

Subject: Minutes for SSTC Telecon (Tuesday 7 June 2016)


AGENDA:
1. Roll Call & Agenda Review.

Attendance

Voting Members

Internet2 					Scott Cantor
Veterans Health Administration 	Mohammad Jafari
Oracle 					Hal Lockhart

Members

Individual 					Rainer Hoerbe

Regrets from Thomas.


Quorum was achieved.

2. Need a volunteer to take minutes.

Hal

3. Approval of minutes from previous meeting(s):

   - Minutes from 24 November 2015:

https://lists.oasis-open.org/archives/security-services/201511/msg00002.html

-   Minutes from 22 December 2015

https://lists.oasis-open.org/archives/security-services/201512/msg00001.html

-   Minutes from 19 January 2016

https://lists.oasis-open.org/archives/security-services/201601/msg00005.html

-   Minutes from 16 Feb 2016

https://lists.oasis-open.org/archives/security-services/201602/msg00002.html

All four sets approved unanimously.

4. AIs & progress update on current work-items:

  (a) Current electronic ballots: None.

  (b) Status/notes regarding past ballots: None.

  (c) Proposal for attribute query and SSO (Scott)
     - Any updates?

No update. (Scott says this is not his item.)

  (d) XSPA updates (Mohammad Jafari)
     - Any updates.

Work continues to be on hold because of uncertainty about requirements.


5. Assorted mail items:

6. Other items:

Scott notes that the specs do not say that messages containing DTDs should be rejected. This can lead to severe denial of service attacks. SOAP does say to reject DTDs, but some flows do not use SOAP.

This obviously cannot be dealt with as Errata. It could be added to the new spec. The first step is to poll existing implementations and see how many already do this and if there would be negative implications to adding this ban.

Scott noted that Java now allows a secure processing mode to be enabled which, among other things, rejects DTDs.


7. Next SSTC Call:
   - Tuesday 30 August 2016.

--------------------------------
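
The DTD ban discussed under item 6, as an added example that is not part of the minutes or of any SSTC member's implementation: a JAXP parser for inbound SAML messages on non-SOAP flows that enables secure processing and refuses any DOCTYPE. The class and method names are hypothetical, the sample messages are constructed, and the `disallow-doctype-decl` feature assumes a Xerces-derived parser such as the JDK default.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class RejectDtdExample {  // hypothetical class name
    // Parser factory for inbound SAML messages that refuses any DOCTYPE.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // JAXP secure processing mode.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Assumption: Xerces-derived parser (the JDK default), which supports
        // this feature; a DOCTYPE then becomes a fatal parse error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the DOM for an accepted message, or null when the parser rejects it.
    static Document parseOrReject(String xml) throws Exception {
        try {
            return hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages, not taken from any real deployment.
        String request = "<samlp:AuthnRequest"
            + " xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " ID=\"_constructed1\" Version=\"2.0\""
            + " IssueInstant=\"2016-06-07T00:00:00Z\"/>";
        String withDtd = "<!DOCTYPE r [ <!ENTITY e \"constructed\"> ]>" + request;

        System.out.println("plain message accepted: " + (parseOrReject(request) != null));
        System.out.println("DTD message accepted:   " + (parseOrReject(withDtd) != null));
    }
}
```

Running the same two messages through an existing deployment's parser configuration is one way to answer the polling question of whether it already rejects DTDs.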
 
 


