Subject: Re: [security-services] Minutes for SSTC Conference Call (November17th, 2009)
On 11/17/2009 01:51 PM, Anil Saldhana wrote:
> On 11/17/2009 12:08 PM, ARI KERMAIER wrote:
>> Proposed Agenda SSTC Conference Call
>> November 17, 2009, 12:00pm ET
>>
>> Dial in info: +1 408-774-4073
>> Conference code: 4480739
>> Password: 72657265 (SAMLSAML)
>>
>>
>> 1. Roll Call & Agenda Review
> Voting Members :-
> ==============
> Rob Philpott EMC Corporation
> John Bradley Individual
> Scott Cantor Internet2
> Thomas Hardjono M.I.T.
> Frederick Hirsch Nokia Corporation
> Thinh Nguyenphu Nokia Siemens Networks GmbH & Co. KG
> Paul Madsen NTT Corporation
> Ari Kermaier Oracle Corporation
> Anil Saldhana Red Hat
> David Staggs Veterans Health Administration
Emily Xu, Sun Microsystems
>
> Members :-
> ========
> George Fletcher AOL
> Joshua Howlett Individual
> Bob Morgan Internet2
> Peter Davis Neustar, Inc.
> Joerg Abendroth Nokia Siemens Networks GmbH & Co. KG
>
> Quorum: Achieved: 11 out of 18 Members (61%)
> Status: Lost Voting Status: Kyle Meadors (Drummond Group)
> Gained Voting Status: None
>
>> 2. Need a volunteer to take minutes
>>
>> 3. Approval of minutes from last meeting (Nov 3, 2009):
>>
>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/200911/msg00022.html
>>
>>
>> Rob moved to accept minutes. Ari seconded the motion.
>>
>> 4. AIs & progress update on current work-items:
>>
>> (a) Current electronic ballots:
>> - Condition Delegation Restriction (1.0) as Committee Spec.
>> (Ballot closes Nov 14th)
>>
>> http://www.oasis-open.org/apps/org/workgroup/security/ballot.php?id=1798
>>
>> Announcement that the ballot measure had passed. No comment from
>> attendees.
>>
>> (b) Status/notes regarding past ballots:
>>
>> (i) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version
>> 1.0 as a CS
>> SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>> - AI: Create CD in three forms [Tom/Nate]
>> - AI: Chairs to request ballot to make into CS status.
>> [Hal/Thomas]
>>
>> Hal and Nate absent, no comment on AI status.
>>
>> (c) sstc-saml-approved-errata-2.0-draft-49:
>> - AI: Scott/Bob to provide text changes for the Errata
>> doc [Scott/Bob]
>>
>> Scott needs to talk to Bob about what must be done to get IANA
>> registration changed. Scott knows little about the process, and it
>> may not even be possible to change the existing registration. Bob
>> doesn't know either, but guesses a new registration would be needed.
>>
>> Scott also needs to produce new draft errata document; no progress on
>> PEs.
>>
>> (d) Progress on getting Jira instance for SSTC:
>> - AI: chairs to get accounts on JIRA [Hal/Thomas]
>>
>> Issue creation permissions for accounts still outstanding. Hal's AI.
>>
>> (e) Kerberos related items. [Josh/Thomas]
>> - AI: Josh/Thomas to prepare CD version in three formats.
>>
>> [Ari's call was dropped - need notes from Thomas.]
>>
>> Josh has worked through data model ambiguities, and will produce new
>> versions soon. Josh's AI.
>>
>> - AI : Look into updating XML signatures 1.1 (in W3C) to
>> include Kerberos-mechanism. [Scott/Thomas/Josh]
>>
>> Josh thinks this is the right thing to do in the long term. In the
>> shorter term, if we were to have a Kerberos/XML-DSIG dependent spec,
>> we'd be waiting for a while.
>>
>> Scott says 1.1 is pretty much closed, so we'd have to wait for 2.0 in
>> any case. But isn't this just an HMAC signature, anyway? Then we
>> don't really need to update XML-DSIG to support Kerberos signatures.
>>
>> Josh is thinking about encoding rules for principal names and the
>> like for Kerberos XML signatures.
>>
>> Scott doesn't think specifying that is very important for the spec.
>>
>> (f) Expressing Identity Assurance profile for SAML2.0 (LOA) [Bob
>> Morgan]
>> - AI: Produce CD version of Identity Assurance profile and
>> update the wiki.
>>
>> Bob still hasn't produced the CD version yet. Will try to produce in
>> the next couple weeks.
>>
>> (g) Delegation Condition Extension Profile (Scott)
>> - AI: Hal to check on progress of request to make electronic
>> ballot (for CD to go to CS).
>>
>> Scott isn't sure if 13/19 on the ballot meets the required
>> super-majority for passage.
>> Rob will look up the process rules and report. Done: 2/3 majority
>> passes, which was reached.
>> AI is on chairs to notify Mary to finalize publication.
>> (Scott will add an attestation if needed.)
>>
>> (h) Port the SSTC Work Summary to the wiki [Hal]
>>
>> Hal absent; no report.
>>
>> (i) CS version of Text-based Challenge/Response profile [Anil]
>>
>> Anil has uploaded ODT, PDF, HTML formats. No change to schema, but
>> still needs to be uploaded. Anil's AI.
>>
>> Ballot for CS was completed in April, so once the docs are uploaded
>> the TC needs to review and notify Mary, who will do formal publication.
>>
>> 5. New work items:
>>
>> N/A
>>
>> 6. Assorted threads on saml-dev/comment list
>> - IIW event
>>
>> Paul M.: Sent email to list about developments in that community on
>> MS OpenID selector. May drive effort to develop multi-protocol
>> selector, though current focus is on OpenID. Question for SSTC is
>> whether we want to ensure SAML requirements are addressed from the
>> start. Is such a selector of interest to the SAML community?
>>
>> Bob: How to include MS in discussions about how to handle RPs cleanly?
>>
>> Discussion seems to agree that SSTC is interested in selector as a
>> WAYF substitute for SAML. If MS will do a selector that supports both
>> IMI and OpenID, maybe it can handle SAML as well. But until an
>> appropriate venue materializes for discussion with the requisite
>> parties, we'll just wait and see.
>>
>> - OAUTH and SAML (consent & authentication discussion) - from
>> Paul Madsen
>>
>> Paul: At IIW had discussion on how SAML could work with OAuth. How
>> are SAML/OAuth roles distributed, how to extend/profile SAML, etc.
>> Welcome participation by anyone who's interested.
>> Consent: Surprising number of IdP deployments that ask for consent in
>> practice. What does consent mean in the OAuth and OpenID flows?
>> MS Web Resource Authorization Profile - alternative to OAuth
>> protocol, submitted to IETF OAuth WG for harmonization.
>> [Bulk of discussion not recorded intelligibly.]
>>
>> 7. Next Call: Tue 1 December, 2009
>>
>> 8. Other: Plans for SSTC calls during Holiday season (mid-December
>> and early January)
>>
>> Thomas: Must decide on next call.
>>
>> Thomas adjourned the call at 1:05pm EST.