Re: [security-services] FW: Draft minutes SSTC 2010-07-27

[Anil Saldhana <Anil.Saldhana@redhat.com>]

  Meeting attendance corrected.

On 08/10/2010 09:49 AM, Anil Saldhana wrote:
>  On 08/06/2010 12:21 PM, Thomas Hardjono wrote:
>> FYI. Minutes from last meeting on 27 July 2010.
>>
>> Big thank you to George.
>>
>> /thomas/
>> __________________________________________
>>
>> -From: George Fletcher [mailto:george.fletcher@teamaol.com]
>> -Sent: Tuesday, July 27, 2010 1:07 PM
>> To: Anil Saldhana; Thomas Hardjono
>> Subject: Draft minutes SSTC 2010-07-27
>>
>> Hi,
>>
>> Was wondering if you would mind taking a look at these and seeing if 
>> they pass muster:) I can try and summarize if this is too wordy.
>>
>> Thanks,
>> George
>>
>>
>>
>> SAML meeting 2010-07-27
>>
>> Attendees
> Voting Members:
> ----------------------
> Rob Philpott      EMC Corporation
> Scott Cantor     Internet2
> Thomas Hardjono     M.I.T.
> Anthony Nadalin     Microsoft Corporation
> Thinh Nguyenphu     Nokia Siemens Networks GmbH & Co. KG
> Phil Hunt     Oracle Corporation
> Anil Saldhana     Red Hat
> David Staggs     Veterans Health Administration
>
> Members:
George Fletcher      AOL*      Group Member
Frederick Hirsch     Nokia Corporation*     Group Member
> Ari Kermaier     Oracle Corporation
>
> Quorum:  Achieved: 8 out of 13 voting members (62%)
>
>> Minutes Approval
>> * Motion: Rob Philpot
>> * Second: Tony Nadalin(?)
>> * Approved by unanimous consent
>>
>> Item 4.a:
>> * No current electronic ballots
>>
>> Item 4.b:
>> * No status/notes regarding past ballots
>>
>> Item 4.c:
>> * Waiting for Mary to set up Holder-of-Key web browser profile.
>> * AI: Thomas to contact Mary
>>
>> Item 4.d:
>> * Thomas asked Mary to copy data into the doc tree
>>
>> Item 4.e:
>> * Can accommodate the request with the attribute profile
>> * Use the attribute request to return the kerb cred blob
>>    - cred structure needs to contain a ticket for the subject to 
>> access a different service
>>    - asking the SP for a ticket access a further downstream service 
>> (e.g. IMAP ticket)
>> * More information on the security-service-comments mailing list
>> * Thomas can forward for those interested
>> * Request for detail regarding the original use case.
>>    - original use case is that the SP is querying the IdP for a 
>> ticket for itself
>>    - in the CMU use case, the SP is querying the IdP for a ticket 
>> (app-rec) for a different downstream service
>> * How to protect the credentials (determining keys for encryption) is 
>> left out of scope
>>    - may need to push a session key inside the attribute structure
>>    - desire is to not use the attribute request as a way to do key 
>> negotiation
>>    - important to know if the key has to be determined outside the 
>> kerberos cred structure
>> * The SP will use the received creds to talk to the kerberos service 
>> "natively"
>> * Not part of the browser SSO flows
>> * Flow: front-channel through attribute-push
>>
>> Item 4.f:
>> * Scott uploaded a new working draft
>> * Substantial changes have been made to this document
>> * A new review cycle will be required
>> * Maybe go to CD at next call
>>
>> Item 4.g:
>> * Updated new draft uploaded: Notify protocol
>>    - follows on previous discussion (add/modify)
>>    - to address subject managment
>> * Similar use cases in "cloud" environments
>> * Notification model where a change is "identified" and services that 
>> care can come get the change
>> * Provisioning can be done via SAML msgs or SPML (for large changes)
>> * SSO Profile is not sufficient for all needs
>>    - data exchanged at a provisioning event is different from a SSO 
>> event
>> * Issues from the document
>>    1. Top of page 16: NSN wanting to insert a change notification in 
>> the middle of an SSO event
>>       - SP identifies subject (Tim) in the auth request and the IdP 
>> returns a different subject (Tom)
>>       - may not need anything more than the existing web SSO profile
>>    2. SP needs to introduce a new subject to the IdP (e.g. SP 
>> provides imei(?) number to IdP)
>>       - change notify makes sense in this case
>> * Protocol is simple: data is just subject identifiers for 
>> notification messages
>> * Section 4 covers application to the SSO profile
>>    - change notify message allows the IdP to inform the SP as to 
>> which attributes will be returned
>>    - allows a smaller set of attributes to be returned for report SSO 
>> events
>> * NSN walked through the current use case in the document
>> * Looking for feedback from the TC
>>    - revisit in a couple of weeks
>>
>> Item 4.h:
>> * No updates. Holding at CD.
>>
>> Item 4.i:
>> * Use case deals with delegation
>> * Scott followed up offline
>> * No other updates
>>
>> Item 5:
>> * IETF BOF (update from Scott)
>>    - gave use case presentations
>>    - presented some solutions
>>    - discussion of working group charter
>>    - two proposed SAML mechanisms for SASL
>>    - some concern of Moonshot being proposed as the only solution
>>      - need to be clear in the charter as to what's up for discussion
>>    - a way to adapt radia/aaa infrastructure to application security
>>    - next step is to define working group charter
>>
>> Item 6:
>> * By end of Aug. need to determine if a face-to-face should be held 
>> at the Sept. OASIS conf
>>
>> CCOW -- Clinical (didn't get the rest)
>> - hl7 -- international Standard
>>    - leverages SAML