security-services message
Subject: Minutes of TC conference call on 1/31/06

List of Action Items:
Tony N: Will provide a draft of IBM's SAML 2.0 research report in the next two weeks for TC review.
Jahan M: Open an erratum place holder for Constrained Delegation
Scott C: Propose text for last sentence of PE 43.
Heather H: Correct examples for PE 43 and re-send to list


0. Minute taker for meeting on 2/14/06: Prasanta Behera volunteered for next time


1. Roll call.
Quorum achieved. Please see end of this email for list of attendees.

2. Approve minutes from 17-Jan SSTC con-call
Approved minutes by unanimous consent

3. New IBM research report on security of SAML 2.0. Main focus is on use of artifact binding with web SSO.
* IBM has requested a meeting with SSTC to discuss findings and proposals
* Chairs will set up meeting and have asked IBM to provide paper to TC

Tony: IBM in Zurich has expressed concerns on SAML 2.0 Browser/Artifact. They are giving TC a chance to review and respond before it is submitted for the IEEE conference in fall of 2006. Tony will provide draft or link. Link or draft will be provided in two weeks. Authors are willing to join the call to discuss and answer any questions.

Scott: Are there other bindings addressed in the doc?
Tony: No. Paper is proposing alternative binding

4. Constrained Delegation (saml-dev discussion thread continued on main list):

Scott: There are two main arguments. Supports Connor's contention that existing specs need to be clarified. Can be done in core or Confirmation-specific clarification for bearer or holder-of-key.

Rob: Is the main debate whether it gets included in core?
Scott: Yes.
Scott: Can tackle the language, but Prateek has not yet accepted Scott's arguments
Hal: Is this a profile discussion?
Scott: Profile would be interpretation-specific. Absent any specific interpretation, it is best to change core.
Rob: Let's continue the discussion.
Scott: Thinks that clarification may be done as an erratum.
Jahan: will open an erratum place holder


5. Errata discussion

PE 10 and PE 23 remain open

PE 40:
Language is not clear. Will discuss on next call with Prateek.

PE 41:
Eric T. explains that there was some confusion in the interop event. Eric explains the erratum as documented in draft 22 of the errata doc. Suggests additional text to clarify behavior when ResponseLocation is omitted.

Rob: asks for discussion
Brian C.: Do we need to clarify AssertionConsumerService?
Rob: Calls for vote
Brian C.: Makes motion to accept PE 41. Scott seconds. No further discussion or objection. PE 41 is approved.

PE 42:
Thomas explains erratum.
Rick Randall moves to accept. Eric T seconds. No further discussion or objection. PE 42 is approved.

PE 43:
Heather: Was discussed in the liberty conformance meeting. Believes that it was discussed in the SAML con call in November or December.

The purpose of the erratum was to clarify and provide examples.
Scott believes that this item was discussed in one of the calls.
Heather will re-send erratum to the list.
Scott: Most of the erratum is fine. Has a question about the text at the end with respect to "legacy implementation". Seems to be saying that original SAML approach cannot be used if there are multiple keys. Does not think XML encryption allows this.

Heather: you can have multiple instances of encrypted data.
Scott: I mean multiple encrypted key not multiple encrypted data and this is a useful use case.
Hal: Recalls that XML encryption supports it but WSS does not.
Scott: XML Encryption does not allow multiple keys. The SAML spec is accounting for this use case.
Heather: We need to clearly state how this is interpreted.
Scott: Encrypted Key in the SAML schema was put in there to support the "multiple key" use case.
Scott will propose alternative text for the last paragraph.
Brian C: Example is not quite correct.
Heather: Will correct the example and send to Scott.

6. Shared credential draft document: Ashish P.
<http://www.oasis-open.org/apps/org/workgroup/security/download.php/15207/draft-saml-protocol-ext-01.pdf>
Ashish: Received emails from Scott regarding the proposal. Ashish explains the use case and the proposal. Current SAML does have the notion of "group". The proposal tries to document a solution for addressing this requirement.

