[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Draft minutes for 25 November 2003 SSTC telecon
Attendance for the 25th November 2003 SSTC telecon: 21 out of 31 in attendance (quorum achieved) Attendees: Michael McIntosh IBM Scott Cantor Individual Bob Morgan Individual Greg Whitehead Individual Rebekah Lepro NASA Prateek Mishra Netegrity Senthil Sengodan Nokia Jim Lien RSA John Linn RSA Security Dipak Chopra SAP Jahan Moreh Sigaba Jeff Hodges Sun Eve Maler Sun Emily Xu Sun Mike Beach The Boeing Company Hal Lockhart BEA John Hughes Entegrity Solutions Tim Moses Entrust Irving Reid HP Jason Rouault HP Paula Austel IBM -----Original Message----- From: Eve L. Maler [mailto:eve.maler@sun.com] Sent: Tuesday, November 25, 2003 2:44 PM To: 'security-services@lists.oasis-open.org' Subject: [security-services] Draft minutes for 25 November 2003 SSTC telecon Mishra, Prateek wrote: Roll call: quorum achieved [Prateek, please provide details] We will add an agenda item on the IPR questions, as requested by Hal. > 1. Accept minutes from November 11 Conference Call > http://lists.oasis-open.org/archives/security-services/200311/msg00044.html ACCEPTED by unanimous consent. > 2. Charter Vote Status > http://www.oasis-open.org/apps/org/workgroup/security/ballot.php?id=268& > > Following the rules in > http://www.oasis-open.org/committees/process.php#charter > > the TC has voted to update its charter. We will continue to move forward > with the next steps as described in the OASIS rules. Prateek reiterated this information on the call. > 3. Proposed F2F Schedule > Recognizing that we have spent a certain amount of time on procedural > matters, the chairs have proposed the following dates for the next two F2F > meetings: The theory is that solution proposals should be prepared by F2F #3, and exact specification text should be prepared by F2F #4. > (a) Week of Februrary 2 (F2F #3 - East Coast) Hal/BEA was going to host this meeting when it was planned for January. As long as the new proposed date doesn't conflict with the March WS-I plenary (it doesn't), he can host. Conor is willing to host in the D.C. area. Eve suggested sticking with a Burlington, MA plan. Hal can easily accommodate 20-25 people without fuss, but needs to reserve the training room if we go over. ACTION: Prateek to set up ballots to nail down the specific days of this week. ACTION: Hal to take the appropriate measures to confirm availability and reserve a room, assuming a Tuesday through Thursday schedule. > (b) Week of March 29 (F2F#4 - West Coast) We'll work with this rough assumption for now. > 4. Proposed schedule for scoping and solution proposals > http://lists.oasis-open.org/archives/security-services/200311/msg00106.html The proposal is as follows: 1. agreement on use case/champion/rough scope: Dec 9, 2003 2. agreement on solution: Jan 20, 2004 3. TBD (document text and schema) at F2F #3 Hal noted that for simple items, people should feel free to propose normative material at stage #2. The idea with the #2/#3 split is to save work if we decide to go in a wholly different direction. The chairs plan to keep to this schedule; work item owners are put on notice to achieve it. > 5. Interoperability challenges > How to respond to commentary? > > http://lists.oasis-open.org/archives/security-services/200311/msg00027.html > > Proposal > (a): SAML 1.1 InterOp Event at RSA2004 > > http://lists.oasis-open.org/archives/security-services/200311/msg00031.html > > We need to identify an owner: Rob? The RSA event is February 23-27. We're hoping Rob will coordinate this. > (b): Identify vendor(s) or sites where SAML 1.1 test suite is available > > http://lists.oasis-open.org/archives/security-services/200311/msg00091.html > > We need to identify an owner: ? Hal: The suggestion seemed to be to simply publish sites where people might have test implementations available. There are security and other concerns with publishing addresses of test machines (e.g., they might be in front of a firewall and might not reliably be up and running). In addition, the Burton comments include a number of other ideas. Is there an OASIS policy issue around not doing conformance testing? He was also confused about the Burton comments around conformance; since we only have two profiles, life isn't that complicated. One idea is to mandate the browser/artifact profile, which we could consider but it may or may not be necessary. Finally, the cookbook idea seems a little nebulous. Eve: Some of the additional cookbook suggestions received privately go a little too far, in that some of the items would be more appropriate to a Burton report than an OASIS deliverable, but others will be incorporated into the editorial team's work as appropriate. Prateek: Maintaining a test suite are not really an OASIS issue, but perhaps are a vendor issue. Presumably this would not be strictly TC-driven. Eve: Suggested that we create a concrete action item for all individual TC members to pursue