Subject: Minutes SSTC/SAML concall Tue 21-Oct-2008


comments/corrections/followups to the list please.

=JeffH

============================================================================
SSTC/SAML concall Tue Oct 21 09:03:19 PDT 2008
----------------------------------------------------------------------------

co-chair Hal Lockhart (hl) presiding.

----------------
Motions passed:

  Resolved to send a letter to NIST from SSTC-co-chairs, essentially based on..

  Draft note Comment to NIST regarding 800-63-1 prohibition of assertions at LOA 4
  http://lists.oasis-open.org/archives/security-services/200810/msg00012.html

  ..identifying authors other than co-chairs, describing specific issues with 
  NIST doc, proposing remedies.


--------------
Action Item Summary:

* AI: Eric Tiffany to shepherd the crafting of the letter to NIST

* AI: Hal to query OASIS staff wrt the SAML logo idea

* AI: Eric Tiffany to query Liberty folk, eg Britta Glade, wrt any interest 
      they might have in a SAML logo

-----------------
Attendance:

Roll Call:

Voting Members:
George Fletcher      AOL
Rob Philpott     EMC Corporation    
John Bradley     Individual    
Jeff Hodges     Individual    
Bob Morgan     Internet2    
Eric Tiffany     Liberty Alliance Project    
Tom Scavo     NCSA  
Frederick Hirsch     Nokia Corporation
Srinath Godavarthi     Nortel    
Hal Lockhart     Oracle Corporation    
Brian Campbell     Ping Identity Corporation
Anil Saldhana     Red Hat    
Eve Maler     Sun Microsystems    
Emily Xu     Sun Microsystems    
Kent Spaulding     Tripod Technology Group, Inc.    
Duane DeCouteau     Veterans Health Administration    
David Staggs     Veterans Health Administration    

Members:
Nathan Klingenstein     Internet2    

17 out of 22 voting members (Quorum Achieved)

Membership Status Change: None

--------------------
detailed minutes:

> Proposed Agenda SSTC Conference Call
> October 21, 2008, 12:00pm ET
> 
> Dial in info: +1 215 446 3648
> Access code 270-9441#
> 
> Roll Call & Agenda Review
> 
> Need a volunteer to take minutes

=JeffH volunteers.

hl: any other docs to add to agenda?

David Staggs (ds): XSPA doc becoming a CD?

hl: u had action item to put up new version, then we go from there

ds: ok will discuss down there?

> 
> 1. Minutes from SSTC/SAML concall October 7, 2008
> http://lists.oasis-open.org/archives/security-services/200810/msg00023.html

hl: minutes approved with unanimous consent


> 
> 
> 2. Document Status
> 
> 2.1 Subject-based Profiles for SAML V1.1 Assertions
> http://wiki.oasis-open.org/security/SamlSubjectProfiles
> Ballot for Committee Specification passed, docs have been marked accordingly and uploaded to repository
> http://lists.oasis-open.org/archives/security-services/200810/msg00020.html

hl: approved, in docs.oasis web site
  sstc wiki updated?

?: yes was updated

hl: ok, now need some attestations




> 
> 2.2 SAML V2.0 Holder-of-Key Assertion Profile (draft 5) uploaded
> http://lists.oasis-open.org/archives/security-services/200810/msg00033.html

hl: no comments on new version posted last night? editor?

Tom Scavo(ts): this 5th draft cleans up issue wrt X.509 SKI element, there is 
one open issue

hl: will take up in 3.4 below


> 
> 
> 3.  Discussion Threads
> 
> 3.1 comments re draft-sstc-metadata-iop-02  
> http://lists.oasis-open.org/archives/security-services/200810/msg00010.html

hl: any more to be said about that?

ts: scott mentioned, he will respond, hasn't had time just yet



> 
> 3.2 Draft note Comment to NIST regarding 800-63-1 prohibition of assertions at LOA 4
> http://lists.oasis-open.org/archives/security-services/200810/msg00012.html

Eric Tiffany (et): no comments as yet, expect there might need to be some 
wordsmithing, formatting and how delivered don't know, as noted in preface, am 
not sure what formal process is, it shud be approv by comm and sent by chairs.

hl: if there's no concerns about content, we should pass resolution to have 
chairs fwd to NIST on behalf of the TC

anyone have any issues with the proposal?

ts: in last para, HoK SSO profile is mentioned, we should provide detailed 
reference so can look up.[but ref'd spec is only a draft now]

et: sstc wiki available to non-members?  

hl: readonly, and it's linked-to from public SSTC page

et: good, helps with cite because one can more easily find particular docs and 
versions thereof

hl: ok, we'll add a link to the sstc wiki page for the profile doc in 
appropriate place

ts: will this doc [the letter to NIST] be uploaded to Kavi, etc, so others can 
find it

hl: probably should put in doc repository, cleaned up version

Jeff Hodges(jh): suggest in outreach section

et: there are Lib eGov folks who are interested in seeing this change also, so 
having this note in ref'able place will be good

jh: cf response to ibm research paper (a few years ago) for an example wrt 
formatting, content etc. ?

hl: so if TC concurs, get volunteer to clean up, put in repos, fwd to nist, 
and if there's group(s) to draw atten to it, then we can do that, but we 
shudn't wait on anyone else

so the chair will entertain a motion for a resolution to send a letter to NIST 
from SSTC-co-chairs, identifying authors other than co-chairs, describing 
specific issues with NIST doc, proposing remedies.

et: i make a motion to create such a doc
RL Bob Morgan(rl): 2nd'd

rl: have had conversations with nist folks, don't think need to have a big 
push to get them to do this, they want to, so proposed letter should have 
proposed changes, they might need to work with someone (from saml community) 
to get it right, will take a bit of work, dunno who that would be, not 
volunteering

hl: could add something to letter from sstc chairs to the effect that if they 
need assistance they can contact sstc chairs

et: seems fine

hl: any object to unanimous consent to carry this resolution out?

