security-services message


Subject: Draft minutes from 5 May 2009 SSTC call

1 Minutes

1.1 Minutes from SSTC/SAML conference call April 7, 2009

Unanimously approved.

2 Announcements

2.1 Public spec review still under way
Review ends May 25th

Informal AI: Scott will talk to Mary about getting a Jira instance for SSTC.

2.2 Comment requested by W3C Signature WG on need for DTDs in ongoing specs and on elliptic curve status.

Feedback encouraged.

2.3 Reminder, 4 week schedule, next call is June 2.

2.4 Next meeting: review planned work
During June 2 call, would like to discuss impending/future work plans, to
plan for future activity of TC. Not necessary to actually supply drafts of
new work at that time.

3 Discussion

3.1 Review of XSPA PR comments
Still outstanding by David et al to update spreadsheet with proposed

3.2 Comment on saml-loa-authncontext-profile: remove 800-63 schemas

Discussion with agreement on Bob's point. Paul agreed to remove specific
references to NIST LOA values in a new draft.

3.3 Assorted threads on saml-dev/comment list

Nate discusses the degree to which the HoK SSO profile is vulnerable to MitM
attacks. Current text claims it's much harder, but doesn't detail when that's
actually prevented.

Suggests we make it explicit that the IdP should strongly establish PoP of
the key it puts into the HoK assertion. Still keeps it flexible, but it's
clearer that you give up MitM protection if you don't do this.

SP also gets AuthnContext information to help it decide whether the IdP did
something that's strong enough.

Tom notes the language we want is in the HoK Assertion profile, so if we can
make that reference more explicit, it would help.

Further discussions on the advanced use cases that can be achieved by
varying the certificates or keys on each leg. Tom notes these kinds of
things are already covered by the Assertion profile.

Concerns expressed over complexity or risk of getting implementations with
mistakes if we leave flexibility on certificates between legs, but agreement
that it's better to leave it flexible but provide recommendations to

Scott noted that interop might require enumerating specific authentication
approaches to IdP for conformance.

4 Other business

Scott will try and do an errata draft in time for next call.

5 Action items

None open.