inquiries within their companies about whether to contribute to an aggregate test suite effort. Hal: Suggested checking with Karl and/or Jamie (OASIS staff) about what role OASIS can or should play in conformance testing. ACTION: Chairs to pursue OASIS staff inquiries on conformance testing limits. ACTION: All TC members to pursue inquiries within their own companies and contacting Prateek with their interest levels. Hal: Dan's comments on conformance testing go back and forth between on-network scenarios and self-tests. The latter may be logistically more convenient. Scott: SAML V2.0 is increasing the "granularity" of the spec (making it finer) so that more of people's business process is covered. This should help interoperability even if Dan's other suggestions aren't implemented. Hal: We had decided that, for example, actual attributes are not specified, so some things will be outside our scope. Scott: But we're talking about bringing X.500 attributes into SAML in a way that's more interoperable, so we're not just doing nothing here. Hal: Fair enough. Hal: The interop event is more of a public demonstration on interoperability of certain products, and not so much a definitive test. Irving: Though it would behoove us to demonstrate more interop than we did last time. Eve: I added issue CORE-9 regarding whether to make some profiles mandatory to implement. We need an owner for that before we discuss further. Prateek: Agreed. New agenda item 3': focus group meetings on the off-weeks: http://lists.oasis-open.org/archives/security-services/200311/msg00105.html Prateek had proposed on November 23 that we start having focus group meetings on the off-weeks, starting Wednesday, December 2. We agreed to start doing this, though next week's meeting may be short because people hadn't planned ahead for it. "The first focus group meeting would take place on December 2 from 12:00-1:30 and every other week thereafter." New agenda item 3'': Hal's questions about licensing: Conor: It might be profitable to get a statement from the specific Liberty contributors about claims related specifically to what was submitted (which is not the whole set of Liberty specs). [Bill Smith joins call] Hal: Does OASIS require *all* OASIS members to weigh in on their claims on contributed material? Bill: The answer is no. There is no obligation of any kind on anyone to go beyond what the contributors have already done. (Bill is a former OASIS president and knows the IPR policy and its history well.) Bill: Speaking as a Sun representative and as the secretary of the Liberty Alliance and its management board (the "steward" of the contributed specifications): The board took a vote and approved the contribution of a certain set of specs. All Liberty members are bound by a participation agreement that obligates all participants to grant a license. The default is royalty-free. Members may file an "NCDN" and optionally change to RAND. Liberty has received five NCDNs. Three are on already-issued patents. Two are on patents pending. For the former, the terms are royalty-free. For the pending applications (which may never issue, and Liberty-related claims could still be struck) of Citigroup and Catavault, they have offered RAND terms. Eve: Her recent message provides essentially this information, with all relevant links: http://lists.oasis-open.org/archives/security-services/200311/msg00117.html Bill: Sony is one of the five that submitted an NCDN. Bill: Liberty is working through what's appropriate to publish on the site, based on confidentiality provisions. Mike: Do these terms apply to derivative works? Bill: They apply to anyone who implements the Liberty specifications. Prateek: Can people send out email in order to frame any additional questions? When it comes to legal things, we wouldn't want to miss any subtleties. Hal: I just want this information to be publicly available. As long as it's in the minutes and Eve's message, I'm comfortable moving forward. [Bill Smith drops off] > 6. Eve has published revised work item list > http://lists.oasis-open.org/archives/security-services/200311/msg00098.html > which includes discussion of use-case scoping for several work items. > > We should begin voting on scope on each of the work items as soon as > use-cases are available or adequately defined. As agreed above, we need to close the use case questions by December 9. > W-1: decide whether to accept advanced use case in addition to base Mike: The work items document doesn't seem to include Tony's submitted use cases. Prateek: The referenced mail message (200310/doc00001.doc) is Tony's submission. John K.: He and Tony have been conferring on this. Prateek: So that question is: Do we want to include the advanced use cases? John K.: His plan is to at least think about what's required to address the more advanced requirements, and could put forward a proposal that addresses both Liberty-style sessions and also the more advanced requirements. But