security-services message


Subject: Re: [security-services] Draft minutes, SSTC Telecon 7 August 2012

On 08/07/2012 12:02 PM, Frederick.Hirsch@nokia.com wrote:
Minutes for SSTC Telecon (7 August 2012)


1. Roll Call & Agenda Review.
Company                           Name                  Role
Open Identity Exchange            John Bradley          Member
Internet2                         Scott Cantor          Secretary
Veterans Health Administration    Duane DeCouteau       Voting Member
M.I.T.                            Thomas Hardjono       Chair
Nokia Corporation                 Frederick Hirsch      Voting Member
Internet2                         Nathan Klingenstein   Chair
Oracle                            Hal Lockhart          Secretary
Microsoft                         Anthony Nadalin       Member
Red Hat                           Anil Saldhana         Secretary

Quorum: 7 out of 9 (77%). Quorum achieved.

2. Need a volunteer to take minutes.
Frederick Hirsch volunteered to take minutes.
3. Approval of minutes from previous meeting(s):

   - Minutes from SSTC Call on 24 July 2012:


Nate moved, Anil seconded, Minutes from 24 July 2012 approved by unanimous consent.

4. AIs & progress update on current work-items:

  (a) Current electronic ballots: (none)
None, no discussion.

  (b) Status/notes regarding past ballots: (none)
No discussion.

  (c) SAML in JSON (Jamie Clark)

Jamie Clark sent a message to the list summarizing the information; please review it in conjunction with these minutes: https://www.oasis-open.org/apps/org/workgroup/security/email/archives/201208/msg00005.html

Jamie noted that some XML projects within OASIS are doing REST and JSON profiles, and that there is much discussion about REST, JSON and their relationship to SAML in the blog communities.

Jamie asks the TC if there is interest in the SSTC producing a REST profile of SAML, noting that the SSTC has a huge user base and would like to reuse work in mobile etc., hence bringing a potential work item for alternate serializations to the TC's attention.

A number of nations have projects to decide which identity management standards are to be used in future, hence information on the evolution of SAML is important to communicate to these discussions.

Anil noted that an XML construct could be represented in JSON fairly simply due to the clarity of XML, while still using SAML semantics.

Scott is not sure it is useful to compete with the existing IETF effort to replicate SAML as they increase functionality; JOSE is the security layer, no desire to replicate that. Not clear that there is a necessary relationship between REST and JSON. SAML does not depend on SOAP, per se, so we might want to change that, so REST work might be possible. We should separate these two concerns.

Frederick asks if there is a concern about divergence of semantics with new efforts elsewhere, like the IETF.

Scott suggests that SAML folks participate in the IETF work to influence it and also that there are only so many ways to do things, and this work has been underway a long time. SAML got the extensibility right.

Tony Nadalin - The intent was not to reproduce SAML, but to make it simple, hence the use of JSON. No point in attempting to reproduce the work, but to participate in the JWT work.

John Bradley welcomes more people participating in the IETF work.

Hal noted there is another subgroup working on holder of key mechanism.

Jamie asked if there is a need to formalize relationships and to be clear about what the Security Services TC plans to do, as questions do come into OASIS. OASIS staff will not have much to report if the TC gives no indication.

Hal gave an update related to XACML. He noted that the XACML TC is creating new profiles which include (1) a RESTful interaction to support querying the decision point and policy repository and also (2) a decision request profile. The XACML TC wants functional parity with the XML version. Interest in using REST transport to transfer XML. Separate effort to define JSON for decision requests/responses as well as the policy language. Hoping for interop by next RSA.

SAML and XACML are in different situations - XACML is easier to add to an existing system, adoption mostly by vendor products. SAML adoption is in both open source and vendor products. The XACML TC wants to simplify to enhance adoption. A lot of the JSON desire is driven by a wish to avoid using XML, to avoid having a parser.

John Bradley: converting SAML to REST/JSON is probably not necessary for enterprise use cases, which already have an XML parser, signing/encryption.

Hal - Having a lightweight implementation for an endpoint has value. Suggests to Jamie that the TC should do this work only if there are users that need it; want to avoid confusion and duplicate effort.

Scott - we might want to add JOSE linkages to the SAML roadmap for replacement of XML Signature and XML Encryption, perhaps instead of working on simple sign.

John Bradley - Could use SAML as the body of a JOSE assertion, a possibility, but trying to reduce size.

Anil has a use case: having a SAML stack, he wants to provide a JSON interface to it, but is hearing that JWT is the future for web tokens, though not as rich as SAML. Looking for guidance.

Scott - I have no reason to switch to JSON, can continue using SAML. Expects that JWT may increase in complexity to meet use case needs.

Hal - SAML has a base specification and 30-40 profiles, so need to be specific regarding the need for profiles going forward; need to be clear on use cases.

Tony - clarify, what is needed

Anil - serialization between formats

Scott - need to have a meaningful serialization, need to retain semantics; if JWT is not able to support use cases in the future, then perhaps work will be needed in the SSTC ...

Tony - need to compare the feature set; some SAML features are not being moved to JWT - e.g. Authentication Context.

Scott - need a gap analysis of JWT and SAML; personally thinks it better to use that as a starting point, not to attempt to replicate the entire set of functionality.

Hal - not including metadata in JWT as well...

John Bradley - should focus on the assertion format; will probably need metadata at a higher level in the protocol in order to scale.

Group discussed politics and marketing related to use of SOAP, cloud etc.

Jamie asks if there is a real concern for the implementer community having to rework their models.

Scott - we may not want to assume only HTTP-based approaches for work going forward, in general.

Hal - if members bring work to the TC then we can consider it; however, work should lead to implementations. Could also produce non-normative work outlining possible technical relationships.

Thomas - any actions here?

Jamie - should give people time to think about it.

Scott - I've noted items that we may wish to do as part of specification updates.

John Bradley - OAuth people want to look at the SAML Assertion Profile.

Jamie - a gap analysis seems useful. Can you post a link to the assertion profile to the SAML list?

Thomas thanks Jamie for raising topic.

Hal gave an update on the Webinar - working on an update to the Webinar, has sent material to Dee.

Thomas suggests remaining agenda is postponed to next call. No objection.

Next meeting in two weeks.

Meeting Adjourned.

  (d) SAML 2.X and Security Considerations doc
      - Status: SSTC agrees to proceed on this in 2012.
      - AIs:
        o Thomas to ask Admin about template doc

      - https://wiki.oasis-open.org/security/SAML2Revision

   (e) SSTC Webinar:
      - Proposed topic: scope of work for the 2.0.1 spec.
      - AI: Decide webinar date.
      - AI: collect data on SAML2.0 deployments


   (f) Asynchronous Single Logout Protocol Extension (Chad)


   (g) XPA updates (David S. & Duane)

   (h) Issue tracker: SECURITY-21

5. Assorted mail items:

6. Other items:
   - OASIS sponsor at the International Cloud Symposium

7. Next SSTC Call:
   - Tuesday 21 August 2012.
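The discussion above (Anil's "serialization between formats" use case, Scott's call for a serialization that retains semantics and for a JWT/SAML gap analysis, Tony's point that Authentication Context has no JWT counterpart, and the suggestion of JOSE as the signature layer) can be made concrete with a small worked example. The following Python is an added illustration, not code from these minutes, the SSTC, or any SAML or JOSE implementation. It parses a constructed, unsigned SAML 2.0 assertion (entity IDs, subject and timestamps are made up), maps the Subject, Issuer, Conditions and validity window onto the registered JWT claims, records what does not map (NameID Format, AuthnContextClassRef), and signs and verifies the result as a compact JWS with HS256 using only the standard library. The private claim name `saml_acr` and the demo key are assumptions made here, not names from any specification.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion for the example; all identifiers are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2012-08-07T16:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-08-07T15:59:00Z" NotOnOrAfter="2012-08-07T16:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2012-08-07T15:58:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""


def _epoch(iso_utc):
    """SAML xs:dateTime in UTC ('...Z') to a JWT NumericDate (integer seconds)."""
    return int(datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def saml_to_jwt_claims(assertion_xml):
    """Map the core of a SAML 2.0 assertion onto JWT claims.

    Returns (claims, gaps): `gaps` lists SAML information with no registered
    JWT claim, which was either carried as a private claim or dropped.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    claims = {
        "jti": root.get("ID"),                      # Assertion/@ID
        "iat": _epoch(root.get("IssueInstant")),    # Assertion/@IssueInstant
        "iss": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "sub": name_id.text,                        # Subject/NameID text only
        "nbf": _epoch(cond.get("NotBefore")),       # Conditions/@NotBefore
        "exp": _epoch(cond.get("NotOnOrAfter")),    # Conditions/@NotOnOrAfter
    }
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    claims["aud"] = audiences[0] if len(audiences) == 1 else audiences
    gaps = []
    if name_id.get("Format"):
        gaps.append("NameID/@Format dropped: 'sub' is a bare string")
    acr = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=SAML_NS)
    if acr:
        claims["saml_acr"] = acr   # hypothetical private claim; no registered JWT claim exists
        gaps.append("AuthnContextClassRef carried as private claim 'saml_acr'")
    return claims, gaps


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(claims, key):
    """Compact JWS serialization, HMAC-SHA256: the JOSE layer standing in for XML Signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def jws_verify_hs256(token, key, audience, now):
    """Verify the signature, then the checks a SAML Conditions element would have imposed."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(h64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p64))
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("outside validity window")
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if audience not in auds:
        raise ValueError("audience mismatch")
    return claims


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"   # assumption: shared secret for the demo
    claims, gaps = saml_to_jwt_claims(SAMPLE_ASSERTION)
    token = jws_sign_hs256(claims, KEY)
    verified = jws_verify_hs256(token, KEY, "https://sp.example.com/saml", now=claims["iat"] + 10)
    print(token)
    print("gaps:", gaps)
    print("verified subject:", verified["sub"])
```

The `gaps` list is the point of the exercise: the registered claims cover issuer, subject, audience and the validity window, but the NameID format and the authentication context only survive as a dropped attribute or a private claim that the relying party must know about out of band, which is the kind of item a JWT/SAML gap analysis would have to enumerate. The verifier pins `alg` to the expected value rather than reading it from the token, because the header is attacker-controlled until the signature has been checked.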
