SSTC Telecon, 18 September 2001 - minutes

["PATO,JOE (HP-PaloAlto,ex1)" <joe_pato@hp.com>]

Minutes for SSTC Telecon, 18 September 2001
Dial in number: +1 334 262 0740 Meeting ID#856956.
Minutes taken by Gavenraj & Joe

Agenda

* Attendance

Attached at bottom of these minutes. Quorum achieved.

* Ratification of minutes from F2F#4

[Vote: Approved]

* ratification retry for "green issues" in Hal's issues-to-be-closed doc
(e-mail: RE: Issues to be closed at the Sept 4 Concall (revised
list)31-aug-01)

[Vote: Approved]

[Action - Hal]: Update issues list

* sponsorship of issues in saml-issues doc
  - issues need sponsors to stay on to-resolve for 1.0 list (extended to
9/28)
  - another week to raise hands & sponsor issues

[Vote: Approved]

* Regarding message from Karl Best
   - Anybody could join TC list
     - put proposal on table to continue on vote
     - to have voting members status you must be a member and to champion an
issue

* workload balancing
  - JeffH needs to pass on some tasks
     - Can anyone help website maintenance and document repository upload
     - Jeff to send out explicit requests to mailing list

* uncovered tasks
  - DSIG profile (any takers?)
     - Krishna will act on this.

* a SAML/Kerberos integration discussion group will be created - send mail
to Joe to join him (by 9/14) => extended to 9/21


* "whiteboard issues" from F2F#4
  - which are closed?
  - Issue owners, please be prepared to discuss status
  - need to prioritize (on the call? yes?) - owner will assert priority, TC
can comment. (for each issue/action a want resolved by date will be assigned
during the call)

[Action - Bob B & Marlena]: <Subject> in Core doc to correspond to Artifact

>> vexed, offline discussion. Monday - for status

[Action - Bob B.]: Return of not current valid assertions to RP (e.g. post
dated)

>> Text in Bob's powerpoint, sending in e-mail the text.

[Action - Charles]: To write a concrete proposal that would allow
Authorities to provide helpful info about why certain requests failed. This
would be really helpful during initial deployment when you can't figure out
why things aren't working. This could/should be turned off in production.

>> 8/30 - proposal sent to list

[Action - Chris McClaren]: will champion the sec-consider-xx issues and
drive this subprocess.

>> to start this week.

[Action - Chris]: to write-up versioning strategy and distribute to mailing
list [done Aug 30]

>> done.

[Action - Don]: Smart client profile - develop a proposal

>> to send out by Monday

[Action - Don]: to elaborate the number of 1-1 relationships and propose how
to fix the resulting scaling issues.

>> to send out by Monday

[Action - Gil]: [DS-6-01:Nested Attributes] Not sure how SAML could address
this

>> revisit at next call

[Action - Gil]: To make a proposal on the mandatory use of HTTPS

>> Prateek will take on. Report back end of next week.

[Action - Hal & Bob B]: Artifacts are bearer instruments, Assertions are not

>> E-mail, Hal doesn't believe this any more 

[Action - Hal]: Agrees to create a proposal that indicates why we should
minimize the number of profiles, specifically "Form POST".

>> Withdrawn

[Action - Hal]: to take all the proposed closed issues (green) and send them
out for ratification at the next concall. [Completed 8/31 - ratification
awaiting next concall with quorum]

>> Done

[Action - Hal]: to write scenarios (and / or provide definitions) for how
NameIdentifier is used (e.g., when it is in SubjectConfirmation to identify
an assertion vs. when it is used to represent the assertion referent) 

>> Bob's slides, will send out e-mail today.

[Action - Irving]: Multiple NameIdentifiers are dangerous - Irving to write
up proposal.

>> *** Discuss in focus meeting today

[Action - Irving]: to investigate and write up WAP limits

>> e-mail sent today.

[Action - Jeff]: threat model discussions to be removed from the bindings
doc - but rationale preserved somewhere in SAML documents.

>> Handoff to Chris this week; (Prateek will join for how to split)

[Action - Marlena]: SHIB desires 00-02 artifact type (anonymous user &
attribute assertions - non personal identifiable info) core design issue.

