OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes minutes SSTC/SAML concall Tue 21-Oct-2008

comments/corrections/followups to the list please.


SSTC/SAML concall Tue Oct 21 09:03:19 PDT 2008

co-chair Hal Lockhart (hl) presiding.

Motions passed:

  Resolved to send a letter to NIST from SSTC-co-chairs, essentially based on..

  Draft note Comment to NIST regarding 800-63-1 prohibition ofassertions at 

  ..identifying authors other than co-chairs, describing specific issues with 
  NIST doc, proposing remedies.

Action Item Summary:

* AI: Eric Tiffany to shepherd the crafting of the letter to NIST

* AI: Hal to query OASIS staff wrt the SAML logo idea

* AI: Eric Tifany to query Liberty folk, eg Britta Glade, wrt any interest 
      they might have in a SAML logo


Roll Call:

Voting Members:
George Fletcher      AOL
Rob Philpott     EMC Corporation    
John Bradley     Individual    
Jeff Hodges     Individual    
Bob Morgan     Internet2    
Eric Tiffany     Liberty Alliance Project    
Tom Scavo     NCSA  
Frederick Hirsch     Nokia Corporation
Srinath Godavarthi     Nortel    
Hal Lockhart     Oracle Corporation    
Brian Campbell     Ping Identity Corporation
Anil Saldhana     Red Hat    
Eve Maler     Sun Microsystems    
Emily Xu     Sun Microsystems    
Kent Spaulding     Tripod Technology Group, Inc.    
Duane DeCouteau     Veterans Health Administration    
David Staggs     Veterans Health Administration    

Nathan Klingenstein     Internet2    

17 out of 22 voting members (Quorum Achieved)

Membership Status Change: None

detailed minutes:

> Proposed Agenda SSTC Conference Call
> October 21, 2008, 12:00pm ET
> Dial in info: +1 215 446 3648
> Access code 270-9441#
> Roll Call & Agenda Review
> Need a volunteer to take minutes

=JeffH volunteers.

hl: any other docs to add to agenda?

David Staggs (ds): XSPA doc becoming a CD?

hl: u had action item to put up new version, then we go from there

ds: ok will discuss down there?

> 1. Minutes from SSTC/SAML concall October 7, 2008
> http://lists.oasis-open.org/archives/security-services/200810/msg00023.html

hl: minutes approved with unanimous consent

> 2. Document Status
> 2.1 Subject-based Profiles for SAML V1.1 Assertions
> http://wiki.oasis-open.org/security/SamlSubjectProfiles
> Ballot for Committee Specification passed, docs have been marked accordingly and uploaded to repository
> http://lists.oasis-open.org/archives/security-services/200810/msg00020.html

hl: approved, in docs.oasis web site
  sstc wiki updated?

?: yes was updated

hl: ok, now need some attestations

> 2.2 SAML V2.0 Holder-of-Key Assertion Profile (draft 5) uploaded
> http://lists.oasis-open.org/archives/security-services/200810/msg00033.html

hl: no comments on new version posted last night? editor?

Tom Scavo(ts): this 5th draft cleans up issue wrt x.508 ski element, there is 
one open issue

hl: will take up in 3.4 below

> 3.  Discussion Threads
> 3.1 comments re draft-sstc-metadata-iop-02  
> http://lists.oasis-open.org/archives/security-services/200810/msg00010.html

hl: any more to be said about that?

ts: scott mentioned, he will respond, hasn't had time just yet

> 3.2 Draft note Comment to NIST regarding 800-63-1 prohibition of assertions at LOA 4
> http://lists.oasis-open.org/archives/security-services/200810/msg00012.html

Eric Tiffany (et): no comments as yet, expect there might need to be some 
wordsmithing, formatting and how delivered don't know, as noted in preface, am 
not sure what formal process is, it shud be approv by comm and sent by chairs.

hl: if there's no concerns about content, we should pass resolution to have 
chairs fwd to NIST on behalf of the TC

anyone have any issues with the proposal?

ts: in last para, HoK SSO profile is mentioned, we should provide detailed 
reference so can look up.[but ref'd spec is only a draft now]

et: sstc wiki available to non-members?  

hl: readonly, and it's linked-to from public SSTC page

et: good, helps with cite because one can more easily find particular docs and 
versions thereof

hl: ok, we'll add a link to the sstc wiki page for the profile doc in 
appropriate place

ts: will this doc [the letter to NIST] be uploaded to Kavi, etc, so others can 
find it

hl: probably should put in doc repository, cleaned up version

Jeff Hodges(jh): suggest in outreach section

et: there are Lib eGov folks who are interested in seeing this change also, so 
having this note in ref'able place will be good

jh: cf response to ibm research paper (a few years ago) for an example wrt 
formatting, content etc. ?

hl: so if TC concurs, get volunteer to clean up, put in repos, fwd to nist, 
and if there's group(s) to draw atten to it, then we can do that, but we 
shudn't wait on anyone else

so the chair will entertain a motion for a resolution to send a letter to NIST 
from SSTC-co-chairs, identifying authors other than co-chairs, describing 
specific issues with NIST doc, proposing remedies.

et: i make a motion to create such a doc
RL Bob Morgan(rl): 2nd'd

rl: have had conversations with nist folks, don't think need to have a big 
push to get them to do this, they want to, so proposed letter should have 
proposed changes, they might need to work with someone (from saml community) 
to get it right, will take a bit of work, dunno who that would be, not 

hl: could add something to letter from sstc chairs to the effect that if they 
need assistance they can contact sstc chairs

et: seems fine

hl: any object to unanimous consent to carry this resolution out?

