security-services message

Subject: SSTC meeting minutes 2009-02-10


Proposed Agenda SSTC Conference Call
February 10, 2009, 12:00pm ET

Dial in info: +1 215 446 3648
Access code 270-9441#

Roll Call & Agenda Review

Secretary Anil Saldhana took roll:

Voting Members
---------------------------
Rob Philpott     EMC Corporation
John Bradley    Individual
Jeff Hodges    Individual
Scott Cantor    Internet2
Nathan Klingenstein    Internet2
Bob Morgan    Internet2
Tom Scavo    National Center for Supercomputing Applica...
Frederick Hirsch    Nokia Corporation
Ari Kermaier    Oracle Corporation
Hal Lockhart    Oracle Corporation
Brian Campbell    Ping Identity Corporation
Anil Saldhana    Red Hat
Kent Spaulding    Skyworth TTG Holdings Limited
Duane DeCouteau    Veterans Health Administration
David Staggs    Veterans Health Administration

Members
-----------------
Thomas Hardjono    M.I.T.
Joni Brennan    Liberty Alliance Project

Quorum:  15 out of 21 Voting Members (71%)

Membership Status: Joni gained voting rights.

Co-chair Brian Campbell reviewed the agenda.

Brian calls for a volunteer to take minutes:

Tom Scavo volunteers to take minutes for today's conference call.

1. Minutes

1.1 Minutes from SSTC/SAML conference call January 27, 2009
http://lists.oasis-open.org/archives/security-services/200901/msg00041.html

Brian calls for objections to or discussion of the above minutes.
There being none, the minutes are unanimously approved.

2. Announcements

2.1 Call for Presentations | Two New Opportunities for OASIS Members
http://lists.oasis-open.org/archives/security-services/200902/msg00020.html

Given the current state of the economy, it is unlikely there will be
many travelers to these European "Security" events, but SSTC members
are encouraged to get involved if they do indeed plan on attending.

3. Document Status

3.1 SAML V2.0 Metadata Extension for Entity Attributes (CD 1)
http://lists.oasis-open.org/archives/security-services/200902/msg00012.html

http://wiki.oasis-open.org/security/SAML2MetadataAttr

Committee Draft 01 of the SAML V2.0 Metadata Extension for Entity
Attributes was uploaded by Scott Cantor on 6 Feb 2009.  No comments
have since been received.

Scott is content to wait for the next "batch" of documents to be
released for Public Review, assuming such documents are forthcoming.
This seems to depend on the status of the holder-of-key family of
specifications.  Brian suggests this will be considered later in the
call.

3.2 SAML V2.0 Metadata Interoperability Profile (draft 3)
http://lists.oasis-open.org/archives/security-services/200902/msg00016.html

http://wiki.oasis-open.org/security/SAML2MetadataIOP

Draft 03 of the SAML V2.0 Metadata Interoperability Profile was
uploaded by Scott Cantor on 6 Feb 2009.  No additional comments have
been received, but Scott expects another round of comments since the
name of the specification is still open.  Scott has considered adding
the word "runtime" to the title but he's not satisfied with the
result, so he hasn't yet posted a concrete suggestion to the list.
SSTC members should send title suggestions and other comments
regarding this profile to the list.

Other than the title issue, Scott is not aware of any other open
issues that remain with this specification.

3.3 SAML V2.0 Condition for Delegation Restriction (draft 1)
http://lists.oasis-open.org/archives/security-services/200902/msg00018.html
Rationale:
http://lists.oasis-open.org/archives/security-services/200902/msg00000.html

http://wiki.oasis-open.org/security/SAML2DelegationCondition

Draft 01 of the SAML V2.0 Condition for Delegation Restriction was
uploaded by Scott Cantor on 8 Feb 2009.  There have been no comments
regarding this specification as of yet.  Please read the rationale
behind this profile (referenced above) and send your comments to the
list.

Brian: This profile makes sense, but from a programmatic standpoint I
wonder if SAML conditions are actually checked in practice?

Scott: If true, that's a serious bug that needs to be fixed.  If this
specification serves to expose such bugs, then that is reason enough
for its existence (besides the specific use case it happens to
address).

Brian: But unrecognized conditions may be ignored by the relying party, right?

Scott: No, in that case the validity of the assertion is
"Indeterminate" and MUST be rejected, as discussed in section 2.5.1.1
of Core.

Scott:  In retrospect, Liberty should have addressed this issue.
Critical conditions MUST NOT be ignored.

Conclusion:  Implementers are strongly encouraged to check their
implementations for the correct behavior with respect to SAML
conditions.
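As an added illustration of the processing rule Scott cites (example code written for these minutes, not from the SSTC or from any SAML implementation), the following evaluates an assertion's Conditions element the way Core section 2.5.1.1 describes: each attribute and sub-element yields Valid, Invalid or Indeterminate, any condition the relying party does not understand is Indeterminate rather than ignored, Invalid outranks Indeterminate, and only Valid is accepted. It assumes a constructed sample assertion, a constructed extension condition type (ext:DelegationLikeType, standing in for any condition the relying party does not implement) and https://sp.example.org as the relying party's entityID.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
VALID, INVALID, INDETERMINATE = "Valid", "Invalid", "Indeterminate"

def saml_time(value):
    # SAML dateTime values are UTC "Z" timestamps; fractional seconds are dropped here.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def evaluate_conditions(assertion_xml, now, my_entity_id):
    """Return Valid / Invalid / Indeterminate for one assertion's <Conditions>."""
    cond = ET.fromstring(assertion_xml).find("{%s}Conditions" % SAML)
    if cond is None:
        return VALID  # no Conditions element at all: nothing to fail
    results = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is not None and now < saml_time(nb):
        results.append(INVALID)
    if noa is not None and now >= saml_time(noa):
        results.append(INVALID)
    for child in cond:
        if child.tag == "{%s}AudienceRestriction" % SAML:
            audiences = {a.text.strip() for a in child.findall("{%s}Audience" % SAML)}
            results.append(VALID if my_entity_id in audiences else INVALID)
        elif child.tag in ("{%s}OneTimeUse" % SAML, "{%s}ProxyRestriction" % SAML):
            # Understood conditions; the replay cache and proxy-depth checks they
            # imply are omitted from this example, so they contribute Valid here.
            results.append(VALID)
        else:
            # Any other child, including <Condition xsi:type="..."> extensions such
            # as a delegation restriction, is not understood: Indeterminate, never ignored.
            results.append(INDETERMINATE)
    if INVALID in results:  # Invalid outranks Indeterminate
        return INVALID
    return INDETERMINATE if INDETERMINATE in results else VALID

def accept_assertion(assertion_xml, now, my_entity_id):
    """Only Valid is acceptable; Indeterminate is rejected just like Invalid."""
    return evaluate_conditions(assertion_xml, now, my_entity_id) == VALID

def sample_assertion(extra=""):
    # Constructed sample assertion (unsigned, not from any real deployment).
    return ('<saml:Assertion xmlns:saml="%s" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<saml:Conditions NotBefore="2009-02-10T17:00:00Z" NotOnOrAfter="2009-02-10T17:05:00Z">'
            '<saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience>'
            '</saml:AudienceRestriction>%s</saml:Conditions></saml:Assertion>') % (SAML, extra)
```

Feeding an assertion with an extra `<saml:Condition xsi:type="ext:DelegationLikeType" .../>` through `accept_assertion` returns False even when the validity window and audience are fine, which is the behaviour an implementation should be checked for.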

3.4 AuthnContext LOA profile (Paul taking over Eric T's work)
http://lists.oasis-open.org/archives/security-services/200902/msg00021.html

http://wiki.oasis-open.org/security/SAML2LOAAuthnCtxProfile

There's nothing new content-wise with respect to this profile.  Paul
Madsen is the new editor for this document.

[Scribe's note:  The following agenda item was added just-in-time in
response to the question posed in the discussion surrounding agenda
item 3.1 above.]

3.5 Holder-of-key family of specifications

http://wiki.oasis-open.org/security/SAMLHoKSubjectConfirmation
http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile

Nate Klingenstein has reviewed draft 11 of the SAML V2.0 Holder-of-Key
Web Browser SSO Profile but has no comments.  Tom Scavo claims draft
09 of the SAML V2.0 Holder-of-Key Assertion Profile is fully baked and
ready to go.  It is expected that both specifications will be
considered for CD status at the next meeting.  Folks are encouraged to
review the drafts before the next call.  Send comments to the SSTC
mailing list as always.

4. Discussion

4.1 MIT Kerb
http://lists.oasis-open.org/archives/security-services/200902/msg00007.html

Jeff Hodges gives the following introduction:

The above white paper was sponsored by the MIT Kerberos Consortium
(http://www.kerberos.org/), and is therefore Kerberos-centric.  The
document contains a strategic analysis, gap analysis, and
recommendations regarding Kerberos in a web context.  It addresses the
question of how to leverage Kerberos (using SAML) in a web context.

This document seems to be of interest to a number of people.  For
instance, Microsoft deployments are Kerberos-based in disguise.  From
a SAML point of view, one question is whether we want to bind SAML
assertions to Kerberos tickets (for authorization purposes).  One
possible path forward is to develop a SAML profile for conveying
Kerberos tickets via SAML protocols.

Note that we already have the WS-Security Kerberos Token Profile.  A
future rev of this spec is desirable.

SAML metadata could be leveraged in a cross-realm Kerberos environment
for the web.

What if Kerberos authentication is used at the identity provider?  Can
the Kerberos authentication context be better leveraged down the line,
by relying parties?  Currently, we find deployments that solve this
problem using proprietary methods.  The goal is to standardize the use
of Kerberos in a web context.  Hence, this issue may be of interest to
the SSTC.

Note that there is a new mailing list devoted to this topic.  (Read
the above announcement for details.)  Please join in the discussion.
SSTC input, in particular, is welcome.

Thomas Hardjono: Thanks to Jeff for the fine introduction.  Kerberos
on the web is a project that is just beginning at the MIT Kerberos
Consortium.  We are looking for strategic directions, specifically how
to use Kerberos as a web authentication mechanism.  The above white
paper does a good job of identifying relevant work items.  SAML plays
a potentially big role, which is why I have recently joined the SSTC.

4.2 OpenID Mobile Profile
http://lists.oasis-open.org/archives/security-services/200902/msg00005.html

See the above reference for relevant discussion.  Any further
discussion?  Brian agrees with Scott that mobile devices already have
the required technology (e.g., JavaScript).

Nate: There is a mobile provider in Japan that is already heavily
invested in OpenID on mobile devices.

Scott: Doesn't understand why the usual SAML flow wouldn't work in the
case of mobile devices.  If there's a question pertaining to artifact,
he doesn't really understand what that is.  This doesn't seem
applicable to OpenID, in any event.

John Bradley: The mobile providers don't really want to pass messages
through the handset.

Scott: The RP can contact the OP, but not vice versa.  Is that the issue?

John: Well, one issue is that the mobile providers would rather
maintain a familiar flow.

Brian: As far as I can tell, there doesn't seem to be anything for the
SSTC to do at this point.

5. Other business

Brian has none.

Anyone else?  No.

6. Action Items (Report created 09 February 2009 01:17pm EST)

#0345: Propose wording for SessionNotOnOrAfter attribute errata for core
Owner: Scott Cantor
Status: Open
Assigned: 2009-02-09
Due: ---

Still open.

Meeting adjourned.  Next meeting scheduled for Tuesday, February 24, 2009.

-Brian Campbell

Minutes respectfully submitted by Tom Scavo (2009-02-10)