>> reconsidering need for this.

[Action - Marlena]: to write a proposal to create another Web Browser
profile that retrieves an Attribute Assertion rather than an Authentication
Assertion.

>> Same as above

[Action - Marlena]: to write up use of artifacts for queries

>> Query handle in request for assertion - anonymous subject discussion will
resolve this

[ACTION - Phil]: agreed, the core spec will state that all elements need to
explicitly call out the SAML namespace. Phil to make changes.


[Action - Phil]: Will produce a core-16 that just contains the notional and
twiddles before any major changes to schema and protocols.

>> processing comments from eve, looking at choice groups. end of week next.

[Action - Prateek]: "Security properties of Assertion Handle" (Bob Blakley
to act as reviewer).

>> One more cycle through bindings con-call - at least through mid next
week. Bob - may linger in review process

[Action - Prateek]: Lookup by artifact: Agreed that he should submit a
detailed proposal to the Core outlining specific changes to specific
sections. Includes new request-response protocol not currently defined in
HTTP binding

>> In part addressed in core-16. status by 9/20

[Action - Prateek]: Oracle attacks WRT SOAP Profile

>> References from Bob. 9/21

[Action - Prateek]: Push profile / use case to be dropped from document
(Paul Leach's claim that this would assist SAML/Kerberos integration was
never developed - Paul to present this case if he wishes to re-instate this
profile)

>> out for now.

[Action - Prateek]: Should the Bindings Group select either the HTTP or SOAP
protocol bindings for inclusion in the final spec?

>> open - reasons for inclusion of both profiles or elimination of 1 should
be sent to the list (by 9/25)

[Action - Prateek]: Should the SOAP binding address the issue of
intermediaries - generate proposal for how

>> *** discussion at focus today

[Action - Prateek]: This is an editorial issue about the names of profiles.
Prateek to revise current document.

>> single sign on terminology to be included in next version

[Action - Simon]: write a concrete proposal that outlines the change to the
nature of the authorization query.

>> idle, report at next con call

[Action - Tim]: First Contact - will write up what can be done with the
current design. 

>> out with next binding doc



New Items:

>> prateek: pseudonym or somewhat anonymous subject identifiers


Meeting Adjourned.

Attendance:

As of the end of the SSTC Meeting, September 18, 2001
Attendance: Voting Members

 
 
Gavenraj  Sodhi  Access360 
Irving  Reid  Baltimore 
Mack  Hicks Bank of America 
Larry  Hollowood Bank of America 
David  Orchard  BEA 
Krishna  Sankar  Cisco 
Ken  Yagen  Crosslogix 
Simon Godik Crosslogix 
Hal  Lockhart Entegrity 
Fred  Moses Entitlenet 
Carlisle  Adams  Entrust 
Alex Berson  Entrust 
Robert  Griffin  Entrust 
Tim  Moses  Entrust 
Don Flinn Hitachi 
Joe   Pato HP 
Jason  Rouault  HP 
Maryann  Hondo  IBM 
Marc Chanliau  Netegrity 
Prateek  Mishra  Netegrity 
Jeff  Hodges  Oblix 
Charles  Knouse  Oblix 
Steve  Anderson  OpenNetwork 
Mark Griesi OpenNetwork 
Michael  Lyons  OpenNetwork 
Darren  Platt  RSA 
Jahan Moreh Sigaba 
Eve  Maler  Sun 
Aravindan  Ranganathan Sun 
Ron Monzillo Sun 
Bob  Blakley  Tivoli 
Marlena  Erdos  Tivoli 
Sridhar  Muppidi  Tivoli 
Bob  Morgan  UWashington 
Phillip  Hallam-Baker  Verisign 
Thomas  Hardjono  Verisign 
Tony  Palmer  Vordel 

 
 
New Members
 
Mary Ann Hondo IBM
 
 
Other Attendance (Prospective Members and Observers)
 
Scott Cantor         Ohio State University
 
 
Others to note
 
Evan Prodromou   RSA  - Placed on observer status
 
Kelvin Beeck        Talking Blocks  - Lost Membership status
 
Nigel Edwards      HP  - Withdrawn