Subject: Re: [security-services] Minutes 2010-11-16 (no attendance)


Tacking attendance on to the minutes:

Hal Lockhart
George Fletcher
Rob Philpott
Gregory Neven
Franz-Stefan Preiss
John Bradley
Scott Cantor
Nathan Klingenstein
Chad La Joie
Bob Morgan
Anthony Nadalin
Frederick Hirsch
Phil Hunt
Ari Kermaier
Hal Lockhart
Emily Xu
David Staggs

And, I forgot to thank George at the end of the call for taking these 
minutes, so I'll take the opportunity to do so now.

Talk to you all on Nov. 30.

On 2010-11-16 18:14, George Fletcher wrote:
> Please review and send corrections. It's very possible I got some of the security/crypto semantics wrong :)
>
> Thanks,
> George
>
> SSTC Call 16 Nov 2010
>
> 1. Roll Call & Agenda Review.
>
> 2. Need a volunteer to take minutes.
>    -- George Fletcher
>
> 3. Approval of minutes from last meetings:
>
>    - Minutes from SSTC Call on 2 Nov 2010:
>
>         http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201011/msg00011.html
>
>     Motion: Hal moves, John seconds, motion passes to approve the minutes
>
>
> 4. AIs & progress update on current work-items:
>
>   (a) Current electronic ballots: none currently open.
>
>   (b) Status/notes regarding past ballots:
>
>      (i)  Service Provider Request Initiation Protocol and
>           Profile V1.0 as a Committee Specification.
>           Status: 11 out of 16 Yes (69%).
>
>      (ii) SAML V2.0 Identity Assurance Profiles Version 1.0 as
>           a Committee Specification.
>           Status: 11 out of 15 Yes (73%).
>
>
>   (c) Kerberos related items. [Josh/Thomas]
>       - Kerberos Attribute Profile:
>       - AI: Josh/Thomas will suggest additions to Attribute Profile.
>       - AI: Thomas to move ahead with Web SSO and Subj Confirmation profiles.
>
>   (d) SAML V2.0 Identity Assurance Profiles, Version 1.0
>       - Status: 15-day review closed on 10 Sept.
>       - Status:  Ballot passed 4 Nov. See above.
>
>       Next steps: Mary to create a committee specification, Scott helping to generate
>         the HTML.
>         Scott: some ambiguity around specs that reference their own schema
>         -- Mary requesting a designated cross reference
>         -- not sure what is in the created package
>         -- something to watch for in the future
>         -- prefers a normative reference to the schema in the document
>         -- not concerned with fixing it for this spec
>         -- Mary accepted the HTML that Scott generated
>
>   (e) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0:
>       - Status: Thomas to ask Mary for (i) CSD version (from draft-03) and
>         (ii) to start a new 15-day review of the CSD.
>
>       Waiting on the CSD from Mary
>       Will ask Thomas to update the public template once the CSD is generated
>
>   (f) Gregory Neven (IBM): Primelife Project (presentation) - 30 mins.
>
>       Presentation: http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201011/msg00034.html
>
>       Identity Mixer and U-Prove
>       -- some technical differences
>          -- U-Prove -- can only show a token once (one-time-use)
>          -- Identity Mixer -- can generate as many tokens as you want
>
>       Slide 8: Maybe ConditionStatement should be PredicateStatement
>
>       Ask: Is defining predicates over attributes a good idea?
>
>       Tom Lockhard will act as liaison between XACML and SS TCs
>
>       John Bradley: Proposing that SAML Assertions have ranges?
>        -- Is the SAML Assertion a signed IDMix token? or does the SAML Assertion
>           contain signed IDMix tokens?
>        -- Greg: Not yet defined how to put IDMix tokens into SAML Assertion
>           -- would need a new XMLDSig mechanism
>           -- could also support predicates over attributes in normal SAML Assertions
>              -- just loses the anonymous token features of IDMix or U-Prove
>
>       What is the appeal of using SAML Assertions as a wrapper?
>       -- already defined standard in wide use
>       -- seems to be a natural extension
>
>       Most of the challenges to define the full flow are on the XACML side
>
>       SAML work is standardization of the additional statement type
>       -- also needs an AssertionRequest to specify predicates over attributes
>
>       Do we need to support two issuers?
>       -- issuer of the attributes
>       -- issuer of the masked token
>       -- Greg: in the case of IDMix technology
>          -- the user is creating the SAML Assertion
>       -- John: looked at this in the "infocard" TC
>          -- called selective blinding
>          -- generally need a smart client to take advantage of this
>       -- may map ok to the existing SAML schema
>
>       Scott: Does WS-Fed support any predicates over attributes
>       -- WS-Trust allows for ranges or member of a set
>
>       Scott: +1 using a different statement name
>       -- how much of the XACML schema gets pulled in if we pull in the predicate part?
>          -- Hal: simplest is to pull in all the XACML ConditionStatement
>          -- Hal: it's just more work to subset the full set, but may be the better option
>       -- Greg: if not using IDMix, an online IDP could sign any predicate so
>          recommending not doing too much sub-setting
>          -- Hal: concern is that deployers don't want to implement the full set
>          -- Scott: maybe define a subset for at least conformance purposes
>       -- Hal: One subset is the "target" functions
>
>       Sufficient interest (based on conversation) to standardize this in the SSTC
>       AI: Greg to propose a working draft for the SSTC to consider
>       -- focus on the "predicate statement", identify functions
>       -- not a finished draft, rather initial profile
>
>   (g) Hal Lockhart:  Session Token Profile (new work)
>
>       Purpose: pass state information between
>       -- Assertion contains AuthenticationStatement and AttributeStatement
>       -- main state that will change frequently -- time of last activity
>       -- Mechanism (two options)
>          -- Assertion signed [encrypted] and passed in a cookie
>          -- Cookie contains unguessable "reference" that resolves to the Assertion
>
>       Some concern about cookie size and how to store the Assertion in a cookie
>
>       Supporting RESTful transport for SAML protocols
>       -- outside the scope of this profile
>
>       Describe the Cookie passing mechanism of a new binding (as an option)
>
>       Rob: Does the Assertion include an SSO Assertion?
>       -- managing the different validity periods is important
>
>       A bit like creating a Session Assertion instead of an SSO Assertion
>       -- call it SessionToken
>
>       Scott: may be able to reuse the URI binding (designed to be unguessable)
>       -- need to make sure that if reusing the URI binding, the non-collision
>          values also need to be unguessable
>
>       Hal: proposed reusing the Artifact Protocol
>       -- Scott: the Artifact is a protocol message mechanism not an unguessable
>                 URI binding
>
>
>   (h) NSN Attribute Management proposal (Thinh/Phil) - any updates?
>
>       Phil: Draft posted before the last meeting
>       -- no changes since the last posting
>       -- if no questions, would like to move to CD
>
>       Research community is looking at this but don't have feedback quite yet
>       -- Chad: doesn't know if they will have feedback or not
>       -- Tom: to provide Phil information by the end of the week as to what the
>               scope of changes might be
>
>       Plan to wait for CD vote till the next SSTC call (two weeks)
>       -- allow for more comments by those interested
>
>       Scott: will try and do a schema pass before the next SSTC call
>
>
>   (i) Channel binding proposal (Scott) - any updates?
>
>       Scott: no updates
>       -- some issues
>       -- interest in determining if it's possible to inject into web browsers
>
>
>   (j) Metadata extension for Login/Discovery (Scott) - any updates?
>
>       Scott: addition to add general searchable keywords
>       -- will be updating the draft
>
>
>   (k) Enhanced Client or Proxy Profile (Scott) - any updates?
>
>       Scott: no updates
>       -- still has to do the holder-of-key work
>       -- resistance in the Kitten group about adopting two different SAML proposals
>
>

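The two session-cookie mechanisms sketched under item (g), as an added example that is not part of these minutes or of any SSTC draft: a signed-assertion cookie that has to be re-signed every time the last-activity time changes, beside a fixed-size cookie that carries only an unguessable server-side reference. The HMAC over a JSON stand-in, the signing key and the sample assertion are constructed assumptions; a real profile would carry an XML-signed SAML assertion.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical per-deployment signing key, constructed here for the example.
SERVER_KEY = secrets.token_bytes(32)


def make_signed_cookie(assertion: dict, key: bytes = SERVER_KEY) -> str:
    # Option 1: the whole assertion travels in the cookie, integrity-protected
    # by an HMAC (stand-in for an XML signature). Cookie size grows with the assertion.
    body = base64.urlsafe_b64encode(json.dumps(assertion, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    # Returns the assertion if the tag verifies, else None (tampered or foreign key).
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def refresh_signed_cookie(cookie: str, now: int, key: bytes = SERVER_KEY):
    # Under option 1, recording activity means re-signing and re-setting the cookie.
    assertion = verify_signed_cookie(cookie, key)
    if assertion is None:
        return None
    assertion["last_activity"] = now
    return make_signed_cookie(assertion, key)


class ReferenceStore:
    # Option 2: the cookie holds only an opaque reference; the assertion and its
    # frequently changing state stay server-side, so the cookie value never changes.
    def __init__(self):
        self._assertions = {}

    def issue(self, assertion: dict) -> str:
        ref = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG: not enumerable
        self._assertions[ref] = dict(assertion)
        return ref

    def resolve(self, ref: str):
        return self._assertions.get(ref)  # unknown or guessed references resolve to nothing

    def touch(self, ref: str, now: int) -> bool:
        assertion = self._assertions.get(ref)
        if assertion is None:
            return False
        assertion["last_activity"] = now
        return True
```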