Re: [security-services] Re: Proposed Agenda for SSTC Call (10 August2010)

[Anil Saldhana <Anil.Saldhana@redhat.com>]

  On 08/10/2010 11:42 AM, Nate Klingenstein wrote:
>
>> 1. Roll Call&  Agenda Review.
> Quorum was achieved.

Voting Members:
John Bradley     Individual
Scott Cantor     Internet2
Nathan Klingenstein     Internet2
Thomas Hardjono     M.I.T.
Anthony Nadalin     Microsoft Corporation
Phil Hunt     Oracle Corporation
Hal Lockhart     Oracle Corporation
Anil Saldhana     Red Hat
David Staggs     Veterans Health Administration

Members:
Ari Kermaier     Oracle Corporation
Paul Madsen     NTT Corporation
George Fletcher      AOL

Quorum: 9 out of 13 voting members (69%)
Status:  Ari and George Fletcher regain voting status.

>> 2. Need a volunteer to take minutes.
> Nate volunteered.
>> 3. Approval of minutes from last meetings:
>> Minutes from SSTC Call on 27 July 2010:
>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201008/msg00009.html 
>>
> The approval of the minutes was delayed until the following call due 
> to errata in the attendee list.
>> 4. AIs&  progress update on current work-items:
>>
>>    (a) Current electronic ballots: HOK Web Browser SSO. Please vote.
> The ballot has closed with 10 of 12 votes in favor and none against.  
> The approval of the Holder-of-Key Web Browser SSO Profile as Committee 
> Specification was succeesful.
>>    (d)  SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>>         - Status: CS-01 version of this doc is on WiKi.
>>         - Status: Thomas to ask Mary.
> Thomas has not done this yet, so the action item remains outstanding.
>>    (e) Kerberos related items. [Josh/Thomas]
>>          - Kerberos Attribute Profile:
>>          - Status: Public review period closed on 15 June 2010.
>>          - Status: CMU Use-case discussions (sent to 
>> security-comments list).
>>          - AI: Josh/Thomas will suggest additions to Attribute Profile.
> Thomas, Josh, Scott, and Jeff from CMU have been discussing over email 
> how to amend the attribute profile.  CMU would like to be able to send 
> a decrypted KRB_CRED blob from a KDC in an assertion and deliver it 
> from an IdP to an SP.  The API exists, but RFC 4120 may prohibit this 
> implicitly because KRB_CREDs should not be sent around in plaintext.
>
> The other trouble may lie in the cipher suite used.  The IdP and SP do 
> have a public keypair that can be used to negotiate an encryption 
> method, but in XML encryption, the actual data would be encrypted with 
> the key using XML encryption, but in this case the data would be 
> encrypted as specified by Kerberos (ASN.1?) and the algorithm types 
> and other pieces of information may not align with the cipher suites 
> as named by Kerberos.  The mapping of algorithms from XML encryption 
> to Kerberos cipher suites is likely to be pretty obvious and easy to 
> profile, and Scott isn't suggesting some sort of new protocol be 
> invented.
>
> Because confidentiality and security are handled by the SAML layer, 
> it's not entirely important to have the encryption at the Kerberos 
> level, but they would like to be compliant with the RFC.  Scott would 
> also like to allow for an encrypted use case anyway, so he would like 
> to include something, but he doesn't exactly know what do to for 
> that.  Further input from CMU is being awaited.
>
> Thomas and Josh will provide an update and expanded edition of the 
> Attribute Profile and circulate it to Scott and CMU to determine 
> whether it's acceptable.  The cipher suite and encryption issues may 
> be beyond the scope of the Attribute Profile itself.
>
>>    (f) SAML V2.0 Identity Assurance Profiles, Version 1.0
>>          - Status: Public review period closed on 13 June 2010.
>>          - Status: Awaiting comments/resolutions.
>
> Scott believes that necessary revisions have been made and would like 
> to have this voted to 15 day public review.  The feedback has been 
> responded to, so we should be ready to move to CD.
>
> http://wiki.oasis-open.org/security/SAML2IDAssuranceProfile
