OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Proposed Minutes for SSTC Telecon (Tue 4 September 2012)

1. Roll Call & Agenda Review.

2. Need a volunteer to take minutes.

Nate volunteered.

3. Approval of minutes from previous meeting(s):

  - Minutes from SSTC Call on 21 August 2012: (adding Rainer Hoerbe)


Rainer's name didn't make it onto the posted minutes, but his name was included in the approval process. John Bradley moved for the approval of the minutes and Nate Klingenstein seconded. With no objections, the motion passed and the minutes were adopted.

 (c) SAML 2.1 work:
     - Status: SSTC agrees to proceed on this in 2012.
     - AIs:
       o Scott to request new document name & will transfer
         boilerplate and properties into the old docs, etc.

     - https://wiki.oasis-open.org/security/SAML2Revision

Scott has been on and off vacation throughout much of August. He had put a bunch of metadata material in the Wiki and continues to want to see some sort of consensus achieved so that it can be moved to the "agreement" section from the "close to consensus", and the more agreement the better in preparation for the webinar.

The metadata specification specifically needs to be updated to break apart trust and autoconfiguration use cases, both in terms of the specification and in terms of conformance. DDDS, normative material around third party hosting of metadata, stronger profile language for improved interop for conforming implementations, different conformance levels, and so forth have all been discussed. Many metadata extensions that have been used widely in deployment have also been moved towards the core specification.

Scott moved to move the metadata requirements to the approved category, and John Bradley seconded. No objections were registered and the motion passed.

Scott also wanted to solicit input on addition of new element types to the XML schema, tightening a few fields. He doesn't think it would be contentious to publish a second edition of the schema, not changing a namespace, but adding constraints that are in the prose into the published schema. He realizes people are sensitive about revising published and widely used schema.

The schema version attribute would be changed to 2.1 in order to reflect these changes, and the URL's where the schemas lived would also presumably change.

John's initial reaction is, if this is clearly a different schema and implementations could clearly decide which schema they want to be conforming with and validating against, then that's good, but the old schema should be published as well.

Hal's initial reaction was, "sure, but I need to investigate this."

In practice, this sort of schema revision is unlikely to cause any problems in existing implementations because the existing schema would still be usable.

The only interop change would occur is that someone who didn't fully implement the specification could send something that would be rejected by a provider using the 2.1 schema. While that may actually be the intention, Hal mentioned that when something that was functioning seems to break arbitrarily, customers are not usually thrilled.

This would possibly lead to the publication of a new namespace as well, making it a one-for-one change on schemas.

Scott will hold back on any schema revisions until we get more feedback -- feedback encouraged -- but he thinks it's reasonable to start down this path. He sent a message on the 14th of August entitled, "suggested schema tightening for 2.1".

 (d)  SSTC Webinar:
     - Proposed topic: scope of work for the 2.0.1 spec.
     - Status: date planned is 27 September 2012.
     - Status:
       o Data from NASA posted by Thomas.
       o Rainer posted link to data from Kantara BTCF



The Webinar will be entitled "SAML: Right Here, Right Now". Hal wrote a blurb and he hoped that Dee would have posted a notice about this by now. He'll ping Dee to make sure they're not waiting on Hal.

 (e) Asynchronous Single Logout Protocol Extension (Chad)
- Status: Scott will post a new WD after getting latest files from Chad.

 (f) XPA updates (David S. & Duane)


Neither David nor Duane was in attendance, so this discussion item was delayed.

 (g)  SAML in JSON
    - Continue discussion from last telecon.

The only thing discussed that might lead to action would be a defined mapping between SAML and the proposed JWT spec happening in the OAuth TC and/or some version of JOSE to be used in a fashion like SAML simple sign was proposed to be used. Since there wasn't a lot of appetite for making either an action item yet, there's probably not much more to discuss about this topic until such time this work becomes more necessary.

If this is brought up again as a work item in the future, the SSTC hopes to have a concrete proposal on which to deliberate.

We look forward to speaking to you in 2 weeks.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]