[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: sstc/saml concall minutes Tue 2-Dec-2008 (with attendance)
comments to the list please.
=JeffH
============================================================================
SSTC/SAML concall Tue Dec 2 09:03:19 PDT 2008
----------------------------------------------------------------------------
co-chair Brian Campbell (bc) presiding
----------------
Motions passed:
Resolved: PE74 is approved errata item now
Resolved: place xspa-saml-profile-cd-01 into 60-day public review.
--------------
Action Item Summary:
* AI: Duane DeCouteau (dd): will take AI to do packaging of
xspa-saml-profile-cd-01 for public review
* AI: SSTC co-chairs will notify TC admin once receive spec pkg from Duane.
-----------------
Attendance:
Voting Members
------------------------------
George Fletcher AOL
John Bradley Individual
Jeff Hodges Individual
Scott Cantor Internet2
Nathan Klingenstein Internet2
Bob Morgan Internet2
Tom Scavo NCSA
Frederick Hirsch Nokia Corporation
Srinath Godavarthi Nortel
Hal Lockhart Oracle Corporation
Brian Campbell Ping Identity Corporation
Anil Saldhana Red Hat
Eve Maler Sun Microsystems
Emily Xu Sun Microsystems
Duane DeCouteau Veterans Health Administration
David Staggs Veterans Health Administration
Members
---------------------
Peter Davis, Neustar
Rob Philpott, EMC
Observers
----------------
Greg Parsons Jericho Systems Corporation
Quorum: 16 out of 20 voting members (80%)
Membership Status: Ari Kermaier (Oracle) lost voting status.
--------------------
detailed minutes:
> Roll Call & Agenda Review
>
> Need a volunteer to take minutes
=JeffH (jh) volunteers
> 1. Minutes from SSTC/SAML conference call November 18, 2008
> http://lists.oasis-open.org/archives/security-services/200812/msg00000.html
bc: the minutes were just posted to the mailing list so we'll wait until next
call
to approve them.
> 2. Document Status
>
> 2.1 SAML 2.0 Errata draft 45/46 -> PE73, PE74, PE75, PE76, PE77 / PE78 added
> http://lists.oasis-open.org/archives/security-services/200811/msg00071.html
Scott Cantor (sc): am making motion to accept PE74 as proposed in errata 46
fh: 2nds the motion
discussion...
Rob Philpott (rp): xmldsig is also mentioned/ref conformance doc...
bc/sc: that's covered
rp: ok, as long as this updated spec doesn't change anything in conformance
spec
sc: all algs & references are not changed
do we norm ref the canonicalization specs?
<exclusive c14n is referenced>
rp: we say SHOULD use excl but don't say anthing about other c14n approach
ok, looks good to me, don't see need to postpone
bc: back to motion, any obj to unan consent of approving PE74 ?
none, motion passes.
Resolved: PE74 is approved errata item now
bc: moving on to PE75..
rp: the text shd be more specific with respect to 2nd level error codes
sc: 2nd level codes aren't something needing to be nailed down interop-wise --
this
is a abstract situation
rp: but there's various reasons subject may not match...
sc: it doesn't seem to be worth the amount of work it'd take to do it
tom scavo(ts): don't feel strongly, what sc has in the errata currently is fine
rp: are we going to allow implementors/deployers to stick in other 2nd level
error
code values?
sc/bc: yes
sc: this is a really abstract error condition, this is more discussion than
wanted to have, shd take this to the list not sugg we vote PE75 in today
anyway
pe76 -- wrt validity attrs, suggesting additional txt on that
folks shd read that one and see if you all agree
pe77 -- wrt adoption of saml assertions in ws-fed context -- but we can
make some constrained changes that would address the prob
e.g. if we remove word "saml" in various places it fixes it all it seems
pe78 -- want to discuss this...
persistent nameid format -- whether or not by definition if those ids can be
reassigned to other principals -- applicable in federation use cases
imho in no situation reassign opaque ids to other principals, i.e. "must not"
be done so suggest either "must not" or "should not", favors "must not",
modulo
what others think
Eve Maler (em): this is a bit of a stretch for an erratum
is there some usefulness in reassign opaq ids?
sc: absolutely not
em: totally breaks the traceablility of ids (which might be what someone
wants)...
sc; these are explicitly persistent ids not transient
em: oh, ok, but not sure we should do this at this point
ts: am bit surprised this is coming up as erratum, like eve,
there is something btwn "shd not" and "must not" eg "must not be reassigned
for
a year"....
jh: dont think this is good idea
[ detailed discussion ensued with rp equating persist ident reassignment with
notions of opaque identifier randomness, jh noting that those are seperate
notions, others chiming in ]
sc: in anycase these proposed changes are simple
always thought it is a "must not"
came up in Shib context via Tom (ts), then realized the saml spec doesn't
say anything
don't know of any reasons to reasign persist idents, my intent (when
originally
writing that language in the spec) is that it is a "must not", don't
believe it
is material change to make it that, but am fine with "should not"
bc: this is something that was intended but isn't really clear, a "shd not" is
easy
and nice but a "must not" might affect various impls/deployments
in any case we shd take this to the list...
sc: am not aware of any errata items that are not in the errata doc at this
time,
so if folks know of any they need to speak up.
