[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Minutes SSTC/SAML concall Tue 21-Oct-2008
comments/corrections/followups to the list please.

=JeffH

============================================================================
SSTC/SAML concall Tue Oct 21 09:03:19 PDT 2008
----------------------------------------------------------------------------
co-chair Hal Lockhart (hl) presiding.

----------------
Motions passed:

Resolved to send a letter to NIST from SSTC co-chairs, essentially based on..

  Draft note Comment to NIST regarding 800-63-1 prohibition of assertions at LOA 4
  http://lists.oasis-open.org/archives/security-services/200810/msg00012.html

..identifying authors other than co-chairs, describing specific issues with NIST doc, proposing remedies.

--------------
Action Item Summary:

* AI: Eric Tiffany to shepherd the crafting of the letter to NIST
* AI: Hal to query OASIS staff wrt the SAML logo idea
* AI: Eric Tiffany to query Liberty folk, eg Britta Glade, wrt any interest they might have in a SAML logo

-----------------
Attendance:

Roll Call:

Voting Members:
  George Fletcher        AOL
  Rob Philpott           EMC Corporation
  John Bradley           Individual
  Jeff Hodges            Individual
  Bob Morgan             Internet2
  Eric Tiffany           Liberty Alliance Project
  Tom Scavo              NCSA
  Frederick Hirsch       Nokia Corporation
  Srinath Godavarthi     Nortel
  Hal Lockhart           Oracle Corporation
  Brian Campbell         Ping Identity Corporation
  Anil Saldhana          Red Hat
  Eve Maler              Sun Microsystems
  Emily Xu               Sun Microsystems
  Kent Spaulding         Tripod Technology Group, Inc.
  Duane DeCouteau        Veterans Health Administration
  David Staggs           Veterans Health Administration

Members:
  Nathan Klingenstein    Internet2

17 out of 22 voting members (Quorum Achieved)

Membership Status Change: None

--------------------
detailed minutes:

> Proposed Agenda SSTC Conference Call
> October 21, 2008, 12:00pm ET
>
> Dial in info: +1 215 446 3648
> Access code 270-9441#
>
> Roll Call & Agenda Review
>
> Need a volunteer to take minutes

=JeffH volunteers.

hl: any other docs to add to agenda?

David Staggs (ds): XSPA doc becoming a CD?

hl: you had action item to put up new version, then we go from there

ds: ok will discuss down there?

> 1. Minutes from SSTC/SAML concall October 7, 2008
> http://lists.oasis-open.org/archives/security-services/200810/msg00023.html

hl: minutes approved with unanimous consent

> 2. Document Status
>
> 2.1 Subject-based Profiles for SAML V1.1 Assertions
> http://wiki.oasis-open.org/security/SamlSubjectProfiles
> Ballot for Committee Specification passed, docs have been marked accordingly and uploaded to repository
> http://lists.oasis-open.org/archives/security-services/200810/msg00020.html

hl: approved, in docs.oasis web site. sstc wiki updated?

?: yes was updated

hl: ok, now need some attestations

> 2.2 SAML V2.0 Holder-of-Key Assertion Profile (draft 5) uploaded
> http://lists.oasis-open.org/archives/security-services/200810/msg00033.html

hl: no comments on new version posted last night? editor?

Tom Scavo (ts): this 5th draft cleans up issue wrt X.509 SKI element, there is one open issue

hl: will take up in 3.4 below

> 3. Discussion Threads
>
> 3.1 comments re draft-sstc-metadata-iop-02
> http://lists.oasis-open.org/archives/security-services/200810/msg00010.html

hl: any more to be said about that?

ts: scott mentioned, he will respond, hasn't had time just yet

> 3.2 Draft note Comment to NIST regarding 800-63-1 prohibition of assertions at LOA 4
> http://lists.oasis-open.org/archives/security-services/200810/msg00012.html

Eric Tiffany (et): no comments as yet, expect there might need to be some wordsmithing, formatting and how delivered don't know, as noted in preface, am not sure what formal process is, it should be approved by committee and sent by chairs.

hl: if there's no concerns about content, we should pass resolution to have chairs fwd to NIST on behalf of the TC. anyone have any issues with the proposal?

ts: in last para, HoK SSO profile is mentioned, we should provide detailed reference so can look up. [but ref'd spec is only a draft now]

et: sstc wiki available to non-members?

hl: readonly, and it's linked-to from public SSTC page

et: good, helps with cite because one can more easily find particular docs and versions thereof

hl: ok, we'll add a link to the sstc wiki page for the profile doc in appropriate place

ts: will this doc [the letter to NIST] be uploaded to Kavi, etc, so others can find it?

hl: probably should put in doc repository, cleaned up version

Jeff Hodges (jh): suggest in outreach section

et: there are Lib eGov folks who are interested in seeing this change also, so having this note in ref'able place will be good

jh: cf response to ibm research paper (a few years ago) for an example wrt formatting, content etc.?

hl: so if TC concurs, get volunteer to clean up, put in repos, fwd to nist, and if there's group(s) to draw attention to it, then we can do that, but we shouldn't wait on anyone else. so the chair will entertain a motion for a resolution to send a letter to NIST from SSTC co-chairs, identifying authors other than co-chairs, describing specific issues with NIST doc, proposing remedies.

et: i make a motion to create such a doc

RL Bob Morgan (rl): 2nd'd

rl: have had conversations with nist folks, don't think need to have a big push to get them to do this, they want to, so proposed letter should have proposed changes, they might need to work with someone (from saml community) to get it right, will take a bit of work, dunno who that would be, not volunteering

hl: could add something to letter from sstc chairs to the effect that if they need assistance they can contact sstc chairs

et: seems fine

hl: any object to unanimous consent to carry this resolution out?

*** motion passed with unanimous consent

Rob Philpott (rp): fyi it was in March of 2005 we did response to ibm research paper

> 3.3 More on OAuth
> http://lists.oasis-open.org/archives/security-services/200810/msg00013.html

hl: in that thread there's a reference to interesting doc from google abt using oauth ... ? "two legged oauth for opensocial restful apps"

George Fletcher (gf): opensocial uses oauth, so receiving server knows who sent msg, is another way to use oauth to send non-soap msgs, so is another point of reference wrt question of having oauth as another binding for svr-svr msgs. jh & sc have noted that present oauth spec is not really referencable, etc.

rl: got confirmation that there will be a BOF on oauth in ietf-73 Minneapolis in November, there is an I-D wrt oauth, I will be there at BOF: http://www.ietf.org/internet-drafts/draft-hammer-oauth-00.txt

hl: be good if you can represent "our interest" there and report back, eg in possibility to structuring oauth spec such that it can be more easily referenced as a binding.

> 3.4 specifying the <ds:X509SKI> element
> http://lists.oasis-open.org/archives/security-services/200810/msg00015.html

ts: it came up on last call, started from a comment Scott Cantor (sc) made wrt previous version of profile, has to do with <ds:X509Certificate> element -- what is format of such cert? his comment had to do with encoding, spec says encoding should be DER, but perhaps it should be left unspecified. I didn't change it in this rev of the doc, because I don't see wisdom in that, not sure why someone would not specify it, it would make it difficult for RP to do confirmation w/o knowing what the encoding is, hoping someone can justify this, AFAIK that is only significant issue remaining in that profile

hl: both Ari & Scott are not here, anyone else?

ts: did Brian Campbell (bc) agree with sc?

bc: just in general, not as an expert wrt this topic

ts: did informal survey of two grids in US that use x509, the PEM encoding is used for certs, the underlying encoding is DER, couldn't find any non-DER encoding, so can anyone provide examples of anyone using something other than DER?

hl: doc now specifies DER, appropriate thing is to leave it until we get any further comment

Nate Klingenstein (nk): in favor of simplicity (ie leaving it)

hl: might want to ping Ari & SC explicitly about this

> 3.5 comments re sstc-saml-holder-of-key-browser-sso-draft-07
> http://lists.oasis-open.org/archives/security-services/200810/msg00029.html

hl: ts posted more comments on hok profile doc

nk: what to call renamed binding string in the metadata? these are protocol bindings, so "hokprotocolbinding" sounds ok to others, I can do that, tom? if you go to set of comments tom had on mailing list, you can find it. sc suggested several different ones, this is one of them

ts: any of sc's suggestions are better than what's there

nk: ok.

hl: just go with that then

nk: rest of TS comments are re-org and such, useful, will try to do fresh draft -08 by next call, do want to get doc to CD status

ts: really there are 3 docs that are at same level, this one, the one it depends on, and then (not directly related) metadata IOP profile, so all three should go out at same time

hl: consult with sc wrt how soon can get metadata out? don't want two separate pub reviews at same time

> 3.6 draft-saml-logo-03.pdf uploaded
> http://lists.oasis-open.org/archives/security-services/200810/msg00035.html

nk: was at openid ux meeting yesterday, actually including openid logo on a login page was a detractor, so google is going to have no ref to openid on anything, this was from user testing, evaluated appealingness of various pages, lower response when included the openid brand. "facebook connect" has better response in end-user testing so google msft y! have taken position that promoting openid brand on consumer facing pages is not useful

George Fletcher (gf): not surprising, if see logo w/ no recog of, scares people off

Eve Maler (em): suggest we figure out specific usecases for where to use this, generally in favor

et: there are some questions wrt protection that might need to be answered, eg trademark protection

hl: [AI] willing to take an action to go talk to OASIS staff if there's any issues. if became popular, what's to prevent someone from sticking it on something that doesn't actually employ SAML?

ts: fwd logo idea to jamie to see if can copyright it?

hl: can ET explore if there's any Liberty interop interest in this?

et: yes can explore that. fyi, the legal hoops to jump thru to get Liberty's own branding was really tedious... [AI] will float question -- britta glade would be person to ask, will do so

> 4. Other business

wrt XSPA doc becoming a CD?

Duane DeCouteau (dc): suggested doc changes are relatively straightforward, we can add those changes in, goto CD vote (in meantime)?

hl: more straightforward process is that if you can get a rev out in next few days including updates, then do vote next meeting

ds: we should get the revs in, then ask for vote..

hl: particularly conf section, get those changes in, then move on a vote

dc: any other comments out there? would be good to get them now

> 5. Action Items (Report created 20 October 2008 10:55pm EDT)
>
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

open

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

open

> #0342: revise and re-publish XSPA SAML Profile doc
> Owner: David Staggs
> Status: Open
> Assigned: 2008-10-13
> Due: ---

open, see above.

meeting adjourned.

============================================================================
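Editor's added illustration of the encoding point argued under item 3.4 (not part of the minutes, and not code from the SSTC or the HoK profile): an RP doing holder-of-key confirmation has to turn both the certificate carried in the assertion's <ds:X509Certificate> element and the certificate the subject presented (for example over TLS, where stacks hand back raw DER) into the same byte representation and compare them. PEM is only base64 of the DER bytes with armor lines, which is why the survey in 3.4 found DER underneath everywhere; a profile that fixes DER lets the RP treat any mismatch as a different certificate rather than a possible re-encoding. The "certificate" below is a constructed 7-byte DER SEQUENCE stand-in, not a real X.509 certificate; the function names and the DER structural check are this example's own assumptions.

```python
import base64
import re

# Constructed stand-in for a DER-encoded certificate: SEQUENCE { INTEGER 0x010203 }.
# A real X.509 certificate is likewise an outer DER SEQUENCE, which is the only
# structure the checks below rely on.
SAMPLE_DER = bytes.fromhex("30 05 02 03 01 02 03")

# Constructed PEM form of the same bytes (what a file or a TLS stack might hand you).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAUCAwECAw==\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed text content of a <ds:X509Certificate> element from an assertion's
# KeyInfo; XML whitespace inside the element is common and must be tolerated.
SAMPLE_X509CERTIFICATE_TEXT = "\n   MAUCAwECAw==\n   "


def der_sequence_length(blob: bytes):
    """Return the total length of a well-formed DER SEQUENCE occupying exactly
    `blob`, or None if the bytes are not such a SEQUENCE (wrong tag, BER
    indefinite or non-minimal length, or declared length != actual length)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    elif 0x81 <= first <= 0x84:            # long-form length, 1..4 octets
        n = first & 0x7F
        if len(blob) < 2 + n:
            return None
        length = int.from_bytes(blob[2:2 + n], "big")
        header = 2 + n
        # DER requires the minimal length encoding.
        if length < 0x80 or (n > 1 and blob[2] == 0):
            return None
    else:                                  # 0x80 is BER indefinite length, not DER
        return None
    total = header + length
    return total if total == len(blob) else None


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode: PEM is just DER plus text wrapping."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def x509certificate_to_der(text: str) -> bytes:
    """Decode the base64 content of a ds:X509Certificate element, ignoring whitespace."""
    return base64.b64decode("".join(text.split()))


def confirms_holder(x509certificate_text: str, presented_der: bytes) -> bool:
    """Holder-of-key confirmation as discussed in 3.4: the certificate in the
    assertion must be valid DER and equal, byte for byte, the certificate the
    subject presented. This assumes the profile fixes the encoding as DER; with
    an unspecified encoding the RP could not tell a different key from a
    different encoding of the same key."""
    try:
        asserted = x509certificate_to_der(x509certificate_text)
    except ValueError:                     # binascii.Error is a ValueError
        return False
    if der_sequence_length(asserted) is None or der_sequence_length(presented_der) is None:
        return False
    return asserted == presented_der


if __name__ == "__main__":
    print("PEM and element decode to same DER:", pem_to_der(SAMPLE_PEM) == SAMPLE_DER)
    print("confirmed:", confirms_holder(SAMPLE_X509CERTIFICATE_TEXT, pem_to_der(SAMPLE_PEM)))
```

A real deployment would additionally validate the presented certificate chain (or, under the profile, rely on the assertion's signature instead of a PKI) before trusting the match; the byte comparison is only the confirmation step the encoding question bears on.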