*** motion passed with unanimous consent

Rob Philpott(rp): fyi it was in March of 2005 we did response to ibm research 

> 3.3 More on OAuth
> http://lists.oasis-open.org/archives/security-services/200810/msg00013.html

hl: in that thread there's a reference to interesting doc from google abt 
using oauth ... ?

"two legged oauth for opensocial restful apps"

George Fletcher(gf): opensocial uses oauth, so receiving server knows who sent 
msg, is another way to use oauth to send non-soap msgs, so is another point of 
reference wrt question of having oauth as another binding for svr-svr msgs. jh 
& sc have noted that present oauth spec is not really referencable, etc.

rl: got confirmation that there will be a BOF on oauth in ietf-73 Minneapolis 
in November, there is an I-D wrt oauth, I will be there at BOF:


hl: be good if you can represent "our interest" there and report back, eg in 
possibility to structuring oauth spec such that it can be more easily 
referenced as a binding.

> 3.4 specifying the <ds:X509SKI> element
> http://lists.oasis-open.org/archives/security-services/200810/msg00015.html

ts: it came up on last call, started from a comment Scott Cantor (sc)  made 
wrt previous version of profile, has to do with <ds: x509 cert> element -- 
what is format of such cert?  his comment had to do with encoding, spec says 
encoding should be DER, but perhaps it should be left unspecified. I didn't 
change it in this rev of the doc, because I don't see wisdom in that, not sure 
why someone would not specifiy it, it would make it difficult for RP to do 
confirmation w/o knowing what the encoding is, hoping someone can justify 
this, AFAIK that is only significant issue remaining in that profile

hl: both Ari & Scott are not here, anyone else?

ts: did Brian Campbell(bc) agree with sc?

bc: just in general, not as an expert wrt this topic

ts: did informal survey of two grids in US that use x509, the PEM encoding is 
used for certs, the underlying encoding is DER, couldn't find any non-DER 
encoding, so can anyone provide examples of anyone using something other than 

hl: doc now specifies DER, appropriate thing is to leave it until we get any 
further comment

Nate Klingenstein(nk): in favor of simplicity (ie leaving it)

hl: might want to ping Ari & SC explicitly about this

> 3.5 comments re sstc-saml-holder-of-key-browser-sso-draft-07
> http://lists.oasis-open.org/archives/security-services/200810/msg00029.html

hl: ts posted more comments on hok profile doc

nk: what to call renamed binding string in the metadata?  these are protocol 
  so "hokprotocolbinding" sounds ok to others, I can do that, tom?

if you go to set of comments tom had on mailing list, you can find it

sc suggested several different ones, this is one of them

ts: any of sc's suggestions are better than what's there

nk: ok. 

hl: just go with that then

nk: rest of TS comments are re-org and such, useful, will try to do fresh 
draft -08 by nxt call, do want to get doc to CD status

ts: really there are 3 docs that are at same level, this one, the one it 
depends on, and then (not dir related) metadata IOP profile, so all three shud 
go out at same time

hl: consult with sc wrt how soon can get metadata out? don't want two sep pub 
reviews at same time

> 3.6 draft-saml-logo-03.pdf uploaded
> http://lists.oasis-open.org/archives/security-services/200810/msg00035.html

nk: was at openid ux meeting yesterday, actually including openid logo on a 
login page was a detractor, so google is going to have no ref to openid on 
anything, this was from user testing, evaluated appealingness of various 
pages, lower response when included the openid brand

"facebook connect" has better response in end-user testing

so google msft y!  have taken position that promoting openid brand on consumer 
facing pages is not useful

George Fletcher (gf): not surprising, if see logo w/ no recog of, scares 
people off

Eve Maler(em): suggest we figure out specific usecases for where to use this, 
generally in favor

et: there are some questions wrt protection that might need to be answered, eg 
tradmark protection

hl: [AI] willing to take an action to go talk to OASIS staff if there's any 

if became propular, what's to prevent someone from sticking it on something 
that doesn't actually employ SAML ?

ts: fwd logo idea to jamie to see if can copyright it?

hl: can ET explore if there's any Liberty interop interest in this?

et: yes can explore that
fyi, the legal hoops to jump thru to get Liberty's own branding was really 
[AI] will float quesiton -- britta glade would be person to ask, will do so

> 4. Other business

wrt XSPA doc becoming a CD?

Duane DeCouteau(dc): suggested doc changes are relatively straightforward, we 
can add those changes in, goto CD vote (in meantime)?

hl: more straightforward process is that if you can get a rev out in next few 
days including updates, then do vote next meeting

ds: we should get the revs in, then ask for vote..

hl: particularly conf section, get those changes in, then move on a vote

dc: any other comments out there? would be good to get them now

> 5. Action Items (Report created 20 October 2008 10:55pm EDT)
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---


> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---


> #0342: revise and re-publish XSPA SAML Profile doc
> Owner: David Staggs
> Status: Open
> Assigned: 2008-10-13
> Due: ---

open, see above.

meeting adjourned. 


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]