
security-services message


Subject: OASIS SSTC con call minutes 2009-02-24

SSTC Conference Call minutes
February 24, 2009, 12:00pm ET
Scribe:  RL "Bob" Morgan


  * The 2 holder-of-key drafts are accepted as Committee Drafts.

  * AI:  TomS will create CD versions of the 2 holder-of-key drafts.

Roll Call & Agenda Review

** Quorum achieved.

1. Minutes

1.1 Minutes from SSTC/SAML conference call February 10, 2009

** Approved without comment.

2. Announcements

2.1 SAML XML.org Forum: new posts

3. Document Status

3.1 SAML V2.0 Holder-of-Key Web Browser SSO Profile - Draft 11
Ready for Committee Draft vote?

TomS moves to accept as CD, NateK seconds.  Discussion:  none

**  Approved without objections.

3.2 SAML V2.0 Holder-of-Key Assertion Profile - Draft 9
Ready for Committee Draft vote?

ScottC moves to accept as CD, TomS seconds.  Discussion:
ScottC:  in section 2.4.1, line 255, constraints on KeyInfo "the current
   specification" refers to what?
TomS:  this doc, will make that clear
   will also make clear that second edition of XML Sig is basis

Scott:  would be good to have doc package for public review by next call.

**  Approved without objections.

4. Discussion

4.1 comments re draft-sstc-metadata-iop-03

ScottC:  intend to add text clarifying scope of spec in -04 rev
   note that PKI-oriented deployments may not find this profile useful
   doc name can be changed later if needed
HalL:  would be good to cast it as positive instead of negative
   ScottC:  will try

4.2 DAV issue with Redirect/Artifact bindings

ScottC:  Folks using Shib looking at situations where DAV (webdav/caldav)
   client co-resides with browser and shares cookie store, so SAML might be
   used.  Desire to permit use of PROPFIND etc, which is what DAV clients
   do first when redirected.  Intent of SAML spec seems to be to permit
   idempotent methods rather than just GET.  Maybe implementation note in
   Errata would suffice, rather than overhead of new binding.
TomS:  are there impl notes in main spec?
ScottC:  a few.
HalL:  could loosening this create vulnerability?
ScottC:  doesn't change message flow, just permit new methods
ScottC:  taking this seriously with a binding would mean replacing old
   bindings, which would be big deal

5. Other business


6. Action Items (Report created 23 February 2009 09:52pm EST)

#0345: Propose wording for SessionNotOnOrAfter attribute errata for core
Owner: Scott Cantor
Status: Open
Assigned: 2009-02-09
Due: ---

Remains open.

Adjourned at 12:32 EST.


Voting Members
Rob Philpott   EMC Corporation
John Bradley  Individual
Jeff Hodges  Individual
Scott Cantor  Internet2
Nathan Klingenstein  Internet2
Bob Morgan   Internet2
Tom Scavo   NCSA
Frederick Hirsch   Nokia Corporation
Ari Kermaier    Oracle Corporation
Hal Lockhart    Oracle Corporation
Brian Campbell   Ping Identity Corporation
Anil Saldhana   Red Hat
Kent Spaulding   Skyworth TTG Holdings Limited
Emily Xu   Sun Microsystems
Duane DeCouteau  Veterans Health Administration

Quorum Achieved: 15 out of 21 voting members (71%)

Membership Status Change: Eve Maler,  Paul Madsen, Peter Davis and Srinath
   Godavarthy lost voting rights.
