OASIS Mailing List Archives



security-services message


Subject: Re: [security-services] Draft Minutes for SSTC Telecon (15 May 2012)

>1. Roll Call & Agenda Review.

Thomas Hardjono, MIT
Nate Klingenstein, Internet2
Scott Cantor, Internet2
Hal Lockhart, Oracle
Frederick Hirsch, Nokia
David Staggs, Jericho Systems

>2. Need a volunteer to take minutes.

Scott Cantor volunteers.

>3. Approval of minutes from previous meeting(s):
>   - Minutes from SSTC Call on 1 May 2012: (corrected version)

Nate moves to accept minutes, Hal seconds, motion passes.

>4. AIs & progress update on current work-items:
>  (a) Current electronic ballots: (none)
>  (b) Status/notes regarding past ballots: (none)
>  (e) SAML2.0 Approved Errata (Scott)
>      - Status: majority vote succeeded on 1 May 2012 telecon.
>      - AI: Scott to email TC-Admin to request publication.

AI done; it's in Jira.

>  (f) SAML 2.0.1 and Security Considerations doc
>      - Status: SSTC agrees to proceed on this in 2012.
>      - Issues: Should metadata and trust exchange frameworks
>                be made mandatory.
>      - Status: Scott has emailed a proposal to the list.
>      - AI:  Scott to start a "SAML2.x Planning Wiki Page" with
>             list of items and/or changes to go into SAML2.x

AI not yet completed.

>  (g)  SSTC Webinar:
>      - Proposed topic: scope of work for the 2.0.1 spec.
>      - AI: Thomas to email Dee to suggest dates (around the 1st week of
>            June on the planned work in 2.x).
>            Audience assumed to be SAML-knowledgeable.
>      - Status: need further group discussion & planning.

The Bochum paper on SAML signature vulnerabilities is being published at
the end of July at USENIX. It speaks of the signature wrapping issues in
the present tense, but acknowledges in various places that implementations
worked with them to understand and correct the bugs. Nevertheless, we
should expect some concerns and bad press.

As a result of the bugs, many XML Security implementations have evolved
toward more correct implementations of ID lookup that allow applications
to correctly work in concert with the libraries and verify that the ID of
a signed object matches the ID found by the library, which thwarts the
attack. DOM3 APIs are especially useful for this when streaming is not a

There could be useful material to add into a SAML revision that helps
implementers avoid these attacks.

>  (i) Presentation from David Staggs.

Brief discussion on upcoming presentation.

-- Scott
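The ID-lookup check Scott describes (verify that the element the library resolved for the signature's Reference is the same element the application consumes), shown as an added illustration. This is not code from the SSTC, the Bochum paper, or any SAML or XML Security library. The "signature" is a stand-in: a SHA-256 digest of the referenced element serialised without its enveloped ds:Signature, carried in ds:DigestValue; real XMLDSig adds canonicalisation and a signed SignedInfo, but the reference-resolution mistake and its fix are the same. The Response/Assertion sample and the Extensions-based wrapping are constructed here for the demonstration.

```python
"""Signature wrapping: the vulnerable lookup beside the hardened one.

Added illustration, not SSTC or library code. The signature is a stand-in
digest, not real XMLDSig; the point is which element gets verified.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _p, _u in (("saml", SAML), ("samlp", SAMLP), ("ds", DS)):
    ET.register_namespace(_p, _u)

NAMEID_PATH = "./{%s}Subject/{%s}NameID" % (SAML, SAML)


def tag(ns, local):
    return "{%s}%s" % (ns, local)


def digest(elem):
    """Stand-in for c14n + Reference digest: hash elem minus its Signature."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    for sig in clone.findall(tag(DS, "Signature")):
        clone.remove(sig)
    return hashlib.sha256(ET.tostring(clone)).hexdigest()


def sign(assertion):
    """Attach an enveloped stand-in signature referencing assertion/@ID."""
    sig = ET.SubElement(assertion, tag(DS, "Signature"))
    ref = ET.SubElement(sig, tag(DS, "Reference"), URI="#" + assertion.get("ID"))
    ET.SubElement(ref, tag(DS, "DigestValue")).text = digest(assertion)


def build_response(name_id):
    """Constructed sample input: a Response carrying one signed Assertion."""
    resp = ET.Element(tag(SAMLP, "Response"), ID="_r1")
    a = ET.SubElement(resp, tag(SAML, "Assertion"), ID="_a1")
    ET.SubElement(ET.SubElement(a, tag(SAML, "Subject")), tag(SAML, "NameID")).text = name_id
    sign(a)
    return resp


def wrap(resp):
    """Attacker: move the intact signed assertion under samlp:Extensions and
    put a forged copy (new ID, new NameID, same Signature) where the SP looks."""
    wrapped = copy.deepcopy(resp)
    original = wrapped.find(tag(SAML, "Assertion"))
    wrapped.remove(original)
    forged = copy.deepcopy(original)
    forged.set("ID", "_evil")
    forged.find(NAMEID_PATH).text = "admin"
    ET.SubElement(wrapped, tag(SAMLP, "Extensions")).append(original)
    wrapped.insert(0, forged)
    return wrapped


def find_by_id(root, id_value):
    return [e for e in root.iter() if e.get("ID") == id_value]


def naive_name_id(resp):
    """Vulnerable pattern: verify whichever Signature is found first, then
    consume the first Assertion; nothing ties the two elements together."""
    sig = next(resp.iter(tag(DS, "Signature")))
    ref = sig.find(tag(DS, "Reference"))
    target = find_by_id(resp, ref.get("URI")[1:])[0]  # first ID match wins
    if digest(target) != ref.find(tag(DS, "DigestValue")).text:
        raise ValueError("bad signature")
    return resp.find(tag(SAML, "Assertion")).find(NAMEID_PATH).text


def hardened_name_id(resp):
    """Fixed pattern: choose the element to consume first, require its own
    enveloped Signature to reference a document-unique ID, and require that
    the resolved node *is* that element (identity, not a string compare)."""
    assertion = resp.find(tag(SAML, "Assertion"))
    sig = assertion.find(tag(DS, "Signature"))
    if sig is None:
        raise ValueError("assertion is not signed")
    ref = sig.find(tag(DS, "Reference"))
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    matches = find_by_id(resp, uri[1:])
    if len(matches) != 1:
        raise ValueError("ID %r is not unique in the document" % uri[1:])
    if matches[0] is not assertion:
        raise ValueError("signature covers a different element than the one consumed")
    if digest(assertion) != ref.find(tag(DS, "DigestValue")).text:
        raise ValueError("bad signature")
    return assertion.find(NAMEID_PATH).text


def rejects(check, resp):
    """True if check() refuses resp with ValueError."""
    try:
        check(resp)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good, bad = build_response("alice"), wrap(build_response("alice"))
    print("naive    :", naive_name_id(good), naive_name_id(bad))
    print("hardened :", hardened_name_id(good), rejects(hardened_name_id, bad))
```

Run stand-alone, the naive verifier accepts the wrapped document and hands the application "admin", because the digest it checked belongs to the untouched assertion sitting in Extensions. The hardened verifier refuses it at the identity check; if the attacker instead keeps the forged assertion's ID equal to the original's, the uniqueness check fires, and if the Reference is repointed at the forged ID, the digest fails. Together those three checks are the "ID of the signed object matches the ID found by the library" discipline from the message, done on nodes rather than on ID strings.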
