Subject: SSTC meeting minutes 2009-02-10
Proposed Agenda
SSTC Conference Call
February 10, 2009, 12:00pm ET
Dial in info: +1 215 446 3648
Access code 270-9441#

Roll Call & Agenda Review

Secretary Anil Saldhana took roll:

Voting Members
---------------------------
Rob Philpott          EMC Corporation
John Bradley          Individual
Jeff Hodges           Individual
Scott Cantor          Internet2
Nathan Klingenstein   Internet2
Bob Morgan            Internet2
Tom Scavo             National Center for Supercomputing Applica...
Frederick Hirsch      Nokia Corporation
Ari Kermaier          Oracle Corporation
Hal Lockhart          Oracle Corporation
Brian Campbell        Ping Identity Corporation
Anil Saldhana         Red Hat
Kent Spaulding        Skyworth TTG Holdings Limited
Duane DeCouteau       Veterans Health Administration
David Staggs          Veterans Health Administration

Members
-----------------
Thomas Hardjono       M.I.T.
Joni Brennan          Liberty Alliance Project

Quorum: 15 out of 21 Voting Members (71%)

Membership Status: Joni gained voting rights.

Co-chair Brian Campbell reviewed the agenda.

Brian calls for a volunteer to take minutes: Tom Scavo volunteers to take minutes for today's conference call.

1. Minutes

1.1 Minutes from SSTC/SAML conference call January 27, 2009
http://lists.oasis-open.org/archives/security-services/200901/msg00041.html

Brian calls for objections or discussion regarding the above minutes. There being none, the minutes are unanimously approved.

2. Announcements

2.1 Call for Presentations | Two New Opportunities for OASIS Members
http://lists.oasis-open.org/archives/security-services/200902/msg00020.html

Given the current state of the economy, it is unlikely there will be many travelers to these European "Security" events, but SSTC members are encouraged to get involved if they do indeed plan on attending.

3. Document Status

3.1 SAML V2.0 Metadata Extension for Entity Attributes (CD 1)
http://lists.oasis-open.org/archives/security-services/200902/msg00012.html
http://wiki.oasis-open.org/security/SAML2MetadataAttr

Committee Draft 01 of the SAML V2.0 Metadata Extension for Entity Attributes was uploaded by Scott Cantor on 6 Feb 2009. No comments have since been received. Scott is content to wait for the next "batch" of documents to be released for Public Review, assuming such documents are forthcoming. This seems to depend on the status of the holder-of-key family of specifications. Brian suggests this will be considered later in the call.

3.2 SAML V2.0 Metadata Interoperability Profile (draft 3)
http://lists.oasis-open.org/archives/security-services/200902/msg00016.html
http://wiki.oasis-open.org/security/SAML2MetadataIOP

Draft 03 of the SAML V2.0 Metadata Interoperability Profile was uploaded by Scott Cantor on 6 Feb 2009. No additional comments have been received, but Scott expects another round of comments since the name of the specification is still open. Scott has considered adding the word "runtime" to the title, but he's not satisfied with the result, so he hasn't yet posted a concrete suggestion to the list. SSTC members should send title suggestions and other comments regarding this profile to the list. Other than the title issue, Scott is not aware of any other open issues that remain with this specification.

3.3 SAML V2.0 Condition for Delegation Restriction (draft 1)
http://lists.oasis-open.org/archives/security-services/200902/msg00018.html
Rationale: http://lists.oasis-open.org/archives/security-services/200902/msg00000.html
http://wiki.oasis-open.org/security/SAML2DelegationCondition

Draft 01 of the SAML V2.0 Condition for Delegation Restriction was uploaded by Scott Cantor on 8 Feb 2009. There have been no comments regarding this specification as of yet. Please read the rationale behind this profile (referenced above) and send your comments to the list.

Brian: This profile makes sense, but from a programmatic standpoint I wonder if SAML conditions are actually checked in practice?

Scott: If true, that's a serious bug that needs to be fixed. If this specification serves to expose such bugs, then that is reason enough for its existence (besides the specific use case it happens to address).

Brian: But unrecognized conditions may be ignored by the relying party, right?

Scott: No, in that case the validity of the assertion is "Indeterminate" and MUST be rejected, as discussed in section 2.5.1.1 of Core.

Scott: In retrospect, Liberty should have addressed this issue. Critical conditions MUST NOT be ignored.

Conclusion: Implementers are strongly encouraged to check their implementations for the correct behavior with respect to SAML conditions.

3.4 AuthnContext LOA profile (Paul taking over Eric T's work)
http://lists.oasis-open.org/archives/security-services/200902/msg00021.html
http://wiki.oasis-open.org/security/SAML2LOAAuthnCtxProfile

There's nothing new content-wise with respect to this profile. Paul Madsen is the new editor for this document.

[Scribe's note: The following agenda item was added just-in-time in response to the question posed in the discussion surrounding agenda item 3.1 above.]

3.5 Holder-of-key family of specifications
http://wiki.oasis-open.org/security/SAMLHoKSubjectConfirmation
http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile

Nate Klingenstein has reviewed draft 11 of the SAML V2.0 Holder-of-Key Web Browser SSO Profile but has no comments. Tom Scavo claims draft 09 of the SAML V2.0 Holder-of-Key Assertion Profile is fully baked and ready to go. It is expected that both specifications will be considered for CD status at the next meeting. Folks are encouraged to review the drafts before the next call. Send comments to the SSTC mailing list as always.

4. Discussion

4.1 MIT Kerb
http://lists.oasis-open.org/archives/security-services/200902/msg00007.html

Jeff Hodges gives the following introduction:

The above white paper was sponsored by the MIT Kerberos Consortium (http://www.kerberos.org/), and is therefore Kerberos-centric. The document contains a strategic analysis, gap analysis, and recommendations regarding Kerberos in a web context. It addresses the question of how to leverage Kerberos (using SAML) in a web context. This document seems to be of interest to a number of people. For instance, Microsoft deployments are Kerberos-based in disguise.

From a SAML point of view, one question is: do we want to bind SAML assertions to Kerberos tickets (for authorization purposes)? One possible path forward is to develop a SAML profile for conveying Kerberos tickets via SAML protocols. Note that we already have the WS-Security Kerberos Token Profile. A future rev of this spec is desirable. SAML metadata could be leveraged in a cross-realm Kerberos environment for the web.

What if Kerberos authentication is used at the identity provider? Can the Kerberos authentication context be better leveraged down the line, by relying parties? Currently, we find deployments that solve this problem using proprietary methods. The goal is to standardize the use of Kerberos in a web context. Hence, this issue may be of interest to the SSTC.

Note that there is a new mailing list devoted to this topic. (Read the above announcement for details.) Please join in the discussion. SSTC input, in particular, is welcome.

Thomas Hardjono: Thanks to Jeff for the fine introduction. Kerberos on the web is a project that is just beginning at the MIT Kerberos Consortium. We are looking for strategic directions, specifically how to use Kerberos as a web authentication mechanism. The above white paper does a good job of identifying relevant work items. SAML plays a potentially big role, which is why I have recently joined the SSTC.

4.2 OpenID Mobile Profile
http://lists.oasis-open.org/archives/security-services/200902/msg00005.html

See the above reference for relevant discussion. Any further discussion?

Brian agrees with Scott that mobile devices already have the required technology (e.g., JavaScript).

Nate: There is a mobile provider in Japan that is already heavily invested in OpenID on mobile devices.

Scott: Doesn't understand why the usual SAML flow wouldn't work in the case of mobile devices. If there's a question pertaining to artifact, he doesn't really understand what that is. This doesn't seem applicable to OpenID, in any event.

John Bradley: The mobile providers don't really want to pass messages through the handset.

Scott: The RP can contact the OP, but not vice versa. Is that the issue?

John: Well, one issue is that the mobile providers would rather maintain a familiar flow.

Brian: As far as I can tell, there doesn't seem to be anything for the SSTC to do at this point.

5. Other business

Brian has none. Anyone else? No.

6. Action Items (Report created 09 February 2009 01:17pm EST)

#0345: Propose wording for SessionNotOnOrAfter attribute errata for core
Owner: Scott Cantor
Status: Open
Assigned: 2009-02-09
Due: ---

Still open.

Meeting adjourned. Next meeting scheduled for Tuesday, February 24, 2009.

-Brian Campbell

Minutes respectfully submitted by Tom Scavo (2009-02-10)
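The condition-processing point raised under item 3.3 (an unrecognized condition leaves an assertion "Indeterminate", which a relying party must reject rather than ignore), as an added Python example that is not part of the minutes or of any SSTC deliverable. It assumes the evaluation rules of Core section 2.5.1.1 as summarized in the discussion, and the sample assertions and the "urn:example:ext" extension namespace are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def _ts(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing "Z"; fractional seconds dropped
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def evaluate_conditions(assertion_xml, now, my_audience):
    """Return 'Valid', 'Invalid' or 'Indeterminate' for the assertion's <Conditions>."""
    root = ET.fromstring(assertion_xml)
    conds = root.find(f"{{{SAML}}}Conditions")
    if conds is None:                      # no Conditions element at all: Valid
        return "Valid"
    results = []
    nb, noa = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if nb is not None:                     # Invalid if now is before NotBefore
        results.append("Valid" if now >= _ts(nb) else "Invalid")
    if noa is not None:                    # Invalid if now is on or after NotOnOrAfter
        results.append("Valid" if now < _ts(noa) else "Invalid")
    for cond in conds:
        if cond.tag == f"{{{SAML}}}AudienceRestriction":
            allowed = [a.text.strip() for a in cond.findall(f"{{{SAML}}}Audience")]
            results.append("Valid" if my_audience in allowed else "Invalid")
        else:
            # Any condition this relying party does not implement (OneTimeUse,
            # ProxyRestriction, an extension Condition) is Indeterminate, never ignored
            results.append("Indeterminate")
    if "Invalid" in results:
        return "Invalid"
    if "Indeterminate" in results:
        return "Indeterminate"
    return "Valid"

def accept_assertion(assertion_xml, now, my_audience):
    # Only a 'Valid' evaluation is acceptable; Indeterminate is rejected like Invalid
    return evaluate_conditions(assertion_xml, now, my_audience) == "Valid"

# Constructed sample assertions (hypothetical issuer and audience, not a real deployment)
def _assertion(extra=""):
    return (f'<Assertion xmlns="{SAML}" ID="_c1" Version="2.0" IssueInstant="2009-02-10T17:00:00Z">'
            '<Issuer>https://idp.example.org</Issuer>'
            '<Conditions NotBefore="2009-02-10T17:00:00Z" NotOnOrAfter="2009-02-10T17:05:00Z">'
            '<AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction>'
            f'{extra}</Conditions></Assertion>')

NOW = datetime(2009, 2, 10, 17, 1, tzinfo=timezone.utc)
PLAIN = _assertion()
WITH_UNKNOWN = _assertion('<Condition xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
                          'xmlns:ext="urn:example:ext" xsi:type="ext:DelegationRestrictionType"/>')
```

Running accept_assertion(WITH_UNKNOWN, NOW, "https://sp.example.org") returns False even though the time window and audience check out, which is the behavior implementers are asked to verify.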