security-services message
Subject: Minutes of Focus subgroup 31 July 2001 telecon


Attendees..

JeffH
Gil P
Phill H-B
Joe P
Michah L.
Alex B.
Fred M.
Prateek F.
Carlisle A.
Steve A.
Jason Rualt
Don Flinn
Chris M.
Darren P.
Tim M.
Simon G. 
Thomas H. 
Dave O.
Shirley K.




> 
> ACTION items
> ============
> 
> ACTION: Prateek to do traceability review before the next TC telecon.
> - definitely in wait-state, gated by consensus draft from F2F #3.
> - draft-sstc-{core,protocol}-discussion-01 contain some or all of this
>   traceability work?                               ^^^^

orig charter was to do traceback from use case doc. Prateek can start to
approach that in the next week or two. 

discussion-01 docs take as starting point the whiteboard/minutes docs, so we
still need to go back to use case doc. 


> -------
> ACTION: Eve to create master bibliography and provide bibliography section
> for document guidelines.
> - In wait-state. Eve has sent to JeffH draft bib section guidelines for comment,
> otherwise this is in wait-state as she's on vacation for much of Jul
> - Jeff will intersperse his comments and send to group and Eve. will endeavor to
> do this by 10-Aug.

queued.

> -------
> ACTION: Marlena to champion DS-1-02, Anonymity Technique, and confer with
> BobB and Phill.
> - In progress. Marlena has initiated thread(s) on the list wherein this is
> discussed explicitly, in terms of an "opaque identifier". Please read the
> thread & provide feedback (Marlena is on vacation, and should be back
> mid-Aug)


no discussion.


> -------
> ACTION: Prateek to champion DS-3-03, ValidityDependsUpon.
> - In wait-state. Prateek will take this up as we come to closure on core-12 et
> al.


now that core-12 is out, will take up over next couple of weeks.



> -------
> ACTION: Jeff to champion DS-4-02, XML Terminology, aka Messages and
> Packaging.
> - in queue.
>


behind security consid stuff in JeffH's queue. 


> -------
> ACTION: Hal to take Jeff's work on classification and composition of identifiers
> and "take it a step further".
> - in progress.


Hal not on call. no discussion.


> -------
> ACTION: Tim Moses to call out some details from draft-sstc-protocols-00 in the
> context of the revival of ISSUE:[UC-1-05:FirstContact]
> see:
> http://www.oasis-open.org/committees/security/docs/draft-sstc-protocols-00.pdf
> 
> This item was brought up in the 10-Jul SSTC/Focus meeting, in the "Open mike"
> section, entitled "Prateek: revival of (ISSUE:[UC-1-05:FirstContact])"; see..
> http://lists.oasis-open.org/archives/security-services/200107/msg00049.html
> 
> - in wait-state.


thread on the list. Tim is thinking that the issue is "closed" -- he looked at
the present bindings doc. discussion has a counter-proposal for browser binding
from Anders. 

binding group's job to sort this out. 

tim notes it is a rich area for sec consider. JeffH agrees. 


> -------
> ACTION:  Phill, Prateek, Chris, and Dave (although Dave is on vacation)
> to create core 11 (including stuff from the discussion docs
> described above and Phill's comments) that Prateek, Chris, David
> and Phill can agree upon amongst themselves.
> 
>   draft-sstc-core-12,
>   draft-sstc-schema-{assertion,protocol}-12,
>   draft-sstc-{core,protocol}-discussion-01
> 
>   ..were issued to the list last Fri 27-Jul and are presently in the SSTC doc
> repository.


Dave just got back from vacation. requests we wait to close this until next week
so he has a chance to look at the docs. 



> -------
> ACTION: Hal to comb thru core-12 (was core-10) post issuance and identify those
> issues that he feels it addresses (as a way to try cull the open issues in the
> Issues doc). see:
> http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-issues-04.pdf


in progress. 



> ------
> ACTION: JeffH to solicit the list for input on the above F2F #4 options.
> 
> In-progress.


no discussion.


> ===============
> Open discussion
> ===============
> 
> Have folks had time to read & absorb the "core-12 et al" documents:
> 
>   draft-sstc-core-12,
>   draft-sstc-schema-{assertion,protocol}-12,
>   draft-sstc-{core,protocol}-discussion-01
> 
> ??
> 
> General discussion of them is not "on the agenda" for this meeting *unless* a
> preponderance of folks indicate they have read them in detail and are prepared
> with specific questions.
> 
> Rather, the chair wishes to invite the core-12 et al co-authors to point out any
> succinct, important facets or issues of this doc set that readers should be
> aware of and/or carefully consider.
> 
> We propose to open the "floor" to the core-12 co-authors for this after the next
> three items..

question by carlisle: this going to be one doc?
prateek: essentially. one normative doc presently; what happens w/ discussion
docs not yet decided.
jeffh: non-normative discussion/informational/implementor-guide docs exist in
other protocol design efforts (eg some IETF efforts) so there's precedent.

Shirley: traceability review wrt use cases in the plans? 
JeffH: prateek doing that, we briefly discussed it before you joined the call.
prateek concurs.

Some discussion of whether the SSTC is going to maintain normative schema docs
(eg in .xsd file format) up to and including issuance of "completed" SAML specs.
There's some concern about (1) whether OASIS and/or the SSTC "knows how to do
this" (what is the DocBook TC doing?), and (2) how to ensure the schema in the
normative specification docs (eg core-12) match any accompanying normative
schema-only files. 

One idea was to embed a Word macro in the normative .doc specification file(s)
that emits a .xsd file on demand. Another idea was for the normative spec doc(s)
(eg core-12) to note that all the schema illustrations are NOT themselves
normative and explicitly normatively point at any accompanying .xsd files. 

JeffH noted that we don't have to figure this out in the immediate term, but it
is something we want to figure out in the intermediate-to-long-term, eg when
we're encouraging others afield to look at and perhaps implement SAML, so this
should be an identified background task for doc authors. 

ACTION: co-authors of docs w/schema need to consider and propose ways to keep doc
text w/schema consistent with external .xsd files if any.
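One way the action item above could be approached, shown here as an added example rather than any SSTC or OASIS tooling: extract the schema illustrations from the spec text, canonicalize them (whitespace and attribute order ignored) and diff them against the named top-level components of the accompanying .xsd. Everything in it is an assumption for illustration: the spec fragments are taken as already extracted to plain text (e.g. from the .doc), the SAML namespace URI is a placeholder, and the sample spec text, sample .xsd and function names are constructed for this example.

```python
"""Added example (not SSTC tooling): check that the schema illustrations in a
spec document match the separately maintained .xsd file.

Assumptions: the spec's schema fragments have been extracted to plain text
(e.g. from the .doc) and appear as top-level xs:element / xs:complexType /
xs:simpleType blocks; the SAML namespace URI below is a placeholder."""
import re
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"

# A top-level component as it appears in the spec text: either a self-closing
# tag or a block with a matching closing tag (non-greedy; assumes illustrations
# do not nest a block of the same kind inside itself).
FRAGMENT_RE = re.compile(
    r"<xs:(element|complexType|simpleType)\b[^>]*/>"
    r"|<xs:(element|complexType|simpleType)\b.*?</xs:\2>",
    re.DOTALL,
)

# Constructed sample spec text with two embedded schema illustrations.
SPEC_TEXT = """
2.3 Element <Assertion>

<xs:element name="Assertion" type="saml:AssertionType"/>
<xs:complexType name="AssertionType">
  <xs:sequence>
    <xs:element ref="saml:Conditions" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="AssertionID" type="xs:ID" use="required"/>
</xs:complexType>

The AssertionID attribute is required ...
"""

# Constructed sample .xsd that has drifted from the spec text: AssertionID
# became optional and a Conditions element was added without updating the doc.
XSD_TEXT = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:saml="urn:example:saml-placeholder"
           targetNamespace="urn:example:saml-placeholder">
  <xs:element name="Assertion" type="saml:AssertionType"/>
  <xs:complexType name="AssertionType">
    <xs:sequence>
      <xs:element ref="saml:Conditions" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute use="optional" name="AssertionID" type="xs:ID"/>
  </xs:complexType>
  <xs:element name="Conditions" type="saml:ConditionsType"/>
</xs:schema>
"""


def canonical(node):
    """Serialize ignoring whitespace and attribute order, so that only real
    differences between the illustration and the .xsd are reported."""
    attrs = " ".join('%s="%s"' % kv for kv in sorted(node.attrib.items()))
    body = "".join(canonical(child) for child in node)
    return "<%s %s>%s</%s>" % (node.tag, attrs, body, node.tag)


def index_components(nodes):
    """Map 'kind:name' -> canonical form for named top-level components."""
    out = {}
    for node in nodes:
        if node.tag.startswith("{" + XS + "}") and "name" in node.attrib:
            kind = node.tag.rsplit("}", 1)[1]
            out[kind + ":" + node.attrib["name"]] = canonical(node)
    return out


def spec_components(spec_text):
    # Wrap the extracted fragments so the xs: prefix is declared for the parser.
    frags = "".join(m.group(0) for m in FRAGMENT_RE.finditer(spec_text))
    root = ET.fromstring('<wrap xmlns:xs="' + XS + '">' + frags + "</wrap>")
    return index_components(list(root))


def xsd_components(xsd_text):
    return index_components(list(ET.fromstring(xsd_text)))


def check_consistency(spec_text, xsd_text):
    """Return which components agree, differ, or exist on one side only."""
    in_spec = spec_components(spec_text)
    in_xsd = xsd_components(xsd_text)
    return {
        "matched": sorted(k for k in in_spec if in_xsd.get(k) == in_spec[k]),
        "mismatched": sorted(k for k in in_spec
                             if k in in_xsd and in_xsd[k] != in_spec[k]),
        "spec_only": sorted(set(in_spec) - set(in_xsd)),
        "xsd_only": sorted(set(in_xsd) - set(in_spec)),
    }


if __name__ == "__main__":
    for key, names in check_consistency(SPEC_TEXT, XSD_TEXT).items():
        print("%-10s %s" % (key, ", ".join(names) or "-"))
```

Run against the constructed inputs it reports `element:Assertion` as matched, `complexType:AssertionType` as mismatched (the `use` attribute differs) and `element:Conditions` as present only in the .xsd; a check like this could run whenever either the spec text or the .xsd is reissued, so that drift between the two is caught before a draft goes to the list.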


> 1. F2F #4 planning
> 
> - do we have a decision on where, when, and duration of the next F2F?
> 
>   advice: do we need to "officially" ratify the evite poll results on the
>   "official" SSTC concall next week 7-Aug? JeffH is thinking yes, in part
>   because those voting in aggregate for the leading [date,duration,location]
>   tuple doesn't constitute a quorum.
> 
>   Can the prospective F2F #4 host handle the prospective uncertainty for
>   another week?
> 
>   Once we have [date,duration,location] officially decided, the co-chairs will
>   issue an Evite "invite" to the SSTC voting membership, prospective members,
>   and active observers.


DaveO cannot travel that week. 

Joe: can Don get a conf phone during that meeting. 

DaveO: 29th am moving but can do some telecon on 27th 28th.

Carlisle: Tim & Bob Griffin physically attending. I may be able to dial in the
first couple days. 

DECIDED: we're going to fly with..

  Date: Mon 27-Aug - Wed 29-Aug 
  Duration: 3 days (mapping of agenda to specific days, and how "full" of a
             day Wed 29-Aug is, TBD)
  Location: Waltham MA (host: Don Flinn)


ACTION: Don Flinn to get hotel info & maps and stuff together and send to JeffH
& Joe. 

ACTION: JeffH'n'Joe to go about getting Evite Invite out and getting the meeting
otherwise arranged.


We'll set specific agenda closer to the meeting. 


> 2. Are there any discussion threads on the list that need more discussion or
> clarification?

Phill: "naming and structure issues" needs participation & discussion.

Prateek: "naming" should be kept somewhat separate from "structure". there's
some lack of consistency in naming, and we need to address this separately.
choice of "structure" in XML Schema is very rich, lots of choices, and it's
orthogonal to naming. 


> 3. Does anyone have any *new*, burning, technical issues to raise?

no discussion. tho stuff came up below.


> 4. Points of interest in core-12 et al [core-12 co-authors]

Chris: most of actual things are called out as issues in the docs, and need to
be explicitly addressed. 

Prateek: before folks "bring up" issues, please check to see if it is already
raised in core-12 & the *-discussion-01 docs!

Phill: there's a namespace issue we can decide soon. need to put in a proper
schema identifier for the SAML namespace sooner rather than later. let's use the
url for where the schema will sit in the oasis web namespace. 

Also, there's a large amount of stuff at the end of core-12 wrt authentication
schemes. need some contributions there. 

Also, the AcceptXML namespace thread needs some discussion. 

JeffH: just need to make sure those are covered explicitly by issue numbers if
not already. 




5. Michah asks if req/resps can go on forever or are they bounded 

how long can a chain of reqs & resps become? 

prateek: single req, single resp, then you're done. am I missing something in
your question?

michah: perhaps folks will try to aggregate these? and perhaps you're not done
with a req/resp. there might be subsq processing. 

how much baggage does one end up carrying around thru the entire lifecycle? Can
we get a pointer in here so we don't have to carry around stuff thru the entire
lifecycle? what about when opacity occurs?

simon pointed out there's an assertion specifier that perhaps addressed this. 

xmldsig may have addressed this in terms of multi-part docs .

Michah will think about this and take the discussion to the list if he feels
there's stuff to think about and/or decide. 


Don Flinn: is "secure delegation" in scope of saml.

someone: "no"

simon: in core-12 if we're asking for attr assertions but what attrs can be
revealed to a requester?

carlisle: there's two senses of delegation - eg that in kerberos & that in
x.509/dsig - they're a little different - which are you asking about? 

simon: a little unsure of what my question is...

prateek: req & responder have some sort of rel. resp'r may only reveal some
stuff to req'r depending on the rel. is impt point, need to work thru it, but is
diff than deleg. 



> 
> ===========================
> Overall Issues and concerns
> ===========================

no discussion.
 
> 
> Item: How to prioritize issues resolution?
> 
> Current issues list is -04:
> http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-issues-04.doc
> 
> Open issues (plus any waiting to be added by Hal; how current is this list?):
> 
> UC-1-05: FirstContact (p. 13)
> UC-2-05: EMarketplace (p. 29)
> UC-7-01: Enveloping (p. 56)
> UC-7-02: Enveloped (p. 56)
> UC-8-02: IntermediaryAdd (p. 58)
> UC-8-03: IntermediaryDelete (p. 61)
> UC-8-04: IntermediaryEdit (p. 63)
> UC-8-05: AtomicAssertion (p. 65)
> UC-9-01: RuntimePrivacy (p. 67)
> UC-9-02: PrivacyStatement (p. 67)
> UC-13-07: Hailstorm Interoperability (p. 85)
> DS-1-01: Referring to Subject (p. 86) BobB?
> DS-1-01: Anonymity Technique (p. 86) Marlena
> DS-3-01: DoNotCache (p. 88) Hal
> DS-3-02: ClockSkew (p. 88) Hal
> DS-3-03: ValidityDependsUpon (p. 88) Prateek
> DS-4-01: Top or Bottom Typing (p. 89) Dave
> DS-4-02: XML Terminology (p. 89) Jeff
> DS-4-03: Assertion Request Template (p. 89) (Tim/Dave initially)
> DS-4-04: URIs for Assertion IDs (p. 89) (Jeff initially)
> 
> [others to add?]
> 
> ---
> end
> 