>
> Paul moved that we approve WD-02 to CD status and move it to a 15 day 
> public review.  Nate seconds the motion, and there were no 
> objections.  Paul will do the CD edit and update the Wiki, and Thomas 
> will submit the public review package.
>
>>    (g) NSN Attribute Management proposal (Thinh/Phil) - any updates?
>
> Phil has no updates from his perspective on the proposal, but 
> continues to encourage people to read the document.  He is also happy 
> to address any background questions from individuals new to the 
> proposal.  His next goal is to finish the profiles.
>
> This is the fourth approach, now using notification messages, which he 
> likes because it doesn't oblige SAML endpoints to do things.  He wants 
> affirmation that others agree that the current proposal, relying on 
> notification messages, is the proper approach.
>
> http://www.oasis-open.org/committees/document.php?document_id=38737&wg_abbrev=security 
>
>
> Chuck Mortimore from Salesforce found it useful to perform this 
> notification in the SAML context, but believes that change propagation 
> might be performed using another protocol.  Part of the 
> proposal(section 2.4) involves the negotiation of the protocol that 
> would then be used.  For now, Phil will just profile the use of SAML 
> for the change propagation, but he will allow others to profile 
> additional protocols, such as STS, SPML, OpenID, PoCo, etc.
>
> NSN has identified another use case that Phil would like to sort out.  
> He thinks a normal AuthnRequest might be able to address the use case, 
> but NSN disagrees.  Section 2.7 includes a comment discussing this use 
> case.
>
>>    (h) SSO initiation CD (Scott) - any updates?
> Scott would like to take this document, along with the Algorithm 
> Support CD, to 60 day public review, because he doesn't believe there 
> are many other documents that will imminently need review as well.  He 
> made the motion and John Bradley seconded, to no objections.  Thomas 
> will handle the submission process.
>
> http://wiki.oasis-open.org/security/RequestInitProtProf
> http://wiki.oasis-open.org/security/SAML2MetadataAlgSupport
>
>>    (i) SOA-TEL Token Correlation Profile  (Federico/TI) - any updates?
> Federico was not on the call.
>> 5. New work items:
>>     - Project Moonshot (potential new work item)
>
> The Moonshot BoF was held at the recent IETF meeting and a new mailing 
> list has been established.  We anticipate that Josh will join an SSTC 
> call in the near future to provide more introductory information, and 
> draft documents are likely to follow.
>
> A parallel item at the IETF, a pair of SAML SASL mechanisms being 
> looked at in the Kitten working group, has led to discussion about how 
> or whether to bring each forward.  One proposed by Cisco requires a 
> web browser and one proposed by Scott uses a side channel.  There are 
> also proposals for OAuth and OpenID.  The Kitten working group will 
> need to resolve this pile of proposals and figure out what to carry 
> forward to the IETF.  Scott also wants to look at how to add 
> holder-of-key crypto to his proposal.
>
>> 6. Related work items:
>>     - SAML 2.0 Bearer Assertion Profile for OAuth 2.0 (IETF) - Brian 
>> Campbell.
> This is another proposal that is unrelated to the SASL work that may 
> be of interest to individuals who want to transport SAML tokens over 
> OAuth.  Scott and Brian have disagreements and we would like to 
> solicit input from other implementers who may have interest whether 
> the draft is overly restrictive or a good simplification.
>>     - IIW-East conference (in DC in September).
>
> Details have been uploaded and registration started this week.
>
>> 7. Propose an SSTC Face-to-Face meeting for September 2010:
>>     - Awaiting for room confirmation.
>
> Thomas will contact Jane, and then provide a poll using the OASIS 
> ballot mechanism to see who is available to attend the OASIS 
> conference itself, as well as to see who is interested in an SSTC 
> face-to-face, possibly on given dates.
>