that would be a lot of work. RLBob and Scott: There are dependencies on how we do the single sign-on stuff. John K.: The "easy" proposal is to just adopt Liberty-style sessions, which will give you single logout (though not with 100% assurance). Hal: Doing sessions depend on SSO, so to do the former, you'd have to implement the latter. Conor: If you're going to do multiple simultaneous sessions, you'll still need bidirectional IdP<->SP communication to have simple logout. Hal: Agreed that there may be other complicated interdependencies. Prateek: The ID-FF model does involve needing SSO to start a session. Hal: Can we agree to go with "complex" use cases without being too specific about what functionality is in vs. out? Mike B.: Would we be excluding timeout? Timeouts are everywhere in business. Hal: You can't do distributed timeout measurement without everyone agreeing how to do it. Conor: It also gets tricker when there are different idle timeout requirements at different sites. If you do idle timeout, you need standard protocols for reporting "idleness". John K.: And then you'd have to define the entity receiving these. John K.: Mike B.'s use cases are on the table regarding this. Mike B.: He does currently have a mechanism inside Boeing for dealing with idleness, but crossing company boundaries gets more problematic. Hal: No matter whether you follow a specification or not, you shouldn't be able to harm my security. Conor: What is the incentive of company X to report idleness for company Y's purposes? Hal: Everyone has a choice as to whether they conform to the protocol. If they conform, then they'll report it. Scott: This is where choosing use cases comes in. Hal: Can we agree that we want to cover idle timeout? Prateek: Caution: going much beyond what's provided in ID-FF has a steeper complexity curve. Conor: I don't object to someone coming up with a proposal, but don't necessarily support doing it. John K.: He's willing to do the "easy" proposal and also to roughly scope out the grander proposal. Conor: ID-FF has "reauthenticate on or after", which is a very simple kind of timeout. The IdP is in control of this. And it can send a logout notification to SPs that expose the ability to receive. What it doesn't have is idle timeout. Scott: He would like to see us produce something more precise around SSO data collection to make session support more seamless. General agreement that this is difficult. Prateek: To do an up-or-down vote on this on December 9, what is needed? Do we just need more explication? Conor: Some people are interested in idle timeout, and John K. is willing to do some legwork in that area. He'd have to do this by early next week in order to let us make the decision on the 9th. ACTION (it turns out that this is essentially the same as AI #83, which is already in Kavi; perhaps extend that AI's description with this info): John K. to come up with some solutions-level work to help us decide on December 9 whether to cover idle timeout in SAML V2.0. John K.: He has explored the session linking idea with Tony. He's also been looking into whether a global shared session would meet that use case. Prateek: Use case decisions for V2.0 are no reflection on what we might do in V2.1 or V2.2 or whatever. Interested subgroups could certainly pick up deferred functionality according to their interest. > W-2: reconcile base and extension use cases Scott: The wording of "one-time" in Tony's use case (the mail message attachment 200310/doc00002.doc) is more appropriately called "transient"; we discussed this in the October F2F. They are issued only one-time, but can be retrieved multiple times. If there's no advantage to using the same one, why bother? Conor: There may be reasons to get the same one back. RLBob: Look at the Shibboleth use case here. Scott: That's why I said that it might appear as some other kind of assertion, just not a SSO assertion. John K.: Such as an attribute assertion? Yes. Prateek: Do we even need a vote? Scott: There certainly doesn't seem to be a need to reconcile anything. We just need to clarify what we mean by "transient". Prateek: Is Tony's use case covered by Scott's proposal? Scott: Yes, it's architecturally covered. MOTION: Eve moves to accept the base W-2 use case as well as the extension one-time identifier use case that Tony has posted. ACCEPTED by unanimous consent. ACTION: Scott to incorporate a better understanding of Tony's proposal into his document. > W-2a: decide whether to accept use case MOTION: Mike B. moves to accept the W-2a use case. JeffH seconds. ACCEPTED by unanimous consent. > W-3: reconcile Scott and Prateek use cases > W-5 and W-5a: select among use cases > W-7: decide whether to accept use case > W-8: decide whether to accept use case > W-15: decide whether to accept use case > W-17: decide whether to accept use case > W-19: decide whether to accept use case > W-21: decide whether to accept both base and advanced use cases > W-25: decide whether to accept both base and bridge server use cases > W-28a: reconcile Scott and Rebekah use cases > W-28d: decide whether to accept use case Deferred to the focus group call. > 7. Open Action Items > > #0095: Use Case for W-9: XML Encryption > Owner: Hal Lockhart > Status: Open > Assigned: 24 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 06:23 GMT > Hal will write the use-case for general XML encryption of SAML assertions. > This is distinct from Scott Cantor's work on encrypting name identifiers. DONE. > #0094: Use-Case for W-6: Proxied SSO > Owner: Scott Cantor > Status: Open > Assigned: 24 Nov 2003 > Due: --- > Comments: Pending. Scott has done some work on it and is waiting for Liberty feedback. > #0093: Discovery Protocol Solution Proposal > Owner: Scott Cantor > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 04:36 GMT > AI: Scott Cantor: AI is to take relevant spec from Liberty and produce draft > proposal Pending. This doesn't need to be in place for the December 9 telecon. > #0092: Assertion-level Subject > Owner: Conor Cahill > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 04:31 GMT > AI: Scott Cantor: Connor submitted the Assertion level subject, so he will > be owner if connor doesn't join Close this AI because it's in the issues list. > #0091: Solution proposal for null attribute issue > Owner: Rob Philpott > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 04:31 GMT > AI: Rob Philpott: RSA guy made null attribute request, therefore he'll own. Close this AI because it's in the issues list. > #0090: SAML elements with mixed version sub-elements > Owner: Eve Maler > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 04:29 GMT > Can a SAML 2.0 response include SAML 1.1 assertion?s The general question is > whether SAML containers of version 2.0 can hold elements belonging to > previous versions. Close this AI because it's in the issues list. > #0089: Describe Identity Provider, Service Provider and other roles > Owner: Eve Maler > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 04:25 GMT > This is an action generated during the discussion on the issue list at the > F2F. The point here is that we are moving away from source site terminology > and going towards a new set of terms. Close this AI because it's in the issues list. > #0088: Understanding ID-FF AuthNContext Elements > Owner: Scott Cantor > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 03:56 GMT > Scott will find someone who understands ID-FF AuthNContext work to explicate > difference between statementRef and class. Ref is reallife URI that implies > context. Class notion is some sort of higher order Pending. This is in the nature of a solution proposal. > #0087: UCs for Making Assertions about Issuers of Assertions > Owner: Irving Reid > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 03:51 GMT > ACTION: Scott, Bob, and Irving will develop UCs for Making Assertions about > Issuers of Assertions Pending. Scott sent a message to the list subsequent to the October F2F that contained all he wanted to say on the subject. Irving and Bob were asked to review this topic for the next meeting. > #0086: Non-HTTP use-cases related to the LECP profile > Owner: Bob Morgan > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 03:27 GMT > ACTION: Bob Morgan - more use cases. More generic use cases, may be not > involving HTTP. May involve web dav. Pending. Still putting together material on this. > #0085: Define SAML (it could be derived from LA 1.1) > Owner: Prateek Mishra > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 03:24 GMT > We want to add flows from SP to the IdP in SAML 2.0. To do so we need a > design for an AuthNRequest element. The AI here had angle brackets in it; Prateek will fix in Kavi. Pending. > #0084: Reconcile terminology in glossary and current use-case document > Owner: John Kemp > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 03:19 GMT > Terminology used in sstc-saml-2.0-issues-draft-01.pdf is not consistent with > terminology found in the current SAML glossary. Pending. > #0083: Gap Analysis between ID-FF proposals and John Kemp Use Cases > Owner: John Kemp > Status: Open > Assigned: 23 Nov 2003 > Due: --- > Comments: > Prateek Mishra 2003-11-24 03:16 GMT > ACTION from October 24 F2F: SSTC to direct John Kemp to do a gap analysis > based on Liberty's spec. How much work is needed to support richer notion of > session? In effect we gave John this same AI again today! So it's covered. Next meeting is the new focus group telecon on December 2. In that call, We will proceed with review of the next batch of use cases; Prateek will send out an agenda that gives specifics. ADJOURNED at 2:02pm ET. -- Eve Maler +1 781 442 3190 Sun Microsystems cell +1 781 354 9441 Web Products, Technologies, and Standards eve.maler @ sun.com To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave _workgroup.php.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]