
security-services message


Subject: Draft Minutes 4 February 2014

SSTC Conference Call 
Tuesday 4 February 2014, 12:00pm ET

> 1. Roll Call & Agenda Review.

Quorum achieved. Hal Chaired.


Voting Members

Internet2 					Scott Cantor
Nokia Corporation 			Frederick Hirsch
Veterans Health Administration 	Mohammad Jafari
Covisint Corporation 			Chad La Joie
Oracle 					Hal Lockhart
Red Hat 					Anil Saldhana 


Open Identity Exchange 			John Bradley

> 2. Need a volunteer to take minutes.

Frederick Hirsch volunteered to take minutes

> 3. Approval of minutes from previous meeting(s):
>   - Minutes from SSTC Call on 21 January 2013:
> https://lists.oasis-open.org/archives/security-services/201401/msg00010.html

Minutes approved by unanimous consent.

> 4. AIs & progress update on current work-items:
>  (a) Current electronic ballots: None.
>  (b) Status/notes regarding past ballots: None.
>  (c) SAML 2.1 work (Chad)
>      - SAML2.1 wiki:
>        https://wiki.oasis-open.org/security/SAML2Revision
>      - Chad's list:
>        https://wiki.oasis-open.org/security/SAML21
>      - Sample ToC for an SSO Profile:
>        https://wiki.oasis-open.org/security/SAML21ExampleProtocol
>      - Thematic profiles from Chad:
> https://lists.oasis-open.org/archives/security-services/201312/msg00004.html

Chad has talked with Chet, sent message to list. Group needs to decide on open question - Should security considerations and conformance be left as separate document(s) or rolled into new drafts?

General agreement on call to rolling into profile documents for clarity and conformance to specific profile. 
Original idea was conformance to having families of related material, but this may not be appropriate going forward but could be a separate document if needed.

May need updates to security considerations.

ACTION: Chad will send out names for documents to list looking for agreement, then will ask Chet to regenerate templates.

NSTIC feedback indicates continuing interest in SAML and need for profiles for deployment.

>      - New templates for SAML2.1:
> https://lists.oasis-open.org/archives/security-services/201401/msg00011.html
>  (d) Conceptual/overview of Metadata (Rainer Hoerbe)
>      - Further Steps thread. Any updates?
> https://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=50362
>  (e) XSPA updates (Mohammad Jafari)
>     - Any updates?

No updates.

>  (f) Folding SAML.XML.ORG material into SAML/SSTC site.
>      - Scott has created updated front page.
>      - AI: Thomas to ping TC Admin folks.
> https://wiki.oasis-open.org/security/FrontPage

Thomas is checking on this, redirect has not been implemented yet.

ACTION: Thomas to check on SAML.XML.ORG update.

>  (g)  Usage of SAML in NSTIC-funded pilots (the Daon slides)
>      - Folks to review slides from Daon (via Colin Wallis & Jamie Clark).
>      - Any feedback for Daon and for SAML developers in NSTIC pilots?
> https://lists.oasis-open.org/archives/security-services/201401/msg00007.html

Hal noted Trust Elevation TC asked him to give overview on SAML support for step up authentication mechanism; will include some XACML as well. Should happen Thursday.
Will post slides on SAML archive, would appreciate any feedback Wednesday (before Thursday). Will give overview of SSO, authentication request, request initiation and LLO profile.
Will explain how XACML can return missing attributes.

Discussion of use cases, e.g. need to have stronger authentication during session after some point (SP initiated flow).

John Bradley mentioned need for SP to be aware of changes in confidence and use case for social media identities to be used for government access, using step-up authentication by third party, to enable use of such identities. Use case of third party identity providers (in addition to initial IDP).

Discussion of Daon. Need more use case information. Question as to why client needs to ask for this information from SP rather than using client information, need better understanding. Using location as part of authentication. Geo XACML have defined types related to Daon. Scott noted used IETF syntax for data expression.

Question for everyone, are there areas to pursue as new work in SSTC? 

Scott asked whether adding some key pieces of Liberty to SAML would obtain adoption; OpenID/OAuth might need to deal with those issues.

Dealing with attribute functionality seems interesting but not many implementers providing attribute sources, need clarity on business case.

Hal noted there may be question about unifying different SAML and OIDC approaches by offering higher level profile. (slide 21, Example 1 - http://www.idecosystem.org/filedepot_download/1369/1039 )
John noted this is policy but not technical standards issue, so will depend on implementation support (possible with standard as written).

Hal asked regarding interest in TC providing summary feedback to NSTIC. No immediate interest, please indicate on list if interested.

> 5. Assorted mail items:

No discussion

> 6. Other items:
>   - RSA conference coming up.

No discussion

> 7. Next SSTC Call:

Tuesday 18 February 2014


regards, Frederick

Frederick Hirsch
