Subject: Re: [security-services] Provisional Minutes for SSTC Telecon (Tue 10 January 2012)
On 01/20/2012 01:05 PM, Anil Saldhana wrote:
On 01/12/2012 12:07 PM, Nate Klingenstein wrote:

SSTC,

This is a provisional set of minutes for the last SSTC call as taken by Ari. Anil will add the attendance information later.

Take care,
Nate.

1. Roll Call & Agenda Review.

Open Identity Exchange - John Bradley - Member
Internet2 - Scott Cantor - Secretary
Ericsson - Jonas Hogberg - Observer
Oracle - Ari Kermaier - Member
Internet2 - Nathan Klingenstein - Chair
Internet2 - Chad La Joie - Voting Member
Oracle - Hal Lockhart - Secretary
Red Hat - Anil Saldhana - Secretary
General Services Administration - Anil John - Observer

Quorum: 5 out of 8 voting members (62% - Achieved)
Status: Thinh loses voting rights.

[Ari Kermaier] John Bradley joined late.
[Ari Kermaier] Chad moves to approve, Anil seconds, no objections, motion passes.

2. Need a volunteer to take minutes.

3. Approval of minutes from last meetings:
   Minutes from SSTC Call on 13 December 2011:
   http://lists.oasis-open.org/archives/security-services/201112/msg00009.html

[Ari Kermaier] Hal: We can take that off the agenda, as status is on hold waiting for implementations.

4. AIs & progress update on current work-items:

(a) Current electronic ballots: (none)

(b) Status/notes regarding past ballots: (none)

(c) Session Token Profile (Hal)
   - Status: Published as CS
     http://lists.oasis-open.org/archives/security-services/201112/msg00014.html

(d) Attribute Predicate Profile (Gregory/Franz-Stefan)
   - Status: Published as CS.
     http://lists.oasis-open.org/archives/security-services/201112/msg00013.html

[Ari Kermaier] AI: Ask Thomas to provisionally remove this from agenda.
[Ari Kermaier] No comments received during PR. Thomas sent official email to that effect to the list. Next AI: Thomas to request new ballot for move to CS status.

(e) Kerberos Web browser SSO Profile (Josh/Thomas)
   - Status: CSD and 15-day PR closed.
   - No comments received during 15-day PR.
   - AI: Request ballot creation for CS.

[Ari Kermaier] Chad: Two months ago, comments received and addressed; current WD includes all that. Motion to move WD09 to CSD2 and open 15-day public review. Mandy seconds. No objections; motion passes. No additional discussion.

(f) Metadata Extensions for Documentation/Registration (Chad)
   - Status: sstc-saml-metadata-rpi-v1.0-wd09.zip uploaded
     http://lists.oasis-open.org/archives/security-services/201112/msg00016.html

[Ari Kermaier] Scott: All comments addressed in current draft. Motion to move WD10 to CSD3 and open 15-day PR. Chad seconds. No objections; motion passes.
No additional discussion.

(g) Metadata Extensions for Login and Discovery User (MDUI) (Scott)
   - Status: WD10 uploaded.
   - AI: Request a vote to CD and 15-day PR at the next meeting.

[Ari Kermaier] Discussed on prior calls. Scott has proposed text to address section 6.2 in CORE, plus specific profile guidance. Scott also reviewed the Security Considerations document, and will probably suggest improved text. In the meantime he added a new section as a placeholder for these concerns, and summarized the attack and CBC deficiencies. Scott thinks we need similar changes for the XML Signature wrapping attack. Recent TLS attacks should have some further treatment as well, via Errata or republishing of the document. Scott sent a note to the chairs asking to add something to JIRA to track these SecConsider items. Added text to SHOULD items calling out non-repudiation aspects of signed-and-encrypted assertions.

Hal notes we should discuss the issue that integrity protection over ciphertext only works if you know that the message is not from an attacker, because it's bound to the encryption key, which we assume comes from a tractably small universe of known legitimate IDP keys. Discussion between Hal and Scott follows about the existing normative text about "authenticated signature", which means trusted key-name binding, but does not imply that the encrypter of the data is the signer of the data. Scott agrees to add a paragraph that clarifies the limited ability to verify this type of integrity protection. Scott has proposed text to be sent. John B., Hal and Scott discuss possible remediation of the vulnerability via HMAC over ciphertext with key derivation from the asymmetric key. Scott moves to accept the text as currently in the JIRA entry; John seconds; no objections, PE accepted for inclusion in the next Approved Errata.

Scott would like to publish Approved Errata before the vulnerability paper is published.

(h) SAML2.0 Approved Errata
   - SECURITY-16 PE: Mitigation for XML Encryption CBC deficiencies

Scott calls for expert contributors to the TLS security section; no takers.

[Ari Kermaier] Hefty pile of errata accrued over the years; it may be difficult for new implementers to reconcile the various texts and errata so as to properly reflect the errata in total. Do not want to break wire compatibility. Security Considerations is thinner than Scott hoped, and needs updates. A new 2.0.1 release would be a benefit to implementers, but Hal notes that it may generate more work than anticipated, if for no other reason than the various new templates, process rules, etc. required now vs. 2005. Scott doesn't think that would be so much work, but objects to the use of HTML as the reference format vs. PDF. Conformance sections will be the most difficult aspect. General discussion as to whether it's a good idea to add requirements; Nate and Scott agree that security enhancements and legibility of the specs should trump considerations of actual compliance among implementers, and it's worth taking up the SSTC's time in 2012.

(i) SAML 2.0.1 and Security Considerations doc
   - Plans for 2012?

[Ari Kermaier] Hal isn't ready to discuss on this call, but wants to leave it on the agenda for the next call.

5. Assorted mail items:
   - Privacy Preserving Attribute Verification (Prateek)

6. Other items:

[Ari Kermaier] No other business.

7. Next SSTC Call:
   - Tue 24 January 2012.

[Ari Kermaier] Meeting adjourned.

_______________________________________________________
**** You can forward this email invitation to attendees ****
Hello, Thomas Hardjono invites you to attend this online meeting.
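The remediation that John B., Hal and Scott discuss under item (g), an HMAC over the ciphertext keyed from a key derived from the transported key, is illustrated below. This is an added example, not code from the minutes, the SSTC or any SAML implementation. It uses only the Python standard library, so the block cipher is replaced by an HMAC-SHA256 counter-mode keystream (a labelled stand-in; the CBC mode the errata address is not reproduced), the asymmetric key transport is out of scope and `master_key` is simply assumed to be the symmetric key the IdP delivered, and the KDF labels and sample assertion text are constructed. What the example shows is the defender's property: the receiver checks the tag over IV and ciphertext, in constant time, before any decryption or parsing, so a modified ciphertext is rejected outright rather than leaking anything through decryption errors.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output
CONTEXT = b"saml-assertion-etm-v1"  # constructed KDF label, not from any spec


def derive_keys(master_key: bytes, context: bytes = CONTEXT) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the one transported key.

    Simplified HKDF-style expand step with HMAC-SHA256 and distinct labels
    (assumption: a deployment would use a standard KDF, this is illustrative).
    """
    enc_key = hmac.new(master_key, b"enc|" + context, hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac|" + context, hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stand-in for the block cipher
    so that the example runs with the standard library alone."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_then_mac(master_key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Encrypt, then authenticate IV || ciphertext with the derived MAC key.

    Output layout: IV (16) || ciphertext || tag (32).
    """
    iv = iv if iv is not None else os.urandom(IV_LEN)
    enc_key, mac_key = derive_keys(master_key)
    ks = _keystream(enc_key, iv, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def verify_then_decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag over the ciphertext first; decrypt only if it checks out.

    Rejecting before decryption (and before any padding or XML handling of the
    result) is what removes the decryption-error oracle the errata item targets.
    """
    if len(blob) < IV_LEN + TAG_LEN:
        raise ValueError("message too short")
    iv, ciphertext, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_key)
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("integrity check failed; ciphertext rejected before decryption")
    ks = _keystream(enc_key, iv, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_is_detected(master_key: bytes, plaintext: bytes) -> bool:
    """Flip one bit of the ciphertext and report whether the receiver rejects it."""
    blob = bytearray(encrypt_then_mac(master_key, plaintext))
    blob[IV_LEN] ^= 0x01  # first ciphertext byte
    try:
        verify_then_decrypt(master_key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample, standing in for an encrypted assertion body.
    key = os.urandom(32)
    sample = b"<saml:Assertion>constructed sample, not a real assertion</saml:Assertion>"
    assert verify_then_decrypt(key, encrypt_then_mac(key, sample)) == sample
    print("tampering detected:", tamper_is_detected(key, sample))
```

Hal's caveat from the call still applies to this construction: a valid tag proves only that whoever produced the message held the transported key. Since that key is wrapped under the SP's public key, which is public, the tag does not by itself say which party encrypted the data, so binding the assertion to a legitimate IdP remains the job of the authenticated signature, and the integrity check above is a defence against ciphertext manipulation, not a substitute for signature verification.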