OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Minutes: SSTC Conference Call (September 22nd, 2009)


> Proposed Agenda SSTC Conference Call
> September 22nd, 2009, 12:00pm ET

Thomas Hardjono presiding

> Dial in info: +1 408-774-4073
> Conference code: 4480739
> Password: 72657265 (SAMLSAML)
>
> 1. Roll Call & Agenda Review

Anil Saldhana took the Roll Call.

[insert Roll Call results here]

Aliases used below:

TS = Scavo, Tom
RP = Philpott, Rob
BM = Morgan, Mr Bob
AB = Barbir, Abbie
HL = Lockhart, Hal
DD = DeCouteau, Duane
SC = Cantor, Scott
NK = Klingenstein, Mr. Nathan
PM = Madsen, Paul
FH = Hirsch, Mr. Frederick
AS = Saldhana, Mr. Anil
TH = Hardjono, Mr. Thomas

New Action Items

- Port the SSTC Work Summary to the wiki [HL]
- Create new Working Drafts of the HoK Profiles [TS]
- Produce CD version of Identity Assurance profile and update the wiki [BM]
- Produce CD version of Condition for Delegation Restriction [SC]
- Investigate and report on CARML. [HL]
- Produce CS version of Text-based Challenge/Response profile [AS]
- Include the question whether or not to increase the frequency of meetings [TH]

> 2. Need a volunteer to take minutes

TS volunteered to take minutes

> 3. Approval of minutes from last meeting (25 August 2009):
> † http://www.oasis-open.org/apps/org/workgroup/security/email/archives/200908/msg00083.html

RP moves to accept the minutes, BM seconds. Motion carries unanimously.

> 4. AIs & progress update on current work-items:
>
> †(a) Current electronic ballots: none

SAML Status Presentation for the ITU-T

AB asked HL for a SAML update to be presented to the ITU-T. (There's a
formal arrangement between OASIS and ITU-T such that the latter
normally reviews and adopts OASIS Standards.) HL prepared a
presentation:

http://www.oasis-open.org/committees/download.php/34320/SAML%20Status%20for%20ITU-T.ppt

AB will actually make the presentation to ITU-T.

As a by-product, HL produced a work summary for the SSTC:

http://www.oasis-open.org/committees/download.php/34321/Post%20SAML%202.0%20Profiles.doc

Should this be included in the wiki? If so, at what level of visibility?

> †(b) Status of past (closed) ballots:
>
> † † † XSPA - spec has been submitted to OASIS for approval as Full Standard.

DD reports that the profile has been submitted to OASIS tc-admin for
OASIS Standard ballot. The familiarization period is anticipated to
begin on Oct 1, 2009.

DD also reports that both wikis have been updated.

> † † † SAML V2.0 Attribute Extensions Version 1.0
> † † † SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
> † † † SAML V2.0 Metadata Interoperability Profile Version 1.0

Minor errata were incurred as these documents transitioned from CD to
CS. SC has no plans to bring these documents back to the Working Draft
stage to correct these non-substantive errata.

SC posted relevant attestations to the mailing list:

http://lists.oasis-open.org/archives/security-services/200909/msg00035.html

If there any other implementations of these (or any other CS) specs,
please submit a formal attestation so these documents can move
forward.

> † † † SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as a CS
> † † † SAML V2.0 Holder-of-Key Assertion Profile Version 1.0

Similar to the previous three documents, TS reports that these two
documents also incurred errata as they were transitioned from CD to
CS. This includes a normative reference from the Holder-of-Key Web
Browser SSO Profile (CS) to the Holder-of-Key Assertion Profile (CD).
The only way to correct this (and other) errata is to bring these
documents back to Working Draft. NK agrees we should do this.

Editors take note: In the future, OASIS tc-admin will transition
documents from CD to CS. This means that all modifications to the CS
version (apart from dates and version numbers) must be anticipated in
advance.

> †(c) 15-Day review of sstc-saml-approved-errata-2.0-draft-49 (action for Hal)

This document was previously ost, then found. An announcement is imminent.

> †(d) Progress on getting Jira instance for SSTC (Scott).

No update.

