security-services message


Subject: RE: [security-services] Re: Proposed Agenda for SSTC Call (10 August 2010)

Will do.

(Yes, I did hear your voice on the call:)



From: Frederick.Hirsch@nokia.com [Frederick.Hirsch@nokia.com]
Sent: Thursday, August 12, 2010 9:49 AM
To: Anil.Saldhana@redhat.com
Cc: Frederick.Hirsch@nokia.com; security-services@lists.oasis-open.org
Subject: Re: [security-services] Re: Proposed Agenda for SSTC Call (10 August 2010)

I was on this call, but joined late - can you please add me to the list of attendees?


regards, Frederick

Frederick Hirsch

On Aug 11, 2010, at 3:29 PM, ext Anil Saldhana wrote:

>  On 08/10/2010 11:42 AM, Nate Klingenstein wrote:
>>> 1. Roll Call & Agenda Review.
>> Quorum was achieved.
> Voting Members:
> John Bradley     Individual
> Scott Cantor     Internet2
> Nathan Klingenstein     Internet2
> Thomas Hardjono     M.I.T.
> Anthony Nadalin     Microsoft Corporation
> Phil Hunt     Oracle Corporation
> Hal Lockhart     Oracle Corporation
> Anil Saldhana     Red Hat
> David Staggs     Veterans Health Administration
> Members:
> Ari Kermaier     Oracle Corporation
> Paul Madsen     NTT Corporation
> George Fletcher      AOL
> Quorum: 9 out of 13 voting members (69%)
> Status:  Ari and George Fletcher regain voting status.
>>> 2. Need a volunteer to take minutes.
>> Nate volunteered.
>>> 3. Approval of minutes from last meetings:
>>> Minutes from SSTC Call on 27 July 2010:
>>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201008/msg00009.html
>> The approval of the minutes was delayed until the following call due
>> to errata in the attendee list.
>>> 4. AIs & progress update on current work-items:
>>>   (a) Current electronic ballots: HOK Web Browser SSO. Please vote.
>> The ballot has closed with 10 of 12 votes in favor and none against.
>> The approval of the Holder-of-Key Web Browser SSO Profile as Committee
>> Specification was successful.
>>>   (d)  SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>>>        - Status: CS-01 version of this doc is on Wiki.
>>>        - Status: Thomas to ask Mary.
>> Thomas has not done this yet, so the action item remains outstanding.
>>>   (e) Kerberos related items. [Josh/Thomas]
>>>         - Kerberos Attribute Profile:
>>>         - Status: Public review period closed on 15 June 2010.
>>>         - Status: CMU Use-case discussions (sent to
>>> security-comments list).
>>>         - AI: Josh/Thomas will suggest additions to Attribute Profile.
>> Thomas, Josh, Scott, and Jeff from CMU have been discussing over email
>> how to amend the attribute profile.  CMU would like to be able to send
>> a decrypted KRB_CRED blob from a KDC in an assertion and deliver it
>> from an IdP to an SP.  The API exists, but RFC 4120 may prohibit this
>> implicitly because KRB_CREDs should not be sent around in plaintext.
>> The other trouble may lie in the cipher suite used.  The IdP and SP do
>> have a public keypair that can be used to negotiate an encryption
>> method, but in XML encryption, the actual data would be encrypted with
>> the key using XML encryption, but in this case the data would be
>> encrypted as specified by Kerberos (ASN.1?) and the algorithm types
>> and other pieces of information may not align with the cipher suites
>> as named by Kerberos.  The mapping of algorithms from XML encryption
>> to Kerberos cipher suites is likely to be pretty obvious and easy to
>> profile, and Scott isn't suggesting some sort of new protocol be
>> invented.
>> Because confidentiality and security are handled by the SAML layer,
>> it's not entirely important to have the encryption at the Kerberos
>> level, but they would like to be compliant with the RFC.  Scott would
>> also like to allow for an encrypted use case anyway, so he would like
>> to include something, but he doesn't exactly know what to do for
>> that.  Further input from CMU is being awaited.
>> Thomas and Josh will provide an update and expanded edition of the
>> Attribute Profile and circulate it to Scott and CMU to determine
>> whether it's acceptable.  The cipher suite and encryption issues may
>> be beyond the scope of the Attribute Profile itself.
>>>   (f) SAML V2.0 Identity Assurance Profiles, Version 1.0
>>>         - Status: Public review period closed on 13 June 2010.
>>>         - Status: Awaiting comments/resolutions.
