security-services message

Subject: Draft Minutes for June 30 2009 SSTC Call

Draft Minutes, Frederick Hirsch
SSTC Conference Call
June 30, 2009, 12:00pm ET

1. Roll Call & Agenda Review

Roll taken and quorum established.

2. Need a volunteer to take minutes

Frederick Hirsch volunteered to take minutes.

3. Approval of minutes from last meeting (2 June 2009)

Motion: Approve minutes from 2 June 2009
Moved by Eve, seconded by Nate.
Motion passed - Minutes approved without objection.

4. AIs & progress on current work-items:

(a) Request TC Admin to launch an electronic ballot.

All documents are now in CD format. In progress, open action for
chairs. Hal Lockhart took the action item on this.

(b) 15-Day review of revised XSPA profile.

David Staggs will put comments into spreadsheet for committee, for  
discussion on next teleconference.

(c) 15-Day review of sstc-saml-approved-errata-2.0-draft-49.

Hal Lockhart will take action to start formal review.
Scott Cantor has action to produce redline drafts, but this is not in  
critical path for starting public review. He noted the document for  
review is ready.

(d) Progress on getting Jira instance for SSTC (Scott).

Scott Cantor will contact Mary McRae again; this item was deferred.

(e) Dwayne to add a page for the XSPA page in the SAML wiki.

This remains open.

(f) SAML V2.0 Holder-of-Key Assertion Request Profiles.

Tom Scavo noted the draft was uploaded to Kavi. Some comments were received on the SAML
dev list. Considering a comment regarding the need for TLS.
Planning to produce a third draft.

(g) SAML LOA Assurance profile.

Bob Morgan is working on this document with regard to authentication
context and how to express certified assurance levels in metadata. Still
working on this; planning to provide it before the next teleconference.

(i) Discuss comments received on HoK Profile (Tom/Nate):

a) SAML V2.0 Holder-of-Key Web Browser SSO Profile

Tom Scavo noted a thread initiated by Mark Stern during public review,
leading to a number of significant comments, plus a comment by Scott
Cantor, producing four comments in total. He has documented these comments in
the wiki (http://wiki.oasis-open.org/security/PublicComments20090326-20090525).

The document was reverted back to draft status, as draft 12. Lines 416-421 in the diff
show the most important changes in response to the comments,
emphasizing the dependency on the assertion profile to address man-in-the-middle
concerns. Relaxing the TLS requirement is not easy to do, so comment #2 was not
addressed; all others have been addressed.

Scott Cantor noted that if it is hard to do, the requirement could be left as is,
noting that it is a web browser profile, so it is reasonable to
keep the TLS requirement. Bob Morgan agreed.

Hal Lockhart asked if the commenter had a suggestion for an alternative
approach; the answer was to allow alternate secure channels.

Tom Scavo noted that draft 12 is not a substantive change, since the changes were
only clarifications and the TLS change was not made.

b) Holder of Key Assertion Profile comments

Some were requests for clarification. The question of SAML NameID was not
clear, so a paragraph was added at lines 258-260 of the draft 10 diff to clarify by
referencing the constrained delegation profile. Draft 10 had minor changes
and has been uploaded to Kavi.

Hal Lockhart suggested the committee respond to commenters with the
resolutions of the actions (link to wiki), indicating no action on the
suggested TLS change.

Hal Lockhart noted that if the changes are non-substantive, no
additional public review is needed.

Tom Scavo noted that the latest drafts include all changes.

Motion: Draft 12 of Holder-of-Key Web Browser SSO Profile and Draft
10 of HoK Assertion Profile be moved to Committee Draft.
Moved by Tom Scavo, seconded by Bob Morgan.
Motion passed - No objection to unanimous consent.

Action: Tom Scavo to produce CDs of Holder-of-Key Web Browser SSO
Profile and Holder of Key Assertion Profile.

Motion: Hold electronic ballot of Holder-of-Key Web Browser SSO
Profile and Holder of Key Assertion Profile.
Moved by Scott Cantor.
Seconded by Bob Morgan.
Motion passed - No objection to unanimous consent.

5. New work items:

(i) Kerberos HoK profile (Josh/Thomas):

Josh Howlett gave some background on the Kerberos Holder of Key and
attribute query profiles, and noted that he had shared proposals by email. He also
noted that he had shared a high-level architecture document on the list (PDF).

Three protocols are proposed: (i) encapsulating a Kerberos service
ticket, (ii) how to use an attribute query to ask for an attribute, and
(iii) using the holder of key assertion protocol to obtain confirmation
using Kerberos. The plan is to define a fourth protocol for the composition of
these for SSO.

Comments are requested; some questions are also noted in the documents.

Scott Cantor suggested combining the two profiles into one single
attribute profile. Scott Cantor has additional comments on the XML,
such as requests for multiple attributes (e.g. tickets). He will send a
message to the list with details.

Josh Howlett plans to have an update before the next teleconference. He
asked the committee whether, if the Kerberos HoK Assertion Profile is based on the
X.509 HoK profile, it would be confusing due to duplicate material. Tom
Scavo asked if the X.509 and Kerberos profiles could be unified in a
clear manner. He also noted that this would need to happen without unnecessarily
delaying the Web Browser SSO Profile. Tom, Josh and Nate
agreed it would be good to unify the documents into a single document.
The committee noted this would be a substantive change, requiring a
new CD.

Hal Lockhart suggested the editors work offline to produce a combined
document. The editors noted this will probably not be ready for the
next call.

Hal Lockhart will delay the request for a Committee Specification ballot
for the Holder of Key Assertion Profile, and will not hold one if a decision is
reached on the email list to have a combined document (to avoid confusion).

(ii) Attribute Query profile (Josh/Thomas):

Josh Howlett asked whether to support requests for
multiple service tickets at one time. It is not clear if use cases exist.

(iii) Encapsulating service ticket document

Josh Howlett noted this is a very simple profile that defines an
attribute; he will wait for comments from Scott Cantor.

Meeting adjourned.

regards, Frederick

Frederick Hirsch
