OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes for SSTC Telecon (Tuesday 7 June 2016)

1. Roll Call & Agenda Review.


Voting Members

Internet2 					Scott Cantor
Veterans Health Administration 	Mohammad Jafari
Oracle 					Hal Lockhart


Individual 					Rainer Hoerbe

Regrets from Thomas.

Quorum was achieved.

2. Need a volunteer to take minutes.


3. Approval of minutes from previous meeting(s):

   - Minutes from 24 November 2015:


-   Minutes from 22 December 2015


-   Minutes from 19 January 2016


-   Minutes from 16 Feb 2016


All four sets approved unanimously.

4. AIs & progress update on current work-items:

  (a) Current electronic ballots: None.

  (b) Status/notes regarding past ballots: None.

  (c) Proposal for attribute query and SSO (Scott)
     - Any updates?

No update. (Scott says this is not his item.)

  (d) XSPA updates (Mohammad Jafari)
     - Any updates.

Work continues to be on hold because of uncertainty about requirements.

5. Assorted mail items:

6. Other items:

Scott notes that the specs do not say that messages containing DTD's should be rejected. This can lead to severe denial of service attacks. SOAP does say to reject DTD's, but some flows do not use SOAP.

This obviously cannot be dealt with as Errata. It could be added to the new spec. The first step is to poll existing implementations and see how many already do this and if there would be negative implications to adding this ban.

Scott noted that Java now allows a secure processing mode to be enabled which among other things, rejects DTD's.

7. Next SSTC Call:
   - Tuesday 30 August 2016.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]