> †(e) Dwayne to add a page for the XSPA page in the SAML wiki.
> † † http://www.oasis-open.org/apps/org/workgroup/security/ballots.php

DD reports this is done:

http://wiki.oasis-open.org/security/XSPASAML2Profile

> †(f) Kerberos related items (Josh):
> † † - Kerberos Attribute profile (draft-02):
> † † † http://www.oasis-open.org/apps/org/workgroup/security/download.php/34160/sstc-saml-attribute-kerberos-02.odt
>
> † † - Kerberos Subject Confirmation Method (draft-00):
> † † † http://www.oasis-open.org/apps/org/workgroup/security/download.php/34161/sstc-saml-kerberos-subject-confirmation-method%2000.odt

SC wonders if this new Confirmation Method (CM) is potentially
controversial. (The spec proposes a new CM rather than using the
existing holder-of-key CM.) It is likely WSS implementations may
break. Also we seem to be setting a precedent, which is not bad per
se, but we need to consider this proposal carefully.

For background information on issue, please consult the following
threads of discussion:

http://lists.oasis-open.org/archives/security-services/200906/msg00027.html
http://lists.oasis-open.org/archives/security-services/200907/msg00017.html
http://lists.oasis-open.org/archives/security-services/200908/msg00016.html

Further comments to the list, please.

> †(g) Expressing Identity Assurance profile for SAML2.0 (LOA) †(Bob Morgan)
> † † http://www.oasis-open.org/committees/download.php/34277/sstc-saml-assurance-profile-draft-01.pdf

BM uploaded a new version of this document (above). Some sections were
moved, an example was added, and other tweaks were made. No normative
changes were made, however. BM believes this document is ready for CD.
So moved (by BM). PM seconded. No objections. Motion caries
unanimously.

> †(h) Delegation Condition Extension Profile (Scott)

SC uploaded a new version of this document:

http://www.oasis-open.org/committees/download.php/34357/sstc-saml-delegation-cd-02.pdf

SC created a new introduction and included some new diagrams that
describe multiple actors. The goal was to motivate the use cases. SC
would like to get this document back out to public review. No
substantive changes were made, however. SC moves to take the document
to CD. BM seconds. No objections. Motion carries.

Next step is to request a CS ballot. Is the schema correct? Yes, all
schema fragments are valid. Are normative refs synchronized? There are
no xrefs, so this shouldn't be a problem. SC moves the SSTC request a
CS ballot. BM seconds. No objections. Motion carries.

PS. Don't forget to include the voting member list in the CD,
otherwise there won't be an opportunity to do this as the document is
automatically transitioned to CS.

> 5. New work items:
>
> †(i) SAML Attribute Management protocol proposal (Thinh Nguyenphu/NSN)
> † † http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt

Thinh Nguyenphu gave the above presentation. He reviewed the use cases
(slide 2) and proposed a new SAML Attribute Management Protocol (slide
4).

HL: In what sense is the account at the SP transient? Answer:
Basically, we have a stateless SP so we would like to save attributes
back to the IdP.

HL: Do the two use cases look the same to the IdP? Answer: Yes

SC: As a point of clarification, the SSTC won't modify the SAML Standards.

HL: Some comments were posted online:

http://lists.oasis-open.org/archives/security-services/200909/msg00016.html

HL: Recommends CARML (Liberty) for these use cases. Perhaps CARML
should be contributed to the SAML TC?

BM: All of CARML or just the relevant portions? (This of course would
be up to the SSTC.)

SC: ID-WSF solves these use cases as well.

SC: Are there IPR issues associated with these use cases?

FH: Can you solve this problem without the complexity of full ID-WSF?

General consensus of the SSTC is that update capability is useful, but
this isn't necessarily the job of this TC. We should leverage other
solutions (CARML, SPML, etc.) if indeed they are relevant.

> †(ii) SAML Name Identifier protocol proposal (Thinh Nguyenphu/NSN)
> † † http://www.oasis-open.org/committees/download.php/34221/SAML%20Name%20Identifier%20Protocol.ppt

Christian GŁnther from Munich, Germany gave the above presentation

SC: Why not just use federated login and persistent identifiers?

RP: We have customers who have requested bulk import of identifiers
from IdP to SP (and in one case, from SP to IdP).

SC: (re second bullet on slide 3) Not clear why you need anything more
than Web Browser SSO. Why does the SP send an identifier in this case?

At this point, we're taking it to the list for further discussion.

> 6. Assorted threads on saml-dev/comment list
> † - Oasis Identity Management 2009 (29-30 Sept, NIST, Gaithersburg, MD)
> † † http://events.oasis-open.org/home/forum/2009/registration

This is actually an OASIS event and OASIS members are encouraged to attend.

New business:

Scott uploaded a new errata draft:

http://www.oasis-open.org/committees/download.php/34096/sstc-saml-errata-2.0-draft-50.pdf

Next call four weeks from today: Tuesday, October 20, 2009


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]