>> Scott believes that necessary revisions have been made and would like
>> to have this voted to 15 day public review.  The feedback has been
>> responded to, so we should be ready to move to CD.
>> http://wiki.oasis-open.org/security/SAML2IDAssuranceProfile
>> Paul moved that we approve WD-02 to CD status and move it to a 15 day
>> public review.  Nate seconds the motion, and there were no
>> objections.  Paul will do the CD edit and update the Wiki, and Thomas
>> will submit the public review package.
>>>   (g) NSN Attribute Management proposal (Thinh/Phil) - any updates?
>> Phil has no updates from his perspective on the proposal, but
>> continues to encourage people to read the document.  He is also happy
>> to address any background questions from individuals new to the
>> proposal.  His next goal is to finish the profiles.
>> This is the fourth approach, now using notification messages, which he
>> likes because it doesn't oblige SAML endpoints to do things.  He wants
>> affirmation that others agree that the current proposal, relying on
>> notification messages, is the proper approach.
>> http://www.oasis-open.org/committees/document.php?document_id=38737&wg_abbrev=security
>> Chuck Mortimore from Salesforce found it useful to perform this
>> notification in the SAML context, but believes that change propagation
>> might be performed using another protocol.  Part of the
>> proposal (section 2.4) involves the negotiation of the protocol that
>> would then be used.  For now, Phil will just profile the use of SAML
>> for the change propagation, but he will allow others to profile
>> additional protocols, such as STS, SPML, OpenID, PoCo, etc.
>> NSN has identified another use case that Phil would like to sort out.
>> He thinks a normal AuthnRequest might be able to address the use case,
>> but NSN disagrees.  Section 2.7 includes a comment discussing this use
>> case.
>>>   (h) SSO initiation CD (Scott) - any updates?
>> Scott would like to take this document, along with the Algorithm
>> Support CD, to 60 day public review, because he doesn't believe there
>> are many other documents that will imminently need review as well.  He
>> made the motion and John Bradley seconded, to no objections.  Thomas
>> will handle the submission process.
>> http://wiki.oasis-open.org/security/RequestInitProtProf
>> http://wiki.oasis-open.org/security/SAML2MetadataAlgSupport
>>>   (i) SOA-TEL Token Correlation Profile  (Federico/TI) - any updates?
>> Federico was not on the call.
>>> 5. New work items:
>>>    - Project Moonshot (potential new work item)
>> The Moonshot BoF was held at the recent IETF meeting and a new mailing
>> list has been established.  We anticipate that Josh will join an SSTC
>> call in the near future to provide more introductory information, and
>> draft documents are likely to follow.
>> A parallel item at the IETF, a pair of SAML SASL mechanisms being
>> looked at in the Kitten working group, has led to discussion about how
>> or whether to bring each forward.  One proposed by Cisco requires a
>> web browser and one proposed by Scott uses a side channel.  There are
>> also proposals for OAuth and OpenID.  The Kitten working group will
>> need to resolve this pile of proposals and figure out what to carry
>> forward to the IETF.  Scott also wants to look at how to add
>> holder-of-key crypto to his proposal.
>>> 6. Related work items:
>>>    - SAML 2.0 Bearer Assertion Profile for OAuth 2.0 (IETF) - Brian
>>> Campbell.
>> This is another proposal that is unrelated to the SASL work that may
>> be of interest to individuals who want to transport SAML tokens over
>> OAuth.  Scott and Brian have disagreements and we would like to
>> solicit input from other implementers who may have interest whether
>> the draft is overly restrictive or a good simplification.
>>>    - IIW-East conference (in DC in September).
>> Details have been uploaded and registration started this week.
>>> 7. Propose an SSTC Face-to-Face meeting for September 2010:
>>>    - Awaiting room confirmation.
>> Thomas will contact Jane, and then provide a poll using the OASIS
>> ballot mechanism to see who is available to attend the OASIS
>> conference itself, as well as to see who is interested in an SSTC
>> face-to-face, possibly on given dates.
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