> 2.2 SAML V2.0 Metadata Extension for Entity Attributes (draft 2)
> http://lists.oasis-open.org/archives/security-services/200811/msg00079.html
sc: wrt attaching tagging info to entities that they admit into a federation,
have done some draft work on this notion, but now am proposing a formalization
of it
[from draft spec abstract:
This profile defines an extension element for use in attaching SAML
attributes
to an <md:EntityDescriptor> or <md:EntitiesDescriptor> element, to
communicate
an arbitrary set of additional information about an entity in its metadata. ]
bc: am confused about details
sc: orig proposal is wrt saml attributes, they aren't self-describing wrt
signature
over metadata, there is a sense in our community that folks will do it non
interoperably
if asking "why not use assertions?" -- that's hard
did try to come up with assn profile that's constrained but it's difficult,
see the
draft spec.
bc: is there a way to take the attr part out and simplify assn portion so it
meets your needs?
sc: don't know. if you take the attr fork out, you don't make it easier to
impl, the
assn part is hard to impl -- if there's enuff interest in this to make > 1
prof
of it, am happy to discuss/investigate.
bc: let's take discussion to the list
> 2.3 SAMLv2.0 HTTP POST ³SimpleSign² Binding
> http://lists.oasis-open.org/archives/security-services/200812/msg00005.html
jh: summarizes the delta between this draft spec and the present Committee
Spec (CS) edition.
[discuss whether want to update the CS version, jh: that's the intention]
[discuss wrt pub review. HL notes there's an escape clause to allow for 15-day
pub review.]
ts: did a diff on the docs, will send to jh
bc: we will endeavor to vote to pub rev next call
> 2.4 XSPA Profile of SAML for Healthcare
> To public review?
http://www.oasis-open.org/committees/download.php/29921/xspa-saml-profile-cd-01
.doc
ds: HITSP/HIMSS folks have noted to ds that they'd like to see public
review of this profile before the HIMSS demo in Apr
ds: moves that we take the xspa profile from cd and take it to 60day pub
review.
hl: 2nds
discussion...
hl: what's the rel of the xspa profile(s) to other stds ?
ds: there's 2 -- one for international, another for US realm
the US realm one is more specific as to the use of certain vocabs that
allow
interop btwn health care entities
there's another profile that's xacml-based
haven't gotten feed back on ws-trust profile from ws-sx TC
hl: does the overall one ref the other ones (3 of them?) ?
ds: the overall one refs the underlying one
to know whole story need all 4 docs
ws-trust and xacml are optional
saml profile is really required one
"overall one" -- is in xspa tc and hasn't been publicly released yet
need to join xspa tc to see docs, encourage folks to do so
bc: does it make sense for sstc to be doing this considering that there is a
xspa tc?
ds: guidance from jamie clark et al was that the saml profile should be done
where
there is saml expertise
bc: back to motion, any further discuss? (none)
bc: any obj to unanimous consent to moving
profile to initial 60 day pub review? hearing none, motion passes.
Resolved: place xspa-saml-profile-cd-01 into 60-day public review.
need AIs to ensure pkg is prepared and send it off to TC admins.
AI: Duane DeCouteau (dd): will take AI to do packaging of
xspa-saml-profile-cd-01 for public review
ds: they will state other orgs that shud be notified of this pub rev, e.g.
HITSP
AI bc: co-chairs will take AI to notify TC admin once receive pkg
> 3. Discussion Threads
>
> 3.1 Comments on HoK Web Browser & Assertion Profiles
> http://lists.oasis-open.org/archives/security-services-comment/200811/mailli
> st.html
bc: seems to be on-going disc on this, do we need broader disc?
Nate Klingenstein (nk): will incorp feedback into another rev of the spec --
hopefully
in next 3/4 days will be draft -11
ts: will take a pass on it once it arrives
> 3.2 New SAML profiles for XRI
> http://lists.oasis-open.org/archives/security-services/200811/msg00056.html
bc: re-remind folks about these.
Peter Davis (pd): is info heads-up. are going to be worked on in XRI tc.
> 3.3 XAdES support in SAML?
> http://lists.oasis-open.org/archives/security-services/200811/msg00074.html
bc: msg scott sent a bit ago, no responses
sc: it came up in IMI tc (icard) -- it may come up as an issues that sstc may
want
to make a stmt about in the future -- coming up on part of cardspace
deployers
bc: if anyone has bkgrnd/time to look into this, please do so.
> 4. Other business
none.
> 5. Action Items (Report created 01 December 2008 01:05pm EST)
>
> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS
> template
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---
remains open
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---
remains open
============================================================================
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]