Subject: Draft minutes from 5 May 2009 SSTC call
1 Minutes

1.1 Minutes from SSTC/SAML conference call April 7, 2009
http://lists.oasis-open.org/archives/security-services/200904/msg00011.html
Unanimously approved.

2 Announcements

2.1 Public spec review still under way
http://lists.oasis-open.org/archives/security-services/200903/msg00062.html
Review ends May 25th.
Informal AI: Scott will talk to Mary about getting a Jira instance for the SSTC.

2.2 Comment requested by W3C Signature WG on the need for DTDs in ongoing specs and on elliptic curve status
http://lists.oasis-open.org/archives/security-services/200904/msg00012.html
Feedback encouraged.

2.3 Reminder: 4 week schedule, next call is June 2.

2.4 Next meeting: review planned work
During the June 2 call, would like to discuss impending/future work plans, to plan for future activity of the TC. Not necessary to actually supply drafts of new work at that time.

3 Discussion

3.1 Review of XSPA PR comments
Still outstanding: David et al. to update the spreadsheet with proposed changes.

3.2 Comment on saml-loa-authncontext-profile: remove 800-63 schemas
http://lists.oasis-open.org/archives/security-services/200904/msg00013.html
Discussion, with agreement on Bob's point. Paul agreed to remove specific references to NIST LOA values in a new draft.

3.3 Assorted threads on saml-dev/comment list
Nate discusses the degree to which the HoK SSO profile is vulnerable to MitM attacks. The current text claims it's much harder, but doesn't detail when that's actually prevented. Suggests we make it explicit that the IdP should strongly establish PoP of the key it puts into the HoK assertion. This still keeps it flexible, but makes it clearer that you give up MitM protection if you don't do this. The SP also gets AuthnContext information to help it decide whether the IdP did something that's strong enough. Tom notes the language we want is in the HoK Assertion profile, so if we can make that reference more explicit, it would help.

Further discussion on the advanced use cases that can be achieved by varying the certificates or keys on each leg. Tom notes these kinds of things are already covered by the Assertion profile. Concerns expressed over complexity, or the risk of getting implementations with mistakes, if we leave flexibility on certificates between legs, but agreement that it's better to leave it flexible and provide recommendations to implementers. Scott noted that interop might require enumerating specific authentication approaches to the IdP for conformance.

4 Other business
Scott will try to do an errata draft in time for the next call.

5 Action items
None open.

Adjourned.
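As an added illustration of the point discussed under item 3.3, and not part of these minutes or of any SSTC specification or implementation: the SP side of the HoK check, written here in Python over a constructed SAML 2.0 assertion. It shows the two things the discussion separates: (a) whether the key the IdP bound into the holder-of-key SubjectConfirmation is the key the browser proved possession of on the TLS leg to the SP, and (b) the AuthnContext class the SP can consult to judge whether the IdP's own proof-of-possession of that key was strong enough. The certificate bytes are placeholders, not real DER, and the example assumes the assertion's XML signature has already been verified by the caller; the policy that treats the TLSClient class as adequate PoP is an assumption local to this example.

```python
"""Added example for SSTC minutes item 3.3 (HoK SSO and MitM).

Assumptions (not from the minutes or the SAML specs):
  * the caller has already verified the assertion's XML signature;
  * the HoK KeyInfo carries ds:X509Certificate (other KeyInfo forms exist
    in the profile and are not handled here);
  * which AuthnContext classes count as strong PoP is SP-local policy.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
TLS_CLIENT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"

# Constructed placeholders standing in for DER certificates (not real X.509).
USER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER cert: user").decode()
ATTACKER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER cert: mitm").decode()

# Constructed HoK assertion: the IdP bound the user's certificate into the
# SubjectConfirmation and reports that the user authenticated to it over TLS
# client auth with that key.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_constructed" Version="2.0" IssueInstant="2009-05-05T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"
          Recipient="https://sp.example.org/acs" NotOnOrAfter="2009-05-05T00:05:00Z">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {USER_CERT_B64}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2009-05-05T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{TLS_CLIENT_CLASS}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def _cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the decoded bytes, so base64 line wrapping does not matter."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def check_hok_assertion(assertion_xml: str, presented_cert_b64: str) -> dict:
    """Compare the TLS client cert presented to the SP against every HoK
    SubjectConfirmation in the assertion; also surface the AuthnContext."""
    root = ET.fromstring(assertion_xml)
    presented = _cert_fingerprint(presented_cert_b64)

    ctx_el = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ctx = ctx_el.text.strip() if ctx_el is not None and ctx_el.text else None

    hok = [c for c in root.findall(".//saml:Subject/saml:SubjectConfirmation", NS)
           if c.get("Method") == HOK_METHOD]
    if not hok:
        return {"confirmed": False, "reason": "no holder-of-key SubjectConfirmation", "authn_context": ctx}

    for conf in hok:
        for cert_el in conf.findall(
                "./saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert_el.text and _cert_fingerprint(cert_el.text) == presented:
                return {"confirmed": True, "reason": "TLS client cert matches HoK KeyInfo", "authn_context": ctx}

    # A MitM that terminated the SP-side TLS with its own cert lands here:
    # it relays the assertion but cannot prove possession of the bound key.
    return {"confirmed": False, "reason": "presented cert matches no HoK KeyInfo", "authn_context": ctx}


def sp_accepts(result: dict, strong_pop_classes: set) -> bool:
    """SP-local policy (assumption): the key must match AND the IdP must report
    an AuthnContext class the SP treats as strong PoP of that key. Without the
    second condition, an IdP that merely copied a browser-presented cert into
    the assertion would give the SP no real MitM protection."""
    return bool(result["confirmed"] and result["authn_context"] in strong_pop_classes)


if __name__ == "__main__":
    policy = {TLS_CLIENT_CLASS}
    for label, cert in (("legitimate user", USER_CERT_B64), ("relaying MitM", ATTACKER_CERT_B64)):
        r = check_hok_assertion(SAMPLE_ASSERTION, cert)
        print(f"{label}: confirmed={r['confirmed']} ({r['reason']}), "
              f"authn_context={r['authn_context']}, accepted={sp_accepts(r, policy)}")
```

The first check is what the HoK Web Browser SSO profile already requires of the SP; the second is the point raised in the call: it only buys MitM protection if the IdP actually established possession of the key before binding it, which is why the AuthnContext (or an explicit profile statement of IdP-side PoP) matters to the SP's decision.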