
security-services message



Subject: Re: SSTC Telecon Agenda: September 18


Potential regrets, I may be stuck in planes/airports/other places.

Dave

At 10:43 AM 9/17/01 -0700, PATO,JOE (HP-PaloAlto,ex1) wrote:
>Agenda for SSTC Telecon, 18 September 2001
>Dial in number: +1 334 262 0740 Meeting ID#856956.
>
>Agenda
>
>* Attendance
>
>* Ratification of minutes from F2F#4
>
>* ratification retry for "green issues" in Hal's issues-to-be-closed doc
>(e-mail: RE: Issues to be closed at the Sept 4 Concall (revised list)
>31-aug-01)
>
>* sponsorship of issues in saml-issues doc
>   - issues need sponsors to stay on to-resolve for 1.0 list (extended to
>9/28)
>   - another week to raise hands & sponsor issues
>
>* workload balancing
>   - JeffH needs to pass on some tasks
>
>* uncovered tasks
>   - DSIG profile (any takers?)
>
>* a SAML/Kerberos integration discussion group will be created - send mail
>to Joe to join him (by 9/14) => extended to 9/21
>
>
>* "whiteboard issues" from F2F#4
>   - which are closed?
>   - Issue owners, please be prepared to discuss status
>   - need to prioritize (on the call? yes?) - owner will assert priority, TC
>can comment. (for each issue/action a want resolved by date will be assigned
>during the call)
>
>[Action - Bob B & Marlena]: <Subject> in Core doc to correspond to Artifact
>
>[Action - Bob B.]: Return of not current valid assertions to RP (e.g. post
>dated)
>
>[Action - Charles]: To write a concrete proposal that would allow
>Authorities to provide helpful info about why certain requests failed. This
>would be really helpful during initial deployment when you can't figure out
>why things aren't working. This could/should be turned off in production.
>
>[Action - Chris McClaren]: will champion the sec-consider-xx issues and
>drive this subprocess.
>
>[Action - Chris]: to write-up versioning strategy and distribute to mailing
>list [done Aug 30]
>
>[Action - Don]: Smart client profile - develop a proposal
>
>[Action - Don]: to elaborate the number of 1-1 relationships and propose how
>to fix the resulting scaling issues.
>
>[Action - Gil]: [DS-6-01:Nested Attributes] Not sure how SAML could address
>this
>
>[Action - Gil]: To make a proposal on the mandatory use of HTTPS
>
>[Action - Hal & Bob B]: Artifacts are bearer instruments, Assertions are not
>
>[Action - Hal]: Agrees to create a proposal that indicates why we should
>minimize the number of profiles, specifically "Form POST".
>
>[Action - Hal]: to take all the proposed closed issues (green) and send them
>out for ratification at the next concall. [Completed 8/31 - ratification
>awaiting next concall with quorum]
>
>[Action - Hal]: to write scenarios (and / or provide definitions) for how
>NameIdentifier is used (e.g., when it is in SubjectConfirmation to identify
>an assertion vs. when it is used to represent the assertion referent)
>
>[Action - Irving]: Multiple NameIdentifiers are dangerous - Irving to write
>up proposal.
>
>[Action - Irving]: to investigate and write up WAP limits
>
>[Action - Jeff]: threat model discussions to be removed from the bindings
>doc - but rationale preserved somewhere in SAML documents.
>
>[Action - Marlena]: SHIB desires 00-02 artifact type (anonymous user &
>attribute assertions - non personal identifiable info) core design issue.
>
>[Action - Marlena]: to write a proposal to create another Web Browser
>profile that retrieves an Attribute Assertion rather than an Authentication
>Assertion.
>
>[Action - Marlena]: to write up use of artifacts for queries
>
>[ACTION - Phil]: agreed, the core spec will state that all elements need to
>explicitly call out the SAML namespace. Phil to make changes.
>
>[Action - Phil]: Will produce a core-16 that just contains the notional and
>twiddles before any major changes to schema and protocols.
>
>[Action - Prateek]: "Security properties of Assertion Handle" (Bob Blakley
>to act as reviewer).
>
>[Action - Prateek]: Lookup by artifact: Agreed that he should submit a
>detailed proposal to the Core outlining specific changes to specific
>sections. Includes new request-response protocol not currently defined in
>HTTP binding
>
>[Action - Prateek]: Oracle attacks WRT SOAP Profile
>
>[Action - Prateek]: Push profile / use case to be dropped from document
>(Paul Leach's claim that this would assist SAML/Kerberos integration was
>never developed - Paul to present this case if he wishes to re-instate this
>profile)
>
>[Action - Prateek]: Should the Bindings Group select either the HTTP or SOAP
>protocol bindings for inclusion in the final spec?
>
>[Action - Prateek]: Should the SOAP binding address the issue of
>intermediaries - generate proposal for how
>
>[Action - Prateek]: This is an editorial issue about the names of profiles.
>Prateek to revise current document.
>
>[Action - Simon]: write a concrete proposal that outlines the change to the
>nature of the authorization query.
>
>[Action - Tim]: First Contact - will write up what can be done with the
>current design.
>


