Subject: RE: [security-services] Minutes for SSTC Telecon (19 Feb 2013)
Roll call for SSTC (19 Feb 2013): Roelands, Raymond; La Joie, Chad; Cantor, Scott; Klingenstein, Nathan; Hardjono, Thomas; Hirsch, Frederick; Hunt, Phil; Lockhart, Hal; Mishra, Prateek; Saldhana, Anil; Lambiase, Mark; Jafari, Mohammad

> -----Original Message-----
> From: security-services@lists.oasis-open.org [mailto:security-services@lists.oasis-open.org] On Behalf Of Mr. Mark Lambiase
> Sent: Tuesday, February 19, 2013 5:35 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Minutes for SSTC Telecon (19 Feb 2013)
>
> 1. Roll Call & Agenda Review
>
> 2. Need a volunteer to take minutes.
> Mark volunteers.
>
> 3. Approval of minutes from previous meetings.
> - Minutes from SSTC Call on 22 January 2013:
> https://lists.oasis-open.org/archives/security-services/201302/msg00006.html
> - Minutes from SSTC Call on 5 February 2013:
> https://www.oasis-open.org/apps/org/workgroup/security/email/archives/201302/msg00014.html
>
> Chad moves to approve minutes and Nate seconds. There were no objections and the minutes were adopted.
>
> 4. AIs & progress update on current work-items:
>
> (a) Current electronic ballots: (none) There are no ballots so item 4a was skipped.
>
> (b) Status/notes regarding past ballots: (none) There are no items at this time so 4b was skipped.
>
> (c) SAML 2.1 work (Scott and Chad)
> - SAML2.1 wiki:
> https://wiki.oasis-open.org/security/SAML2Revision
> - Chad's list:
> https://wiki.oasis-open.org/security/SAML21
> - Sample ToC for an SSO Profile:
> https://wiki.oasis-open.org/security/SAML21ExampleProtocol
> No comments were received.
> Chad has posted a high-level ToC for review.
> Thomas suggested we can cut and paste from the previous ToC, where appropriate, to expedite.
> Chad suggested we break it down into specific topics. The ToC he posted was for SSO, and offered as an example of how other sections can be organized and presented.
>
> (d) Conceptual/overview of Metadata (Rainer Hoerbe)
> - Apologies from Rainer.
> http://files.hoerbe.at/daunlod/eadocx-quickdoc.pdf
> Item 4d was skipped until Rainer can be present on a call for discussion.
>
> (e) SAML ECP (Scott)
> - Any updates?
> Scott: still receiving feedback, an update will be forthcoming at a future date.
> There was a call for questions for Scott, and there were no questions.
> Thomas asked if anyone was waiting for ECP, and nobody knew of anyone waiting for it.
> Thomas asked if there is a notion of ECP being re-used like OAuth tokens?
> Scott: Yes. He also noted that a solution is needed for non-browser clients, such as with SSH.
> Doubts about the security of OAuth were also raised, but recognized others would debate the issue. Issues with the GSSAPI specification and implementation were raised.
> Anil asked how many implementations of ECP there are.
> Scott said it was unknown, but would suspect that the original Liberty Alliance members may have implemented it before adopting SAML 2.0, and noted that Cisco and Office 365 have some of the specification incorporated, as an example.
> A discussion of non-browser clients ensued, and it was noted that cookies are not defined by the specification.
>
> (f) XPA updates (Mohammad Jafari)
> - Any updates?
> There were no updates to report at this time.
>
> (g) IETF Drafts (Prateek)
> - SAML 2.0 Bearer Assertion Profiles for OAuth 2.0.
> - Assertion Framework for OAuth 2.0.
> https://lists.oasis-open.org/archives/security-services/201302/msg00010.html
> Prateek said he is hoping for review and advice from SAML implementors.
> The work cited refers to SAML assertions in bearer tokens. Slide 1 describes OAuth flows and entities and the use of SAML assertions as an authorization grant in OAuth. OAuth was described as a two-legged flow, as compared to the SAML three-legged flow. The goal is to connect existing SAML and OAuth flows. This is summarized on slide 2, which shows the exchange of an authorization grant for an access token. A case was described of authenticating locally at an enterprise and exchanging it for an access token.
> Prateek is looking for feedback.
> Phil mentioned that the IETF general assertions framework is without specification.
> Scott asked about delegation.
> Phil: it is loosely bound.
> Scott: delegation vs impersonation?
> Thomas said there is some jitter around whether the AuthN statement needs to call OAuth.
> A discussion ensued about OAuth scope vs SAML audience.
> Scott: Audience in SAML is no less defined, scope in OAuth is no better defined.
> Thomas suggested that reading the framework doc would be valuable for continuing this discussion.
>
> (h) Updating SAML.org
> - Thomas to contact Robin Cover
> Thomas will contact Robin Cover to get an update.
>
> 5. Assorted mail items:
> No items to discuss.
>
> 6. Other items:
> - RSA2013 coming up
> - IETF in March
> IETF is in Orlando, FL, in March.
>
> 7. Next SSTC Call:
> - Tuesday 5 March 2013.
> No new items.
>
> Adjourned at 12:46pm (EST)