
security-services message


Subject: Minutes for May 5 Meeting with Attendance


Voting Members

Rob Philpott             EMC Corporation
John Bradley             Individual
Jeff Hodges              Individual
Scott Cantor             Internet2
Nathan Klingenstein      Internet2
Thomas Hardjono          M.I.T.
Tom Scavo                National Center for Supercomputing Applications
Peter Davis              NeuStar, Inc.
Frederick Hirsch         Nokia Corporation
Paul Madsen              NTT Corporation
Ari Kermaier             Oracle Corporation
Hal Lockhart             Oracle Corporation
Anil Saldhana            Red Hat
Kent Spaulding           Skyworth TTG Holdings Limited
Emily Xu                 Sun Microsystems
David Staggs             Veterans Health Administration

1 Minutes

1.1 Minutes from SSTC/SAML conference call April 7, 2009

Unanimously approved.

2 Announcements

2.1 Public spec review still under way
Review ends May 25th.

Informal AI: Scott will talk to Mary about getting a Jira instance for SSTC.

2.2 Comment requested by W3C Signature WG on the need for DTDs in ongoing
specs and on elliptic curve status.

Feedback encouraged.

2.3 Reminder: 4-week schedule, next call is June 2.

2.4 Next meeting: review planned work
During the June 2 call, would like to discuss impending/future work plans, to
plan for future activity of the TC. Not necessary to actually supply drafts of
new work at that time.

3 Discussion

3.1 Review of XSPA PR comments
Still outstanding: David et al. to update the spreadsheet with proposed

3.2 Comment on saml-loa-authncontext-profile: remove NIST 800-63 schemas

Discussion with agreement on Bob's point. Paul agreed to remove specific
references to NIST LOA values in a new draft.

3.3 Assorted threads on saml-dev/comment list

Nate discusses the degree to which the HoK SSO profile is vulnerable to MitM
attacks. The current text claims it's much harder, but doesn't detail when
that's actually prevented.

Suggests we make it explicit that the IdP should strongly establish proof of
possession (PoP) of the key it puts into the HoK assertion. This still keeps
it flexible, but makes it clearer that you give up MitM protection if you
don't do this.

The SP also gets AuthnContext information to help it decide whether the IdP
did something that's strong enough.
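The SP-side decision being discussed above, as an added example written for
this archive page (it is not SSTC text nor any implementation's code): the SP
checks that the certificate the IdP bound into the holder-of-key
SubjectConfirmation matches the one the client presented on the TLS
connection, and then consults the AuthnContextClassRef to judge whether the
IdP's authentication actually established PoP of that key. The accepted
AuthnContext set, the certificate byte strings and the assertion builder are
assumptions constructed for the example; signature verification and the usual
condition checks are assumed to have happened before this function runs.

```python
import base64
from xml.etree import ElementTree as ET

# Namespaces used by SAML 2.0 assertions and XML Signature KeyInfo.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Standard SAML 2.0 authentication context classes.
TLS_CLIENT_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
X509_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Hypothetical SP policy (an assumption of this example, not from the profile):
# only accept HoK assertions whose AuthnContext says the IdP authenticated the
# user with the key/certificate itself, i.e. it established proof of possession.
STRONG_POP_CONTEXTS = {TLS_CLIENT_CTX, X509_CTX}

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CLIENT_CERT_DER = b"constructed-der-for-alice-client-cert"
ATTACKER_CERT_DER = b"constructed-der-for-mitm-proxy-cert"


def build_assertion(cert_der: bytes, authn_context: str) -> str:
    """Construct a minimal, unsigned HoK assertion as example input only."""
    cert_b64 = base64.b64encode(cert_der).decode("ascii")
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_constructed" Version="2.0" IssueInstant="2009-05-05T20:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2009-05-05T20:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def check_hok_assertion(assertion_xml: str, presented_cert_der: bytes,
                        strong_contexts=STRONG_POP_CONTEXTS) -> dict:
    """SP-side holder-of-key checks.

    Assumes the XML signature, audience, validity window and issuer were already
    verified. Decides the two questions raised in the minutes:
      1. does the certificate the IdP bound into the assertion match the one the
         client proved possession of on this TLS connection (the HoK check), and
      2. does the AuthnContext indicate the IdP itself established PoP of that
         key, so that the binding actually defeats a man-in-the-middle.
    A production SP should parse untrusted XML with defusedxml or lxml with
    entity resolution disabled; stdlib ElementTree is used here to stay offline.
    """
    root = ET.fromstring(assertion_xml)
    result = {"hok_present": False, "key_matches": False,
              "authn_context": None, "strong_pop": False, "accept": False}

    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer or other confirmations give no MitM protection here
        result["hok_present"] = True
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for node in sc.findall(path, NS):
            # Tolerate line-wrapped base64; compare the full DER certificate.
            bound_cert = base64.b64decode("".join((node.text or "").split()))
            if bound_cert == presented_cert_der:
                result["key_matches"] = True

    ctx_node = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx_node is not None and ctx_node.text:
        result["authn_context"] = ctx_node.text.strip()
        result["strong_pop"] = result["authn_context"] in strong_contexts

    # Accept only when the HoK binding is present, matches the presented key,
    # and the IdP reports an authentication that established PoP of that key.
    result["accept"] = result["hok_present"] and result["key_matches"] and result["strong_pop"]
    return result


if __name__ == "__main__":
    # Legitimate flow: IdP bound alice's cert, alice presents it to the SP.
    print(check_hok_assertion(build_assertion(CLIENT_CERT_DER, TLS_CLIENT_CTX), CLIENT_CERT_DER))
    # MitM proxy relays the assertion but cannot present alice's cert: rejected.
    print(check_hok_assertion(build_assertion(CLIENT_CERT_DER, TLS_CLIENT_CTX), ATTACKER_CERT_DER))
    # IdP only checked a password over a connection a MitM terminated and bound
    # the MitM's cert; the key check passes, so AuthnContext is the only signal.
    print(check_hok_assertion(build_assertion(ATTACKER_CERT_DER, PASSWORD_CTX), ATTACKER_CERT_DER))
```

The third scenario is the point of the discussion: once the IdP has not itself
verified possession of the key, the assertion can bind an attacker's
certificate and the SP's key comparison passes; the AuthnContextClassRef is
then the only information the SP has to decide that the IdP "did something
strong enough".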

Tom notes the language we want is in the HoK Assertion profile, so if we can
make that reference more explicit, it would help.

Further discussions on the advanced use cases that can be achieved by
varying the certificates or keys on each leg. Tom notes these kinds of
things are already covered by the Assertion profile.

Concerns were expressed over the complexity, or the risk of implementations
with mistakes, if we leave flexibility on certificates between legs, but there
was agreement that it's better to leave it flexible and provide recommendations to

Scott noted that interop might require enumerating specific authentication
approaches to the IdP for conformance.

4 Other business

Scott will try to do an errata draft in time for the next call.

5 Action items

None open.

