etc -- there may need to be a bit of corralling folks to keep them in loop

pm: ok i can contact you offline on that.

> 3. Discussion Threads
>
> 3.1 SAML Cook Book
> http://lists.oasis-open.org/archives/security-services/200809/msg00057.html

pm: started to collect content on saml.xml.org wiki, pulled info from tech overview; collecting config data would be a good thing; SC thot that putting that sort of stuff upon wiki might be problematic

bc: do you mean prop prod config info? or metadata?

pm: eg how do you config prod X to work with prod Y; some of this info is collected by liberty in conformance program, supplied by vendors, might not be useful

George Fletcher (gf): well, we could just link to such info; or keep it generic and add best practices

pm: see that as distinct from the two classes already have there; does saml best practices exist somewhere?

sc: got electrodes handy to hook up to everyone's brains? my concerns are answered in the thread... if you want to outline what you want to provide material for, we (shibb/opensaml) could flesh that out and maintain our stuff ourselves, e.g. template outlining topics, we've written some howtos, we haven't had time to brainstorm others we might want to write, but you could stim ideas...

pm: interested in your howtos, just need a link from folks who want to provide theirs...

> 3.2 OAuth as a potential HTTP server-to-server binding for SAML
> http://lists.oasis-open.org/archives/security-services/200809/msg00056.html

bc: lengthy msg w/ no followup

gf: i sent msg, but took silence as no interest

sc: am interested, but only in last week have had time to look at it; will post questions on list; one of concerns is that it isn't clear that oauth spec can make things separable...

gf: key that looking at it, is svr-to-svr msgs that aren't ident-bound, eg manageId calls, in oauth spec just signing that with consumer's secret and spec'g consumerid....

sc: not sure comfortable spec'g a binding to oauth spec

gf: this two-legged flow is intended to be supported in a v2 spec

sc: it isn't easy to normatively ref into the spec the way spec is written; it's not that i'm thinking it can't be done

jb: eran is about to release a bunch of changes to that spec, if we can get that comment to him maybe he can incorp it

gf: what would make it easier

sc: if the conveyance stuff is sep from message construct....

jh: agree, not clean to build other specs "on top of" oauth

gf: ok, will convey back to oauth folks eg eran

rlbob: there will be bof on oauth at ietf, sep'g convey from msg const will be a topic

jh: you'll convey back on the public oauth list, yes?

gf: yes, and you guys can followup if i mess up

> 4. Other business

jh: have saml logo, done pro-bono by graphic artist, will post to saml.xml.org wiki and announce to list

> 5. Action Items (Report created 06 October 2008 02:57pm EDT)
>
> #0341: Draft text for SSTC submission to NIST
> Owner: Eric Tiffany
> Status: Open
> Assigned: 2008-08-26
> Due: 2008-10-07

bc: everyone read and resp to his latest msg

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS
> template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: --

open (sampo not here)

> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

open (sampo not here)

============================================================================