security-services message

Subject: RE: [security-services] Submission of SAML & XACML updates to ITU: questions

The material was presented to the ITU.
The ITU sent an LS asking for material to be submitted back to them in an
effort to synch as much as possible between the 2 versions.


-----Original Message-----
From: Harold Lockhart [mailto:hal.lockhart@oracle.com] 
Sent: December-17-09 11:43 AM
To: James Bryce Clark; security-services; xacml@lists.oasis-open.org
Cc: hardjono; laurent.liscia; mary.mcrae; abbie barbir; bill@parducci.net
Subject: RE: [security-services] Submission of SAML & XACML updates to ITU:


As the result of Abbie's (persistent) urging last summer, I developed
reports of both SAML and XACML addressing this issue.

The reports were posted to the archives of the respective TCs in September.



A copy was also provided to Abbie for presentation to ITU-T.

The last slide of each presentation predicts what material will be
appropriate for submission to ITU-T by an unspecified date in the Spring of

As far as I can see the predictions I made are still correct. In summary:


Only the XSPA profile has reached OS status and in my opinion is likely to
do so by this Spring. We are working on a batch of 8 documents which I hope
will reach CS status by around the end of January, but there are no
immediate prospects of getting 3 attestations of use for any of them, much
less the whole set.

I would like very much to process approved Errata for XACML and submit it to
ITU-T, however for historical reasons a substantial amount of editing work
is required to create a document in the form required by the OASIS process
and I have neither found the time to do it myself nor a volunteer to take it


Metadata Profile for SAML 1.x,
Metadata Extension for SAML V2.0 and V1.x Query Requesters, and
XSPA Profile

have all reached OS and should be submitted to ITU-T. We have some other
documents which are at CS, but are awaiting attestations of use. I have no
reason to believe we will get any in the next month or two.

The SS TC has processed Errata several times. The latest cumulative Errata
was just approved recently and should be submitted to ITU-T. It will not be
the last one issued by the SS TC, but it represents the currently approved


I have never received a firm cutoff date for the materials or any other
information back from the ITU-T. I don't know if my reports were presented
to ITU-T or whether there are any questions or other feedback to the TCs.

Let me know if I can further assist in this effort.


-----Original Message-----
From: James Bryce Clark [mailto:jamie.clark@oasis-open.org]
Sent: Wednesday, December 16, 2009 1:20 PM
To: security-services
Cc: hardjono; Harold Lockhart; laurent.liscia; mary.mcrae
Subject: [security-services] Submission of SAML updates to ITU:

Summary:  We must pass on some estimates to ITU about likely
availability of updated SAML related/profile material.  See questions
(a) & (b) below.

As you know, SAML v2 was submitted to and approved by ITU-T in 2006 as
ITU Recommendation X.1141.  (See
 This included all elements then part of the 2005 OASIS Standard.

ITU-T's Study Group 17 on Security, the host panel for the 2006
submission who now has reorganized for its next multi-year study
period, formally has asked us to submit relevant updates of SAML, for
similar transposition.  OASIS' Liaison Policy
suggests that we consult with the TC about this.

As you probably know, generally we send only artifacts approved under
the TC Process at the "OASIS Standard" and "Approved Errata" levels up
to the global de-jure SSOs.  Currently, I am aware of a number of SAML
items which may be the basis for a submission to ITU, but have not yet
reached those approval levels:

1.  Errata to SAML core v2, Oct 2009. See
 (Was this given OASIS "Approved Errata" status under the TC Process?)

2.  Subject Based Profiles for SAML v1.1 assertions from June 2008,
see http://lists.oasis-open.org/archives/tc-announce/200806/msg00009.html

3.  SAMLv2.0 HTTP POST "SimpleSign" Binding from Dec 2008, see

4.  The Mar 2009 set of SAML v2 profiles, see
(Includes Holder-of-Key Web Browser SSO Profile, Attribute Extensions,
Condition for Delegation Restriction, Holder-of-Key Assertion Profile,
Metadata Extension for Entity Attributes & Metadata Interoperability

(Other related work is not mentioned here because it is hosted by
other TCs:  the SAML Profile of XACML by the XACML TC, and the XSPA
profiles by the XSPA TC.)

In responding to ITU, we would like to:

(a) explain whether the recent v2 errata are at a level that ought to
be Approved Errata (and thus automatically sent to ITU), or why not,
and if so, propose a schedule;  and
(b) offer a comment on the likelihood of the post-2005 SAML profiles
and ancillary material, and any other contemplated maintenance
activity, being rolled up into a submission.

Giving the ITU panel a reasonable view into our plans and timing,
based on the TC's expected progress, is a necessary part of our
interorganizational collaboration.

When and if we make formal submissions, they can be done at the
request of the TC, under Section 1(d) of our Liaison Policy, by a
Special Majority Vote of the TC.  Alternatively, if we have committed
to ITU to send future major versions (as often is requested, and I
believe we did in the 2006 submission), Section 5(b) of the Liaison
Policy also permits the OASIS executive to direct the submission,
subject to appeal.  Errata also are subject to a special expedited
rule, once finalized.

For now, though, our need is to compose an answer to the two questions
(a) and (b)  above, with the help of this TC's experts.  Feedback
welcome on this list or individually.

Thanks for your attention and happy holidays.

~ James Bryce Clark
~ General Counsel, OASIS
~ http://www.oasis-open.org/who/staff.php#clark