*** motion passed with unanimous consent


Rob Philpott(rp): fyi it was in March of 2005 we did response to ibm research 
paper


> 
> 3.3 More on OAuth
> http://lists.oasis-open.org/archives/security-services/200810/msg00013.html

hl: in that thread there's a reference to interesting doc from google abt 
using oauth ... ?

"two legged oauth for opensocial restful apps"

George Fletcher(gf): opensocial uses oauth, so receiving server knows who sent 
msg, is another way to use oauth to send non-soap msgs, so is another point of 
reference wrt question of having oauth as another binding for svr-svr msgs. jh 
& sc have noted that present oauth spec is not really referencable, etc.

rl: got confirmation that there will be a BOF on oauth in ietf-73 Minneapolis 
in November, there is an I-D wrt oauth, I will be there at BOF:

  http://www.ietf.org/internet-drafts/draft-hammer-oauth-00.txt

hl: be good if you can represent "our interest" there and report back, eg in 
possibility to structuring oauth spec such that it can be more easily 
referenced as a binding.


> 
> 3.4 specifying the <ds:X509SKI> element
> http://lists.oasis-open.org/archives/security-services/200810/msg00015.html

ts: it came up on last call, started from a comment Scott Cantor (sc)  made 
wrt previous version of profile, has to do with <ds: x509 cert> element -- 
what is format of such cert?  his comment had to do with encoding, spec says 
encoding should be DER, but perhaps it should be left unspecified. I didn't 
change it in this rev of the doc, because I don't see wisdom in that, not sure 
why someone would not specify it, it would make it difficult for RP to do 
confirmation w/o knowing what the encoding is, hoping someone can justify 
this, AFAIK that is only significant issue remaining in that profile

hl: both Ari & Scott are not here, anyone else?

ts: did Brian Campbell(bc) agree with sc?

bc: just in general, not as an expert wrt this topic

ts: did informal survey of two grids in US that use x509, the PEM encoding is 
used for certs, the underlying encoding is DER, couldn't find any non-DER 
encoding, so can anyone provide examples of anyone using something other than 
DER?

hl: doc now specifies DER, appropriate thing is to leave it until we get any 
further comment

Nate Klingenstein(nk): in favor of simplicity (ie leaving it)

hl: might want to ping Ari & SC explicitly about this


> 
> 3.5 comments re sstc-saml-holder-of-key-browser-sso-draft-07
> http://lists.oasis-open.org/archives/security-services/200810/msg00029.html

hl: ts posted more comments on hok profile doc

nk: what to call renamed binding string in the metadata?  these are protocol 
bindings,
  so "hokprotocolbinding" sounds ok to others, I can do that, tom?

if you go to set of comments tom had on mailing list, you can find it

sc suggested several different ones, this is one of them

ts: any of sc's suggestions are better than what's there

nk: ok. 

hl: just go with that then

nk: rest of TS comments are re-org and such, useful, will try to do fresh 
draft -08 by nxt call, do want to get doc to CD status

ts: really there are 3 docs that are at same level, this one, the one it 
depends on, and then (not dir related) metadata IOP profile, so all three shud 
go out at same time

hl: consult with sc wrt how soon can get metadata out? don't want two sep pub 
reviews at same time


> 3.6 draft-saml-logo-03.pdf uploaded
> http://lists.oasis-open.org/archives/security-services/200810/msg00035.html

nk: was at openid ux meeting yesterday, actually including openid logo on a 
login page was a detractor, so google is going to have no ref to openid on 
anything, this was from user testing, evaluated appealingness of various 
pages, lower response when included the openid brand

"facebook connect" has better response in end-user testing

so google msft y!  have taken position that promoting openid brand on consumer 
facing pages is not useful

George Fletcher (gf): not surprising, if see logo w/ no recog of, scares 
people off


Eve Maler(em): suggest we figure out specific usecases for where to use this, 
generally in favor


et: there are some questions wrt protection that might need to be answered, eg 
tradmark protection


hl: [AI] willing to take an action to go talk to OASIS staff if there's any 
issues

if became popular, what's to prevent someone from sticking it on something 
that doesn't actually employ SAML ?


ts: fwd logo idea to jamie to see if can copyright it?

hl: can ET explore if there's any Liberty interop interest in this?

et: yes can explore that
fyi, the legal hoops to jump thru to get Liberty's own branding was really 
tedious...
[AI] will float question -- britta glade would be person to ask, will do so



> 4. Other business

wrt XSPA doc becoming a CD?

Duane DeCouteau(dc): suggested doc changes are relatively straightforward, we 
can add those changes in, goto CD vote (in meantime)?

hl: more straightforward process is that if you can get a rev out in next few 
days including updates, then do vote next meeting

ds: we should get the revs in, then ask for vote..

hl: particularly conf section, get those changes in, then move on a vote

dc: any other comments out there? would be good to get them now



> 5. Action Items (Report created 20 October 2008 10:55pm EDT)
> 
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

open

> 
> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

open



> 
> #0342: revise and re-publish XSPA SAML Profile doc
> Owner: David Staggs
> Status: Open
> Assigned: 2008-10-13
> Due: ---

open, see above.


meeting adjourned. 


============================================================================