Subject: Re: [security-services] Proposed Minutes for SSTC telecon (6 March 2012)


On 03/06/2012 11:27 AM, Nate Klingenstein wrote:

2. Need a volunteer to take minutes.

Company            Name                 Role
M.I.T.             Thomas Hardjono      Chair
Nokia Corporation  Frederick Hirsch     Voting Member
Oracle             Ari Kermaier         Member
Internet2          Nathan Klingenstein  Chair
Internet2          Chad La Joie         Voting Member
Red Hat            Anil Saldhana        Secretary

Status Changes: John Bradley lost voting rights.
Quorum Achieved: 4 out of 5 voting members. (80%)

Nate volunteered to take minutes as a form of penance for having lost voting rights.

3. Approval of minutes from previous meeting(s):

    - Minutes from SSTC Call on 21 Feb 2012:

http://lists.oasis-open.org/archives/security-services/201202/msg00022.html


Minutes including attendance were posted by Anil shortly before this meeting. If the minute taker's counting is correct, the message should become available at:

http://lists.oasis-open.org/archives/security-services/201202/msg00025.html

Anil moved to approve the minutes, and Chad seconded.  Nobody objected.

4. AIs & progress update on current work-items:

   (a) Current electronic ballots: (none)

   (b) Status/notes regarding past ballots: (none)

   (c) Kerberos Web browser SSO Profile (Josh/Thomas)
       - Status: CS Ballot passed. Thank you all.
       - Status: Waiting for TC Admin.

Still waiting for TC Admin to take action; it was included on the weekly report that Chet sends out, so he hopes it will be done in the next couple weeks.

   (d) Metadata Extensions for Registration & Publication Info (Chad)
       - Status: 15-day PR started, from 16 February 2012 to 2 March 2012.
       - Status: Any PR comments received?

http://lists.oasis-open.org/archives/security-services/201202/msg00018.html

No comments were received through the formal comment channels. There were out of band messages noting that in this document there was a capitalized SHOULD -- RFC 2119 SHOULD -- that should have been a common language "should". Nobody was sure whether it could be easily fixed, and Chet and Paul said that could not be trivially fixed. Another PR would be required. This fix would not make a real difference to the interpretation of the specification, so it's unlikely that it will be corrected due to the procedural burden.

Chad anticipates that this document will be moved towards committee specification on the next call.

   (e) Metadata Extensions for Login and Discovery User Interface (MDUI) (Scott)
       - Status: 15-day PR started, from 16 February 2012 to 2 March 2012.
       - Status: Any PR comments received?

http://lists.oasis-open.org/archives/security-services/201202/msg00018.html

Scott mentioned via email that TC Admin had detected a space in a URL in one of the references, which would require another public review if it were corrected. This too will probably not be corrected.

Chad anticipates that this document will be moved towards committee specification on the next call.

   (f) SAML 2.0 Approved Errata (Scott)
       - Status: wd56 uploaded.
       - Status: WD56 was approved for CSD and 15-day PR on Feb 21 meeting.
       - AI: Scott to make request to TC Admin.

Scott has submitted the errata to TC Admin for publication.

   (g) SAML 2.0.1 and Security Considerations doc
       - Status: SSTC agrees to proceed on this in 2012.
       - Issues: Should metadata and trust exchange frameworks be made mandatory?
       - Status: Continue discussion. Scott to email a proposal.

   (h) Security-18 (Scott)
       - Updated by Scott.

http://lists.oasis-open.org/archives/security-services/201202/msg00021.html

Waiting for further developments on both G and H.


There was some more discussion surrounding fixes for the XML (and more) encryption vulnerabilities that have been discussed recently. Frederick said that AES-GCM for authenticated encryption and some strong key-length requirements would be the primary recommendations in the next XML Encryption draft.

John is particularly concerned about proposing a fix that would preclude the use of improved encryption in the JSON world. He agrees that GCM is the best solution, but they're working on a compromise that would enhance CBC security because of concerns about a slow implementation of GCM support in SSL stacks such as OpenSSL. There have been patches submitted by IBM that would enable GCM in OpenSSL, but the IPR under which it was submitted and the code status were not clear, and at any rate, the patches had not been accepted.

Frederick believes there is a critical mass of awareness of the problem, and he believes that this may encourage more rapid implementation of good solutions.
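Added illustration, not part of these minutes or of any SSTC or W3C draft, of why the discussion above favours AES-GCM over CBC: the key, IV, nonce and message below are constructed sample values, and the code uses only Go's standard library. Unauthenticated CBC hands a modified ciphertext back as "valid" but altered plaintext, whereas GCM's authentication tag makes decryption fail outright.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed sample values, fixed only so the demo is reproducible; a real
// system draws a fresh random IV/nonce for every message.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
	demoIV    = []byte("fedcba9876543210")                 // 16-byte CBC IV
	demoNonce = []byte("0123456789ab")                     // 12-byte GCM nonce
	demoMsg   = []byte("<saml:Assertion>secret value</saml:Assertion>")
)

// cbcRoundTrip: PKCS#7 + AES-CBC, the unauthenticated mode XML Encryption 1.0
// uses. Returns the decrypted bytes and whether the padding check passed.
func cbcRoundTrip(msg []byte, tamper bool) ([]byte, bool) {
	block, _ := aes.NewCipher(demoKey)
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(ct, padded)
	if tamper {
		ct[0] ^= 0x01 // garbles plaintext block 0 and flips byte 0 of block 1
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, demoIV).CryptBlocks(pt, ct)
	p := int(pt[len(pt)-1])
	if p == 0 || p > aes.BlockSize {
		return nil, false // padding is the only check CBC offers
	}
	return pt[:len(pt)-p], true
}

// gcmRoundTrip: AES-GCM's tag makes Open fail on any modified byte.
func gcmRoundTrip(msg []byte, tamper bool) ([]byte, error) {
	block, _ := aes.NewCipher(demoKey)
	aead, _ := cipher.NewGCM(block)
	ct := aead.Seal(nil, demoNonce, msg, nil)
	if tamper {
		ct[0] ^= 0x01
	}
	return aead.Open(nil, demoNonce, ct, nil)
}
```

With `tamper` set, `cbcRoundTrip` still reports a valid padding check while returning bytes that differ from `demoMsg`; `gcmRoundTrip` returns an error instead of any plaintext.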