Paul M: We are trying to start discussions
Hal: has a bunch of comments and will send email and believes he has a solution to address these requirements. Thinks this is a special case of a more general case.

Bob M: It is possible and good to separate group membership and changing "users".
Paul M.: In the document there is a "SwitchUser" extension to address this. Scott in his last email suggested treating groups as subjects

Scott: Believes that the use case should be more directly confronted.
Rob: This is represented by a "single subject" and could be addressed by having additional attributes for the subject.
Paul M: it is not how the IdP asserts, it is how the SP indicates what it needs.
Rob: Assertion is about a principal and various characteristics of the principal.
Scott: It is reasonable to treat groups as principals.
Hal: Asserts this is about accountability.
Scott: Believes AuthenticationContext is the right element to use.
Hal: This is not about the act of authentication.
Scott: Believes this is about authentication
Paul M.: We could not convince ourselves that AuthenticationContext is sufficient.
Frederick H.: Agrees that it is part of the authentication act.
Jeff H: The crux is that the IdP knows that the identity has some properties associated with it. Agrees with Scott that the "Identifier" has to have an ID associated with it.

Another aspect is whether the spec should presuppose this kind of mapping that is really external to SAML specs.
Paul M: it is a requirement of this use case that the SP is aware that there is a one to many mapping.
Jeff H: It may be appropriate to create a new NameID format.
Bob M: That is making the assumption that existing NameID formats cannot accommodate groups. It may also be appropriate to use attributes.

Hal: All the SP has to know is that the original ID is not sufficient for policy decisions.
Scott: Believes shared credential is reasonable to express in the Authn Context
Rob: It would be useful for anyone who has similar use cases to send to the list.



7. saml-dev discussion re: "strongly matches"
* TomS and ScottC: RE: [saml-dev] strongly matches <http://lists.oasis-open.org/archives/saml-dev/200601/msg00011.html>

Scott: May be worth having an erratum to address this. Will propose one if he thinks there is an erratum.

8. AI Review
247: Prateek will produce a revision of Constrained Delegation next week
243: Remains open
246: Remains open
180: No owner. We may drop it or may be assigned if someone agrees to take it on.
245: Remains open
244: Closed (it is PE 41)
238: Remains open
242: Remains open
230: Remains open
240: Abbie should be the owner. The draft is going through review. Will discuss with Jamey how OASIS and ITU SAML specs can remain the same.

9. Any Other Business?
None
10. Adjourned at 13:20 EST.
----
Attendance of Voting Members
Steve Anderson BMC Software
Prasanta Behera Individual
Sharon Boeyen Entrust
Brian Campbell Ping Identity
Carolina Canales-Valenzuela Ericsson
Scott Cantor Internet2
Heather Hinton IBM
Frederick Hirsch Nokia
Jeff Hodges NeuStar
John Hughes Individual
Jim Lien RSA Security
Hal Lockhart BEA Systems, Inc
Paul Madsen NTT Corporation
Jahan Moreh Sigaba
Bob Morgan Internet2
Anthony Nadalin IBM
Ashish Patel France Telecom
Rob Philpott RSA Security
Rick Randall Booz Allen Hamilton
Irving Reid Hewlett-Packard Company
David Staggs Veteran's Health Admin
Eric Tiffany IEEE Industry Standards
Thomas Wisniewski Entrust
Emily Xu Sun Microsystems

Attendance of Non-Voting Members
Abbie Barbir Nortel
Bhavna Bhatnagar Sun Microsystems
Guy Denton IBM
Dana Kaufman Forum Systems
Nick Ragouzis Enosis Group

Membership Status Changes
Greg Whitehead Hewlett-Packard Company - Changed affiliation from Trustgenix before 1/17/2006 call
Vamsi Motukuru Oracle - Lost voting status after 1/31/2006 call
Guy Denton IBM - Granted voting status after 1/31/2006 call
Dana Kaufman Forum Systems - Granted voting status after 1/31/2006 call
Nick Ragouzis Enosis Group - Granted voting status after 1/31/2006 call


Thanks,
Jahan

------------------------------
Jahan Moreh
Chief Security Architect
310.288.214
