Subject: Re: [security-services] Minutes for May 5 Meeting with Attendance
Adding membership related changes.

Harold Lockhart wrote:

> Attendance
>
> Voting Members
>
> Rob Philpott, EMC Corporation
> John Bradley, Individual
> Jeff Hodges, Individual
> Scott Cantor, Internet2
> Nathan Klingenstein, Internet2
> Tom Scavo, National Center for Supercomputing Applications
> Peter Davis, NeuStar, Inc.
> Frederick Hirsch, Nokia Corporation
> Paul Madsen, NTT Corporation
> Ari Kermaier, Oracle Corporation
> Hal Lockhart, Oracle Corporation
> Anil Saldhana, Red Hat
> Kent Spaulding, Skyworth TTG Holdings Limited
> Emily Xu, Sun Microsystems
> David Staggs, Veterans Health Administration
>
> Members:

Brian Campbell, Ping Identity
Srinath Godavarthi, Nortel
Thomas Hardjono, MIT

Quorum: 14 out of 18 voting members. Quorum achieved.

Membership Status Changes:
- Joni Brennan (Liberty) lost voting rights.
- Srinath and Brian Campbell regained voting rights.
- Thomas Hardjono became a voting member.

> 1 Minutes
>
> 1.1 Minutes from SSTC/SAML conference call April 7, 2009
> http://lists.oasis-open.org/archives/security-services/200904/msg00011.html
>
> Unanimously approved.
>
> 2 Announcements
>
> 2.1 Public spec review still under way
> http://lists.oasis-open.org/archives/security-services/200903/msg00062.html
> Review ends May 25th
>
> Informal AI: Scott will talk to Mary about getting a Jira instance for SSTC.
>
> 2.2 Comment requested by W3C Signature WG on need for DTDs in ongoing specs
> and on elliptic curve status.
>
> http://lists.oasis-open.org/archives/security-services/200904/msg00012.html
>
> Feedback encouraged.
>
> 2.3 Reminder, 4 week schedule, next call is June 2.
>
> 2.4 Next meeting: review planned work
> During June 2 call, would like to discuss impending/future work plans, to
> plan for future activity of TC. Not necessary to actually supply drafts of
> new work at that time.
>
> 3 Discussion
>
> 3.1 Review of XSPA PR comments
> Still outstanding by David et al to update spreadsheet with proposed
> changes.
>
> 3.2 Comment on saml-loa-authncontext-profile: remove 800-63 schemas
> http://lists.oasis-open.org/archives/security-services/200904/msg00013.html
>
> Discussion with agreement on Bob's point. Paul agreed to remove specific
> references to NIST LOA values in a new draft.
>
> 3.3 Assorted threads on saml-dev/comment list
>
> Nate discusses degree to which HoK SSO profile is vulnerable to MitM
> attacks. Current text claims it's much harder, but doesn't detail when that's
> actually prevented.
>
> Suggests we make it explicit that the IdP should strongly establish PoP of
> the key it puts into the HoK assertion. Still keeps it flexible, but it's
> clearer that you give up MitM protection if you don't do this.
>
> SP also gets AuthnContext information to help it decide whether the IdP did
> something that's strong enough.
>
> Tom notes the language we want is in the HoK Assertion profile, so if we can
> make that reference more explicit, it would help.
>
> Further discussions on the advanced use cases that can be achieved by
> varying the certificates or keys on each leg. Tom notes these kinds of
> things are already covered by the Assertion profile.
>
> Concerns expressed over complexity or risk of getting implementations with
> mistakes if we leave flexibility on certificates between legs, but agreement
> that it's better to leave it flexible but provide recommendations to
> implementers.
>
> Scott noted that interop might require enumerating specific authentication
> approaches to IdP for conformance.
>
> 4 Other business
>
> Scott will try and do an errata draft in time for next call.
>
> 5 Action items
>
> None open.
>
> Adjourned.
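The SP-side check that item 3.3 turns on, as an added illustration that is not part of the minutes or of any SSTC specification or implementation: the SP only gets MitM protection from a holder-of-key assertion if it actually compares the key the IdP bound into the `SubjectConfirmation` against the key the browser proved possession of on the SP's own TLS leg, and then uses the `AuthnContext` to judge whether the IdP's proof-of-possession was strong enough. The assertion below is constructed, the certificate bytes are a placeholder rather than real DER, the set of acceptable AuthnContext classes is an assumed SP policy, and validation of the assertion's XML signature is assumed to have happened before this step.

```python
"""SP-side holder-of-key (HoK) subject confirmation check (added example)."""
import base64
from xml.etree import ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample: these bytes stand in for the DER of the client certificate
# the browser presented on the SP's TLS connection.
FAKE_DER = b"constructed-der-certificate-bytes"
FAKE_DER_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed HoK assertion: the IdP bound the same certificate into the
# SubjectConfirmation and reports how it authenticated the user.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_DER_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Assumed SP policy: which IdP authentication contexts count as strong enough
# proof-of-possession for the bound key.
ACCEPTABLE_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
}


def confirm_holder_of_key(assertion_xml, presented_cert_der):
    """Return (ok, reason). ok is True only when a holder-of-key
    SubjectConfirmation binds exactly the certificate the client presented."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        certs = sc.findall(
            "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
        )
        for cert in certs:
            bound = base64.b64decode("".join((cert.text or "").split()))
            if bound == presented_cert_der:
                return True, "holder-of-key confirmed"
        return False, "holder-of-key confirmation present but bound key differs from presented key"
    return False, "no holder-of-key subject confirmation"


def authn_context_class(assertion_xml):
    """Return the AuthnContextClassRef the IdP reported, or None."""
    root = ET.fromstring(assertion_xml)
    ref = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return (ref.text or "").strip() if ref is not None else None


def accept_hok_assertion(assertion_xml, presented_cert_der, acceptable=ACCEPTABLE_CONTEXTS):
    """Full SP decision: key binding must match, and the IdP's reported
    authentication context must be one the SP trusts for proof-of-possession."""
    ok, reason = confirm_holder_of_key(assertion_xml, presented_cert_der)
    if not ok:
        return False, reason
    ctx = authn_context_class(assertion_xml)
    if ctx not in acceptable:
        return False, f"IdP authentication context {ctx!r} not strong enough for HoK"
    return True, "accepted"


if __name__ == "__main__":
    print(accept_hok_assertion(ASSERTION, FAKE_DER))        # matching key: accepted
    print(accept_hok_assertion(ASSERTION, b"other-cert"))   # mismatched key: rejected
```

The second call models the man-in-the-middle case the minutes discuss: an intermediary that relays the assertion cannot present the bound certificate on its own TLS connection to the SP, so the key comparison fails and the assertion is rejected regardless of what the AuthnContext says.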