Subject: Re: [security-services] Proposed Agenda for SSTC Call (Tue 10 July 2012)


1. Roll Call & Agenda Review.

Quorum was achieved.

2. Need a volunteer to take minutes.

Nate volunteered to take minutes.

3. Approval of minutes from previous meeting(s):

  - Minutes from SSTC Call on 26 June 2012:

https://lists.oasis-open.org/archives/security-services/201206/msg00017.html

Anil moved to approve the minutes, and Scott seconded. Nobody objected to the minutes' approval, and the motion passed with the adoption of the minutes.

4. AIs & progress update on current work-items:

 (a) Current electronic ballots: (none)

 (b) Status/notes regarding past ballots: (none)

 (c) SAML 2.X and Security Considerations doc
     - Status: SSTC agrees to proceed on this in 2012.
     - AIs:
       o Check NAPTR metadata (Scott -- done).
       o Scott will send proposals to the list for schema cleanup.

https://wiki.oasis-open.org/security/SAML2Revision

Neustar is indeed using the NAPTR support in metadata and would like to keep it in as normative material and part of the specification suite as a result. The question as to whether to migrate it to an independent document or an appendix is open. The main goal is to improve the readability and usability of the specifications for new adopters and readers. The downside to separate documents is the boilerplate and maintenance burden.

Scott's going to specifically try to draft some statements with metadata verbiage for the next edition of the specification, but hasn't found the time to do so yet.

  (d)  SSTC Webinar:
     - Proposed topic: scope of work for the 2.0.1 spec.
     - Status: group is close to having enough to present.
     - Status: Hal offers to work on first-cut slides for this.

Hal was not able to attend the call today. There is no fixed date for the webinar yet, so Nate suggested that the review of the slides be postponed until the next call so that Hal would be able to participate and respond to any feedback.

  (e) Asynchronous Single Logout Protocol Extension (Chad)

https://lists.oasis-open.org/archives/security-services/201207/msg00001.html

https://lists.oasis-open.org/archives/security-services/201206/msg00019.html

Scott and Chad have, for a number of years, noted the challenges of accomplishing federated single-logout within the R&E community, but the need to implement "something" has been increasing. This extension just relaxes one of the rules in the existing SLO protocol and should allow for the implementation of something that we believe will work at scale but still nearly comply with the existing standard.

The extension also addresses a lingering interop issue around logout: in front-channel logout, there's no way to signal which party maintains control of the user interface during the logout sequence. If the protocol allowed the SP to indicate its expectations in terms of the interface, it would be more explicit what should happen, and better interoperability would result. The protocol will allow the SP to signal that it doesn't want to be a part of the logout sequence after sending the logout request.

Committee members are asked to review this document and bring questions to the next call.

 (f) XSPA - any updates?  (David S. & Duane)

David was traveling today, so Duane offered an update. He had a conversation with the voting members of the XSPA TC about advancing the current document that's been progressing within the XSPA TC to a working draft that can proceed through the OASIS SSTC. This will be version 2 of the XSPA profile for SAML. He's still working on assembling a high-level overview of what is changing within the profile.

He's migrating some of the vocabulary from some older references to more authoritative references, e.g. HL-7. They'll also be adding attributes to the standard that will allow for the enforcement and signaling of policies such as non-redisclosure, and so forth. There will also be stronger typing of the attribute values.

The goal is to try to accommodate some of the requirements for data segmentation of patient clinical records in support of US privacy laws, Title 38, CFR42Part2, that require more controls over sensitive health care data. These requirements are being reviewed, tested, and demonstrated as part of a pilot project by ONC S&I Framework Data Segmentation for Privacy (DS4P) workgroup members. Eventually, Duane anticipates this will be migrated towards a committee specification.

Duane will try to track all the significant changes that have been made in a spreadsheet. Right now, revision tracking in the document itself is being used, and that has resulted in a document that's difficult to read. The wiki will also need to be updated at some point.

6. Other items:
  - IETF in July.

Kitten won't be meeting at this IETF, so Scott won't be attending.

There will be a revision of the new ECP profile soon, and there may be revisions to the Channel Binding document. He has a reference to XML Encryption 1.1, which isn't done yet, and that may force the delay of these documents. Worse yet, the IETF drafts depend on the SSTC drafts having proceeded beyond draft. There are many hold-ups and interdependencies and the TC salutes Scott's willingness to brave several standards processes in parallel.

7. Next SSTC Call:
  - Tuesday 24 July 2012.

We look forward to speaking with you then.
